
Attacks to autodiscover.cgi

Comments

7 comments

  • cPRex Jurassic Moderator
    Hey there! Can you let me know which logs you're seeing those entries in? Do you have any tools like Nginx running on the machine that may be hiding the real IP address?
  • Arvy
    Hi @cPRex, these logs are from the Apache "default" log file, /var/log/apache2/access_log. No tools running; the server is 100% cPanel, no external tools. I think this is related to the Apache "proxy" (maybe?), so I cannot detect the real attacker IP for fail2ban. Thanks.
  • cPRex Jurassic Moderator
    That's very odd, as Apache doesn't have any type of proxy tools installed by default. Could you open a ticket with our team so we can check this?
  • Arvy
    Maybe something related to websocket? I found in httpd.conf:

        RewriteCond %{HTTP_HOST} =autodiscover.example.com.br [OR]
        RewriteCond %{HTTP_HOST} =autodiscover.example.com.br:443
        RewriteCond %{HTTP:Upgrade} !websocket [nocase]
        RewriteRule ^ http://127.0.0.1/cgi-sys/autodiscover.cgi [P]
        RewriteCond %{HTTP_HOST} =cpanel.example.com.br [OR]
        RewriteCond %{HTTP_HOST} =cpanel.example.com.br:443
        RewriteCond %{HTTP:Upgrade} !websocket [nocase]
  • cPRex Jurassic Moderator
    All cPanel servers have those entries to handle the various rewrites, but I wouldn't expect that to cause an issue.
  • Arvy
    I think they are attacks on autodiscover.cgi in different domains, in the accounts, and the CGI logs them as localhost (due to the rewrite?). The problem is how to monitor and discover the attacker's IP. This is not critical, anyway, because it is not affecting the server's performance.
  • cPRex Jurassic Moderator
    I just checked on my personal server by going to domain.com/cgi-sys/autodiscover.cgi and that does show me the correct IP address in the logs. I also tried autodiscover.domain.com, and that also logged the IP how I would expect. If you're not seeing that, you should put in a ticket so we can check the behavior on the server.
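Added example, not part of the thread above and not cPanel's own tooling: recovering the real client address for the proxied hop. The RewriteRule quoted earlier uses the [P] flag, so mod_proxy re-requests /cgi-sys/autodiscover.cgi from 127.0.0.1 and, by default on Apache 2.4 (ProxyAddHeaders On), appends the connecting peer to an X-Forwarded-For header. That header is not in the stock combined LogFormat, so this example assumes the operator added a trailing "%{X-Forwarded-For}i" field to the LogFormat (that extra field, the sample log lines and the addresses are all constructed for the example). The script only trusts X-Forwarded-For when the direct peer is the loopback proxy, and takes the last hop, since an attacker can put anything in the earlier entries.

```python
"""Attribute proxied autodiscover.cgi hits to the real client address.

Added example for the thread above; assumes a log line in Apache combined
format followed by one extra quoted field: %{X-Forwarded-For}i ("-" if absent).
"""
import ipaddress
import re
from collections import Counter

# Combined log format plus one trailing quoted X-Forwarded-For field.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<xff>[^"]*)"$'
)

# The only peers allowed to vouch for X-Forwarded-For: the local mod_proxy hop.
# Any other peer can forge the header, so it is ignored for them.
INTERNAL_PROXIES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

TARGET = "/cgi-sys/autodiscover.cgi"

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    # proxied hop: attacker 203.0.113.9 hit the autodiscover vhost directly
    '127.0.0.1 - - [10/Mar/2024:03:14:07 +0000] "POST /cgi-sys/autodiscover.cgi HTTP/1.1" '
    '401 381 "-" "Microsoft Office/16.0" "203.0.113.9"',
    # proxied hop: attacker sent a forged XFF; mod_proxy appended the true peer last
    '127.0.0.1 - - [10/Mar/2024:03:14:08 +0000] "POST /cgi-sys/autodiscover.cgi HTTP/1.1" '
    '401 381 "-" "curl/8.4.0" "10.0.0.5, 203.0.113.9"',
    # direct request from a non-proxy peer carrying a forged XFF: header ignored
    '198.51.100.7 - - [10/Mar/2024:03:15:00 +0000] "POST /cgi-sys/autodiscover.cgi HTTP/1.1" '
    '401 381 "-" "curl/8.4.0" "192.0.2.1"',
    # unrelated request: not counted
    '198.51.100.7 - - [10/Mar/2024:03:15:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"',
]


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def client_ip(entry):
    """Return the address a request should be attributed to.

    When the direct peer is the internal proxy, use the LAST hop of
    X-Forwarded-For: that is the one mod_proxy appended, i.e. the peer that
    actually connected to the public vhost. Earlier hops are client-supplied.
    """
    remote = ipaddress.ip_address(entry["remote"])
    if remote not in INTERNAL_PROXIES or entry["xff"] in ("", "-"):
        return remote
    last_hop = entry["xff"].split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last_hop)
    except ValueError:
        # Malformed header from the proxy hop: fall back to the peer address.
        return remote


def autodiscover_hits(lines):
    """Count requests to autodiscover.cgi per real client address."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or TARGET not in entry["request"]:
            continue
        counts[str(client_ip(entry))] += 1
    return counts


def ban_candidates(counts, threshold):
    """Addresses with at least `threshold` hits, busiest first (fail2ban-style)."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    hits = autodiscover_hits(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip:16} {n} hit(s)")
    print("ban candidates:", ban_candidates(hits, 2))
```

With the extra LogFormat field in place, the same regex can be turned into a fail2ban failregex keyed on the last X-Forwarded-For hop instead of the first column; the alternative is mod_remoteip (RemoteIPHeader X-Forwarded-For plus RemoteIPInternalProxy 127.0.0.1), which rewrites the logged peer address so the stock fail2ban apache filters work unchanged.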
