
Some dude is running some exploit scanner on my server. I'm getting weird requests like:

IP ADDRESS: ::ffff:127.0.0.1
www-0 (out): POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E 

The IP is showing 127.0.0.1 using this code from another Stackoverflow answer:

app.use(function(req, res, next) {
    // X-Forwarded-For is whatever the client (or a proxy in front) put in the
    // header; it is tried first here, so it is also the easiest value to spoof.
    var ip = req.headers['x-forwarded-for'] ||
        req.connection.remoteAddress ||          // TCP peer of this Node process
        req.socket.remoteAddress ||
        (req.connection.socket && req.connection.socket.remoteAddress);
    console.log('IP ADDRESS: ', ip);
    next();
});

Looking to block this person on Cloudflare so it won't clutter my logs.

I'm running this on a Mac Mini server, it was freshly installed a couple of weeks ago, so I don't think my server has been compromised (or has it?) and running exploit scans locally.

asked by ninjaneer
  • Here is his request decrypted. `-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env="yes" -d cgi.fix_pathinfo=1 -d auto_prepend_file=php://input -n ` – Bijan May 04 '15 at 22:52
  • `x-forwarded-for` is a header everybody can just set to anything and is useless for what you are trying to do. I would go as far as saying that trying to track down a random scanner / skiddy / freedom cyberfighter of some country in the east is useless and not worth your effort – PeeHaa May 04 '15 at 22:53
  • What about the others, `req.connection.remoteAddress` etc.? I guess I'll try removing the headers way and see what the others provide. – ninjaneer May 04 '15 at 22:55
  • Are you running nginx or a similar proxy in front of your node server? If so, that's the thing terminating the internet connection from the outside. – Joe May 05 '15 at 00:38
  • I am running nginx in front. What do you mean terminating the internet connection from the outside? – ninjaneer May 05 '15 at 19:29

1 Answer


You can call req.connection.remoteAddress to get the real IP address of the person (or their proxy, which is what they need to make the request) and then you can store the different banned IPs in an array.

var bannedips = ['203.0.113.7'];   // example entry; fill in the addresses you want blocked

app.use(function(req, res, next) {
    var ip = req.connection.remoteAddress;
    console.log("IP ADDRESS: ", ip);
    if (bannedips.indexOf(ip) > -1) {        // indexOf, not indexof
        // reject and stop here; do not call next(). (req.abort() does not
        // exist on an incoming request, so the original code would have thrown)
        return res.status(403).end();
    }
    next();
});

EDIT

Now that I know you're using CloudFlare, the CF-Connecting-IP header would be more applicable to your situation.

var bannedips = ['203.0.113.7'];   // example entry; fill in the addresses you want blocked

app.use(function(req, res, next) {
    // Node lower-cases incoming header names, so "CF-Connecting-IP" would
    // always be undefined. The value is only meaningful when the request
    // really came through Cloudflare: a client hitting the origin directly
    // can set this header to anything as well.
    var ip = req.headers['cf-connecting-ip'];
    console.log("IP ADDRESS: ", ip);
    if (bannedips.indexOf(ip) > -1) {
        return res.status(403).end();        // reject and stop; do not call next()
    }
    next();
});
answered by dylanweber
  • `req.connection.remoteAddress` is showing my remote test call as: `::ffff:127.0.0.1`. I am not making the call locally, so it should show my external IP address. – ninjaneer May 05 '15 at 00:09
  • You said you're using Cloudflare? I'm not familiar with the platform, but I feel like that could be the issue. Cloudflare is getting all of the raw requests and is passing them on second hand to Node.js. – dylanweber May 05 '15 at 00:42
  • I found a Node.js module that can get the Cloudflare IP address for you. https://github.com/keverw/node_CloudFlare Try this out to see if it works. – dylanweber May 05 '15 at 00:50
  • I have Cloudflare caching disabled. I can see my remote IP address when I make a request, just not this dude that's scanning my server. – ninjaneer May 05 '15 at 04:42
  • Using what method can you obtain your remote IP address through Cloudflare? The one above or in my answer? – dylanweber May 05 '15 at 04:43
  • Cloudflare passes the IP address of the person who makes a request through the `x-forwarded-for` header, but that can also be spoofed, so you'll need a new method for obtaining the correct IP. – dylanweber May 05 '15 at 04:44
  • my original code (from another StackOverflow answer) is able to detect normal remote IP addresses. – ninjaneer May 05 '15 at 19:27
  • @Ninja Yes, because Cloudflare purposefully passes the IP over that header if there is no header there already. This won't work for people who spoof that header. You need to try another option. – dylanweber May 05 '15 at 23:26
  • So it's not possible to do this in Node.js? – ninjaneer May 06 '15 at 03:08
  • Did you try using the node_CloudFlare module? – dylanweber May 06 '15 at 03:09
  • Read this article by CloudFlare. https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-CloudFlare-handle-HTTP-Request-headers- Try using the `CF-Connecting-IP` header. – dylanweber May 06 '15 at 03:12
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/77057/discussion-between-dylanweber-and-ninja). – dylanweber May 06 '15 at 03:15
  • OK, so it looks like there's no way to do this. I think the "hacker" is connecting directly to the IP. I'll have to resort to the logs of nginx. – ninjaneer May 06 '15 at 07:49
  • You need to specify these things... you're using nginx?! That changes everything. – dylanweber May 06 '15 at 13:21
  • Preferably I don't want to modify nginx. The Node.js app may be behind an Apache proxy later, but it looks like that answer might help for now. – ninjaneer May 09 '15 at 01:20