1

Topic: What is this nginx errors

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
1.7.1
downloadable
Ubuntu 22.04
Mariadb
Nginx
No Pro

I get a lot of error messages in the nginx error log.
What can this be?
root@mail:~# tail -f /var/log/nginx/error.log
2025/01/11 03:27:04 [error] 59341#59341: *1424 access forbidden by rule, client: 13.41.204.237, server: _, request: "GET /.git/config HTTP/1.1", host: "webmail.mxmail.se"
2025/01/11 03:42:01 [error] 59341#59341: *1434 open() "/var/www/html/admin/assets/js/views/login.js" failed (2: No such file or directory), client: 168.253.90.155, server: _, request: "GET /admin/assets/js/views/login.js HTTP/1.0", host: "0.0.0.0"
2025/01/11 03:46:19 [error] 59341#59341: *1436 open() "/var/www/html/cgi-bin/luci/;stok=/locale" failed (2: No such file or directory), client: 95.214.55.39, server: _, request: "GET /cgi-bin/luci/;stok=/locale HTTP/1.1", host: "156.67.80.139:80"
2025/01/11 04:04:26 [error] 59341#59341: *1437 open() "/var/www/html/admin/assets/js/views/login.js" failed (2: No such file or directory), client: 64.23.201.216, server: _, request: "GET /admin/assets/js/views/login.js HTTP/1.0", host: "0.0.0.0"
2025/01/11 04:53:51 [error] 59341#59341: *1447 open() "/var/www/html/cgi-bin/luci/;stok=/locale" failed (2: No such file or directory), client: 95.214.55.39, server: _, request: "GET /cgi-bin/luci/;stok=/locale HTTP/1.1", host: "156.67.80.139:80"
2025/01/11 05:01:18 [crit] 59341#59341: *1462 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 87.249.134.22, server: 0.0.0.0:443
2025/01/11 05:41:28 [error] 59341#59341: *1478 open() "/var/www/html/css/images/PTZOptics_powerby.png" failed (2: No such file or directory), client: 45.156.130.4, server: _, request: "GET /css/images/PTZOptics_powerby.png HTTP/1.1", host: "156.67.80.139"
2025/01/11 05:57:31 [error] 59341#59341: *1480 open() "/var/www/html/cgi-bin/luci/;stok=/locale" failed (2: No such file or directory), client: 95.214.55.39, server: _, request: "GET /cgi-bin/luci/;stok=/locale HTTP/1.1", host: "156.67.80.139:80"
2025/01/11 05:58:17 [error] 59341#59341: *1485 open() "/var/www/html/.env" failed (2: No such file or directory), client: 132.145.29.111, server: _, request: "GET /.env HTTP/1.1", host: "mail.mxmail.pro"
2025/01/11 05:58:17 [error] 59341#59341: *1489 open() "/var/www/html/.env" failed (2: No such file or directory), client: 132.145.29.111, server: _, request: "GET /.env HTTP/1.1", host: "webmail.mxmail.se"


2

Re: What is this nginx errors

That is a probe attack:

https://www.radware.com/blog/security/t … s-in-2020/

someone checks for vulnerabilities

3

Re: What is this nginx errors

OK, thanks. Seems they are after .env mostly. But they, and many others, are DENY ALL.

Cthulhu wrote:

That is a probe attack:

https://www.radware.com/blog/security/t … s-in-2020/

someone checks for vulnerabilities

4

Re: What is this nginx errors

Cthulhu wrote:

That is a probe attack:

https://www.radware.com/blog/security/t … s-in-2020/

someone checks for vulnerabilities

@Cthulhu Did not find anything like it on that webpage

5 (edited by Cthulhu 2025-01-12 12:41:49)

Re: What is this nginx errors

2025/01/11 04:04:26 [error] 59341#59341: *1437 open() "/var/www/html/admin/assets/js/views/login.js" failed (2: No such file or directory), client: 64.23.201.216, server: _, request: "GET /admin/assets/js/views/login.js HTTP/1.0", host: "0.0.0.0"

---->

Service Exploit #4: /admin/assets/js/views/login.js
1.56% of all web services hits.
Sangoma FreePBX - multiple vulnerabilities.

Sangoma FreePBX is a web-based open-source graphical user interface, GUI, that helps to install and configure an Asterisk-based (a voice over IP and telephony server) open-source phone system on a server or virtual environment. Starting in 2018, many requests for the resource /admin/assets/js/views/login.js were identified and captured in Radware’s Threat Deception Network. This resource belongs to Sangoma FreePBX code and it looks like the attackers are trying to detect vulnerable FreePBX servers and exploit one of the known vulnerabilities.

What is the risk? The compromised server can be used to steal user’s data, crypto mining, or any other malicious usage.

Attacker clearly checked for that exploit


https://www.greynoise.io/blog/active-ex … et-routers

---->

2025/01/11 03:46:19 [error] 59341#59341: *1436 open() "/var/www/html/cgi-bin/luci/;stok=/locale" failed (2: No such file or directory), client: 95.214.55.39, server: _, request: "GET /cgi-bin/luci/;stok=/locale HTTP/1.1", host: "156.67.80.139:80"


I could find you the exploit for literally everything that got checked there, but I don't feel like digging any deeper.

And you cannot avoid such stuff. I did a fail2ban filter especially for such exploits; that and keeping your system up to date is the only thing you can do.
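A small detector in the spirit of that fail2ban filter, added here as an example (it is not Cthulhu's filter or any iRedMail code): it parses nginx error.log lines of the shape posted in this thread, counts requests for the probed paths per client IP, and reports IPs that reach a maxretry-style threshold. The sample lines are taken from the thread; the probe-path list is an assumption drawn from the requests seen there.

```python
import re
from collections import Counter

# Shape of an nginx error.log line, as posted in the thread (request/host parts are optional).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: \*\d+ '
    r'(?P<msg>.*?), client: (?P<client>[0-9a-fA-F.:]+), server: (?P<server>\S+)'
    r'(?:, request: "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+")?'
    r'(?:, host: "(?P<host>[^"]*)")?$'
)

# Request paths the thread's log shows scanners probing for (assumed list, prefix match).
PROBE_PREFIXES = ("/.env", "/.git/", "/admin/assets/js/views/login.js", "/cgi-bin/luci/;stok=")

# Constructed sample: lines copied from the error.log excerpt in this thread.
SAMPLE_LOG = """\
2025/01/11 03:27:04 [error] 59341#59341: *1424 access forbidden by rule, client: 13.41.204.237, server: _, request: "GET /.git/config HTTP/1.1", host: "webmail.mxmail.se"
2025/01/11 03:42:01 [error] 59341#59341: *1434 open() "/var/www/html/admin/assets/js/views/login.js" failed (2: No such file or directory), client: 168.253.90.155, server: _, request: "GET /admin/assets/js/views/login.js HTTP/1.0", host: "0.0.0.0"
2025/01/11 03:46:19 [error] 59341#59341: *1436 open() "/var/www/html/cgi-bin/luci/;stok=/locale" failed (2: No such file or directory), client: 95.214.55.39, server: _, request: "GET /cgi-bin/luci/;stok=/locale HTTP/1.1", host: "156.67.80.139:80"
2025/01/11 05:01:18 [crit] 59341#59341: *1462 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 87.249.134.22, server: 0.0.0.0:443
2025/01/11 05:58:17 [error] 59341#59341: *1485 open() "/var/www/html/.env" failed (2: No such file or directory), client: 132.145.29.111, server: _, request: "GET /.env HTTP/1.1", host: "mail.mxmail.pro"
2025/01/11 05:58:17 [error] 59341#59341: *1489 open() "/var/www/html/.env" failed (2: No such file or directory), client: 132.145.29.111, server: _, request: "GET /.env HTTP/1.1", host: "webmail.mxmail.se"
"""

def parse_line(line):
    """Return the fields of one error.log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_probe(rec):
    """True when the logged request targets one of the known probe paths."""
    path = rec.get("path")
    return bool(path) and path.startswith(PROBE_PREFIXES)

def probe_hits(lines):
    """Count probe requests per client IP; lines without a request (e.g. TLS handshake failures) are ignored."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec):
            hits[rec["client"]] += 1
    return hits

def ban_candidates(lines, maxretry=2):
    """IPs with at least `maxretry` probe hits, the same idea as fail2ban's maxretry setting."""
    return sorted(ip for ip, n in probe_hits(lines).items() if n >= maxretry)
```

The "bad key share" handshake line is parsed but never counted as a probe, which matches the thread's point that it is a different kind of noise from the path scans.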

6

Re: What is this nginx errors

Well, for me this is the disturbing one. But after disabling TLS v1.3 it stopped, so I need to address that further.

2025/01/11 05:01:18 [crit] 59341#59341: *1462 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 87.249.134.22, server: 0.0.0.0:443


Cthulhu wrote:
2025/01/11 04:04:26 [error] 59341#59341: *1437 open() "/var/www/html/admin/assets/js/views/login.js" failed (2: No such file or directory), client: 64.23.201.216, server: _, request: "GET /admin/assets/js/views/login.js HTTP/1.0", host: "0.0.0.0"

---->

Service Exploit #4: /admin/assets/js/views/login.js
1.56% of all web services hits.
Sangoma FreePBX - multiple vulnerabilities.

Sangoma FreePBX is a web-based open-source graphical user interface, GUI, that helps to install and configure an Asterisk-based (a voice over IP and telephony server) open-source phone system on a server or virtual environment. Starting in 2018, many requests for the resource /admin/assets/js/views/login.js were identified and captured in Radware’s Threat Deception Network. This resource belongs to Sangoma FreePBX code and it looks like the attackers are trying to detect vulnerable FreePBX servers and exploit one of the known vulnerabilities.

What is the risk? The compromised server can be used to steal user’s data, crypto mining, or any other malicious usage.

Attacker clearly checked for that exploit


https://www.greynoise.io/blog/active-ex … et-routers

---->

2025/01/11 03:46:19 [error] 59341#59341: *1436 open() "/var/www/html/cgi-bin/luci/;stok=/locale" failed (2: No such file or directory), client: 95.214.55.39, server: _, request: "GET /cgi-bin/luci/;stok=/locale HTTP/1.1", host: "156.67.80.139:80"


I could find you the exploit for literally everything that got checked there, but I don't feel like digging any deeper.

And you cannot avoid such stuff. I did a fail2ban filter especially for such exploits; that and keeping your system up to date is the only thing you can do.

7

Re: What is this nginx errors

Disabling TLS 1.3 won't help you with this; it will cause other problems with legit clients and requests.