Geck0 Posted January 22, 2020

Hi, bear with me as I explain this. I'm on Nextcloud 17 on unRaid with several other dockers. Recently, I've been attempting to get Oauth2_proxy working, behind nginx reverse proxy. I was setting up Oauth2_proxy on Unraid using a docker, with Nextcloud as the Oauth2 authority. I decided to use the airsonic for testing. I managed to reach the "sign into Nextcloud" page but couldn't get any further.

When I went to look at the airsonic log on the reverse proxy, I found this immediately after the failed oauth2 attempt:

193.57.40.46 - - [22/Jan/2020:19:04:00 +1100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200

The IP address is Ukrainian. I wasn't connected to a VPN at the time, and this appears to be a malware exploit. When I copied and pasted this into my browser it took me straight into Nextcloud. I was already authenticated on the browser so that is not a concern. However, when not authenticated it takes me to the external https:// of the Nextcloud subdomain. Fortunately, I have 2FA set up.

Whilst not directly linked to Nextcloud, is this something that somebody could elaborate on? I'm concerned about the irony of using Oauth2_proxy by "pusher". I'm not being suggestive that the coder(s) have done anything wrong, however it's incredibly ironic.
Morphed Posted February 13, 2020

https://www.cvedetails.com/cve/CVE-2017-9841/

I'm not sure if Nextcloud uses phpunit, but it's likely just some script somewhere just running through any IP that has 80/443 open and testing for known vulnerable scripts. If it redirects to/loads a login page or Nextcloud, you are likely fine if they come back and try to post things to it.

Having your server connected to the internet will bring a lot of unwanted traffic. For example:

$ grep 183.134.74.13 access.log.1 | wc -l
935

Sample of the logs:

183.134.74.13 - - [13/Feb/2020:02:24:34 +0000] "POST /zmp.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
183.134.74.13 - - [13/Feb/2020:02:24:35 +0000] "POST /803.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
183.134.74.13 - - [13/Feb/2020:02:24:35 +0000] "POST /zzz.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
183.134.74.13 - - [13/Feb/2020:02:24:36 +0000] "POST /ze.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
183.134.74.13 - - [13/Feb/2020:02:24:37 +0000] "POST /nnb.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"

And that went on for 10 minutes.

That said, if you are worried about one random page hit from a random IP, it might be worth considering if you really need your server connected to the internet and if it wouldn't be better off using a VPN to access services.

Edited February 13, 2020 by Morphed
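Added here as an illustration and not part of Morphed's post: a small Python triage script that applies the two patterns this thread discusses (the phpunit eval-stdin.php probe path from the first post, linked to CVE-2017-9841 above, and the sweep of POSTs to random top-level .php names from the grep above) to the log lines quoted in the thread, grouping hits per source IP and recording which probe paths were answered with a 200. The `RANDOM_PHP_RE` heuristic and the benign 10.0.0.5 request are my own assumptions, not anything from the thread.

```python
import re
from collections import defaultdict
# Log lines quoted in this thread plus one constructed benign Nextcloud request (10.0.0.5).
SAMPLE_LOG = """\
193.57.40.46 - - [22/Jan/2020:19:04:00 +1100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200
183.134.74.13 - - [13/Feb/2020:02:24:34 +0000] "POST /zmp.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
183.134.74.13 - - [13/Feb/2020:02:24:35 +0000] "POST /803.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
183.134.74.13 - - [13/Feb/2020:02:24:35 +0000] "POST /zzz.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.5 - - [13/Feb/2020:02:30:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""
# Common/combined log format: ip ident user [time] "METHOD PATH PROTO" status [size referer ua]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})(?: (?P<size>\S+))?'
)
# The phpunit path from the first post is the CVE-2017-9841 probe (CVE link in the post above).
KNOWN_PROBES = {"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php": "CVE-2017-9841 phpunit eval-stdin.php probe"}
# Assumed heuristic: the scanner in the second post POSTs to short, random top-level .php names.
RANDOM_PHP_RE = re.compile(r"^/[A-Za-z0-9_]{1,8}\.php$")

def parse_line(line):
    """Parse one access-log line into a dict; None if it does not match the format."""
    m = LOG_RE.match(line)
    return {**m.groupdict(), "status": int(m["status"])} if m else None

def classify(req):
    """Return why the request looks like a vulnerability probe, or None if it looks ordinary."""
    path = req["path"].split("?", 1)[0]
    if path in KNOWN_PROBES:
        return KNOWN_PROBES[path]
    if req["method"] == "POST" and RANDOM_PHP_RE.match(path) and req["status"] >= 300:
        return "POST to unknown top-level .php (backdoor sweep)"
    return None

def triage(log_text):
    """Per source IP: number of probes, the reasons, and which probe paths were answered 200."""
    report = defaultdict(lambda: {"hits": 0, "reasons": set(), "served_200": []})
    for line in log_text.splitlines():
        req = parse_line(line)
        reason = classify(req) if req else None
        if reason is None:
            continue
        entry = report[req["ip"]]
        entry["hits"] += 1
        entry["reasons"].add(reason)
        # A 200 on a probe path (what the first poster saw, routed to the Nextcloud login
        # page) is not proof of compromise, but the probed file must be confirmed unreachable.
        if req["status"] == 200:
            entry["served_200"].append(req["path"])
    return dict(report)
```

Run the script over your own access log with `triage(open("access.log").read())`; IPs with many hits and an empty `served_200` list are the noise Morphed describes, while any path in `served_200` deserves a manual check.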
BRiT Posted February 13, 2020

Never expose or put your server directly in the internet. Your server will be incredibly easy to find. There are search engines targeting IoT devices that have a large selection of unRaid servers listed. Some of the servers have no password set and are even easier pickings.
Morphed Posted February 14, 2020

My logs came from my webserver hosting some websites. I had never thought to run unraid through shodan till now...

>442 results with:
>208 HTTP/HTTPS
>52 SMB

yeouch.... just by searching "unraid"