LinuxQuestions.org > Forums > Linux Forums > Linux - Security
10-26-2014, 03:10 AM   #1
coralfang (Member; Registered: Nov 2010; Location: Bristol, UK; Distribution: Slackware, FreeBSD)
Strange entry in nginx access.log


I've been getting this for the past few days, which I have not seen before:
Code:
99.25.137.246 - - [25/Oct/2014:10:36:05 +0100] "\x80w\x01\x03\x01\x00N\x00\x00\x00 \x00\x009\x00\x008\x00\x005\x00\x00\x16\x00\x00\x13\x00\x00" 400 166 "-" "-"
99.25.137.246 - admin [25/Oct/2014:10:36:05 +0100] "GET /HNAP1/ HTTP/1.1" 404 424 "http://11.22.33.44/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/xxx.x (KHTML like Gecko) Safari/12x.x"
(replaced my server with 11.22.33.44)

Looks like shellcode to me, but what is it doing? I've shut the server down for now because of the line "admin" appearing in the log entry; has it been compromised?
 
10-26-2014, 05:33 AM   #2
Doc CPU (Senior Member; Registered: Jun 2011; Location: Stuttgart, Germany; Distribution: Mint, Debian, Gentoo, Win 2k/XP)
Hi there,

Quote: Originally Posted by coralfang
I've been getting this for the past few days, which I have not seen before:
Code:
99.25.137.246 - - [25/Oct/2014:10:36:05 +0100] "\x80w\x01\x03\x01\x00N\x00\x00\x00 \x00\x009\x00\x008\x00\x005\x00\x00\x16\x00\x00\x13\x00\x00" 400 166 "-" "-"
99.25.137.246 - admin [25/Oct/2014:10:36:05 +0100] "GET /HNAP1/ HTTP/1.1" 404 424 "http://11.22.33.44/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/xxx.x (KHTML like Gecko) Safari/12x.x"
(replaced my server with 11.22.33.44)

Looks like shellcode to me
it isn't. The first line is the attempt of a client (presumably a bot) to establish an SSL connection to your server, which your server doesn't support and therefore misunderstands the code as an HTTP request. The second line is an attempt to exploit a bug in Linksys routers known as the HNAP1 bug.

Quote: Originally Posted by coralfang
I've shut the server down for now because of the line "admin" appearing in the log entry; has it been compromised?
Shutting down the server is over-cautious here, IMHO. The server itself isn't affected; it correctly answers these two requests with a 400 and 404 status. If you have a Linksys router which may have that bug, however, I'd replace it immediately. On the other hand, if there was a router in your network which is affected, the request wouldn't get through to your server.

So it looks like this is annoying for you, but not really a problem.

[X] Doc CPU
10-26-2014, 05:45 AM   #3
coralfang (Original Poster; Member; Registered: Nov 2010; Location: Bristol, UK; Distribution: Slackware, FreeBSD)
OK, thanks for explaining. The server itself is just for personal use at the moment, so it's not like anyone will complain about downtime, haha. I was alarmed by the "admin" string before the date in the entry immediately following the suspicious request, thinking it could be exploiting nginx, but after reading somewhere, it apparently means they only supplied "admin" as the login name for the page and didn't actually log in or create an account.

I don't have a router affected by this so that's good to know.
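The two log lines discussed in this thread can be decoded mechanically, which settles both questions raised above: what the binary first request is, and what the "admin" in the third field of the second line means. The following is an added example written for this page, not code from the original posters. It parses nginx "combined" format log lines, reverses nginx's \xNN escaping of non-printable bytes in $request, decodes the result as an SSLv2-framed CLIENT-HELLO (the record layout is from the SSLv2 specification; the cipher-suite names are the IANA TLS registry names), and flags /HNAP1/ probes. The two sample lines are constructed copies of the ones in the post, and the function names and the `claimed_user` field are my own.

```python
import re
from typing import List, Optional

# Constructed sample input, modelled on the two lines quoted in the thread.
SAMPLE_LOG = r'''99.25.137.246 - - [25/Oct/2014:10:36:05 +0100] "\x80w\x01\x03\x01\x00N\x00\x00\x00 \x00\x009\x00\x008\x00\x005\x00\x00\x16\x00\x00\x13\x00\x00" 400 166 "-" "-"
99.25.137.246 - admin [25/Oct/2014:10:36:05 +0100] "GET /HNAP1/ HTTP/1.1" 404 424 "http://11.22.33.44/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/xxx.x (KHTML like Gecko) Safari/12x.x"
'''

# nginx "combined" format: $remote_addr - $remote_user [$time_local] "$request"
# $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:\\.|[^"\\])*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>(?:\\.|[^"\\])*)" "(?P<agent>(?:\\.|[^"\\])*)"$'
)

# HNAP1 probe: any method against /HNAP1 or /HNAP1/ (assumed pattern).
HNAP_RE = re.compile(rb'^[A-Z]+ /HNAP1/? ')

# IANA names for the suites that appear in the sample hello.
CIPHER_NAMES = {
    0x000039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x000038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x000035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x000013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
}


def unescape_nginx(field: str) -> bytes:
    """Reverse nginx's log escaping: every \\xNN sequence becomes one raw byte."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field[i] == '\\' and i + 3 < len(field) and field[i + 1] == 'x':
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        else:
            out.extend(field[i].encode('latin-1'))
            i += 1
    return bytes(out)


def parse_sslv2_client_hello(data: bytes) -> Optional[dict]:
    """Decode an SSLv2-framed CLIENT-HELLO, the shape old OpenSSL clients send even
    when asking for TLS 1.x. Returns None if the bytes do not look like one.

    Layout: 2-byte record header (high bit set, 15-bit length), msg type 0x01,
    2-byte version, 2-byte cipher-spec length, 2-byte session-id length,
    2-byte challenge length, then 3-byte cipher specs."""
    if len(data) < 11 or not (data[0] & 0x80) or data[2] != 0x01:
        return None
    cipher_len = int.from_bytes(data[5:7], 'big')
    if cipher_len % 3 != 0:
        return None
    specs = data[11:11 + cipher_len]
    usable = len(specs) - len(specs) % 3          # nginx may have logged only a prefix
    suites = [int.from_bytes(specs[i:i + 3], 'big') for i in range(0, usable, 3)]
    return {
        'record_len': ((data[0] & 0x7F) << 8) | data[1],
        'version': (data[3], data[4]),            # (3, 1) is TLS 1.0
        'cipher_spec_len': cipher_len,
        'challenge_len': int.from_bytes(data[9:11], 'big'),
        'suites': suites,
        'suite_names': [CIPHER_NAMES.get(s, hex(s)) for s in suites],
        'truncated': len(specs) < cipher_len,
    }


def analyze(log_text: str) -> List[dict]:
    """Classify each access-log line as an SSLv2 hello, an HNAP1 probe, or other."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            results.append({'raw': line, 'kind': 'unparsed'})
            continue
        e = m.groupdict()
        raw_req = unescape_nginx(e['request'])
        hello = parse_sslv2_client_hello(raw_req)
        if hello:
            kind = 'sslv2-client-hello'
        elif HNAP_RE.match(raw_req):
            kind = 'hnap1-probe'
        else:
            kind = 'other'
        results.append({
            'addr': e['addr'],
            'kind': kind,
            'status': int(e['status']),
            # $remote_user is whatever username the client put in a Basic
            # Authorization header; nginx logs it whether or not any auth is
            # configured or succeeded, so it is a claim, not an authenticated user.
            'claimed_user': None if e['user'] == '-' else e['user'],
            'hello': hello,
        })
    return results


if __name__ == '__main__':
    for r in analyze(SAMPLE_LOG):
        print(r)
```

Running it on the two sample lines reports the first as an SSLv2 CLIENT-HELLO advertising TLS 1.0 with a 78-byte (26-suite) cipher list, of which nginx logged only the first five suites before rejecting the request with 400, and the second as an HNAP1 probe that was answered 404 and merely carried "admin" in its Authorization header.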