
mstshash=administr explained

Open TAbdiukov opened this issue 7 years ago • 30 comments

Guys, I know this repo isn't directly involved with the issue, but if you don't mind much I'll put this here (since there's no appropriate place for this online anyway). So hopefully you can keep this sort of thing here. And yes, you guys come up first when I look this up online

related, #199

There are a handful of people complaining about the "mstshash=administr" attacks. Some even had their printers 'randomly' print out this string. Turns out someone runs a script trying to abuse some javascript based vulnerability which Flask might (but is likely not) be vulnerable to this sort of attack (although most of the reports are on the Flask platform)

I've managed to find the source code the script online (lol), https://pastebin.com/PSbQXJYL

The attacks seem to originate from Russia, https://www.abuseipdb.com/check/95.213.184.180 https://blackhat.directory/ip/77.72.83.111

I personally got an attack from a {something}.49 ip address originating from Nizhny Novgorod, Russia. 2 attempts, 2 days apart from the same IP address. Shall post the full IP address once I get home

Question (if the post remains on), those who experience the same thing and perhaps find this post, mind you answer the questionnaire, to see if there's a pattern present (and there likely is)

  • What OS is your Flask instance run on
  • What server deployment system is used
  • Did you use a custom port? (Cause I did and yet someone still tried to attack)

TAbdiukov avatar Nov 12 '18 06:11 TAbdiukov

I saw some of these on a Flask 1.0.2 server spun up a few days ago on port 4000.

Requests look like:

77.72.83.28 - - [21/Nov/2018 23:47:31] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*\xe0\x00\x00\x00\x00\x00Cookie:')
77.72.83.28 - - [21/Nov/2018 23:47:31] "/*Cookie: mstshash=Administr" 400 -

Which appears to be a bot attempting to open an RDP connection by sending something similar to a Connection Request PDU. It's nothing to worry about, especially if you are running a locked-down Linux box.

hyperreality avatar Nov 22 '18 17:11 hyperreality
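As an added illustration (not part of this thread or of any project mentioned in it), the Python below parses the RDP Connection Request PDU whose first line shows up in the 400 log lines above (TPKT header, X.224 CR, the mstshash cookie), and classifies werkzeug "code 400" lines by which protocol the probe actually spoke. The sample PDU is constructed: its lengths match the logged bytes, but the trailing 8-byte RDP_NEG_REQ is assumed, since the logs only show the first line.

```python
import re
import struct

COOKIE_PREFIX = b"Cookie: mstshash="

# Constructed sample of what an RDP client sends first: TPKT header, X.224
# Connection Request, the mstshash cookie, then an RDP negotiation request.
# The lengths (47 / 42) match the bytes logged in this thread; the trailing
# 8 RDP_NEG_REQ bytes are assumed, since werkzeug only logs the first line.
SAMPLE_PDU = (
    b"\x03\x00\x00\x2f"                  # TPKT: version 3, reserved 0, length 47
    b"\x2a\xe0\x00\x00\x00\x00\x00"      # X.224: LI 42, code 0xE0 = CR, dst/src ref 0, class 0
    b"Cookie: mstshash=Administr\r\n"    # cookie = first 9 chars of the client username
    b"\x01\x00\x08\x00\x03\x00\x00\x00"  # RDP_NEG_REQ: type 1, flags 0, length 8, protocols 3
)


def parse_x224_connection_request(data):
    """Parse TPKT + X.224 Connection Request; return its fields or None."""
    if len(data) < 11 or data[0] != 3 or data[1] != 0:
        return None                                   # not a TPKT v3 header
    tpkt_len = struct.unpack(">H", data[2:4])[0]      # total length incl. header
    if (data[5] & 0xF0) != 0xE0:
        return None                                   # not a Connection Request TPDU
    dst_ref, src_ref = struct.unpack(">HH", data[6:10])
    body = data[11:tpkt_len]                          # variable part after the class octet
    cookie_user, neg_protocols = None, None
    if body.startswith(COOKIE_PREFIX):
        end = body.find(b"\r\n")
        end = len(body) if end < 0 else end
        cookie_user = body[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        body = body[end + 2:]
    if len(body) == 8 and body[0] == 1:               # RDP_NEG_REQ, little-endian fields
        neg_protocols = struct.unpack("<I", body[4:8])[0]
    return {"tpkt_length": tpkt_len, "x224_li": data[4], "dst_ref": dst_ref,
            "src_ref": src_ref, "cookie_user": cookie_user,
            "neg_protocols": neg_protocols}


# First bytes of the three probe types visible in this thread's werkzeug logs.
PROBE_SIGNATURES = [
    (b"\x03\x00", "rdp-x224-connection-request"),   # TPKT, i.e. RDP's first packet
    (b"\x16\x03", "tls-client-hello"),               # TLS handshake record
    (b"\x05\x01", "socks5-greeting"),                # SOCKS5 method negotiation
]
REQ_RE = re.compile(r"\('(.*?)'\)")                  # the ('...') repr werkzeug logs


def unescape_repr(repr_text):
    """Turn werkzeug's repr text (backslash escapes or raw 'à') back into bytes."""
    return (repr_text.encode("latin-1", "replace")
            .decode("unicode_escape")
            .encode("latin-1", "replace"))


def classify_log_line(line):
    """Label a 'code 400' werkzeug line by the protocol the probe spoke."""
    match = REQ_RE.search(line)
    if not match:
        return None                                   # a normal HTTP request line
    raw = unescape_repr(match.group(1))
    for prefix, label in PROBE_SIGNATURES:
        if raw.startswith(prefix):
            return label
    return "unknown-binary"


# Three 400 lines quoted in this thread (source IPs as posted there).
SAMPLE_LOG = r"""
185.217.1.122 - - [06/Oct/2021 18:34:52] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*\xe0\x00\x00\x00\x00\x00Cookie:')
162.142.125.58 - - [07/Oct/2021 11:13:29] code 400, message Bad HTTP/0.9 request type ('\x16\x03\x01\x00{\x01\x00\x00w\x03\x03')
222.186.19.235 - - [06/Oct/2021 15:11:56] code 400, message Bad request syntax ('\x05\x01\x00')
""".strip().splitlines()


def triage(lines):
    """(source IP, probe label) for every binary probe among the log lines."""
    return [(line.split(" - - ")[0], classify_log_line(line))
            for line in lines if classify_log_line(line)]
```

Running `triage(SAMPLE_LOG)` shows the same scanner mix the later comments describe: an RDP connection request, a TLS ClientHello and a SOCKS5 greeting, all aimed at a plain HTTP port.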

I'm also seeing this. I think it then causes my flask process to exit. Is this the behavior you were seeing also? If so, how did you resolve this, or any suggestion for best way to deal with this?

edwinevans avatar Jan 31 '19 20:01 edwinevans

> I'm also seeing this. I think it then causes my flask process to exit. Is this the behavior you were seeing also? If so, how did you resolve this, or any suggestion for best way to deal with this?

I switched a port to a non-trivial one, so the requests became rare.

But with that said, it did seemingly nothing to the stability or performance

If i may ask, what system did you run the Flask server on?

TAbdiukov avatar Feb 11 '19 12:02 TAbdiukov

Thanks. I should have followed up on this. I also switched ports but I do not think it was exiting because of this. It was just the last thing in my log file. I think the exit was due to a different problem (running in a process that got terminated when losing ssh connection).

edwinevans avatar Feb 12 '19 17:02 edwinevans

mstshash may refer to RDP. This is surely an attack (scanning) attempt, but the target should be some sort of rdp vulnerability instead of your flask server.

If you are running Windows, you can construct such a request using Remote Desktop Connection client mstsc.exe:

  1. start mstsc.exe
  2. in the Computer box, put IP:port of your server.
  3. click Show Options and put whatever you like in User Name.
  4. click Connect and it will pop up an error box.
  5. check your server access log and there will be a Cookie: mstshash=[the username you entered]" HTTPStatus.BAD_REQUEST record.

miaoluda avatar Jun 09 '19 04:06 miaoluda

Hi there, although I tried really hard to understand what you guys are saying, I am no guy that understands any code. Today, my printer self printed the following line 10AM here in the west coast:

/ *aCookie: mstshash=Administr

I am just a university student living with parents with a desktop pc and a few laptops in the household. We don't have any servers or anything like that (no personal cloud drives no NAS) and my printer is connected to our computers through wifi, not a single wired connection (epson 2750). I am tbh scared as you guys mentioned this is a hacking attack. Though I have no data of ransom value on my computer, I have some 60 steam games and personal photos + homework, I would like to know why is this happening, what will happen to me next and what am I supposed to do.

I spent a lot of money on this gaming rig that I built myself lol, will they fry my stuff? Damn I sound silly. Please help!!!

I saw ppl saying that this is related to the remote desktop protocol. I checked and I am on windows 10 home which has no RDP feature. The remote desktop i use to access my computer from school is chrome's remote desktop app. Are these related?? Thanks.

dfsssssssgg avatar Jun 25 '19 17:06 dfsssssssgg

Hi dfsssssssgg,

I make the assumption your printer is somehow exposed to the internet, and probably not updated with the latest firmware update. Minimum solution is to update your firewall router, so the bad guy can't reach your printer; I guess there is something in your NAT configuration. Update the firmware on your router, and printer if possible, and check the NAT rules you have applied to reach your computer.

jensse avatar Nov 30 '19 09:11 jensse

I got the same RDP access from 198.98.57.246 while running Flask on Windows with the default Flask deployment on a custom port. The flask process logged it as below but did not crash/stop. Looks like they are constantly scanning all ports for vulnerabilities because these connection attempts repeated dozens of times from different IPs over the course of several weeks.

code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
"/*à Cookie: mstshash=Administr" HTTPStatus.BAD_REQUEST -

eturanalp avatar Jan 29 '20 17:01 eturanalp

Getting the same thing on my flask app. Guessing they looking for vulnerabilities.

185.202.2.147 - - [28/May/2020 23:53:16] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
185.202.2.147 - - [28/May/2020 23:53:16] "/*àCookie: mstshash=Administr" HTTPStatus.BAD_REQUEST -
80.82.64.46 - - [28/May/2020 20:24:54] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
80.82.64.46 - - [28/May/2020 20:24:54] "/*àCookie: mstshash=Administr" HTTPStatus.BAD_REQUEST -

youseq avatar May 29 '20 08:05 youseq

Just got a similar attack to what @youseq had. However it stemmed from Russia, Pakistan, and even the UK. That's the last time I'm exposing a flask server to the internet... ended up installing OpenVPN on a Raspberry Pi and used that to access it when needed. Is there any way to block these other than just not exposing to the internet?

bwees avatar Jul 03 '20 22:07 bwees

looked at my nginx logs:

79.124.62.254 - - [20/Aug/2020:14:40:59 -0400] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 173 "-" "-"

https://whatismyipaddress.com/ip/79.124.62.254 -> Country: | Bulgaria

vit100 avatar Aug 20 '20 19:08 vit100

I got this in my squid server log:

1598008385.412 170 84.38.185.29 TAG_NONE/400 3930 mstshash=Administr - HIER_NONE/- text/html

sys2kdev avatar Aug 21 '20 13:08 sys2kdev

Running flask on Ubuntu OS

Invalid request from ip=185.153.199.49: Invalid HTTP request line: '\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie: mstshash=Administr'

yogi-bp avatar Oct 30 '20 06:10 yogi-bp

Running a C# tcp server on a random port exposed externally so it seems the targets are sort of random.

Nucs avatar Nov 05 '20 11:11 Nucs

> Running a C# tcp server on a random port exposed externally so it seems the targets are sort of random.

Same here

romslf avatar Nov 25 '20 14:11 romslf

i got the same thing in cowrie.

2020-12-24T19:37:58.007815Z [HoneyPotSSHTransport,561,193.29.13.67] Remote SSH version: b'\x03\x00\x00/*\xe0\x00\x00\x00\x00\x00Cookie: mstshash=Administr'

Zero-Sploit avatar Dec 25 '20 02:12 Zero-Sploit

Also receiving similar logs on my server. I'm using Flask as a backend for an Android app. Is this something I need to worry about? If so, what should I do?

Thrasherop avatar Dec 28 '20 06:12 Thrasherop

[03/Mar/2021 12:46:52] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
[03/Mar/2021 12:46:52] "/*àCookie: mstshash=Administr" 400 -

Getting this on Django, OS: Ubuntu.

jemerocay avatar Mar 04 '21 00:03 jemerocay

The Internet Crime Complaint Center (IC3) issued an alert back in 2018 ( https://us-cert.cisa.gov/ncas/current-activity/2018/09/28/IC3-Issues-Alert-RDP-Exploitation ) regarding these types of attacks.

The IC3 suggests to "Verify all cloud-based virtual machine instances with a public IP do not have open RDP ports, specifically port 3389... Place any system with an open RDP port behind a firewall and require users to use a Virtual Private Network (VPN) to access it through the firewall"

You can read all the other suggestions here on their website (https://www.ic3.gov/Media/Y2018/PSA180927)

I hope that helps

Preez avatar Mar 19 '21 06:03 Preez

I am on Django and every day my service gets attacked by these sorts of attacks. Even though it's not production, it still worries me a bit

here are the logs for Today

01/Jul/2021:23:32:46 +0000 INFO [ FROM: 91.241.19.99 - - ]"\x03\x00\x00/\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 166 "-" "-" - TO: - [\x03\x00\x00/\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr] upstream_response_time - msec 1625182366.061 request_time 2.750

01/Jul/2021:23:45:33 +0000 INFO [ FROM: 161.189.134.11 - - ]"\x00\x00\x00TZ\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x10\x04\x01.\x05\x00\x00\x00\x00\x81I\xA8\xC0\x00\x0C)\x83z\xBB\x01\x00z\xDAf\x00\x8D\x16\xD2~\x9DU\x05\xF1\x1Fi\xBB\xA9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC3\xD0\xA2|\xA6v\xBD\xF3\x1EO\xD1\xCB\xDC\xAE\xCBd" 400 166 "-" "-" - TO: - [\x00\x00\x00TZ\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x10\x04\x01.\x05\x00\x00\x00\x00\x81I\xA8\xC0\x00\x0C)\x83z\xBB\x01\x00z\xDAf\x00\x8D\x16\xD2~\x9DU\x05\xF1\x1Fi\xBB\xA9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC3\xD0\xA2|\xA6v\xBD\xF3\x1EO\xD1\xCB\xDC\xAE\xCBd] upstream_response_time - msec 1625183133.341 request_time 0.245

02/Jul/2021:02:52:15 +0000 INFO [ FROM: 161.189.134.11 - - ]"\x00\x00\x00TZ\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x10\x04\x01.\x05\x00\x00\x00\x00\x81I\xA8\xC0\x00\x0C)\x83z\xBB\x01\x00z\xDAf\x00\x8D\x16\xD2~\x9DU\x05\xF1\x1Fi\xBB\xA9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC3\xD0\xA2|\xA6v\xBD\xF3\x1EO\xD1\xCB\xDC\xAE\xCBd" 400 166 "-" "-" - TO: - [\x00\x00\x00TZ\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x10\x04\x01.\x05\x00\x00\x00\x00\x81I\xA8\xC0\x00\x0C)\x83z\xBB\x01\x00z\xDAf\x00\x8D\x16\xD2~\x9DU\x05\xF1\x1Fi\xBB\xA9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC3\xD0\xA2|\xA6v\xBD\xF3\x1EO\xD1\xCB\xDC\xAE\xCBd] upstream_response_time - msec 1625194335.607 request_time 0.340

02/Jul/2021:03:06:21 +0000 INFO [ FROM: 172.105.65.157 - - ]"" 400 0 "-" "-" - TO: - [] upstream_response_time - msec 1625195181.693 request_time 1.509

02/Jul/2021:05:43:58 +0000 INFO [ FROM: 87.251.67.156 - - ]"\x03\x00\x00/\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 166 "-" "-" - TO: - [\x03\x00\x00/\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr] upstream_response_time - msec 1625204638.805 request_time 0.179

jahanzeb-pixarsart avatar Jul 02 '21 08:07 jahanzeb-pixarsart

I am also getting something very similar to this

> I am on Django and every day my service gets attacked by these sorts of attacks. Even though it's not production, it still worries me a bit
>
> here are the logs for Today
>
> 01/Jul/2021:23:32:46 +0000 INFO [ FROM: 91.241.19.99 - - ]"\x03\x00\x00/\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 166 "-" "-" - TO: - [\x03\x00\x00/\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr] upstream_response_time - msec 1625182366.061 request_time 2.750
>
> 01/Jul/2021:23:45:33 +0000 INFO [ FROM: 161.189.134.11 - - ]"\x00\x00\x00TZ\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x10\x04\x01.\x05\x00\x00\x00\x00\x81I\xA8\xC0\x00\x0C)\x83z\xBB\x01\x00z\xDAf\x00\x8D\x16\xD2~\x9DU\x05\xF1\x1Fi\xBB\xA9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC3\xD0\xA2|\xA6v\xBD\xF3\x1EO\xD1\xCB\xDC\xAE\xCBd" 400 166 "-" "-" - TO: - [\x00\x00\x00TZ\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x10\x04\x01.\x05\x00\x00\x00\x00\x81I\xA8\xC0\x00\x0C)\x83z\xBB\x01\x00z\xDAf\x00\x8D\x16\xD2~\x9DU\x05\xF1\x1Fi\xBB\xA9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC3\xD0\xA2|\xA6v\xBD\xF3\x1EO\xD1\xCB\xDC\xAE\xCBd] upstream_response_time - msec 1625183133.341 request_time 0.245
>
> 02/Jul/2021:02:52:15 +0000 INFO [ FROM: 161.189.134.11 - - ]"\x00\x00\x00TZ\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x10\x04\x01.\x05\x00\x00\x00\x00\x81I\xA8\xC0\x00\x0C)\x83z\xBB\x01\x00z\xDAf\x00\x8D\x16\xD2~\x9DU\x05\xF1\x1Fi\xBB\xA9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC3\xD0\xA2|\xA6v\xBD\xF3\x1EO\xD1\xCB\xDC\xAE\xCBd" 400 166 "-" "-" - TO: - [\x00\x00\x00TZ\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x10\x04\x01.\x05\x00\x00\x00\x00\x81I\xA8\xC0\x00\x0C)\x83z\xBB\x01\x00z\xDAf\x00\x8D\x16\xD2~\x9DU\x05\xF1\x1Fi\xBB\xA9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC3\xD0\xA2|\xA6v\xBD\xF3\x1EO\xD1\xCB\xDC\xAE\xCBd] upstream_response_time - msec 1625194335.607 request_time 0.340
>
> 02/Jul/2021:03:06:21 +0000 INFO [ FROM: 172.105.65.157 - - ]"" 400 0 "-" "-" - TO: - [] upstream_response_time - msec 1625195181.693 request_time 1.509
>
> 02/Jul/2021:05:43:58 +0000 INFO [ FROM: 87.251.67.156 - - ]"\x03\x00\x00/\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 166 "-" "-" - TO: - [\x03\x00\x00/\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr] upstream_response_time - msec 1625204638.805 request_time 0.179

kachmul2004 avatar Jul 23 '21 11:07 kachmul2004

I found this by searching. I got a \x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie: mstshash=Administr request on a service that is not flask (custom build as experiment), and it runs on a custom port, and was active for only a few hours before receiving the attack — before that the port wasn’t even forwarded to the machine.

ArneBab avatar Oct 15 '21 07:10 ArneBab

running on an ubuntu 20.04.3 server with

➜ winkeys git:(master) ✗ flask --version
Python 3.8.10
Flask 2.0.1
Werkzeug 2.0.1

on port 5000

here is a list of all the IPs that tried this attack since the first day of the server being up


and here a few of the requests

12 results - 2 files

logs/06-10-2021_13:30:46.log:
   2  INFO:werkzeug:222.186.19.235 - - [06/Oct/2021 15:11:49] "[33mGET http://fuwu.sogou.com/404/index.html HTTP/1.1[0m" 404 -
   3: ERROR:werkzeug:222.186.19.235 - - [06/Oct/2021 15:11:49] code 400, message Bad request version ('À\x14À')
   4  INFO:werkzeug:222.186.19.235 - - [06/Oct/2021 15:11:49] "[35m[1mîêUU×o—à'GxU£5WznÁk6‚1ˆÇ^lk ðÇ¹»Žü7À 3â„¶ÄŒ€Ë#³&”Y

   6  INFO:werkzeug:222.186.19.235 - - [06/Oct/2021 15:11:49] "[33mGET http://fuwu.sogou.com/404/index.html HTTP/1.1[0m" 404 -
   7: ERROR:werkzeug:222.186.19.235 - - [06/Oct/2021 15:11:56] code 400, message Bad request syntax ('\x05\x01\x00')
   8  INFO:werkzeug:222.186.19.235 - - [06/Oct/2021 15:11:56] "[35m[1m[0m" HTTPStatus.BAD_REQUEST -
   9: ERROR:werkzeug:185.217.1.122 - - [06/Oct/2021 18:34:52] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
  10  INFO:werkzeug:185.217.1.122 - - [06/Oct/2021 18:34:52] "[35m[1m/*àCookie: mstshash=Administr[0m" HTTPStatus.BAD_REQUEST -

  22  INFO:werkzeug:80.82.77.227 - - [06/Oct/2021 19:13:13] "[35m[1mGET / HTTP/1.1[0m" 500 -
  23: ERROR:werkzeug:77.83.36.32 - - [07/Oct/2021 02:51:29] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
  24  INFO:werkzeug:77.83.36.32 - - [07/Oct/2021 02:51:29] "[35m[1m/*àCookie: mstshash=Administr[0m" HTTPStatus.BAD_REQUEST -
  25: ERROR:werkzeug:162.142.125.58 - - [07/Oct/2021 11:13:29] code 400, message Bad HTTP/0.9 request type ('\x16\x03\x01\x00{\x01\x00\x00w\x03\x03üW\x11IAU\x9a\x05Î@«¬¨*!á&Ñ8Ë`\x03§@]Dس\x88[\x194\x00\x00\x1aÀ/À+À\x11À\x07À\x13À')
  26  INFO:werkzeug:162.142.125.58 - - [07/Oct/2021 11:13:29] "[35m[1m{wüWIAUšÎ@«¬¨*!á&Ñ8Ë`§@]Dسˆ[4À/À+ÀÀÀÀ	ÀÀ[0m" HTTPStatus.BAD_REQUEST -

  50  INFO:werkzeug:162.142.125.58 - - [07/Oct/2021 11:13:30] "[35m[1mGET / HTTP/1.1[0m" 500 -
  51: ERROR:werkzeug:45.227.254.19 - - [07/Oct/2021 11:43:58] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
  52  INFO:werkzeug:45.227.254.19 - - [07/Oct/2021 11:43:58] "[35m[1m/*àCookie: mstshash=Administr[0m" HTTPStatus.BAD_REQUEST -
  53: ERROR:werkzeug:45.227.254.19 - - [07/Oct/2021 11:43:58] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
  54  INFO:werkzeug:45.227.254.19 - - [07/Oct/2021 11:43:58] "[35m[1m/*àCookie: mstshash=Administr[0m" HTTPStatus.BAD_REQUEST -
  55: ERROR:werkzeug:167.248.133.114 - - [07/Oct/2021 12:34:51] code 400, message Bad request version ('À\x14À')
  56  INFO:werkzeug:167.248.133.114 - - [07/Oct/2021 12:34:51] "[35m[1m{wIv¨I9zWJUþ_1äD=÷0Ìÿ:öž1éÃå6bãÀ/À+ÀÀÀÀ	ÀÀ[0m" HTTPStatus.BAD_REQUEST -

  80  INFO:werkzeug:167.248.133.114 - - [07/Oct/2021 12:34:52] "[35m[1mGET / HTTP/1.1[0m" 500 -
  81: ERROR:werkzeug:94.102.49.159 - - [07/Oct/2021 16:40:25] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
  82  INFO:werkzeug:94.102.49.159 - - [07/Oct/2021 16:40:25] "[35m[1m/*àCookie: mstshash=Administr[0m" HTTPStatus.BAD_REQUEST -
  83: ERROR:werkzeug:94.102.49.159 - - [07/Oct/2021 17:41:51] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
  84  INFO:werkzeug:94.102.49.159 - - [07/Oct/2021 17:41:51] "[35m[1m/*àCookie: mstshash=Administr[0m" HTTPStatus.BAD_REQUEST -

logs/17-10-2021_17:48:38.log:
   59  INFO:werkzeug:192.241.201.135 - - [18/Oct/2021 00:36:34] "[35m[1mGET / HTTP/1.1[0m" 500 -
   60: ERROR:werkzeug:87.251.67.40 - - [18/Oct/2021 06:52:10] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
   61  INFO:werkzeug:87.251.67.40 - - [18/Oct/2021 06:52:10] "[35m[1m/*àCookie: mstshash=Administr[0m" HTTPStatus.BAD_REQUEST -

  113  INFO:werkzeug:143.198.138.213 - - [18/Oct/2021 10:21:01] "[35m[1mGET / HTTP/1.0[0m" 500 -
  114: ERROR:werkzeug:77.83.36.32 - - [18/Oct/2021 11:39:23] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
  115  INFO:werkzeug:77.83.36.32 - - [18/Oct/2021 11:39:23] "[35m[1m/*àCookie: mstshash=Administr[0m" HTTPStatus.BAD_REQUEST -

i'll add the user agents next, but they didn't want to save before, just updated my code

yapudjus avatar Oct 18 '21 18:10 yapudjus

rather than pasting the information here, report them to proper blacklisting sites so that everyone is able to blacklist them. This brings no added value to this issue.

Letme avatar Oct 18 '21 18:10 Letme

193.106.29.74 - - [08/Jun/2022 14:30:32] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
193.106.29.74 - - [08/Jun/2022 14:30:32] "/*àCookie: mstshash=Administr" 400 -

unknown10777 avatar Jun 08 '22 08:06 unknown10777

Why are there always fucking idiots wanting to attack RDP through a python http.server port? I'm on port 11411

unknown10777 avatar Jun 08 '22 08:06 unknown10777

> Why are there always fucking idiots wanting to attack RDP through a python http.server port? I'm on port 11411

They are bots. Set up to run Nmap scripts, which scan IPs all day long looking for open RDP ports.... Once you run your app, you're essentially broadcasting a signal on the port you specified. When the bot scans your IP, it sees that you're running an application on said port, but for some reason the 'bot' sees it as an RDP application(?), and tries to run these cockamamie exploits by injecting code into the URL.

For most people it's nothing to really worry about. As long as you have RDP turned off, and have updated firmware/software on your comp/server/application. Just keep an eye on it, and make sure it's not trying to do anything else.

Since it takes longer for network scanners like Nmap to scan ports at higher ranges (i.e. scanning ports 1-10,000 takes way less time than scanning 1-65,535), it might also help to use a higher (more uncommon) port number, as someone above stated.

MadMazz1 avatar Dec 26 '22 20:12 MadMazz1

> Why are there always fucking idiots wanting to attack RDP through a python http.server port? I'm on port 11411

> They are bots. Set up to run Nmap scripts, which scan IPs all day long looking for open RDP ports.... Once you run your app, you're essentially broadcasting a signal on the port you specified. When the bot scans your IP, it sees that you're running an application on said port, but for some reason the 'bot' sees it as an RDP application(?), and tries to run these cockamamie exploits by injecting code into the URL.
>
> For most people it's nothing to really worry about. As long as you have RDP turned off, and have updated firmware/software on your comp/server/application. Just keep an eye on it, and make sure it's not trying to do anything else.
>
> Since it takes longer for network scanners like Nmap to scan ports at higher ranges (i.e. scanning ports 1-10,000 takes way less time than scanning 1-65,535), it might also help to use a higher (more uncommon) port number, as someone above stated.

Thanks for this information. I am kind of a newbie on this. I also got this message. What could the bot do to my machine or my network? Also, how do I prevent these bots or attacks on my server?

AndyAlvarez avatar Apr 04 '24 20:04 AndyAlvarez