Chaotic amount of notification since Django Update (Docker)

I have upgraded my Django-Docker to 3.1.3 and notice an unusual burst of messages since then.

I’m usually watching the logs of my Django-Docker by using docker logs django_web_1 -f.
That would only display the configured logging and errors, yet (probably due to the upgrade) I’m receiving an unusually large amount of all kinds of messages, which won’t stop being output and which I have difficulty categorizing.

The Django-Docker is only used by me and not to be accessed from the internet. At this point it’s just running idle, so there’s no request coming from me. I can’t post the entire log as it exceeds a few Megabytes on each call.

Doing an ordinary start-up of the docker by docker-compose up gives me the regular logs which I would expect:

web_1  | INFO:django.utils.autoreload:Watching for file changes with StatReloader
web_1  | Performing system checks...
web_1  | 
web_1  | System check identified no issues (0 silenced).
web_1  | January 22, 2021 - 20:07:39
web_1  | Django version 3.1.3, using settings 'DjangoMoP.settings'
web_1  | Starting development server at http://0.0.0.0:9900/
web_1  | Quit the server with CONTROL-C.

The new logs printed by docker logs django_web_1 -f are also present in the specified Django-Handlers and they are crowded.
What is the background of these logs and why am I getting them?

INFO:django.server:"GET / HTTP/1.1" 200 33226
WARNING:django.request:Not Found: /client/
----------------------------------------
Exception happened during processing of request from ('172.20.0.168', 60864)
WARNING:django.server:"GET /client/ HTTP/1.1" 404 8213
Traceback (most recent call last):
  File "/usr/lib64/python3.7/socketserver.py", line 650, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib64/python3.7/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib64/python3.7/socketserver.py", line 720, in __init__
    self.handle()
  File "/usr/local/lib/python3.7/site-packages/django/core/servers/basehttp.py", line 174, in handle
    self.handle_one_request()
  File "/usr/local/lib/python3.7/site-packages/django/core/servers/basehttp.py", line 182, in handle_one_request
    self.raw_requestline = self.rfile.readline(65537)
  File "/usr/lib64/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
ConnectionResetError: [Errno 104] Connection reset by peer
----------------------------------------
WARNING:django.request:Not Found: /cgi-bin/tombstone.cfm
WARNING:django.server:"GET /cgi-bin/tombstone.cfm?ProfileID=<script>foo</script> HTTP/1.1" 404 8289

Or:

INFO:django.server:"GET / HTTP/1.1" 200 33226
WARNING:django.request:Not Found: /cgi-bin/pfdispaly
WARNING:django.server:"GET /cgi-bin/pfdispaly?../../../../../../etc/passwd HTTP/1.1" 404 8272
WARNING:django.request:Not Found: /cgi-bin/pfdispaly.cgi
WARNING:django.server:"GET /cgi-bin/pfdispaly.cgi?../../../../../../etc/passwd HTTP/1.1" 404 8284
WARNING:django.request:Not Found: /scripts/pfdispaly
WARNING:django.server:"GET /scripts/pfdispaly?../../../../../../etc/passwd HTTP/1.1" 404 8272
INFO:django.server:"GET / HTTP/1.1" 200 33226
WARNING:django.request:Not Found: /scripts/pfdispaly.cgi
WARNING:django.server:"GET /scripts/pfdispaly.cgi?../../../../../../etc/passwd HTTP/1.1" 404 8284
WARNING:django.request:Not Found: /cgi-bin/logs/HCDiskQuotaService.csv
WARNING:django.request:Not Found: /DjangoGraphen/pfdispaly
WARNING:django.server:"GET /cgi-bin/logs/HCDiskQuotaService.csv HTTP/1.1" 404 8297
WARNING:django.server:"GET /DjangoGraphen/pfdispaly?../../../../../../etc/passwd HTTP/1.1" 404 12161
WARNING:django.request:Not Found: /scripts/logs/HCDiskQuotaService.csv
WARNING:django.server:"GET /scripts/logs/HCDiskQuotaService.csv HTTP/1.1" 404 8297
WARNING:django.request:Not Found: /DjangoGraphen/pfdispaly.cgi
WARNING:django.request:Not Found: /DjangoGraphen/logs/HCDiskQuotaService.csv
WARNING:django.request:Not Found: /logs/HCDiskQuotaService.csv
----------------------------------------WARNING:django.server:"GET /logs/HCDiskQuotaService.csv HTTP/1.1" 404 8273

Exception happened during processing of request from ('172.20.0.168', 37310)
Traceback (most recent call last):
  File "/usr/lib64/python3.7/socketserver.py", line 650, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib64/python3.7/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib64/python3.7/socketserver.py", line 720, in __init__
    self.handle()
  File "/usr/local/lib/python3.7/site-packages/django/core/servers/basehttp.py", line 174, in handle
    self.handle_one_request()
  File "/usr/local/lib/python3.7/site-packages/django/core/servers/basehttp.py", line 182, in handle_one_request
    self.raw_requestline = self.rfile.readline(65537)
  File "/usr/lib64/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
ConnectionResetError: [Errno 104] Connection reset by peer
----------------------------------------
WARNING:django.request:Not Found: /pfdispaly
WARNING:django.server:"GET /pfdispaly?../../../../../../etc/passwd HTTP/1.1" 404 8248
WARNING:django.request:Not Found: /pfdispaly.cgi
----------------------------------------
Exception happened during processing of request from ('172.20.0.168', 35728)
INFO:root:http://insv01979.v2c2.at:8112
Traceback (most recent call last):
  File "/usr/lib64/python3.7/socketserver.py", line 650, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib64/python3.7/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib64/python3.7/socketserver.py", line 720, in __init__
    self.handle()
  File "/usr/local/lib/python3.7/site-packages/django/core/servers/basehttp.py", line 174, in handle
    self.handle_one_request()
  File "/usr/local/lib/python3.7/site-packages/django/core/servers/basehttp.py", line 182, in handle_one_request
    self.raw_requestline = self.rfile.readline(65537)
  File "/usr/lib64/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
ConnectionResetError: [Errno 104] Connection reset by peer
----------------------------------------
WARNING:django.server:"GET /pfdispaly.cgi?../../../../../../etc/passwd HTTP/1.1" 404 8260

Here even some of the files are mentioned:

---------------------------------------
WARNING:django.request:Not Found: /cgi-bin/af.cgi
WARNING:django.request:Not Found: /cgi-bin/alienform.cgi
WARNING:django.server:"GET /cgi-bin/alienform.cgi?_browser_out=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Fetc%2Fpasswd HTTP/1.1" 404 8372
WARNING:django.request:Not Found: /scripts/af.cgi
WARNING:django.server:"GET /scripts/af.cgi?_browser_out=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Fetc%2Fpasswd HTTP/1.1" 404 8351
WARNING:django.request:Not Found: /scripts/alienform.cgi
WARNING:django.server:"GET /scripts/alienform.cgi?_browser_out=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Fetc%2Fpasswd HTTP/1.1" 404 8372
INFO:django.server:"GET / HTTP/1.1" 200 33226
WARNING:django.request:Not Found: /samba/smbshr.pl
WARNING:django.request:Not Found: /DjangoGraphen/af.cgi
WARNING:django.server:"GET /DjangoGraphen/af.cgi?_browser_out=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Fetc%2Fpasswd HTTP/1.1" 404 12240
WARNING:django.request:Not Found: /cgi-bin/smbshr.pl
WARNING:django.request:Not Found: /DjangoGraphen/alienform.cgi
WARNING:django.request:Not Found: /af.cgi
WARNING:django.request:Not Found: /cgi-bin/samba/smbshr.pl
WARNING:django.server:"POST /cgi-bin/samba/smbshr.pl HTTP/1.1" 404 8262
WARNING:django.request:Not Found: /alienform.cgi
WARNING:django.server:"GET /alienform.cgi?_browser_out=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Fetc%2Fpasswd HTTP/1.1" 404 8348
WARNING:django.request:Not Found: /scripts/smbshr.pl
WARNING:django.server:"POST /scripts/smbshr.pl HTTP/1.1" 404 8244
WARNING:django.request:Not Found: /scripts/samba/smbshr.pl
WARNING:django.request:Not Found: /DjangoGraphen/smbshr.pl
INFO:root:[FrameInfo(frame=<frame at 0x7f8698012000, file './POM/WebDBTools.py', line 314, code getAllGraphSelect>, filename='./POM/WebDBTools.py', lineno=314, function='getAllGraphSelect', code_context=['        logging.info(inspect.stack())\n'], index=0),

Assuming your site is available to the public internet, what has happened is that someone (or ones) have detected your website and are trying to penetrate it.

Some attacker is running a script that is testing your site for a set of known vulnerabilities. What you’re seeing here are the requests being issued by that attacker.

It comes & goes in bursts, but I’d say I’ve had months where 99+% of all requests to one particular web-site I manage have been attacks like this.

See CVE-2002-0934 : Directory traversal vulnerability in Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) allows remot as one set of details of one of the attacks.

No, it’s not available to the public internet. Also I keep rebuilding the Docker a few times every day as I can’t use the logs-command any more and have to use docker-compose up instead.

But I will give it a shot. Where would I find these scripts or traces of it? Is there a way to fetch it?

Then it’s possible that another machine within your network has been infected with some type of malware. What you need to do is find the IP address of the machine issuing these requests and then determine whether or not this is coming from inside or outside.

I don’t keep such software around - and since I’m not in the Information Security field any more, I don’t have any direct resources to point you to. But if you’re really interested, you can probably find some if you dig around a bit on Google.

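As an added example (not code from any poster in this thread), one way to do the triage suggested above: pull the peer addresses out of the dev server's "Exception happened during processing of request from" lines, label the probe types seen in the `django.server` request lines, and check whether each peer is in a private range. The sample log is constructed from lines quoted in the question, and the signature labels and the `triage` function are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample, modelled on the log lines quoted in this thread.
SAMPLE_LOG = """\
INFO:django.server:"GET / HTTP/1.1" 200 33226
WARNING:django.server:"GET /cgi-bin/tombstone.cfm?ProfileID=<script>foo</script> HTTP/1.1" 404 8289
Exception happened during processing of request from ('172.20.0.168', 60864)
WARNING:django.server:"GET /cgi-bin/pfdispaly?../../../../../../etc/passwd HTTP/1.1" 404 8272
WARNING:django.server:"GET /scripts/af.cgi?_browser_out=.|.%2F.|.%2F.|.%2Fetc%2Fpasswd HTTP/1.1" 404 8351
WARNING:django.server:"POST /cgi-bin/samba/smbshr.pl HTTP/1.1" 404 8262
Exception happened during processing of request from ('172.20.0.168', 37310)
"""

# Request line as written by the django.server logger (it carries no client IP).
REQUEST_RE = re.compile(r'django\.server:"(?P<method>[A-Z]+) (?P<target>.+) HTTP/[\d.]+" (?P<status>\d{3})\b')
# socketserver prints the peer (ip, port) only when a request handler raises.
PEER_RE = re.compile(r"request from \('(?P<ip>[^']+)', \d+\)")

# Heuristic labels (assumptions of this example), matched on the URL-decoded target.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./|\.\|\./|etc/passwd")),
    ("script-injection", re.compile(r"<script", re.I)),
    ("legacy-cgi-probe", re.compile(r"^/(?:cgi-bin|scripts)/|\.(?:cgi|pl|cfm)(?:\?|$)")),
]

def triage(log_text):
    """Return (probe counts by label, hits per peer IP, internal/external per peer)."""
    probes, peers = Counter(), Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            target = unquote(m["target"])  # decode %2F etc. before matching
            for label, rx in SIGNATURES:
                if rx.search(target):
                    probes[label] += 1
        p = PEER_RE.search(line)
        if p:
            peers[p["ip"]] += 1
    # is_private covers RFC 1918 ranges as well as loopback and link-local.
    origin = {
        ip: "internal" if ipaddress.ip_address(ip).is_private else "external"
        for ip in peers
    }
    return probes, peers, origin

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A private address seen from inside a container may be another container or a NAT'd address on the Docker bridge rather than the real client, so confirm the source with host-side or network logs.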

Sorry for doubting you. You were right.
I started digging and asked around. Apparently lately there had been an internal security-examination where potential vulnerabilities should be discovered.
It was in fact a testing script and it seems I configured the Django correctly.

Thank you!