Snort Alert: JSP webshell backdoor detected

warriorcookie · November 28, 2018, 12:06am

I noticed a number of Snort alerts in my firewall logs the other day pointing to the IP for my Nextcloud server.

-Nextcloud 14.0.4 running in a iocage VM. It’s externally accessible to the www and has a domain registered to the IP. Security scan came back with A+, no vulnerabilities found.

A couple of the most concerning examples:

-Nov 26 14:24:35 123.207.84.50:50422 --> 192.168.***.***:80 MALWARE-BACKDOOR JSP webshell backdoor detected
whois query points to Tencent Cloud Computing (Beijing) Co. Ltd

-Nov 21 00:54:42 61.184.72.61:64373 --> 192.168.***.***:80 SERVER-APACHE Apache Struts remote code execution
whois query points to ChinaNet Hubei Province Network

There’s quite a few other alerts for SSLv3 DDOS attacks and webapp attacks for various IP cameras pointing to the nextcloud server which is probably just bots poking around to see what hits. But remote code execution and trojan backdoor alerts make me worried. Are these strictly outside in attacks or does this indicate there’s malicous code running on my server? Is there a way to test my nextcloud instance to make sure all is well?

warriorcookie · December 14, 2018, 12:49am

Anybody have any suggestions? I’m still seeing this alot.

tflidd · December 14, 2018, 8:00am

Hard to say like this. You see that they try to access port 80, on your Folder for your http virtual host, are there any strange files? What do the apache logs tell you, anyone with successful (no error code) access via http?

Perhaps they just scan your ip range to find vulnerable systems. In that case, it’s just the usual background noise. What you can do is to check on your system if you see any unusual processes (that possible create traffic), perhaps scan from a different device the open ports on your system and close those that are not used. Chrootkit or rkhunter can help you on to find possible rootkits on your system.

alfred · December 15, 2018, 1:22pm

Well, do you run either Apache Struts or Tomcat on the same server? If yes, are they updated to the latest version? Do you run SSLv3 on this server?

Maybe you could scan your server with Qualys SSL scanner (https://www.ssllabs.com/ssltest/) and the Mozilla Observatory (https://observatory.mozilla.org/) to see how good your configuration is.