olipo186/Git-Auto-Deploy

hacker attempts on my servers

torian257x opened this issue · 2 comments

I am worried, because the raised exception actually looks like they can get in somehow.

Here is some of what I see in my log:

2017-10-07 22:25:44,016 [INFO ] 61.77.251.219 - code 403, message Web UI is not enabled
2017-10-07 22:25:44,017 [INFO ] 61.77.251.219 - "GET /system.ini?loginuse&loginpas HTTP/1.1" 403 -
2017-10-07 22:25:44,507 [INFO ] 61.77.251.219 - code 403, message Web UI is not enabled
2017-10-07 22:25:44,507 [INFO ] 61.77.251.219 - "GET /shell?cat%20/etc/passwd HTTP/1.1" 403 -
2017-10-09 17:10:33,274 [INFO ] 139.162.79.87 - code 403, message Web UI is not enabled
2017-10-09 17:10:33,302 [INFO ] 139.162.79.87 - "GET / HTTP/1.1" 403 -
2017-10-11 08:49:06,285 [INFO ] 149.202.175.3 - code 403, message Web UI is not enabled
2017-10-11 08:49:06,314 [INFO ] 149.202.175.3 - "GET /videostream.cgi?user=admin&pwd= HTTP/1.1" 403 -
2017-10-12 02:47:53,087 [INFO ] 139.162.79.87 - code 403, message Web UI is not enabled
2017-10-12 02:47:53,120 [INFO ] 139.162.79.87 - "GET / HTTP/1.1" 403 -
2017-10-13 18:45:23,466 [INFO ] 139.162.79.87 - code 403, message Web UI is not enabled
2017-10-13 18:45:23,492 [INFO ] 139.162.79.87 - "GET / HTTP/1.1" 403 -
2017-10-16 17:39:37,566 [INFO ] 139.162.79.87 - code 403, message Web UI is not enabled
2017-10-16 17:39:37,604 [INFO ] 139.162.79.87 - "GET / HTTP/1.1" 403 -
2017-10-18 21:52:21,087 [INFO ] 80.82.77.33 - code 403, message Web UI is not enabled
2017-10-18 21:52:21,173 [INFO ] 80.82.77.33 - "GET / HTTP/1.1" 403 -
2017-10-18 21:52:24,045 [INFO ] 80.82.77.33 - code 403, message Web UI is not enabled
2017-10-18 21:52:24,045 [INFO ] 80.82.77.33 - "GET /favicon.ico HTTP/1.1" 403 -
2017-10-18 21:56:47,239 [INFO ] 80.82.77.139 - code 403, message Web UI is not enabled
2017-10-18 21:56:47,240 [INFO ] 80.82.77.139 - "GET / HTTP/1.1" 403 -
2017-10-18 21:56:47,573 [INFO ] 80.82.77.139 - code 403, message Web UI is not enabled
2017-10-18 21:56:47,574 [INFO ] 80.82.77.139 - "GET /favicon.ico HTTP/1.1" 403 -
2017-10-19 08:45:47,697 [INFO ] 5.39.219.19 - code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/\xe0\x00\x00\x00\x00\x00Cookie:')
2017-10-19 08:45:47,715 [INFO ] 5.39.219.19 - "^C^@^@/
^@^@^@^@^@cookie: mstshash=Administr" 400 -
2017-10-19 12:49:43,894 [INFO ] 139.162.79.87 - code 403, message Web UI is not enabled
2017-10-19 12:49:43,895 [INFO ] 139.162.79.87 - "GET / HTTP/1.1" 403 -

and

2017-10-01 14:23:55,771 [INFO ] ----------------------------------------
2017-10-01 14:23:55,771 [INFO ]
2017-10-01 14:23:56,057 [INFO ] Incoming request from 24.69.116.185:47945
2017-10-01 14:23:56,058 [INFO ] ----------------------------------------
2017-10-01 14:23:56,058 [INFO ]
2017-10-01 14:23:56,058 [INFO ] Exception happened during processing of request from
2017-10-01 14:23:56,058 [INFO ]
2017-10-01 14:23:56,058 [INFO ] ('24.69.116.185', 47945)
2017-10-01 14:23:56,058 [INFO ]
2017-10-01 14:23:56,058 [ERROR] Traceback (most recent call last):
2017-10-01 14:23:56,058 [ERROR] File "/usr/lib/python2.7/SocketServer.py", line 295, in _handle_request_noblock
2017-10-01 14:23:56,058 [ERROR] self.process_request(request, client_address)
2017-10-01 14:23:56,059 [ERROR] File "/usr/lib/python2.7/SocketServer.py", line 321, in process_request
2017-10-01 14:23:56,059 [ERROR] self.finish_request(request, client_address)
2017-10-01 14:23:56,059 [ERROR] File "/usr/lib/python2.7/SocketServer.py", line 334, in finish_request
2017-10-01 14:23:56,059 [ERROR] self.RequestHandlerClass(request, client_address, self)
2017-10-01 14:23:56,059 [ERROR] File "/usr/lib/python2.7/dist-packages/gitautodeploy/httpserver.py", line 22, in __init__
2017-10-01 14:23:56,059 [ERROR] super(WebhookRequestHandler, self).__init__(*args, **kwargs)
2017-10-01 14:23:56,059 [ERROR] File "/usr/lib/python2.7/SocketServer.py", line 649, in __init__
2017-10-01 14:23:56,059 [ERROR] self.handle()
2017-10-01 14:23:56,059 [ERROR] File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
2017-10-01 14:23:56,060 [ERROR] self.handle_one_request()
2017-10-01 14:23:56,060 [ERROR] File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
2017-10-01 14:23:56,060 [ERROR] method()
2017-10-01 14:23:56,060 [ERROR] File "/usr/lib/python2.7/dist-packages/gitautodeploy/httpserver.py", line 116, in do_POST
2017-10-01 14:23:56,060 [ERROR] 'payload': json.loads(request_body),
2017-10-01 14:23:56,060 [ERROR] File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
2017-10-01 14:23:56,060 [ERROR] return _default_decoder.decode(s)
2017-10-01 14:23:56,060 [ERROR] File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
2017-10-01 14:23:56,060 [ERROR] obj, end = self.raw_decode(s, idx=_w(s, 0).end())
2017-10-01 14:23:56,061 [ERROR] File "/usr/lib/python2.7/json/decoder.py", line 384, in raw_decode
2017-10-01 14:23:56,061 [ERROR] raise ValueError("No JSON object could be decoded")
2017-10-01 14:23:56,061 [ERROR] ValueError: No JSON object could be decoded
2017-10-01 14:23:56,061 [INFO ] ----------------------------------------

I don't see anything in there that looks like anything more than bots trying random things – what makes you think they've gained access?
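One way to check a log like the one in the issue for anything other than rejected probes, as an added example that is not part of the original thread or of Git-Auto-Deploy: it parses the access-record format shown above, tags each request with labels of this example's own choosing, and lists every request that was not answered with a 4xx. The sample follows the issue's log format, and its final line (203.0.113.7, status 200) is constructed.

```python
import re
from urllib.parse import unquote

# One access record: timestamp, client IP, quoted request, status code.
# re.S lets the quoted request span a line break, as the RDP probe's does.
ACCESS = re.compile(
    r'^(\S+ \S+) \[\w+\s*\] (\S+) - "(.*?)" (\d{3}) -$', re.M | re.S)

# Labels are this example's own, keyed on substrings seen in the issue's log.
SIGNATURES = [
    ("mstshash=", "RDP client talking to an HTTP port"),
    ("/videostream.cgi", "IP-camera path probe"),
    ("/system.ini", "IP-camera path probe"),
    ("/shell?", "command-execution path probe"),
]

def parse(log_text):
    """Return one dict per access record; 'code ..., message ...' lines are skipped."""
    records = []
    for ts, ip, request, status in ACCESS.findall(log_text):
        decoded = unquote(request)
        label = next((name for needle, name in SIGNATURES if needle in decoded),
                     "generic scan")
        records.append({"time": ts, "ip": ip, "request": request,
                        "status": int(status), "label": label})
    return records

def not_rejected(records):
    """Records the server did not answer with a 4xx: the ones to investigate."""
    return [r for r in records if not 400 <= r["status"] < 500]

# Sample input in the issue's log format; the final 200 line is constructed.
SAMPLE = '''\
2017-10-07 22:25:44,016 [INFO ] 61.77.251.219 - code 403, message Web UI is not enabled
2017-10-07 22:25:44,017 [INFO ] 61.77.251.219 - "GET /system.ini?loginuse&loginpas HTTP/1.1" 403 -
2017-10-07 22:25:44,507 [INFO ] 61.77.251.219 - "GET /shell?cat%20/etc/passwd HTTP/1.1" 403 -
2017-10-19 08:45:47,715 [INFO ] 5.39.219.19 - "^C^@^@/
^@^@^@^@^@cookie: mstshash=Administr" 400 -
2017-10-19 12:49:43,895 [INFO ] 139.162.79.87 - "GET / HTTP/1.1" 403 -
2017-10-20 00:00:00,000 [INFO ] 203.0.113.7 - "GET / HTTP/1.1" 200 -
'''

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for r in recs:
        print(r["ip"], r["status"], r["label"])
    print("needs a closer look:", [(r["ip"], r["status"]) for r in not_rejected(recs)])
```
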

Disable password authentication on your servers and instead use authentication keys or certs. It's safer that way.