What can I do after an attack to our system that hit our login route?

Since you have the logs I suggest that you look for usage of the login form. Did they try to log in at all?

Most often this is just a scan that looks for interesting sites and stores them for later use. This behaviour is extremely common and is commonplace in almost every HTTP log of an internet-facing web service.

  1. First of all you should look at the weblogs and see if they actually tried to use the login form at all. If they did, I guess there is some logging done in the web application of that login form?
  2. In the log you posted there are only GET requests. Look for POST requests.
  3. Jorgee is part of the user agent field and is easily customisable by the web client.

This looks like an open HTTP proxy scan to me. The HEAD or GET request is not normally followed by http://, but only by the local path.

If your server acts as an open HTTP proxy, the attacker is trying to hide behind it and you should close it. This will get your server blacklisted pretty soon.

Make sure your server is not acting as an open proxy, then just ignore it. Any public-facing server gets scanned all the time.

  1. Test if your server is acting as an open proxy. You can use the http-open-proxy from nmap:

    sudo nmap -sS -sV -p 8080 --script http-open-proxy.nse X.X.X.X
    
  2. The easiest way is to test with telnet:

    telnet X.X.X.X 80
    

    Wait a few seconds until the connection is established, and then type in your HTTP request:

    GET /login HTTP/1.1
    Host: 
    

    Hit return twice and look at the result.

    Now most likely anyone can get your login page. That doesn't mean they are in: for that they need to do a POST request with the right username/password parameters. Look out for that request, or successful requests on resources that are behind your login wall.

  3. Jorgee is a vulnerability scanner. You can see the notice on CheckPoint. Basically, it scans the whole internet for vulnerabilities. Your server gets scanned too, but unless you are vulnerable there is nothing to worry about.
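
One way to run the checks described in the two answers above (absolute-URI proxy probes, POST requests to the login route, successful responses on resources behind the login wall, and Jorgee user agents) over nginx combined-format access log lines. This is an added example, not code from either answer; the sample log lines, the `/login` path and the `/admin` prefix are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in nginx "combined" log format (not taken from
# the question; addresses, paths and timestamps are made up).
SAMPLE_LOG = """\
139.0.0.1 - - [10/Jan/2017:10:00:01 +0000] "HEAD http://example.net/ HTTP/1.1" 200 0 "-" "Mozilla/5.0 Jorgee"
139.0.0.1 - - [10/Jan/2017:10:00:02 +0000] "GET http://example.net/phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 Jorgee"
46.0.0.1 - - [10/Jan/2017:10:01:00 +0000] "GET /login HTTP/1.1" 200 1834 "-" "Mozilla/5.0 (X11; Linux x86_64)"
46.0.0.1 - - [10/Jan/2017:10:01:05 +0000] "POST /login HTTP/1.1" 302 0 "https://example.net/login" "Mozilla/5.0 (X11; Linux x86_64)"
46.0.0.1 - - [10/Jan/2017:10:01:06 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120 "https://example.net/login" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

LOGIN_PATH = "/login"             # assumed login route
PROTECTED_PREFIXES = ("/admin",)  # assumed paths behind the login wall

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Return matching records for each check suggested in the answers."""
    found = {"proxy_probe": [], "login_post": [], "protected_ok": [], "jorgee": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Absolute URI in the request line: someone is testing for an open proxy.
        if rec["target"].lower().startswith(("http://", "https://")):
            found["proxy_probe"].append(rec)
        # Only a POST to the login route is an actual login attempt.
        if rec["method"] == "POST" and rec["target"].split("?")[0] == LOGIN_PATH:
            found["login_post"].append(rec)
        # A 2xx on a protected resource should be matched against a valid login.
        if rec["target"].startswith(PROTECTED_PREFIXES) and rec["status"].startswith("2"):
            found["protected_ok"].append(rec)
        # The user agent is client-controlled, so this is a hint, not proof.
        if "jorgee" in rec["ua"].lower():
            found["jorgee"].append(rec)
    return found

def summarize(found):
    """Count hits per source IP for each category."""
    return {k: Counter(r["ip"] for r in v) for k, v in found.items()}
```

Feed the real access log in place of `SAMPLE_LOG` and start from the `login_post` and `protected_ok` lists, since those are the only ones that indicate anything beyond scanning.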


What I see there are two different users, one (139.x.x.x network) presumably being a script kiddie running an exploit scanner, and the other (46.x.x.x network) being a presumably legitimate user.

That, and you forgot to anonymize your server's address (45.x.x.x network) in the last line.

Bottom line: Given no other signs of intrusion, no reason to panic.
