I did a stupid thing. I started a local Python server using sudo python3 -m http.server.
I was just gonna access some documents and turn it off, but I forgot about it and left it running for 2 days.
The server was running on a DigitalOcean instance without any private data. It does, however, contain various coding projects (not under version control), some ramblings that I at one point intended to turn into a blog, and some other stuff.
I suddenly remembered and signed in, and it looks like somebody at least attempted to hack in. I am hoping somebody here can help me understand what happened and what steps I should take next. Here is a slice of the output:
----------------------------------------
5.178.86.78 - - [10/Sep/2019 23:20:49] code 400, message Bad request syntax ('\x05\x01\x00')
5.178.86.78 - - [10/Sep/2019 23:20:49] "" 400 -
----------------------------------------
Exception happened during processing of request from ('5.178.86.78', 30322)
Traceback (most recent call last):
File "/usr/lib/python3.6/socketserver.py", line 317, in _handle_request_noblock
self.process_request(request, client_address)
File "/usr/lib/python3.6/socketserver.py", line 348, in process_request
self.finish_request(request, client_address)
File "/usr/lib/python3.6/socketserver.py", line 361, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python3.6/socketserver.py", line 721, in __init__
self.handle()
File "/usr/lib/python3.6/http/server.py", line 418, in handle
self.handle_one_request()
File "/usr/lib/python3.6/http/server.py", line 396, in handle_one_request
if not self.parse_request():
File "/usr/lib/python3.6/http/server.py", line 322, in parse_request
"Bad request syntax (%r)" % requestline)
File "/usr/lib/python3.6/http/server.py", line 473, in send_error
self.wfile.write(body)
File "/usr/lib/python3.6/socketserver.py", line 800, in write
self._sock.sendall(b)
BrokenPipeError: [Errno 32] Broken pipe
----------------------------------------
85.175.98.209 - - [11/Sep/2019 00:24:45] code 400, message Bad request version ('HTTP')
85.175.98.209 - - [11/Sep/2019 00:24:45] "GET ../../mnt/custom/ProductDefinition HTTP" 400 -
85.175.98.209 - - [11/Sep/2019 00:31:21] code 400, message Bad request version ('HTTP')
85.175.98.209 - - [11/Sep/2019 00:31:21] "GET ../../mnt/custom/ProductDefinition HTTP" 400 -
Here is another piece:
BrokenPipeError: [Errno 32] Broken pipe
----------------------------------------
115.238.34.19 - - [12/Sep/2019 00:42:46] code 501, message Unsupported method ('CONNECT')
115.238.34.19 - - [12/Sep/2019 00:42:46] "CONNECT www.baidu.com:443 HTTP/1.0" 501 -
182.101.56.29 - - [12/Sep/2019 01:00:48] code 404, message File not found
182.101.56.29 - - [12/Sep/2019 01:00:48] "HEAD http://123.125.114.144/ HTTP/1.1" 404 -
109.234.153.132 - - [12/Sep/2019 03:22:33] code 501, message Unsupported method ('POST')
109.234.153.132 - - [12/Sep/2019 03:22:33] "POST http://check.best-proxies.ru/azenv.php?s=156825855305657PC115286029608000 HTTP/1.1" 501 -
109.234.153.132 - - [12/Sep/2019 03:22:38] code 501, message Unsupported method ('CONNECT')
109.234.153.132 - - [12/Sep/2019 03:22:38] "CONNECT check.best-proxies.ru:80 HTTP/1.1" 501 -
109.234.153.133 - - [12/Sep/2019 03:22:49] code 400, message Bad request syntax ('\x04\x01\x00P\x05²VL0\x00')
109.234.153.133 - - [12/Sep/2019 03:22:49] "P²VL0" 400 -
----------------------------------------
Exception happened during processing of request from ('109.234.153.133', 37823)
Traceback (most recent call last):
File "/usr/lib/python3.6/socketserver.py", line 317, in _handle_request_noblock
self.process_request(request, client_address)
File "/usr/lib/python3.6/socketserver.py", line 348, in process_request
self.finish_request(request, client_address)
File "/usr/lib/python3.6/socketserver.py", line 361, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python3.6/socketserver.py", line 721, in __init__
self.handle()
File "/usr/lib/python3.6/http/server.py", line 418, in handle
self.handle_one_request()
File "/usr/lib/python3.6/http/server.py", line 396, in handle_one_request
if not self.parse_request():
File "/usr/lib/python3.6/http/server.py", line 322, in parse_request
"Bad request syntax (%r)" % requestline)
File "/usr/lib/python3.6/http/server.py", line 473, in send_error
self.wfile.write(body)
File "/usr/lib/python3.6/socketserver.py", line 800, in write
self._sock.sendall(b)
BrokenPipeError: [Errno 32] Broken pipe
----------------------------------------
109.234.153.131 - - [12/Sep/2019 03:22:54] code 400, message Bad request syntax ('\x05\x01\x00')
109.234.153.131 - - [12/Sep/2019 03:22:54] "" 400 -
----------------------------------------
Exception happened during processing of request from ('109.234.153.131', 18665)
There are a couple of error messages afterwards from what seems like somebody attempting to post binaries:
5.178.86.76 - - [10/Sep/2019 23:20:44] code 400, message Bad request syntax ('\x04\x01\x00P\x05²VL0\x00')
...
5.178.86.78 - - [10/Sep/2019 23:20:49] code 400, message Bad request syntax ('\x05\x01\x00')
Both end with exceptions.
One thing I find really impressive is that the server was accessed 5 minutes after it came online by a third party.
The attacks all occur between 23:00 and 10:00 every day.
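As an added example (not part of the post or any reply), here is a small Python classifier for the kind of http.server stderr lines quoted above: it turns the escaped request line back into bytes and labels SOCKS5 greetings ('\x05\x01\x00'), SOCKS4 CONNECT requests (the '\x04\x01\x00P...' lines, whose DSTPORT/DSTIP fields decode to the scanner's own address, i.e. an open-proxy check), HTTP CONNECT and absolute-URI proxy probes, and ../ traversal attempts. The sample log is constructed from the post's format, and the function names are my own.

```python
import ast
import re

# Constructed sample lines in the format python3 -m http.server writes to stderr.
SAMPLE_LOG = r"""
5.178.86.78 - - [10/Sep/2019 23:20:49] code 400, message Bad request syntax ('\x05\x01\x00')
85.175.98.209 - - [11/Sep/2019 00:24:45] "GET ../../mnt/custom/ProductDefinition HTTP" 400 -
115.238.34.19 - - [12/Sep/2019 00:42:46] "CONNECT www.baidu.com:443 HTTP/1.0" 501 -
182.101.56.29 - - [12/Sep/2019 01:00:48] "HEAD http://123.125.114.144/ HTTP/1.1" 404 -
109.234.153.133 - - [12/Sep/2019 03:22:49] code 400, message Bad request syntax ('\x04\x01\x00P\x05²VL0\x00')
"""
CODE_LINE = re.compile(r"^(\S+) - - \[[^\]]+\] code \d+, message Bad request syntax \((.*)\)$")
REQ_LINE = re.compile(r'^(\S+) - - \[[^\]]+\] "(.+)" \d+ -$')

def classify_raw(raw: bytes) -> str:
    """Label a non-HTTP request line by its leading bytes (SOCKS probes are common)."""
    if raw[:1] == b"\x05":                        # SOCKS5 greeting: VER=5, NMETHODS, METHODS
        return "socks5-greeting-probe"
    if raw[:2] == b"\x04\x01" and len(raw) >= 8:  # SOCKS4 CONNECT: VER, CMD, DSTPORT, DSTIP
        port = int.from_bytes(raw[2:4], "big")
        dst = ".".join(str(b) for b in raw[4:8])
        return f"socks4-connect-probe dst={dst}:{port}"
    return "unknown-binary"

def classify_request(request: str) -> str:
    parts = request.split()
    if len(parts) < 2:
        return "malformed"
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        return "proxy-connect-probe"
    if target.startswith(("http://", "https://")):
        return "open-proxy-probe"                 # absolute-URI target asks us to relay it
    if "../" in target:
        return "path-traversal-attempt"
    return "plain-request"

def analyze(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        m = CODE_LINE.match(line)
        if m:
            # The log holds repr(requestline); http.server decoded the bytes as
            # iso-8859-1, so literal_eval + latin-1 recovers them exactly.
            raw = ast.literal_eval(m.group(2)).encode("latin-1")
            findings.append((m.group(1), classify_raw(raw)))
            continue
        m = REQ_LINE.match(line)
        if m:
            findings.append((m.group(1), classify_request(m.group(2))))
    return findings
```

Running analyze(SAMPLE_LOG) gives one (ip, label) pair per line, so the traffic in the post reads as open-proxy scanning rather than anything aimed at the files the server was exposing.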