Possible server attacks


Miracle

May 3, 2020, 4:43:54 PM
to django...@googlegroups.com
Hello django developers,

I might be experiencing a possible attack on my web server, but I am not sure yet.
Below is the email I got from my django.
I've gotten over 50 similar emails over the past 3 days.

Please, help me with this.


Invalid HTTP_HOST header: '35.192.28.182'. You may need to add '35.192.28.182' to ALLOWED_HOSTS.

Report at /SQlite/main.php

Invalid HTTP_HOST header: '35.192.28.182'. You may need to add '35.192.28.182' to ALLOWED_HOSTS.

Request Method: GET
Request URL: https://35.192.28.182/SQlite/main.php

Django Version: 2.2.8
Python Executable: /home/hello/wsp/env/bin/python3
Python Version: 3.6.9
Python Path: ['/home/hello/wsp', '/home/hello/wsp/env/bin', '/usr/lib/python36.zip', '/usr/lib/python3.6', '/usr/lib/python3.6/lib-dynload', '/home/hello/wsp/env/lib/python3.6/site-packages']
Server time: Sun, 3 May 2020 19:22:55 +0000
HTTP_ACCEPT = 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
HTTP_ACCEPT_ENCODING = 'gzip, deflate, br'
HTTP_ACCEPT_LANGUAGE = 'en-GB,en-US;q=0.9,en;q=0.8,ig;q=0.7'
HTTP_CONNECTION = 'close'
HTTP_COOKIE = 'csrftoken=mX6nNccvMIycyGeE4tF0hciqwfsccdaK8X8ZDt8YgimJeQYTjQFjxfB4YGNCZ9Ik; sessionid=mbmg0dvoz2tebman7ereia9eue59wto7'
HTTP_HOST = '35.192.28.182'
HTTP_SAVE_DATA = 'on'

HTTP_SEC_FETCH_DEST = 'document'
HTTP_SEC_FETCH_MODE = 'navigate'
HTTP_SEC_FETCH_SITE = 'none'
HTTP_UPGRADE_INSECURE_REQUESTS = '1'
HTTP_USER_AGENT = 'Mozilla/5.0 (Linux; Android 9; SM-A307FN) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.117 Mobile Safari/537.36'
HTTP_X_FORWARDED_FOR = '197.211.61.210'
HTTP_X_FORWARDED_PROTO = 'https'
HTTP_X_REAL_IP = '197.211.61.210'
PATH_INFO = '/SQlite/main.php'
QUERY_STRING = ''
RAW_URI = '/SQlite/main.php'
REMOTE_ADDR = ''
REQUEST_METHOD = 'GET'
SCRIPT_NAME = ''
SERVER_NAME = '35.192.28.182'
SERVER_PORT = '443'
SERVER_PROTOCOL = 'HTTP/1.0'
SERVER_SOFTWARE = 'gunicorn/20.0.4'
gunicorn.socket = <socket.socket fd=9, family=AddressFamily.AF_UNIX, type=SocketKind.SOCK_STREAM, proto=0, laddr=/home/hello/wsp/app.sock>
wsgi.errors = <gunicorn.http.wsgi.WSGIErrorsWrapper object at 0x7f20fa4288d0>
wsgi.file_wrapper = ''
wsgi.input = <gunicorn.http.body.Body object at 0x7f20fa4280f0>

Kind regards,

Miracle

Motaz Hejaze

May 3, 2020, 5:24:11 PM
to Django users
What is the script main.php ???


Miracle

May 3, 2020, 5:31:15 PM
to django...@googlegroups.com
I don't know honestly.

I got those error messages because I included my email and username in settings.py like this 

ADMINS = ['username', 'collin...@gmail.com']

Miracle

May 3, 2020, 5:31:54 PM
to django...@googlegroups.com
I think the possible attacker thinks I am using PHP

Motaz Hejaze

May 3, 2020, 6:03:09 PM
to Django users
I think you have a script somewhere that calls this ip and main.php on that server ..

Do you add any third party addons both on frontend and backend ??


Miracle

May 3, 2020, 6:51:46 PM
to django...@googlegroups.com
I do not know of any script like that.
At least, I didn't write any.

I get these calls on the following paths:

/sqlite/main.php,
/robots.txt,
/,
/owa/auth/logon.aspx,
/cgi-bin/config.exp,
/HNAP1/,
/hudson/script,
/script,
/sqlitemanager/main.php,
/SQLiteManager/main.php,
/SQLite/main.php,
/main.php,
/test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/main.php,


Please, what could be the problem?





Ahmed Ishtiaque

May 3, 2020, 7:25:13 PM
to django...@googlegroups.com
Observe how your server responds to these requests. Sometimes these requests are sent by attackers hoping that your server might respond with sensitive data that it shouldn't be sending. Generally, ensuring that invalid requests end up with your server sending error responses and not actual sensitive data that your database has is all you need to do. 

Hope this helps.

Motaz Hejaze

May 3, 2020, 8:27:01 PM
to Django users
Check the log file: what are the acts that invoke the call to those links????
Example: logging in? Uploading an image? Any act.

Also try to check if there is a malicious script installed on your server,

take a piece from the text above and search for it...

Example:

grep -lR "/sqlitemanager/main.php" /home

Replace /home with the location of your files, and replace the string with anything from the error message above.
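Added example (not code from anyone in this thread): a small triage script that takes the pasted DisallowedHost reports, separates bare-IP Host headers (untargeted scanning of the server's IP, as in the reports above) from real hostnames that might be missing from ALLOWED_HOSTS, and returns a settings.py LOGGING fragment that sends the django.security.DisallowedHost logger to a file instead of the default mail_admins handler. The sample reports are constructed, and the log file path is an assumption.

```python
import re
from collections import Counter

# Constructed sample shaped like the report e-mails quoted above
# (the "Report at <path>" subject followed by the DisallowedHost message).
SAMPLE_REPORTS = """
Report at /SQlite/main.php
Invalid HTTP_HOST header: '35.192.28.182'. You may need to add '35.192.28.182' to ALLOWED_HOSTS.
Report at /owa/auth/logon.aspx
Invalid HTTP_HOST header: '35.192.28.182'. You may need to add '35.192.28.182' to ALLOWED_HOSTS.
Report at /HNAP1/
Invalid HTTP_HOST header: '35.192.28.182'. You may need to add '35.192.28.182' to ALLOWED_HOSTS.
Report at /
Invalid HTTP_HOST header: 'shop.example.com'. You may need to add 'shop.example.com' to ALLOWED_HOSTS.
"""

REPORT_RE = re.compile(r"Report at (?P<path>\S+)\nInvalid HTTP_HOST header: '(?P<host>[^']+)'")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_reports(text):
    """Return one {'path': ..., 'host': ...} dict per report found in the pasted text."""
    return [m.groupdict() for m in REPORT_RE.finditer(text)]


def triage(text):
    """A bare IP in the Host header means the client never used our domain at all
    (untargeted scanning, safe to ignore); a real hostname is either a site we own
    that is missing from ALLOWED_HOSTS or a misdirected vhost, so it needs a look."""
    summary = {"total": 0, "by_path": Counter(), "scanner_noise": 0, "review_hosts": set()}
    for report in parse_reports(text):
        summary["total"] += 1
        summary["by_path"][report["path"]] += 1
        if IPV4_RE.match(report["host"]):
            summary["scanner_noise"] += 1
        else:
            summary["review_hosts"].add(report["host"])
    return summary


def disallowed_host_logging(logfile):
    """settings.py LOGGING fragment: route django.security.DisallowedHost to a file
    instead of the default mail_admins handler, so the inbox stops filling up while
    the evidence is still kept. The logfile path is an assumption for this example."""
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "handlers": {"hostfile": {"class": "logging.FileHandler", "filename": logfile}},
        "loggers": {"django.security.DisallowedHost": {"handlers": ["hostfile"], "propagate": False}},
    }
```

Running triage(SAMPLE_REPORTS) on the sample shows three bare-IP probes and one hostname to review; paths that 404 with no data in the body, as Ahmed describes, are the expected outcome for the scanner bucket.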

Miracle

May 4, 2020, 3:47:20 AM
to django...@googlegroups.com
Okay, 

I will do all those.

Thank you so much. 

I appreciate.
