Malware attempt?


Geck0


Hi,
Bear with me as I explain this. I'm on Nextcloud 17 on unRaid with several other dockers. Recently, I've been attempting to get Oauth2_proxy working, behind nginx reverse proxy.
I was setting up Oauth2_proxy on Unraid using a docker, with Nextcloud as the Oauth2 authority.

I decided to use the airsonic for testing. I managed to reach the "sign into Nextcloud" page but couldn't get any further. When I went to look at the airsonic log on the reverse proxy, I found this immediately after the failed oauth2 attempt:

193.57.40.46 - - [22/Jan/2020:19:04:00 +1100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200

The IP address is Ukrainian. I wasn't connected to a VPN at the time, and this appears to be a malware exploit.

When I copied and pasted this into my browser it took me straight into Nextcloud. I was already authenticated on the browser so that is not a concern. However, when not authenticated it takes me to the external https:// of the nextcloud subdomain. Fortunately, I have 2FA set up.

Whilst not directly linked to Nextcloud, is this something that somebody could elaborate on? I'm concerned about the irony of using Oauth2_proxy by "pusher". I'm not being suggestive that the coder(s) have done anything wrong; however, it's incredibly ironic.

https://www.cvedetails.com/cve/CVE-2017-9841/


I'm not sure if Nextcloud uses phpunit, but it's likely just some script somewhere running through any IP that has 80/443 open and testing for known vulnerable scripts. If it redirects to/loads a login page or Nextcloud, you are likely fine if they come back and try to post things to it.


Having your server connected to the internet will bring a lot of unwanted traffic.


For example:

$ grep 183.134.74.13 access.log.1 | wc -l
935
Sample of the logs:
183.134.74.13 - - [13/Feb/2020:02:24:34 +0000] "POST /zmp.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
183.134.74.13 - - [13/Feb/2020:02:24:35 +0000] "POST /803.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
183.134.74.13 - - [13/Feb/2020:02:24:35 +0000] "POST /zzz.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
183.134.74.13 - - [13/Feb/2020:02:24:36 +0000] "POST /ze.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
183.134.74.13 - - [13/Feb/2020:02:24:37 +0000] "POST /nnb.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"

And that went on for 10 minutes.

 

That said, if you are worried about one random page hit from a random IP, it might be worth considering if you really need your server connected to the internet and if it wouldn't be better off using a VPN to access services.

Edited by Morphed
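Both posts above boil down to the same triage question: is a given access-log entry a one-off scanner probe or something that needs follow-up? The script below is an added example (it is not code from either poster, nor from Nextcloud, Unraid or Oauth2_proxy) that parses Combined Log Format lines like the ones quoted in the thread, flags the CVE-2017-9841 eval-stdin.php probe from the first post, and flags the burst of distinct root-level .php POSTs from the second post. The sample log is constructed from the lines quoted in the thread plus one benign request; the burst thresholds and the webroot path are assumptions to tune locally. One caveat it encodes: a 200 on the probe path from a front-controller app such as Nextcloud (which rewrites unknown URLs to index.php, which is why the first poster landed on the login page) does not prove the file exists, so the script lists the on-disk locations to check by hand rather than declaring a compromise.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the quoted lines from both posts plus one benign request
# from a private address. The first line, like the post, has no size field.
SAMPLE_LOG = """\
193.57.40.46 - - [22/Jan/2020:19:04:00 +1100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200
183.134.74.13 - - [13/Feb/2020:02:24:34 +0000] "POST /zmp.php HTTP/1.1" 301 162 "-" "Mozilla/5.0"
183.134.74.13 - - [13/Feb/2020:02:24:35 +0000] "POST /803.php HTTP/1.1" 301 162 "-" "Mozilla/5.0"
183.134.74.13 - - [13/Feb/2020:02:24:35 +0000] "POST /zzz.php HTTP/1.1" 301 162 "-" "Mozilla/5.0"
183.134.74.13 - - [13/Feb/2020:02:24:36 +0000] "POST /ze.php HTTP/1.1" 301 162 "-" "Mozilla/5.0"
183.134.74.13 - - [13/Feb/2020:02:24:37 +0000] "POST /nnb.php HTTP/1.1" 301 162 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Feb/2020:02:30:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined Log Format as written by nginx/apache; the size field is optional
# because the first post's line was pasted without it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})(?: (?P<size>\S+))?'
)

# Paths that only a vulnerability scanner asks for. The phpunit one is the
# CVE-2017-9841 probe from the first post; extend this table with your own.
KNOWN_PROBES = {
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php": "CVE-2017-9841 phpunit probe",
}

# Heuristic thresholds for the second post's pattern (assumptions, tune locally):
# many different root-level .php files requested by one IP in a short window.
BURST_DISTINCT_PATHS = 5
BURST_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in Combined Log Format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def triage(lines):
    """Group requests by client IP and attach the reasons each IP looks like a scanner."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        # Rule 1: a request for a path that has no legitimate reason to exist here.
        for r in recs:
            if r["path"] in KNOWN_PROBES:
                reasons.append(f"{KNOWN_PROBES[r['path']]} -> HTTP {r['status']}")
        # Rule 2: a burst of distinct root-level .php targets (zmp.php, 803.php, ...).
        php_hits = [r for r in recs if r["path"].endswith(".php") and r["path"].count("/") == 1]
        if php_hits:
            distinct = {r["path"] for r in php_hits}
            span = php_hits[-1]["ts"] - php_hits[0]["ts"]
            if len(distinct) >= BURST_DISTINCT_PATHS and span <= BURST_WINDOW:
                reasons.append(f"{len(distinct)} distinct root-level .php targets in {span}")
        report[ip] = {"requests": len(recs), "reasons": reasons, "suspicious": bool(reasons)}
    return report


def followup_paths(lines, webroot="/var/www/nextcloud"):
    """Known probe paths that got a 2xx. A 200 from a front-controller app does not
    prove the file is present, so return the on-disk locations to verify by hand.
    The webroot default is an assumption."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in KNOWN_PROBES and 200 <= rec["status"] < 300:
            found.append(webroot + rec["path"])
    return found


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, info in triage(lines).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{ip:16} {info['requests']:4} requests  {flag}  {'; '.join(info['reasons'])}")
    for path in followup_paths(lines):
        print("verify on disk (should not exist on a production install):", path)
```

Run it against a real file with `triage(open("access.log").read().splitlines())`. The burst rule is what turns 935 lines from one address into a single finding, and the follow-up list is the check the first poster actually needed: if the phpunit directory is not under the webroot, the 200 was just Nextcloud's own front page answering an unknown URL.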