Netgate Discussion Forum

NGINX error - iPhone sending request

General pfSense Questions
11 Posts 3 Posters 1.7k Views
  • N
    newberger
    last edited by Dec 1, 2018, 4:10 PM

    Hi - I was checking my System log and noticed a number of nginx errors that look like they are generated by a request coming from the IP address of one of our iPhones. I'm not sure exactly when it started, but it's within the last 3-4 weeks max.

    They are almost all identical to this (except the *632, which increases each time):

    Dec 1 09:34:06	pfsense.localdomain		nginx: 2018/12/01 09:34:06 [error] 85794#100144: *632 open() "/usr/local/www/cgi-bin/authLogin.cgi" failed (2: No such file or directory), client: 192.168.1.145, server: , request: "GET /cgi-bin/authLogin.cgi? HTTP/1.1", host: "xx.xxx.x.xxx"
    

    I'm not familiar with nginx and, of course, did some searches, but couldn't find anything that was applicable. The host is my external WAN IP address. The only forum post mentioned Avast, which I don't run. Thanks for any assistance!

    1 Reply Last reply Reply Quote 0
    • S
      stephenw10 Netgate Administrator
      last edited by Dec 1, 2018, 4:46 PM

      Something running on your iPhone is trying to access that page at what it sees as its public IP address, the pfSense WAN.
      That request is allowed through the firewall by default as it comes from LAN but that page doesn't exist in pfSense so nginx shows that error trying to serve the request.

      The question is why is your iPhone doing that?

      Steve

      1 Reply Last reply Reply Quote 0
      • N
        newberger
        last edited by Dec 1, 2018, 4:56 PM

        Hi Steve - thanks for the reply, that is a helpful explanation. Yes, I am also wondering why it's trying to do that. I'll see if I can narrow down which app is sending the request via trial and error.

        I wonder if an app (or even the phone) is trying to verify some account login information? If I can identify the app, it may clarify what's going on.

        1 Reply Last reply Reply Quote 0
        • T
          tim.mcmanus
          last edited by Dec 1, 2018, 6:16 PM

          Are you running services on your internal network that are accessible to the internet, like a mail server? If you do not have internal DNS mapping to internal IP addresses, the DNS lookup will return your internet-facing IP address, and that might be causing this situation.

          1 Reply Last reply Reply Quote 1
          • S
            stephenw10 Netgate Administrator
            last edited by Dec 1, 2018, 6:47 PM

            Yes, there's a good chance it's that. In which case:

            https://www.netgate.com/docs/pfsense/nat/accessing-port-forwards-from-local-networks.html

            Steve

            1 Reply Last reply Reply Quote 0
            • N
              newberger
              last edited by Dec 1, 2018, 10:39 PM

              Tim, thanks for the reply, but no, I don't have anything on the internal system that's available to the internet - definitely not running a mail server.

              Steve - I looked at the article and none of my NAT settings are enabled as described in the document. However, I haven't installed anything that would require these changes and this nginx error is fairly new.

              Also the error is listing the IP of the iPhone?

              1 Reply Last reply Reply Quote 0
              • S
                stephenw10 Netgate Administrator
                last edited by Dec 2, 2018, 1:50 PM

                You have no port forwards set up?

                What it looks like is you had something running on your internal network that is resolved to your external WAN address, with dyndns maybe. Your phone was connecting to it externally and now it's inside the network it's still trying.

                Steve

                N 1 Reply Last reply Dec 2, 2018, 6:02 PM Reply Quote 0
                • N
                  newberger @stephenw10
                  last edited by Dec 2, 2018, 6:02 PM

                  Hi Steve - sorry, I do have two port forwards: one external port forward set up, so I can access a specific device (ISY Home Control device) and one internal port forward (NUT control).

                  However, the iPhone that is sending this request does not have the ISY control app installed.

                  1 Reply Last reply Reply Quote 0
                  • S
                    stephenw10 Netgate Administrator
                    last edited by Dec 2, 2018, 6:47 PM

                    @newberger said in NGINX error - iPhone sending request:

                    /usr/local/www/cgi-bin/authLogin.cgi

                    That looks most likely to be a QNAP login page. Do you have a QNAP device?

                    If not, it also appears to be a known exploit vector that something may be attempting to use. Maybe spoofing the IP of your iPhone.

                    Steve

                    1 Reply Last reply Reply Quote 0
                    • N
                      newberger
                      last edited by Dec 3, 2018, 5:03 PM

                      Steve - Yes, I do have a QNAP NAS. The phone does back up to the QNAP via the QFile app, but the app was not running when these requests were sent.

                      The requests are only occurring when the phone is in the home, on wifi, so I don't think it's another device spoofing.

                      I didn't see anything in online search results that indicated that this is QNAP-related. However, after your post, when I search online for only "authLogin.cgi", I see the exploit you are describing. I had just run QNAP's malware scanner yesterday (due to a different email) and the NAS showed to be clean.

                      1 Reply Last reply Reply Quote 0
                      • S
                        stephenw10 Netgate Administrator
                        last edited by Dec 3, 2018, 5:17 PM

                        Ok, if your phone is backing up to the QNAP it's likely legitimate traffic rather than something trying to exploit the NAS.
                        However it's running at the wrong time then as it's trying to connect via what the QNAP sees as its external address and instead hitting the pfSense GUI.
                        It's probably harmless but you could block access to the WAN address on port 443 from the LAN subnet to prevent it.

                        Steve

                        1 Reply Last reply Reply Quote 0
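
A triage sketch for the log entries discussed in this thread, added as an example and not part of any participant's post: it parses nginx "No such file or directory" errors in the format quoted in the first post and counts them per client, requested path and Host header, so a LAN device repeatedly requesting another product's page at the WAN address stands out. The LAN subnet 192.168.1.0/24 and the sample lines (with 203.0.113.10 standing in for the redacted WAN address) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed LAN subnet, inferred from the client address shown in the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines in the format of the quoted log entry.
# 203.0.113.10 stands in for the redacted WAN address.
SAMPLE_LOG = """\
Dec 1 09:34:06 pfsense.localdomain nginx: 2018/12/01 09:34:06 [error] 85794#100144: *632 open() "/usr/local/www/cgi-bin/authLogin.cgi" failed (2: No such file or directory), client: 192.168.1.145, server: , request: "GET /cgi-bin/authLogin.cgi? HTTP/1.1", host: "203.0.113.10"
Dec 1 09:39:06 pfsense.localdomain nginx: 2018/12/01 09:39:06 [error] 85794#100144: *633 open() "/usr/local/www/cgi-bin/authLogin.cgi" failed (2: No such file or directory), client: 192.168.1.145, server: , request: "GET /cgi-bin/authLogin.cgi? HTTP/1.1", host: "203.0.113.10"
Dec 1 09:41:12 pfsense.localdomain nginx: 2018/12/01 09:41:12 [error] 85794#100144: *640 open() "/usr/local/www/index.html" failed (2: No such file or directory), client: 198.51.100.7, server: , request: "GET /index.html HTTP/1.1", host: "203.0.113.10"
Dec 1 09:42:00 pfsense.localdomain sshd[4242]: unrelated message that must be skipped
"""

LINE_RE = re.compile(
    r'\[error\] \d+#\d+: \*\d+ open\(\) "[^"]+" failed '
    r'\(2: No such file or directory\), client: (?P<client>[^,]+), '
    r'server: [^,]*, request: "\S+ (?P<uri>\S+) [^"]*", host: "(?P<host>[^"]+)"'
)

def parse_line(line):
    """Return client, origin, path and host for a file-not-found entry, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    client = ipaddress.ip_address(m["client"])
    return {
        "client": str(client),
        "origin": "LAN" if client in LAN else "other",
        "path": m["uri"].split("?", 1)[0],  # drop the query string
        "host": m["host"],
    }

def summarize(log_text):
    """Count matching entries per (client, origin, path, host)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            hits[(rec["client"], rec["origin"], rec["path"], rec["host"])] += 1
    return hits

if __name__ == "__main__":
    for (client, origin, path, host), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {client:15s} {origin:5s} {path}  (Host: {host})")
```
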
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.