• Resolved newwper3

    (@newwper3)


    Hi,

    Does it mean the attack was from my server?
    Because I saw the IP is my server IP.

    127.0.0.1 GET /index.php - Apache Struts2 remote code execution CVE-2017-5638 - [SERVER:CONTENT_TYPE = %{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.co...] - xxx.xxx.xxx (my server ip)

    Is my website safe?
    Thanks

    • This topic was modified 7 years, 3 months ago by newwper3.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Your site is safe, but 127.0.0.1 is the localhost IP. Do you see it anywhere else in the firewall log, or is there only this occurrence? Is there any warning in the firewall “Overview” page about your IP?

    Thread Starter newwper3

    (@newwper3)

    Hi,

    I also found these:
    127.0.0.1 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = User-Agent:Mozilla/4.0
    09/Dec/17 02:27:07 127.0.0.1 GET /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; [email protected])]
    10/Dec/17 04:10:45 127.0.0.1 GET /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0/cc-prepass-https; [email protected])]
    15/Dec/17 00:14:56 127.0.0.1 GET /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0/cc-prepass-https; [email protected])]

    I put the .htninja in /home/user/public_html/.htninja, because my hosting does not allow me to put it into /home/user/.htninja. I guess it may be caused by Cloudflare, CleanTalk spam firewall or Varnish.

    The most important thing is that the website is safe, haha

    Thanks :)

    Plugin Author nintechnet

    (@nintechnet)

    There’s something wrong with your configuration and/or the .htninja.
    You can click on “About…” and then on the “System Info” button. It will show you which IP (REMOTE_ADDR) is detected by NinjaFirewall.
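
The thread turns on REMOTE_ADDR being logged as 127.0.0.1 on a site that may sit behind Cloudflare or Varnish. The PHP below is an added example, not NinjaFirewall's code and not part of any reply: it shows one way to recover the client address from `X-Forwarded-For` only when the connecting peer is a known proxy. `TRUSTED_PROXIES`, the function names and every address are assumptions, and it is assumed that `.htninja` is a PHP file loaded before the firewall reads REMOTE_ADDR.

```php
<?php
// Added example; names and addresses are assumptions, not NinjaFirewall code.
// Peers allowed to supply forwarding headers. Loopback stands for a local
// proxy such as Varnish; 203.0.113.0/24 is a documentation range used as a
// placeholder for the edge ranges your CDN publishes.
const TRUSTED_PROXIES = ['127.0.0.1/32', '::1/128', '203.0.113.0/24'];

function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $a = @inet_pton($ip);
    $b = @inet_pton($net);
    if ($a === false || $b === false || strlen($a) !== strlen($b)) {
        return false; // invalid address, or IPv4 compared with IPv6
    }
    $bits = (int) $bits;
    $full = intdiv($bits, 8); // whole bytes covered by the prefix
    $rest = $bits % 8;        // remaining bits in the next byte
    if (strncmp($a, $b, $full) !== 0) return false;
    if ($rest === 0) return true;
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($a[$full]) & $mask) === (ord($b[$full]) & $mask);
}

function is_trusted_proxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

function resolve_client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!is_trusted_proxy($peer)) return $peer; // direct hit: ignore headers
    // Walk the chain right to left: the first hop that is not one of our
    // proxies is the address the outermost trusted proxy actually saw.
    $chain = explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '');
    foreach (array_reverse(array_map('trim', $chain)) as $hop) {
        if (!filter_var($hop, FILTER_VALIDATE_IP)) break; // malformed chain
        if (!is_trusted_proxy($hop)) return $hop;
    }
    return $peer; // nothing usable: keep the proxy address
}

// Constructed request: the leftmost entry was supplied by the client itself.
$sample = ['REMOTE_ADDR' => '127.0.0.1',
           'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 198.51.100.7, 203.0.113.10'];
echo resolve_client_ip($sample), "\n";
```

In `.htninja` the result would be assigned with `$_SERVER['REMOTE_ADDR'] = resolve_client_ip($_SERVER);`, after which the "System Info" page mentioned above is the place to confirm which address is detected.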

  • The topic ‘Apache Struts2 remote code execution’ is closed to new replies.