
Background: Yesterday I started working on a simple metrics dashboard. I have a VBScript on my internal network that queries a database over a VPN from our Vendor. I then do a simple HTTP post to a node.js server listening on port 8000. I have zero security. All my script sends is a URL formatted like http://myserver.com:8000/name1,value2. The server then takes these and creates a new timeseries based on the first value, if it doesn't exist, and plots a point based on the second value. I pushed this to my public server yesterday about 2:00 PM.

This morning when I came in, there was a new time-series with the following URL as the name: http://testp2.czar.bielawa.pl/testproxy.php

Obviously I need to do some sort of validation that the data is coming from my network, but should I be concerned about this in general? What other steps should I take? The node.js server only parses the URL. It does not even try to process a payload. This data is not sensitive, it's just numbers of transactions for our customers and the customer names (which are publicly available).

THE JOATMON

2 Answers


The URL they requested explains everything. Your Node.js server is open to the public Internet, listens on a port commonly used by HTTP proxies, and a service that scans the Internet for proxies stumbled upon it and decided to test it by requesting a URL and seeing whether your Node.js would return the contents of that URL (if it does, then it's an open proxy and would get listed as such in their database).

This particular attempt doesn't seem malicious. Sure, if they discover you're running an open proxy they'll most likely use it for malicious purposes (spamming, etc.), but their scan is merely requesting a URL and isn't trying to exploit a bug or DoS your server. That doesn't mean someone else wouldn't try to attack and compromise your server, DoS your app by filling up its DB with garbage data, or exhaust the bandwidth of the server so the legitimate HTTP requests no longer reach it.

Now, you should still think about security and whether you actually need this Node server to be reachable from the entire Internet... you say the data you care about is coming from your internal network, so why don't you put the Node server on that same network? That way you avoid unnecessarily leaking data to the Internet, your company network's edge firewall will protect you from scanning attempts since there's no valid reason for that Node server to be accessible from the Internet, and you're no longer vulnerable to DoS attacks from the entire Internet.

If putting the Node server on the private network isn't possible, consider requiring TLS client certificates to authenticate the legitimate data source, so that a client needs to have a valid certificate before even being able to establish the TLS tunnel and issue HTTP requests. Also make sure to follow security best practices such as firewalling, hardening SSH (key authentication only, and change the port to avoid scanners filling up your logs), etc. for the server itself. Your Node app may be the most secure app in the world, but it won't help if someone can become root by SSH'ing in with a bruteforced password or by exploiting some other app running as root.

André Borie
  • Great info! It's on a public server because I want to be able to monitor this feed from anywhere. Again, it's totally desensitized data. I will reconfigure the firewall to only allow access from my network and consider changing it to a nonstandard port. Thanks! – THE JOATMON Oct 05 '15 at 12:53
  • @ScottBeeson consider using TLS mutual authentication - the client (your script) only accepts the exact server certificate (which can be self-signed) and the server only accepts the client certificate of the script, guaranteeing both confidentiality/integrity of the data and that only the legitimate client will be able to connect. – André Borie Oct 05 '15 at 13:41
  • Will do. I already configured the firewall so that if I access the node server from another network I get a 404 (tested from my home PC). – THE JOATMON Oct 05 '15 at 13:42
  • Yeah right now I just used Windows firewall "Connection Security Rule" and defined the two endpoints without any actual security. I figured it was a start. I'll work on the TLS Mutual since it doesn't require paying a root CA or whatever. – THE JOATMON Oct 05 '15 at 13:45

Chances are that your new server received an IP that once belonged to that host, which has another system (a watchdog, or some client) that remembers the old IP that once matched this DNS record.

My guess is that testp2.czar.bielawa.pl is not the host name of your server, since it is accessible and shows your IP address in response. This strengthens the theory that its DNS record was updated with a new IP.

Since your logs show testp2.czar.bielawa.pl as the host, it means a machine used this host in their URL but it resolved to your IP instead. If it was really a malicious thing, you'd see your IP address instead of a host name, or your real host name.

It's fairly common with AWS's elastic IPs, for example.

Kof