Noah Luskey

Logs and Bitcoins - Fri, Jun 28, 2019

Do you ever check your webserver logs? Me neither. Sometimes they’re interesting.

Background

I was going through my nginx logs for no real reason. There are plenty of web crawlers, no surprise there.

XXX.YYY.ZZZ.28 - - [29/Jun/2019:15:23:59 +0000] "GET /robots.txt HTTP/1.1" 404 152 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

XXX.YYY.ZZZ.70 - - [29/Jun/2019:12:56:57 +0000] "GET /robots.txt HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

But I also noticed a lot of failed requests to folders that don’t exist.

xxx.yyy.zzz.012 - - [29/Jun/2019:12:08:01 +0000] "GET /admin/ HTTP/1.1" 301 194 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
xxx.yyy.zzz.012 - - [29/Jun/2019:12:08:09 +0000] "GET /admin/ HTTP/1.1" 404 152 "http://NOAHLUSKEY.COM/admin/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
xxx.yyy.zzz.012 - - [29/Jun/2019:12:08:10 +0000] "GET /downloader/ HTTP/1.1" 301 194 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
xxx.yyy.zzz.012 - - [29/Jun/2019:12:08:10 +0000] "GET /downloader/ HTTP/1.1" 404 152 "http://NOAHLUSKEY.COM/downloader/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
xxx.yyy.zzz.012 - - [29/Jun/2019:12:08:13 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 301 194 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
xxx.yyy.zzz.012 - - [29/Jun/2019:12:08:15 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 404 152 "http://NOAHLUSKEY.COM/rss/catalog/notifystock/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
xxx.yyy.zzz.012 - - [29/Jun/2019:12:08:18 +0000] "GET /rss/order/new/ HTTP/1.1" 301 194 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
xxx.yyy.zzz.012 - - [29/Jun/2019:12:08:19 +0000] "GET /rss/order/new/ HTTP/1.1" 404 152 "http://NOAHLUSKEY.COM/rss/order/new/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

Okay, looks like somebody is trying to find an admin page. That’s also not that weird, but it got me curious. Then I started noticing some other requests to files that don’t exist.

aaa.bbb.ccc.231 - - [29/Jun/2019:08:09:45 +0000] "HEAD /.ssh/id_rsa HTTP/1.0" 301 0 "-" "-"
aaa.bbb.ccc.231 - - [29/Jun/2019:10:46:31 +0000] "HEAD /.ssh/id_dsa HTTP/1.0" 301 0 "-" "-"
aaa.bbb.ccc.231 - - [29/Jun/2019:12:48:20 +0000] "HEAD /.ssh/id_ecdsa HTTP/1.0" 301 0 "-" "-"

And look at these!

eee.fff.ggg.42 - - [29/Jun/2019:16:29:27 +0000] "GET /wallet.dat HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
eee.fff.ggg.42 - - [29/Jun/2019:16:29:27 +0000] "GET /node/wallet.dat HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
eee.fff.ggg.42 - - [29/Jun/2019:16:29:28 +0000] "GET /wallet/wallet.dat HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
eee.fff.ggg.42 - - [29/Jun/2019:16:29:29 +0000] "GET /coin/wallet.dat HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
eee.fff.ggg.42 - - [29/Jun/2019:16:29:29 +0000] "GET /bitcoin/wallet.dat HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
eee.fff.ggg.42 - - [29/Jun/2019:16:29:30 +0000] "GET /btc/wallet.dat HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
eee.fff.ggg.42 - - [29/Jun/2019:16:29:31 +0000] "GET /core/wallet.dat HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
eee.fff.ggg.42 - - [29/Jun/2019:16:29:31 +0000] "GET /crypto/wallet.dat HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
eee.fff.ggg.42 - - [29/Jun/2019:16:29:32 +0000] "GET /backup/wallet.dat HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
eee.fff.ggg.42 - - [29/Jun/2019:16:29:33 +0000] "GET /hidden/wallet.dat HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"

What’s going on

A few things, if it’s not obvious just from reading the logs above.

  1. The first set of logs, accessing /rss/order/new/, is apparently some attack on Magento [1]. Well, I don’t have Magento so I don’t care.

  2. Somebody is trying to steal my private ssh keys (~/.ssh/id_rsa and others). This will only work if the nginx root is set as my home folder.

  3. Somebody is trying to steal my bitcoin wallet. This also will only work if the nginx root is set as my home folder. Also, it will only work if I actually had a bitcoin wallet. Weak hands and whatnot.
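The three patterns above (dotfile and SSH key probes, wallet.dat hunting, Magento admin paths) are easy to pick out of the combined log format automatically. The following Python script is an added example, not code from the post: it parses combined-format lines, classifies the request path against those patterns, and counts hits per client IP. The sample lines and the RFC 5737 addresses in it are constructed to mirror the shapes quoted above.

```python
import re
from collections import defaultdict

# nginx "combined" log format, the same shape as the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Probe categories seen in the post, checked in order (ssh-key before the
# generic dotfile rule so ~/.ssh/id_* is reported specifically).
SENSITIVE = [
    ("ssh-key", re.compile(r"/\.ssh/id_[a-z0-9]+$")),
    ("dotfile", re.compile(r"/\.(?!well-known/)[^/]+")),  # .well-known is legitimate
    ("wallet", re.compile(r"/wallet\.dat$")),
    ("admin-probe", re.compile(r"^/(admin|downloader|rss/order/new|rss/catalog/notifystock)/?$")),
]

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(path):
    """Return the first matching probe category for a request path, or None."""
    for name, pat in SENSITIVE:
        if pat.search(path):
            return name
    return None

def scan(lines):
    """Group flagged requests by client IP: {ip: {category: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # malformed or truncated line, skip it
            continue
        cat = classify(rec["path"])
        if cat:
            hits[rec["ip"]][cat] += 1
    return {ip: dict(cats) for ip, cats in hits.items()}

# Constructed sample lines (not real traffic) in the same shape as the post's logs.
SAMPLE = """\
203.0.113.28 - - [29/Jun/2019:15:23:59 +0000] "GET /robots.txt HTTP/1.1" 404 152 "-" "Mozilla/5.0 (compatible; bingbot/2.0)"
198.51.100.231 - - [29/Jun/2019:08:09:45 +0000] "HEAD /.ssh/id_rsa HTTP/1.0" 301 0 "-" "-"
198.51.100.231 - - [29/Jun/2019:10:46:31 +0000] "HEAD /.ssh/id_dsa HTTP/1.0" 301 0 "-" "-"
192.0.2.42 - - [29/Jun/2019:16:29:27 +0000] "GET /wallet.dat HTTP/1.1" 404 152 "-" "Mozilla/5.0"
192.0.2.42 - - [29/Jun/2019:16:29:29 +0000] "GET /bitcoin/wallet.dat HTTP/1.1" 404 152 "-" "Mozilla/5.0"
192.0.2.12 - - [29/Jun/2019:12:08:18 +0000] "GET /rss/order/new/ HTTP/1.1" 301 194 "-" "Mozilla/5.0"
not a log line at all
""".splitlines()

if __name__ == "__main__":
    for ip, cats in scan(SAMPLE).items():
        print(ip, cats)
```

Point it at a real access.log by replacing SAMPLE with the file's lines; a 200 status on any of these categories is the line worth worrying about, since the 301/404 responses above show nothing was actually served.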

The Lesson

Don’t set your home folder as your webserver folder

That should be obvious, but there’s the evidence, just in case you needed extra convincing.

Cheers.


  1. https://support.hypernode.com/knowledgebase/how-to-protect-your-magento-store-against-brute-force/



© Noah Luskey 2020
