BotNet Attacks & boaform/admin/formLogin

1. Output of caddy version:

./caddy.exe version
v2.5.1

2. How I run Caddy:

As a reverse proxy for my JellyFin Server in Windows 11 with TLS.

a. System environment:

Edition Windows 11 Pro
Version 21H2
Installed on 8/8/2022
OS build 22000.856
Experience Windows Feature Experience Pack 1000.22000.856.0

b. Command:

NA

c. Service/unit/compose file:

rrprod.tplinkdns.com {
	log {
		output file access.log {
			roll_size 10mb
			roll_keep 20
			roll_keep_for 720h
		}
	}
	reverse_proxy 127.0.0.1:8096
}

d. My complete Caddy config:

rrprod.tplinkdns.com {
	log {
		output file access.log {
			roll_size 10mb
			roll_keep 20
			roll_keep_for 720h
		}
	}
	reverse_proxy 127.0.0.1:8096
}

3. The problem I’m having:

I'm using Caddy as a reverse proxy for my JellyFin media server. It's a public-facing setup which I use, and ever since my media server has gone public to the internet I'm getting the following pop-ups from my antivirus BitDefender almost three times every 30 mins:

Description of the above message:

Feature: Online Threat Prevention
Activity resembling botnet behavior was made by xx.xx.xx.xx We blocked the connection to prevent the infection of your device which would have been used to propagate the threat.

And the frequent IP addresses from where attack originates are as below:


Fed up with these notifications, which affect my gameplay while playing games, I raised this with BitDefender support, gave them the logs of the OS they wanted, and finally they told me that all the suspicious connections were generated by caddy (for some reason I can't post the entire path to caddy.exe as it's not allowing me to post), which tried to connect to http://124.123.97.236:80/boaform/admin/formLogin.

4. What I already tried:

Upon searching about boaform/admin/formLogin I came to know that it's a type of attack used to take privileged access of the OS in a certain manner. Moreover, none of the above IPs are reflected in the access logs of Caddy.

5. Need Help in:

  • a. What is wrong in my setup? Is this nothing but a botnet attack?
  • b. If yes, then how come the IP addresses aren't being reflected in the access log? Is BitDefender detecting these connections before they hit Caddy?
  • c. If no, then how can I find the user-agents of these requests and block them via caddy itself?
  • d. What is boaform/admin/formLogin? I never hosted this in caddy. Where is this path coming from?
  • e. What change shall I do to my media server setup to avoid this? Shall I host it in a subpath instead of /, e.g. rrprod.tplinkdns.com/subpath?

Caddy will ignore requests made with failed TLS handshakes (because it can’t securely do anything with them anyways, because it couldn’t agree on a key to encrypt traffic back to the client).

You can reveal those in your logs by enabling the debug global option. But it’s not really useful to see that noise in your logs other than just to see what’s going on. Add this at the top of your Caddyfile:

{
	debug
}

Nothing wrong. The bots are just failing to connect.

They are already "blocked", because they fail the TLS handshake (partly because they don't use a correct hostname; they just try to connect by IP, which Caddy can't do anything with).

No idea. Bots are probably just crawling the internet trying to hit as many different IP addresses as they can until they find something that does respond. Your server isn’t responding, so they just give up.

Honestly, your BitDefender is just being way too noisy. There’s no problem with Caddy.

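As an added example that is not part of this thread, here is a small Python script that parses Caddy's JSON access log to check questions b and c above: whether an address the antivirus flagged ever completed an HTTP request, and which User-Agents the ones that did were sending. The log lines are a constructed sample (documentation IP ranges, not the poster's data); Caddy v2.5.x records the peer as `remote_addr` ("ip:port") while newer releases add `remote_ip`, so both shapes are handled.

```python
import json
from collections import Counter

# Constructed sample of Caddy JSON access-log lines (not from the original post).
# A connection that fails the TLS handshake never produces a line like these,
# which is why an address can be "blocked" yet absent from access.log.
SAMPLE_LOG = """
{"level":"info","ts":1661000000.1,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_addr":"203.0.113.7:51234","proto":"HTTP/2.0","method":"GET","host":"rrprod.tplinkdns.com","uri":"/web/index.html","headers":{"User-Agent":["Mozilla/5.0 (example browser)"]}},"status":200}
{"level":"info","ts":1661000001.2,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"198.51.100.9","remote_port":"40001","proto":"HTTP/1.1","method":"GET","host":"rrprod.tplinkdns.com","uri":"/boaform/admin/formLogin","headers":{"User-Agent":["python-requests/2.28"]}},"status":404}
{"level":"info","ts":1661000002.3,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_addr":"198.51.100.9:40002","proto":"HTTP/1.1","method":"POST","host":"rrprod.tplinkdns.com","uri":"/boaform/admin/formLogin","headers":{}},"status":404}
not json at all
"""

def peer_ip(req: dict) -> str:
    """Client IP from either the newer 'remote_ip' or the older 'remote_addr' field."""
    if "remote_ip" in req:
        return req["remote_ip"]
    # "ip:port" -> "ip"; rsplit keeps bracketed IPv6 literals such as "[::1]" intact
    return req.get("remote_addr", "").rsplit(":", 1)[0]

def summarize(log_text: str) -> dict:
    """Count requests per client IP and per User-Agent, and record the paths each IP hit."""
    by_ip, by_ua, paths = Counter(), Counter(), {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise, e.g. lines written with the debug option on
        req = entry.get("request")
        if not isinstance(req, dict):
            continue
        ip = peer_ip(req)
        ua = (req.get("headers", {}).get("User-Agent") or ["<none>"])[0]
        by_ip[ip] += 1
        by_ua[ua] += 1
        paths.setdefault(ip, set()).add(req.get("uri", ""))
    return {"by_ip": by_ip, "by_ua": by_ua, "paths": paths}

def seen_in_log(summary: dict, flagged: list) -> dict:
    """For each address the antivirus flagged, report whether it ever completed a request."""
    return {ip: ip in summary["by_ip"] for ip in flagged}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(seen_in_log(s, ["198.51.100.9", "192.0.2.1"]))
    print(s["by_ua"].most_common())
```

Run it against the real access.log instead of SAMPLE_LOG; an address that shows `False` here never got past the TLS handshake, so there is no User-Agent for Caddy to match on.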
