Strange log on my EC2 machine. Hack attempt?

I have to admit that I am quite new to DevOps (and I was very happy that mupx made it so easy for me to get my app running on an EC2 instance!). Today I had a look at the server logs and was a bit puzzled when I saw entries like these:

Error: url must be a relative URL: http://dhg.pisz.pl/httptest.php
     at [object Object]._.extend.classify (packages/routepolicy/routepolicy.js:107:1)
     at IsAppUrl (packages/meteorhacks_fast-render/lib/server/utils.js:19:1)
     at [object Object].filterFunction (packages/meteorhacks_fast-render/lib/server/routes.js:6:1)
     at [object Object].PickerImp._dispatch (packages/meteorhacks_picker/packages/meteorhacks_picker.js:44:1)
     at processNextSubRouter (packages/meteorhacks_picker/packages/meteorhacks_picker.js:80:1)
     at processNextRoute (packages/meteorhacks_picker/packages/meteorhacks_picker.js:73:1)
     at processNextMiddleware (packages/meteorhacks_picker/packages/meteorhacks_picker.js:56:1)
     at [object Object].PickerImp._dispatch (packages/meteorhacks_picker/packages/meteorhacks_picker.js:50:1)
     at Object.Package [as handle] (packages/meteorhacks_picker/packages/meteorhacks_picker.js:140:1)
     at next (/bundle/bundle/programs/server/npm/webapp/node_modules/connect/lib/proto.js:190:15)

The URLs vary, but they are all coming from strange domains (mostly from Poland). Does anyone with more experience than me have an explanation of what might be happening here? To my noob eyes, it looks like a hacker / injection attempt.

BTW: Is there any guide / tutorial out there on how to “harden” a mupx/Ubuntu based Meteor set-up?

Definitely a hack attempt, but too bad they don’t realize you’re running a Node.js server. :wink:

You could edit your nginx config to block requests like these. I guess if it were me in your position, I’d make it so any requests that end in “.php” would be redirected to a website full of popup ads. :smiling_imp:


Probably just bots that try some often occurring exploits. Nothing to worry about.

That’s normal, we are also having such logs from bots that try to access /phpmyadmin or other typical urls from plugins or frameworks that maybe have a vulnerability.

If you’re using nginx, add this to your server block:

  # Begone, hackers!
  # urls ending in .php or .pl will be bounced elsewhere
  location ~* \.(php|pl)$ {
    rewrite .* http://google.com;
  }

You could, instead of rewrite, just do return 404;, or use return 301 url_here; to do HTTP 301 redirect. Lots of options.

And that raises the question: what’s the worst possible website you can redirect someone to? :wink:

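Before deciding whether to block or ignore these, it helps to see how many distinct sources and paths are involved. The Node.js script below is an added example (not from this thread, not Meteor or mupx code) that pulls the "url must be a relative URL" errors out of the server log and tallies them by host and path extension. Meteor's RoutePolicy throws that error when req.url does not begin with "/", which happens when the client puts an absolute URI in the HTTP request line, as PHP-scanning bots do; the sample log excerpt is constructed from the entry quoted above plus invented entries (the host example.invalid is a placeholder).

```javascript
// Added example: summarise RoutePolicy "relative URL" errors from a Meteor log.
// Uses only Node's built-in global URL class; no Meteor packages involved.

// Constructed sample log excerpt: first entry copied from the thread, the
// remaining URLs are invented for illustration (example.invalid is a placeholder).
const SAMPLE_LOG = [
  'Error: url must be a relative URL: http://dhg.pisz.pl/httptest.php',
  '     at [object Object]._.extend.classify (packages/routepolicy/routepolicy.js:107:1)',
  'Error: url must be a relative URL: http://example.invalid/phpmyadmin/index.php',
  'Error: url must be a relative URL: http://dhg.pisz.pl/cgi-bin/test.pl',
  'Some unrelated log line',
].join('\n');

// Matches the error line RoutePolicy emits and captures the offending URL.
const RELATIVE_URL_ERROR = /^Error: url must be a relative URL: (\S+)/;

// Extract every absolute URL the RoutePolicy error complained about.
function extractProbeUrls(logText) {
  const urls = [];
  for (const line of logText.split('\n')) {
    const m = RELATIVE_URL_ERROR.exec(line);
    if (m) urls.push(m[1]);
  }
  return urls;
}

// Summarise by host and by path extension. A few hosts hammering ".php" and
// ".pl" paths on a Node server is the signature of automated scanning, not a
// targeted attack on the app itself.
function summarizeProbes(urls) {
  const byHost = {};
  const byExtension = {};
  for (const raw of urls) {
    let u;
    try { u = new URL(raw); } catch (e) { continue; } // skip malformed entries
    byHost[u.hostname] = (byHost[u.hostname] || 0) + 1;
    const extMatch = u.pathname.match(/\.([a-z0-9]+)$/i);
    const ext = extMatch ? extMatch[1].toLowerCase() : 'none';
    byExtension[ext] = (byExtension[ext] || 0) + 1;
  }
  return { total: urls.length, byHost, byExtension };
}

const report = summarizeProbes(extractProbeUrls(SAMPLE_LOG));
console.log(JSON.stringify(report, null, 2));
```

Point it at your real log (for example by reading the file into SAMPLE_LOG's place) and the host/extension counts tell you whether an nginx rule like the one above is worth adding or whether this is just background noise.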

Thanks @all for your quick replies. Nice idea to redirect them to a funny website, maybe some honeypot :smile:

Can post the url here - but the word “eel soup” and first hit on Google. There is no coming back from that.

I wouldn’t mess with these guys, just block the requests and that’s it, don’t try to taichi or aikido it.

I had a friend who did something like this and next thing he knows, his sys admin asks him the next day, “uh… who did you piss off?”

He got DDOS’d.

Googled it. Thought about clicking on it. Decided not to.


Googled it. Thought about clicking on it. Decided not to.

Good, good choice. I still think you should know that it is about, well, eels, a funnel, bodily exits and two Japanese women trying to make the deep space program available for other organisms by launching them. Happy dreaming!
