Hey guys! I need help, my web server (nginx) default page is all messed up, with a very very weird message on it, anyone seen this before?
" Nothing there anymore! But the future’s ever changing, and something might appear there, someday! "
My log is filled with very odd stuff: http://lxp.fr/i3Mx0bbLG0
@Kooda Have you been exploited? I think those \x things in the log are unicode characters. Have you tried decoding them?
@ebarrett I can’t think of any thing else than an exploit yeah… :/
I haven’t tried decoding them, but I found one file in my file system that has this message, and its’s an nginx cache entry.
@Kooda Is it a static site?
@ebarrett It is yes, and this page doesn’t exist in the static files.
@ebarrett Also, this message appears on *every* site I host, when the URL path is "/"
@Kooda That sounds very suspicious indeed. I'd tar up everything for post mortem.
@ebarrett A backup is running as we speak. But I don’t feel really qualified to find out what the problem is. :(
When I disable nginx’s cache, the message disapears.
@Kooda I think you need to speak to the nginx devs. Also perhaps have a look at this: https://www.cvedetails.com/product/17956/Nginx-Nginx.html?vendor_id=10048
@Kooda Searching the message shows up one hit on startpage: your site. https://www.startpage.com/do/dsearch?query=%22Nothing+there+anymore%21+But+the+future%E2%80%99s+ever+changing%2C+and+something+might+appear+there%2C+someday%21%22&cat=web&pl=opensearch&language=english
@ebarrett The resolver for this machine is the local resolver of the network, I didn’t configure anything special for nginx.
@Kooda Well I'm out of ideas, but let us know what happens! Good luck!
@ebarrett I found the cause!!!! Oh my god it’s so silly!
This message is the index.xhtml of an other website I host! For some reason there is a cache collision and it appeared for every "GET /" on the server!
@Kooda Glad you were not compromised!
@ebarrett I’m glad too! It was quite a stressful experience! 😔