
Recently, I saw some strange entries on my local-only webserver. The thing is I don't know if the attack came from outside the network or from an infected machine. I have read up a little on the hnap attack, but I'm still unsure what to do about it. Essentially, Cisco routers have vulnerabilities because of the "home network administration protocol." And from what I've read there is no solution.

If it is an infected system I'd like to pinpoint it by listening to network traffic, but I'm not sure how to do that. I tried using Snort and Wireshark, but these programs seem pretty advanced. Alternatively, I am thinking that if someone was able to compromise my network by cracking the network key, they could join the network and run whatever scans they want. Otherwise, maybe someone is accessing from outside the local network.

Here are the entries (updated to show multiple requests from my PC):

[03/Sep/2017 11:35:13] "GET / HTTP/1.1" 400 67505
Invalid HTTP_HOST header: '192.168.yyy.yyy'.

[03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699
Invalid HTTP_HOST header: '192.168.1.1' (Router IP).

[03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699
Invalid HTTP_HOST header: '192.168.1.2' (PC IP).

[03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699
Invalid HTTP_HOST header: '10.1.0.1' (Virtualbox IP on PC).

What can I do to track down the problem? Is there an easy way to listen for more of these requests and pinpoint the source? Are there better malware/spyware scanners that might pick up on a worm?

(I use up-to-date antivirus and it is not detecting anything, so there's that.)

James

1 Answer


What you found was that a device connected to your web server and requested /HNAP1/.

HNAP is a protocol for managing devices, so with just this information about potential attacks, my guess is that this has been done by a device on your network that supports this protocol (e.g. it may be trying to obtain the public IP address from your router).

Your log line should contain the IP address of the client that performed such a request,¹ e.g.:

192.168.123.123 - - [03/Sep/2017 11:35:13] "GET / HTTP/1.1" 400 67505

in this case, the request would have been performed by 192.168.123.123.

(¹ I am assuming you are using the Common Log Format; if you are using a custom format, you should add the remote address somewhere.)


Regarding your update, the «Invalid HTTP_HOST header» message is mostly irrelevant here. The client connected specifying that it wanted to speak with (192.168.yyy.yyy / 192.168.1.1 / 192.168.1.2 / 10.1.0.1), but your server is not configured with virtual hosts for those. The important piece is the left-hand IP (although if it enumerated both the external and the VirtualBox interface, it probably means it came from your PC).

Ángel
  • The source address was my PC IP, a virtual gateway IP (virtualbox networking), and the router gateway IP (something like 192.168.1.1). Does this indicate that my PC is compromised? – James Sep 03 '17 at 23:14
  • @TechMedicNYC so you had several three requests to /HNAP1/ coming from different IP addresses? – Ángel Sep 03 '17 at 23:16
  • I've updated the question body for clarity. It shows the example source IPs and locations. – James Sep 03 '17 at 23:17
  • @TechMedicNYC I updated my answer. The important pieces are the IP addresses at the left, not those on the Host header. – Ángel Sep 03 '17 at 23:26
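To illustrate the answer's point that the remote address is the first field of a Common Log Format line (and that lines without it, like those in the question, cannot be attributed to a client), here is an added example that is not part of the original thread. The log lines are constructed for the example; the parser and the counting helper are hypothetical names, not part of any web server.

```python
import re
from collections import Counter

# Common Log Format: remote address, identd, user, [timestamp], "request", status, size.
# The remote address is always the first field, which is what identifies the client.
CLF_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log (not from the original post): the same /HNAP1/ probes as in
# the question, but logged in CLF so the remote address is present.
SAMPLE_LOG = """\
192.168.1.2 - - [03/Sep/2017 11:35:13] "GET / HTTP/1.1" 400 67505
192.168.1.2 - - [03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699
192.168.1.2 - - [03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699
192.168.1.2 - - [03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699
192.168.1.50 - - [03/Sep/2017 12:01:02] "GET /index.html HTTP/1.1" 200 512
"""


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if the line has no remote address."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def probe_sources(log_text, probe_prefix="/HNAP1"):
    """Count requests whose path starts with probe_prefix, keyed by remote (left-hand) address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and rec["path"].startswith(probe_prefix):
            counts[rec["remote"]] += 1
    return counts


def unattributable_lines(log_text):
    """Return the non-empty lines that lack a remote address and so cannot be traced to a client."""
    return [ln for ln in log_text.splitlines() if ln.strip() and parse_clf(ln) is None]


if __name__ == "__main__":
    for remote, n in probe_sources(SAMPLE_LOG).items():
        print(f"{remote} sent {n} request(s) to /HNAP1/")
```

Running it over a real access log in CLF shows which local address issued the /HNAP1/ requests; the question's own lines (timestamp first, no remote address) are reported by unattributable_lines() and need the log format fixed before they can be traced.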