56

I have a Linode VPS running Nginx, which currently serves only static content.

Once I was looking at the log and noticed some strange requests:

XXX.193.171.202 - - [07/Aug/2013:14:04:36 +0400] "GET /user/soapCaller.bs HTTP/1.1" 404 142 "-" "Morfeus Fucking Scanner"
XXX.125.148.79 - - [07/Aug/2013:20:53:35 +0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
XXX.125.148.79 - - [07/Aug/2013:20:53:35 +0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 142 "-" "ZmEu"
XXX.125.148.79 - - [07/Aug/2013:20:53:35 +0400] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
XXX.125.148.79 - - [07/Aug/2013:20:53:35 +0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
XXX.125.148.79 - - [07/Aug/2013:20:53:35 +0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
XXX.125.148.79 - - [07/Aug/2013:20:53:35 +0400] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
XXX.221.207.157 - - [07/Aug/2013:22:04:20 +0400] "\x80w\x01\x03\x01\x00N\x00\x00\x00 \x00\x009\x00\x008\x00\x005\x00\x00\x16\x00\x00\x13\x00\x00" 400 172 "-" "-"
XXX.221.207.157 - admin [07/Aug/2013:22:04:21 +0400] "GET /HNAP1/ HTTP/1.1" 404 142 "http://212.71.249.8/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/xxx.x (KHTML like Gecko) Safari/12x.x"

Should I worry about somebody trying to hack my server in this case?

Michael Pankov
  • The HNAP request is an attempt to take advantage of an old D-Link security flaw shown [HERE](http://www.securityfocus.com/bid/37690/exploit) –  Feb 02 '14 at 00:33

4 Answers

71

It appears that your server is the target of an automated attack involving the ZmEu scanner.

That first request appears to be from another automated attack involving the Morfeus Scanner.

That last request appears to be an attempt to exploit vulnerabilities in the Home Network Administration Protocol (HNAP) implementations of D-Link routers. More information about the attack can be found here.

From a cursory glance at the requests it's making, I'd say you have nothing to worry about if you aren't running phpMyAdmin on your systems. Such attacks are commonplace for servers connected to the internet, and the scans are getting 404s, indicating that your server does not have what they are looking for.

  • Thank you. Can you comment on the first and last two requests? They don't seem to be part of the ZmEu attack. – Michael Pankov Aug 08 '13 at 17:28
  • @Constantius That first request appears to be another automated scanner hitting an HTTP 404. Nothing to worry about there. I can't tell what the second-to-last request is doing, but the last request appears to be an attempt to exploit a vulnerability in D-Link routers. I will update my answer. –  Aug 09 '13 at 03:12
  • The second-to-last one is probably an HTTPS connection attempt. – deed02392 Feb 17 '14 at 16:31
  • In 2014, HNAP was successfully exploited by The Moon worm. https://isc.sans.edu/forums/diary/More+on+HNAP+What+is+it+How+to+Use+it+How+to+Find+it/17648/ – Palec May 14 '16 at 10:29
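As an added illustration (not code from any answer on this page), a small Python pass over access-log entries of the kind quoted in the question: it parses the nginx combined format, tags the scanner signatures the answers name (ZmEu, Morfeus, phpMyAdmin setup.php, HNAP, and raw non-HTTP bytes on port 80), and checks whether any probe was actually served content rather than a 404/400. The sample log and the documentation IPs in it are constructed.

```python
import re
from collections import Counter

# Constructed sample (nginx combined format, RFC 5737 doc IPs), modelled on the question's entries
SAMPLE_LOG = r'''
203.0.113.7 - - [07/Aug/2013:14:04:36 +0400] "GET /user/soapCaller.bs HTTP/1.1" 404 142 "-" "Morfeus Fucking Scanner"
203.0.113.9 - - [07/Aug/2013:20:53:35 +0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
203.0.113.9 - - [07/Aug/2013:20:53:35 +0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 142 "-" "ZmEu"
203.0.113.12 - - [07/Aug/2013:22:04:20 +0400] "\x80w\x01\x03\x01\x00N\x00\x00" 400 172 "-" "-"
203.0.113.12 - admin [07/Aug/2013:22:04:21 +0400] "GET /HNAP1/ HTTP/1.1" 404 142 "http://203.0.113.12/" "Mozilla/5.0"
203.0.113.50 - - [07/Aug/2013:22:10:00 +0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

# ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
REQUEST_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')  # a well-formed HTTP request line

# (field, substring, label) signatures for the probes the answers identify
SIGNATURES = [("ua", "ZmEu", "ZmEu scanner"),
              ("ua", "Morfeus", "Morfeus scanner"),
              ("request", "/scripts/setup.php", "phpMyAdmin setup.php probe"),
              ("request", "w00tw00t", "w00tw00t probe"),
              ("request", "/HNAP1/", "HNAP (D-Link router) probe")]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Signature labels matching this entry; an empty list means unremarkable traffic."""
    tags = [label for field, needle, label in SIGNATURES if needle in entry[field]]
    if not REQUEST_RE.match(entry["request"]):
        # raw bytes instead of a request line (nginx answered 400): typically a TLS handshake on the plain-HTTP port
        tags.append("non-HTTP bytes on HTTP port")
    return tags

def analyze(log_text):
    """Return (flagged entries, Counter of (label, status)) for a block of log text."""
    flagged, by_tag_status = [], Counter()
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            flagged.append((entry["ip"], entry["request"], entry["status"], tags))
            by_tag_status.update((t, entry["status"]) for t in tags)
    return flagged, by_tag_status

def probes_found_something(flagged):
    """True only if a flagged probe got a 2xx/3xx, i.e. the targeted path really exists."""
    return any(status[0] in "23" for _, _, status, _ in flagged)
```

The useful signal is `probes_found_something()`: a flagged request that returns 200 means the scanner found a live target, which is the case that needs attention; a list of 404s and 400s is just background noise.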
33

Every server that is connected to the Internet will receive hundreds of "weird requests". Most of them are from automatic botnets which try to replicate by finding machines which feature a specific vulnerability. They try random IP addresses (there are only four billion possible IP addresses, after all). So yes, someone is trying to enter your server, but that "someone" is a mindless automaton who has nothing against you, specifically.

I would say that if you find the log entries, then the attack did not work, so you don't have to worry about them. When the attack is successful, the first thing the attacker does is remove their traces from the log files.

This does highlight the utmost necessity of installing security fixes, because every online server is, by construction, exposed and will be targeted by such random attacks at some point.

Tom Leek
  • Your point that the first thing an attacker might do is erase the traces of entry is very enlightening! We channel our logs out to another server, so hopefully if something were to happen we will have a record. :) – Dustin Graham Oct 09 '13 at 15:29
  • I have a question: is there a service that I can redirect these attackers to so they will be identified? I'm getting the same requests to my IP address, but my domain has Cloudflare; should I redirect them to the Cloudflare domain so I can block them? – siniradam Dec 16 '19 at 07:15
11

If you want to block known scanners, you might want to use the nginx-based WAF naxsi together with doxi-rules; these scanners are widely known.

doxi + naxsi in action

-1

According to the latest report, the vulnerability is in ZynOS and is trouble for users of routers from D-Link, TP-Link, ZTE and other manufacturers; it allows remote hackers to change the DNS settings and hijack the user's traffic. This vulnerability has a "backdoor-type" function "built" into the router, which suggests a deliberate implementation.

  1. The input of the "ping" tool, which the D-Link DIR636L incorrectly filters, allows the injection of arbitrary commands into the router.
  2. This enables a remote attacker to gain full control of the router, for example to attack the network in a DDoS-style attack, or even to expose the computers behind the device to the internet by changing the firewall/NAT rules on the router.