Web server Access log - bot attacks?

I have been looking at my web server access logs for my Nextcloud vhost and find a repeated series of GETs from a variety of source IP addresses. None are sources known to me, or have any reason to access my server. All access attempts seem to know that they are probing a Nextcloud server, as will be clear from the logs. When I try the same URL as an attacker, but obviously not logged in, I see the server does indeed return some information, though I am not sure what it is or why it is of interest to the attacker.

This question came up here in 2018 - https://help.nextcloud.com/t/should-i-be-worried-access-log-findings/34098 but sadly there was no response to it.
My question is the same as with the original - I need help understanding what it is the attacker is seeking to do. The probes, as one expects from a scripted attack, take place within a second or so, so fail2ban is not an option, taking too long to respond.

Notice the attempts to access specific core files, as well as specific apps, including theming.

Nextcloud version 20.0.8
Operating system Debian 10
Apache 2.4.38-3+deb10u4
PHP version 7.3.27-1~deb10u1

Sample sanitised log: XXX.XXX.XXX.XXX is the source “attacker” IP, mynextcloud is my server.

XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:58 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:58 +0000] "GET /index.php/login HTTP/1.1" 200 3933 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:58 +0000] "GET /apps/files_rightclick/css/app.css?v=46c85d58-12 HTTP/1.1" 200 199 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:58 +0000] "GET /core/css/guest.css?v=53781f69-12 HTTP/1.1" 200 5525 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /core/js/dist/files_fileinfo.js?v=53781f69-12 HTTP/1.1" 200 8605 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /core/js/dist/files_client.js?v=53781f69-12 HTTP/1.1" 200 40997 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /apps/files_sharing/js/dist/main.js?v=53781f69-12 HTTP/1.1" 200 590 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /index.php/core/js/oc.js?v=53781f69 HTTP/1.1" 200 3911 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /index.php/apps/theming/styles?v=12 HTTP/1.1" 200 1233 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /index.php/js/core/merged-template-prepend.js?v=53781f69-12 HTTP/1.1" 200 2982 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /apps/files_pdfviewer/js/files_pdfviewer-public.js?v=53781f69-12 HTTP/1.1" 200 7603 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /apps/files_videoplayer/js/main.js?v=53781f69-12 HTTP/1.1" 200 2945 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /apps/files_rightclick/js/script.js?v=53781f69-12 HTTP/1.1" 200 3219 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /apps/files_rightclick/js/files.js?v=53781f69-12 HTTP/1.1" 200 1268 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /apps/theming/js/theming.js?v=53781f69-12 HTTP/1.1" 200 60 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /index.php/apps/theming/image/logo?v=12 HTTP/1.1" 200 12097 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /core/js/dist/main.js?v=53781f69-12 HTTP/1.1" 200 437680 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /index.php/apps/theming/image/logo?useSvg=1&v=12 HTTP/1.1" 200 12097 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /index.php/apps/accessibility/css/user-a82fd95db10ff25dfad39f07372ebe37 HTTP/1.1" 200 26899 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /core/js/dist/login.js?v=53781f69-12 HTTP/1.1" 200 244107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /core/img/actions/confirm-white.svg?v=2 HTTP/1.1" 200 405 "http://mynextcloud/core/css/guest.css?v=53781f69-12" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:39:00 +0000] "GET /core/img/loading-dark.gif HTTP/1.1" 200 4683 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:39:00 +0000] "GET /core/img/actions/toggle.svg HTTP/1.1" 200 308 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"

Any time you have a server exposed to the internet, it’s going to get scanned and peppered with random access attempts. This is completely normal.

What you want to look out for is any sign that user data has been accessed or that one of these attackers has authenticated as a user.


Thanks, Karl. I wasn’t sure whether there was method in the bot’s madness. Good to know it’s just opportunistic.

I don’t know what you mean with “taking too long to respond” but if your server is exposed to the Internet it is vital that you use “fail2ban” or a similar tool. It’s possible to configure “fail2ban” in such a way that it will ban each and every ip-address after the first attempt to intrude.

Clumsy wording on my part. The problem here is that those could be legit URLs the bad bot is trying to access, so creating a suitable fail2ban filter would be difficult or impossible anyway. I don’t believe fail2ban would be aware whether a client is logged in to Nextcloud or not.
The attack bot also seems to fire off multiple GETs at once, so while the IP may be banned by a suitably aggressive fail2ban filter, a number of responses will already have been received by the attacker. I was wondering whether the attacker could be gleaning any further attack information from those URLs or whether, as Karl noted, it’s just the joys of having an internet-facing server.
But yes I agree, a server without fail2ban is a scary place to be.

And definitely use NC’s TOTP plugin if you aren’t already.

Another thing that I do is I block all non-ARIN addresses except scan.nextcloud.com. I’ve found that drastically reduces the number of access attempts.


Thanks for the idea. I hadn’t bothered with TOTP on this instance, as there is one guest access to a TALK session, but of course, the two are not mutually exclusive. Now enabled with FreeOTP+.
Not sure what you mean about non-ARIN addresses - a new term to me. This instance needs to be internet accessible, and if I understand you correctly, blocking non-ARIN addresses will make it only accessible via private address spaces. That can’t be what you mean, so I am missing something.

Someone is just visiting your domain and is redirected to the login page that loads a lot of stuff. Not even a login attempt. It’s a bit like everybody looking at your new car is a car thief, now you need a cover for protection!

Just lock your car (use good passwords/authentication), close the windows (use “secure” configuration, keep everything updated) and if you are still afraid, put it in a garage (put it behind a VPN).

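The two replies above make the same point from different sides: the burst in the question is what any browser fetches when it lands on the login page, and the thing worth alerting on is an actual authentication or a successful read of user data. The script below is an added illustration of that triage, not code from this thread or from the Nextcloud project. It parses lines in the format quoted in the question, groups them by source IP, measures how tight each burst was, and labels each request as a page load, a login attempt, a successful data access or a denied probe. The sample log is constructed: four lines are copied from the question, three are made up (RFC 5737 documentation addresses) to show what a login POST, an authenticated WebDAV read and a rejected probe would look like; the list of data-serving path prefixes is an assumption about Nextcloud's routes, not taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the access-log layout quoted in the thread
# (source IP, vhost, user, timestamp, request, status, bytes, referer, agent).
# Lines 1-4 are copied from the question; lines 5-7 are constructed.
UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
      "HeadlessChrome/83.0.4103.97 Safari/537.36")
SAMPLE_LOG = "\n".join([
    f'XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:58 +0000] "GET / HTTP/1.1" 302 0 "-" "{UA}"',
    f'XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:58 +0000] "GET /index.php/login HTTP/1.1" 200 3933 "-" "{UA}"',
    f'XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:58 +0000] "GET /core/css/guest.css?v=53781f69-12 HTTP/1.1" 200 5525 "-" "{UA}"',
    f'XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET /core/js/dist/login.js?v=53781f69-12 HTTP/1.1" 200 244107 "-" "{UA}"',
    # constructed: a form submission to the login page (a real attempt, not a page load)
    f'203.0.113.7 mynextcloud - [16/Mar/2021:22:40:10 +0000] "POST /index.php/login HTTP/1.1" 303 0 "-" "{UA}"',
    # constructed: a WebDAV listing that succeeded, i.e. user data was reached
    f'203.0.113.7 mynextcloud - [16/Mar/2021:22:40:11 +0000] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.1" 207 1432 "-" "{UA}"',
    # constructed: the same probe rejected without credentials
    f'198.51.100.4 mynextcloud - [16/Mar/2021:22:41:02 +0000] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.1" 401 0 "-" "{UA}"',
])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed: path prefixes that only hand out user data to an accepted session,
# app password or share token. Adjust to the apps actually installed.
DATA_PREFIXES = ("/remote.php/", "/public.php/webdav", "/ocs/", "/index.php/apps/files/")


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(rec):
    """Label a request. The %u field stays '-' for Nextcloud sessions, so the
    access log never says directly whether a client is logged in; the signal is
    which endpoints answered with success."""
    path, status, method = rec["path"], rec["status"], rec["method"]
    if path.startswith("/index.php/login") and method == "POST":
        return "login_attempt"
    if path.startswith(DATA_PREFIXES):
        return "data_access" if 200 <= status < 300 else "probe_denied"
    return "page_load"  # the login page itself and the assets it pulls in


def summarize(log_text):
    """Per source IP: request count, burst duration, per-label counts and a
    'suspicious' flag that is set only when someone tried to authenticate or
    actually reached user data."""
    fresh = lambda: {"requests": 0, "first": None, "last": None, "page_load": 0,
                     "login_attempt": 0, "data_access": 0, "probe_denied": 0}
    per_ip = defaultdict(fresh)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])
        s[classify(rec)] += 1
    for s in per_ip.values():
        s["span_seconds"] = (s["last"] - s["first"]).total_seconds()
        s["suspicious"] = s["login_attempt"] > 0 or s["data_access"] > 0
    return dict(per_ip)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        verdict = "INVESTIGATE" if s["suspicious"] else "page load / denied probe"
        print(f"{ip}: {s['requests']} requests in {s['span_seconds']:.0f}s, "
              f"login={s['login_attempt']} data={s['data_access']} "
              f"denied={s['probe_denied']} -> {verdict}")
```

Run against a real log with `summarize(open('/var/log/apache2/access.log').read())`; the question's burst comes out as a handful of page-load requests inside one second with nothing to investigate, while a POST to the login form or a 2xx on a data-serving endpoint flips the flag. Failed logins themselves are better read from Nextcloud's own log, which records them with the remote address, than from the access log.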

Do you know, I didn’t think to check what landing on the login page would retrieve. But on checking, you are absolutely right - those URLs are all GET’ed when the home page is accessed, and there is nothing untoward that’s happening.
That’s the explanation I was after. Much appreciated.
Re the additional comments, I’m not afraid, thanks, but just needed to understand what was going on to mitigate against any possible bad trends.
