esm-g6t8

Why you should monitor your Nginx logs

AWS IP address ranges are public information

It’s documented by Amazon! You can check out this post and this JSON file by Amazon to see for yourself. This also means that anyone can write a bot to iterate through the IP addresses, and try all the common username and password combinations.

Have you tried incrementing/decrementing your assigned AWS IP address to see if you can see anyone else’s web server? 😮

Analyse your logs

And this is why you should also monitor your access.log files! There are some other really cool monitoring products like Datadog (btw, they come free with your GitHub Student Developer Pack just like the free domain name) that you can use to analyse your Nginx logs.

We used GoAccess, and within a day of our deployment we saw some interesting stuff.


Do you think these files actually exist on our web server? What’s this HelloThinkPHP and why is someone attempting to invoke this call_user_func_array function? Why are people trying to find if an eval-stdin.php file exists on our server?

Well, they don’t exist but what do you think would happen if they did? 🤔
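To look for the same probes in your own access.log without a dashboard, here is an added example (not code from the original post) that scans for the three strings mentioned above and separates harmless 404s from requests the server answered with a 2xx. It assumes Nginx's default "combined" log format; the sample lines, their simplified paths and all function names are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Nginx "combined" format: ip - user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?:\d+|-)')

# Strings named in the post, matched case-insensitively after URL-decoding.
PROBE_MARKERS = ("hellothinkphp", "call_user_func_array", "eval-stdin.php")

# Constructed sample lines (documentation IP ranges, simplified paths).
SAMPLE_LOG = """
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2020:13:56:01 +0000] "GET /index.php?function=call_user_func_array&vars=HelloThinkPHP HTTP/1.1" 404 153 "-" "-"
198.51.100.23 - - [10/Oct/2020:13:56:02 +0000] "POST /some/path/eval%2Dstdin.php HTTP/1.1" 404 153 "-" "-"
192.0.2.44 - - [10/Oct/2020:14:02:10 +0000] "GET /old/eval-stdin.php HTTP/1.1" 200 0 "-" "curl/7.0"
not a log line
"""

def parse_line(line):
    m = LINE_RE.match(line)
    if m is None:
        return None
    parts = m.group("request").split(" ")
    # Junk request lines have no "METHOD path PROTO" triple; keep them whole.
    path = parts[1] if len(parts) == 3 else m.group("request")
    return {"ip": m.group("ip"), "status": int(m.group("status")), "path": path}

def find_probes(log_text):
    """Return ({ip: [(status, markers, path), ...]}, unparsed_line_count)."""
    hits, unparsed = defaultdict(list), 0
    for line in filter(str.strip, log_text.splitlines()):
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        decoded = unquote(entry["path"]).lower()  # catches eval%2Dstdin.php
        markers = [m for m in PROBE_MARKERS if m in decoded]
        if markers:
            hits[entry["ip"]].append((entry["status"], markers, entry["path"]))
    return dict(hits), unparsed

def answered(hits):
    """Probes that got a 2xx: the requested file may really exist."""
    return [(ip, path) for ip, rows in hits.items()
            for status, _, path in rows if 200 <= status < 300]

if __name__ == "__main__":
    print(answered(find_probes(SAMPLE_LOG)[0]))
```

Anything `answered()` returns is worth checking on disk first, since a 2xx means the server found something to serve at that path.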

Further readings

If you’d like to know more, here are some links for further readings:

With ❤️,

g6t8