
I just deployed a Digital Ocean droplet and I think it was hacked within 20 minutes of deploying. Basically, I built Nginx from source; the only added extras I installed (outside the dependencies) were mod_pagespeed from GitHub (https://github.com/apache/incubator-pagespeed-ngx/archive/v${NPS_VERSION}.tar.gz).

I noticed rather quickly, as I couldn't start nginx due to the port being in use, and saw some very strange logs for a new droplet.

When visiting the website listed in these logs below, the default nginx page was displayed. I tried checking the DNS records for the domain, but it's using Cloudflare. Now, since destroying and rebuilding the droplet, the website is down, so it looks like this site was definitely loading from my server. Does anyone have any insight as to what might have happened? Was it hacked? Or was this a reused IP or something? If hacked, how do I prevent this from happening again?

2021/05/05 08:54:50 [error] 49585#49585: *13 open() "/usr/local/nginx/html/breakingNews/newsDetails/12887/SEE-WHAT-FIRST-LADY-DID-TO-KUMUYI---PHOTOS" failed (2: No such file or directory), client: 162.158.159.133, server: localhost, request: "GET /breakingNews/newsDetails/12887/SEE-WHAT-FIRST-LADY-DID-TO-KUMUYI---PHOTOS HTTP/1.1", host: "ogbongefriends.com"
2021/05/05 08:59:10 [error] 49585#49585: *14 open() "/usr/local/nginx/html/userdata/news_media/SE0b5iQjWpCdz9y17IVs.jpg" failed (2: No such file or directory), client: 141.101.99.44, server: localhost, request: "GET /userdata/news_media/SE0b5iQjWpCdz9y17IVs.jpg HTTP/1.1", host: "www.ogbongefriends.com", referrer: "http://www.ogbongefriends.com/breakingNews/newsDetails/7648/NAKED-NIGERIAN-GIRLS-STORM-A-NIGHT-CLUB-IN-LAGOS-PHOTOS"
2021/05/05 09:14:25 [error] 49585#49585: *15 open() "/usr/local/nginx/html/breakingNews/newsDetails/13376/NINE-BLACK-AMERICANS-SHOT-BY-US-POLICE" failed (2: No such file or directory), client: 141.101.98.147, server: localhost, request: "GET /breakingNews/newsDetails/13376/NINE-BLACK-AMERICANS-SHOT-BY-US-POLICE HTTP/1.1", host: "ogbongefriends.com"
2021/05/05 09:27:15 [error] 49585#49585: *17 open() "/usr/local/nginx/html/userdata/news_media/gVCbr935Om2fnWo4zhLS.jpg" failed (2: No such file or directory), client: 141.101.99.238, server: localhost, request: "GET /userdata/news_media/gVCbr935Om2fnWo4zhLS.jpg HTTP/1.1", host: "www.ogbongefriends.com"
2021/05/05 09:29:25 [error] 49585#49585: *18 open() "/usr/local/nginx/html/config/getuser" failed (2: No such file or directory), client: 205.185.122.102, server: localhost, request: "GET /config/getuser?index=0 HTTP/1.1", host: "188.166.156.235:80"
dylzee
  • They seem like GET requests from outside. – choroba May 05 '21 at 10:57
  • Yes, but I've never seen random GET requests like this to a new machine, and during the first hour or so of setting up servers I spend a lot of time in these logs. – dylzee May 05 '21 at 11:33
  • @dylzee Hosting companies reuse IPs; it may just be that this IP was previously owned by what appears to be a news site of some kind. – ceejayoz May 05 '21 at 11:40
  • I was not aware they reuse IPs and I haven't encountered this before. I did move to a much busier zone than I normally do, though, and reusing IPs does make sense considering the shortage of them. Thanks for your input! – dylzee May 05 '21 at 13:07

1 Answer

Those are just random GET requests to your server, that NGINX dutifully tried to find from disk, naturally couldn't find, and as such couldn't serve, which generated the error. Basically what's happening is that either somebody before you had that specific IP and hosted that stuff, or it's just somebody firing random GET requests around the world for reasons that will forever be unclear.

TL;DR: Those are requests, so no indication of a compromised server, just Internet background noise. The Internet is a weird place.

Stuggi
  • Ok, but I've never seen this before on a new machine. AND it gets weirder, though. I just rebuilt the machine, did an apt update && apt upgrade and installed nginx from the repository, and the same thing happened again. That site (www.ogbongefriends.com) is currently loading from my server at /var/www/html, and I've edited the default nginx page heading. You can view it and check. Any idea wtf is going on? – dylzee May 05 '21 at 11:36
  • If I read the log entry correctly, it seems like they are either actually requesting that junk with the correct domain name, or you have something set up a bit weird in the NGINX config, so that it defaults to that domain. Not that it really matters; the easiest way to get rid of them is to configure your server to rate limit IPs that spam you with requests, which isn't a bad idea generally. Hiding behind Cloudflare (it's free after all) is also an option. – Stuggi May 05 '21 at 11:40
  • I just have a 100% default nginx server. The issue is that the website is loading from my server too. I guess once I remove the default from sites-enabled and set up my virtual hosts that will not be the case anymore. Anyway, I didn't think Digital Ocean reused IPs, which is why I'm totally confused, but I guess that's the case here. Had the requests not been for spammy stuff I probably wouldn't have been so alarmed. Thanks for your input. – dylzee May 05 '21 at 13:05
  • Practically every hosting service needs to re-use IP addresses. Depending on the previous sites, the traffic patterns can be different. Furthermore, if the previous site operator forgot to remove his DNS entry after dropping the server, you still get his old traffic. Also, Debian's default nginx configuration unfortunately shows content with default server, which then manifests like this. – Tero Kilkanen May 05 '21 at 14:46
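As an added example (not from the question or any of the answers), a small Python triage over the error-log entries quoted in the question: it groups requests by the Host header and separates requests that carry a foreign name (a previous tenant's domain still resolving to this IP, as the comments above describe) from requests aimed directly at the server's own IP. The only assumption is OWN_NAMES, the set of names this server is meant to answer for; the three sample entries are copied from the question.

```python
import re
from collections import defaultdict

# Constructed input: three error-log entries copied from the question above.
SAMPLE_LOG = [
    '2021/05/05 08:54:50 [error] 49585#49585: *13 open() "/usr/local/nginx/html/breakingNews/newsDetails/12887/SEE-WHAT-FIRST-LADY-DID-TO-KUMUYI---PHOTOS" failed (2: No such file or directory), client: 162.158.159.133, server: localhost, request: "GET /breakingNews/newsDetails/12887/SEE-WHAT-FIRST-LADY-DID-TO-KUMUYI---PHOTOS HTTP/1.1", host: "ogbongefriends.com"',
    '2021/05/05 08:59:10 [error] 49585#49585: *14 open() "/usr/local/nginx/html/userdata/news_media/SE0b5iQjWpCdz9y17IVs.jpg" failed (2: No such file or directory), client: 141.101.99.44, server: localhost, request: "GET /userdata/news_media/SE0b5iQjWpCdz9y17IVs.jpg HTTP/1.1", host: "www.ogbongefriends.com", referrer: "http://www.ogbongefriends.com/breakingNews/newsDetails/7648/NAKED-NIGERIAN-GIRLS-STORM-A-NIGHT-CLUB-IN-LAGOS-PHOTOS"',
    '2021/05/05 09:29:25 [error] 49585#49585: *18 open() "/usr/local/nginx/html/config/getuser" failed (2: No such file or directory), client: 205.185.122.102, server: localhost, request: "GET /config/getuser?index=0 HTTP/1.1", host: "188.166.156.235:80"',
]
# Assumption: names this server legitimately answers for. Here only its own IP
# (taken from the last entry); add any hostnames you have actually configured.
OWN_NAMES = {"188.166.156.235"}

# Fields of an nginx error-log "open() ... failed" entry as quoted above.
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] .*?'
    r'client: (?P<client>[\d.]+), server: (?P<server>\S+), '
    r'request: "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*", '
    r'.*?host: "(?P<host>[^"]+)"'
)

def parse_entry(line):
    """Return the fields of one error-log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    # Drop a trailing ":port" so "188.166.156.235:80" compares as the bare IP.
    entry["hostname"] = re.sub(r":\d+$", "", entry["host"])
    return entry

def triage(lines, own_names):
    """Group requests by Host header and mark whether each host is ours.
    A Host we never configured means a stale DNS name still points at this IP
    and the default server answered; a Host equal to our IP is a direct probe.
    """
    per_host = defaultdict(list)
    for line in lines:
        entry = parse_entry(line)
        if entry:
            per_host[entry["hostname"]].append(entry)
    return {
        host: {
            "ours": host in own_names,
            "requests": len(entries),
            "clients": sorted({e["client"] for e in entries}),
            "paths": [e["path"] for e in entries],
        }
        for host, entries in per_host.items()
    }
```

For a domain fronted by Cloudflare, the client addresses in these entries are the proxy's edge, not the visitor, so the Host header, not the client IP, is the field that tells you whose traffic this is.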