LinuxQuestions.org

Linux - Security: Strange entry in nginx access.log (https://www.linuxquestions.org/questions/linux-security-4/strange-entry-in-nginx-access-log-4175523364/)

coralfang 10-26-2014 03:10 AM

Strange entry in nginx access.log
 
I've been getting this for the past few days which I have not seen before:
Code:

99.25.137.246 - - [25/Oct/2014:10:36:05 +0100] "\x80w\x01\x03\x01\x00N\x00\x00\x00 \x00\x009\x00\x008\x00\x005\x00\x00\x16\x00\x00\x13\x00\x00" 400 166 "-" "-"
99.25.137.246 - admin [25/Oct/2014:10:36:05 +0100] "GET /HNAP1/ HTTP/1.1" 404 424 "http://11.22.33.44/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/xxx.x (KHTML like Gecko) Safari/12x.x"

(replaced my server with 11.22.33.44)

Looks like shellcode to me, but what is it doing? I've shut the server down for now because of the line "admin" appearing in the log entry; has it been compromised?

Doc CPU 10-26-2014 05:33 AM

Hi there,

Quote:

Originally Posted by coralfang (Post 5259712)
I've been getting this for the past few days which I have not seen before:
Code:

99.25.137.246 - - [25/Oct/2014:10:36:05 +0100] "\x80w\x01\x03\x01\x00N\x00\x00\x00 \x00\x009\x00\x008\x00\x005\x00\x00\x16\x00\x00\x13\x00\x00" 400 166 "-" "-"
99.25.137.246 - admin [25/Oct/2014:10:36:05 +0100] "GET /HNAP1/ HTTP/1.1" 404 424 "http://11.22.33.44/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/xxx.x (KHTML like Gecko) Safari/12x.x"

(replaced my server with 11.22.33.44)

Looks like shellcode to me

it isn't. The first line is the attempt of a client (presumably a bot) to establish an SSL connection to your server, which your server doesn't support and therefore misunderstands the code as an HTTP request. The second line is an attempt to exploit a bug in Linksys routers known as the HNAP1 bug.

Quote:

Originally Posted by coralfang (Post 5259712)
I've shut the server down for now because of the line "admin" appearing in the log entry, has it been compromised?

Shutting down the server is over-cautious here, IMHO. The server itself isn't affected; it correctly answers these two requests with a 400 and 404 status. If you have a Linksys router which may have that bug, however, I'd replace it immediately. On the other hand, if there was a router in your network which is affected, the request wouldn't get through to your server.

So it looks like this is annoying for you, but not really a problem.

[X] Doc CPU
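As an added example (not code from the thread), here is a small log classifier that undoes nginx's \xNN escaping and parses the first entry as the SSLv2-format CLIENT-HELLO that Doc CPU describes, then tags the HNAP1 probe separately. The sample lines are constructed from the ones posted (plus one ordinary request for contrast), and the regex assumes nginx's default "combined" log format.

```python
import re

# Constructed sample lines modelled on the thread's entries; third line is normal traffic.
SAMPLE_LOG = r'''99.25.137.246 - - [25/Oct/2014:10:36:05 +0100] "\x80w\x01\x03\x01\x00N\x00\x00\x00 \x00\x009\x00\x008\x00\x005\x00\x00\x16\x00\x00\x13\x00\x00" 400 166 "-" "-"
99.25.137.246 - admin [25/Oct/2014:10:36:05 +0100] "GET /HNAP1/ HTTP/1.1" 404 424 "http://11.22.33.44/" "Mozilla/5.0"
10.0.0.5 - - [25/Oct/2014:10:40:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.38.0"'''

# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent ...
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

def unescape(field: str) -> bytes:
    """Undo nginx's \\xNN escaping of non-printable bytes in $request."""
    return re.sub(r'\\x([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), field).encode('latin-1')

def parse_sslv2_client_hello(data: bytes):
    """Parse an SSLv2-format CLIENT-HELLO (2-byte length with high bit set, type 0x01,
    version, cipher-spec/session-id/challenge lengths, 3-byte cipher specs); else None."""
    if len(data) < 11 or not data[0] & 0x80 or data[2] != 0x01:
        return None
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    version = (data[3], data[4])          # (3, 1): client offers TLS 1.0 via an SSLv2 hello
    cs_len = int.from_bytes(data[5:7], 'big')
    specs = data[11:11 + cs_len]
    ciphers = [int.from_bytes(specs[i:i + 3], 'big') for i in range(0, len(specs) - 2, 3)]
    # nginx logs only what it read as the request line, so the record may be cut short;
    # report that instead of trusting the declared lengths.
    return {"record_len": rec_len, "version": version,
            "declared_ciphers": cs_len // 3, "ciphers": ciphers,
            "truncated": len(specs) < cs_len}

def classify(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        return {"kind": "unparsed", "line": line}
    ip, user, ts, req, status, _ = m.groups()
    raw = unescape(req)
    hello = parse_sslv2_client_hello(raw)
    if hello:
        kind = "sslv2-client-hello"       # TLS/SSL handshake sent to a plain-HTTP port
    elif re.match(rb'^[A-Z]+ /HNAP1/', raw):
        kind = "hnap1-probe"              # router HNAP scan; nginx just answers 404
    else:
        kind = "http"
    # $remote_user is whatever name the client put in its Authorization header; it is
    # logged whether or not any credentials were valid, so "admin" here is not a login.
    return {"ip": ip, "user": user, "time": ts, "status": int(status), "kind": kind, "hello": hello}

def scan_log(text: str) -> list:
    return [classify(l) for l in text.splitlines() if l.strip()]
```

Cipher spec 0x000039 in the parsed hello is the 3-byte SSLv2 encoding of TLS id 0x0039 (DHE-RSA-AES256-SHA); the record header announces 119 bytes but the logged field holds only 28, which is why the parser reports it as truncated.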

coralfang 10-26-2014 05:45 AM

Ok thanks for explaining. The server itself is just for personal use at the moment, so it's not like anyone will complain about downtime haha. I was alarmed by the "admin" string before the date in the entries immediately following the suspicious request, thinking it could be exploiting nginx, but after reading somewhere it apparently means they only requested admin as the login name for the page and didn't actually login/create an account.

I don't have a router affected by this so that's good to know.
