3

Alright, so I left my Node.js server alone for a while and came back to find some really interesting stuff in the logs. Apparently some moron from China or Poland tried to hack my server using directory traversal and what not, while it seems though he did not succeed I am unable understand few entries in the log. This is the output of a "hohup.out" file.

The attack starts, apparently he is trying to find out some console entry in my server. All of which fail and return a 404.

[90mGET /../../../../../../../../../../../ [31m500 [90m6ms - 2b[0m
[90mGET /<script>alert(53416)</script> [33m404 [90m7ms[0m
[90mGET / [32m200 [90m2ms - 240b[0m
[90mGET / [32m200 [90m1ms - 240b[0m
[90mGET / [32m200 [90m2ms - 240b[0m
[90mGET /pz3yvy3lyzgja41w2sp [33m404 [90m1ms[0m
[90mGET /stylesheets/style.css [33m404 [90m0ms[0m
[90mGET /index.html [33m404 [90m1ms[0m
[90mGET /index.htm [33m404 [90m0ms[0m
[90mGET /default.html [33m404 [90m0ms[0m
[90mGET /default.htm [33m404 [90m1ms[0m
[90mGET /default.asp [33m404 [90m1ms[0m
[90mGET /index.php [33m404 [90m0ms[0m
[90mGET /default.php [33m404 [90m1ms[0m
[90mGET /index.asp [33m404 [90m0ms[0m
[90mGET /index.cgi [33m404 [90m0ms[0m
[90mGET /index.jsp [33m404 [90m1ms[0m
[90mGET /index.php3 [33m404 [90m0ms[0m
[90mGET /index.pl [33m404 [90m0ms[0m
[90mGET /default.jsp [33m404 [90m0ms[0m
[90mGET /default.php3 [33m404 [90m0ms[0m
[90mGET /index.html.en [33m404 [90m0ms[0m
[90mGET /web.gif [33m404 [90m34ms[0m
[90mGET /header.html [33m404 [90m1ms[0m
[90mGET /homepage.nsf [33m404 [90m1ms[0m
[90mGET /homepage.htm [33m404 [90m1ms[0m
[90mGET /homepage.asp [33m404 [90m1ms[0m
[90mGET /home.htm [33m404 [90m0ms[0m
[90mGET /home.html [33m404 [90m1ms[0m
[90mGET /home.asp [33m404 [90m1ms[0m
[90mGET /login.asp [33m404 [90m0ms[0m
[90mGET /login.html [33m404 [90m0ms[0m
[90mGET /login.htm [33m404 [90m1ms[0m
[90mGET /login.php [33m404 [90m0ms[0m
[90mGET /index.cfm [33m404 [90m0ms[0m
[90mGET /main.php [33m404 [90m1ms[0m
[90mGET /main.asp [33m404 [90m1ms[0m
[90mGET /main.htm [33m404 [90m1ms[0m
[90mGET /main.html [33m404 [90m2ms[0m
[90mGET /Welcome.html [33m404 [90m1ms[0m
[90mGET /welcome.htm [33m404 [90m1ms[0m
[90mGET /start.htm [33m404 [90m1ms[0m
[90mGET /fleur.png [33m404 [90m0ms[0m
[90mGET /level/99/ [33m404 [90m1ms[0m
[90mGET /chl.css [33m404 [90m0ms[0m
[90mGET /images/ [33m404 [90m0ms[0m
[90mGET /robots.txt [33m404 [90m2ms[0m
[90mGET /hb1/presign.asp [33m404 [90m1ms[0m
[90mGET /NFuse/ASP/login.htm [33m404 [90m0ms[0m
[90mGET /CCMAdmin/main.asp [33m404 [90m1ms[0m
[90mGET /TiVoConnect?Command=QueryServer [33m404 [90m1ms[0m
[90mGET /admin/images/rn_logo.gif [33m404 [90m1ms[0m
[90mGET /vncviewer.jar [33m404 [90m1ms[0m
[90mGET / [32m200 [90m2ms - 240b[0m
[90mGET / [32m200 [90m2ms - 240b[0m
[90mGET / [32m200 [90m7ms - 240b[0m
[90mOPTIONS / [32m200 [90m1ms - 3b[0m
[90mTRACE / [33m404 [90m0ms[0m
[90mPROPFIND / [33m404 [90m0ms[0m
[90mGET /\./ [33m404 [90m1ms[0m

But here is when things start getting fishy.

[90mGET http://www.google.com/ [32m200 [90m2ms - 240b[0m
[90mGET http://www.google.com/ [32m200 [90m1ms - 240b[0m
[90mGET http://www.google.com/ [32m200 [90m1ms - 240b[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET http://www.google.com/ [32m200 [90m1ms - 240b[0m
[90mGET / [32m200 [90m2ms - 240b[0m
[90mGET / [32m200 [90m1ms - 240b[0m
[90mGET /robots.txt [33m404 [90m1ms[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET http://www.google.com/ [32m200 [90m1ms - 240b[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET /manager/html [33m404 [90m0ms[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET /manager/html [33m404 [90m3ms[0m
[90mGET /manager/html [33m404 [90m0ms[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET /manager/html [33m404 [90m0ms[0m
[90mGET http://www.google.com/ [32m200 [90m1ms - 240b[0m
[90mGET http://37.28.156.211/sprawdza.php [33m404 [90m1ms[0m
[90mGET http://www.google.com/ [32m200 [90m1ms - 240b[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET http://www.google.com/ [32m200 [90m2ms - 240b[0m
[90mHEAD / [32m200 [90m1ms - 240b[0m
[90mGET http://www.daydaydata.com/proxy.txt [33m404 [90m19ms[0m
[90mHEAD / [32m200 [90m1ms - 240b[0m
[90mGET /manager/html [33m404 [90m2ms[0m
[90mGET / [32m200 [90m4ms - 240b[0m
[90mGET http://www.google.pl/search?q=wp.pl [33m404 [90m1ms[0m
[90mGET /manager/html [33m404 [90m0ms[0m
[90mHEAD / [32m200 [90m2ms - 240b[0m
[90mGET http://www.google.pl/search?q=onet.pl [33m404 [90m1ms[0m
[90mHEAD / [32m200 [90m2ms - 240b[0m
[90mGET http://www.google.com/ [32m200 [90m1ms - 240b[0m
[90mGET http://www.google.pl/search?q=ostro%C5%82%C4%99ka [33m404 [90m1ms[0m
[90mGET http://www.google.pl/search?q=google [33m404 [90m1ms[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET http://www.google.com/ [32m200 [90m2ms - 240b[0m
[90mHEAD / [32m200 [90m2ms - 240b[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET /manager/html [33m404 [90m0ms[0m
[90mGET / [32m200 [90m2ms - 240b[0m
[90mGET http://www.baidu.com/ [32m200 [90m2ms - 240b[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mPOST /api/login [32m200 [90m1ms - 28b[0m
[90mGET /web-console/ServerInfo.jsp [33m404 [90m2ms[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET http://www.google.com/ [32m200 [90m10ms - 240b[0m
[90mGET http://www.google.com/ [32m200 [90m1ms - 240b[0m
[90mGET / [32m200 [90m2ms - 240b[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET http://proxyjudge.info [32m200 [90m2ms - 240b[0m
[90mGET / [32m200 [90m2ms - 240b[0m
[90mGET / [32m200 [90m1ms - 240b[0m
[90mGET http://www.google.com/ [32m200 [90m3ms - 240b[0m
[90mGET http://www.google.com/ [32m200 [90m3ms - 240b[0m
[90mGET http://www.baidu.com/ [32m200 [90m1ms - 240b[0m
[90mGET /manager/html [33m404 [90m0ms[0m
[90mGET /manager/html [33m404 [90m1ms[0m
[90mGET http://www.google.com/ [32m200 [90m2ms - 240b[0m
[90mHEAD / [32m200 [90m1ms - 240b[0m
[90mGET http://www.google.com/ [32m200 [90m1ms - 240b[0m
[90mGET http://www.google.com/search?tbo=d&source=hp&num=1&btnG=Search&q=niceman [33m404 [90m2ms[0m

So my questions are, how come my server is returning a "200" OK for root level domains? How did the hacker even manage to send a GET request to my server such that "http://www.google.com" shows up in the log while my server is simply an API that works on relative URLs such as "/api/login".

And, while I looked up the OPTIONS, TRACE and PROPFIND HTTP requests that my server has logged it would be great if someone could explain what exactly was the hacker trying to achieve by using these verbs?

Also what in the world does "[90m [32m [90m1ms - 240b[0m" mean? The "ms" makes sense, probably milliseconds for the request, rest I am unable to understand.

Thank you!

Abdullah Khan
  • 131
  • 1
  • 3
  • 2
    Those "[NNm" appear to be escape sequences, likely for terminal ANSI colors. I may be wrong though. – maik Jun 13 '14 at 16:07
  • I want to ask Kyle (or anyone) what can be done to stop these types of requests specifically on a node server? Seems like its not a good idea to have your server as a proxy for anyone who wants to use it.. – Jeff Ryan Oct 16 '15 at 18:06
  • @JeffRyan If your server is truly acting as a proxy, that needs to be fixed. There'll always be *attempts* to use servers as proxies, though, and there's not really anything you can do to prevent such automated scans entirely. You can use something like fail2ban to block IPs that request certain URLs - if you don't have `/phpmyadmin/` on your server it's probably fine to blacklist any visitor looking for it. – ceejayoz Oct 24 '18 at 13:29

1 Answers1

7

This looks like it might be just be an automated scan, so there is a lot in play here behind these. So I'm going to focus on your first question:

How did the hacker even manage to send a GET request to my server such that "http://www.google.com" shows up in the log while my server is simply an API that works on relative URLs such as "/api/login".

Web servers bind to things, and they do this at different network levels. They generally can bind to following:

  • At the IP layer, they can bind to specific IPs, or any IP. Any IP will usually show up with netstat as listening with something like *:80 or :80, which means, any IP. 1.2.3.4:80 would mean only IP 1.2.3.4
  • At the Transport layer which are specific ports such as TCP port 80, the ":80"
  • At "Hostnames" at the application layer (the web server code). It does this by inspecting the "Host" header in the HTTP packet.

Therefore, if you are not binding to a specific hostname, someone can you send you a request, set the HTTP host header to whatever they want, and your webserver will accept it. For example:

[kbrandt@grove: ~] ping google.com | head -n1
PING google.com (173.194.37.103): 56 data bytes
[kbrandt@grove: ~] curl -H 'Host: foo.com' 173.194.37.103
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
Kyle Brandt
  • 83,619
  • 74
  • 305
  • 448