Django talk: Possible hack attempt

I'm working on launching a site which currently is still linked to only an IP and thanks to how digitalocean recommends setting it up and how I built it I feel it's relatively safe provided that the security I implemented on ubuntu as recommended and Django's inbuilt security avoiding file browsing outside set path's and accessing info is maintained.

Still though getting this emails thanks to error handling shows someone is trying to access my sock file and I think it's only right this is pointed out to know if there's a known vulnerability.

Invalid HTTP_HOST header: '/home/sammy/webapp/decomagna/deco.sock:'. The domain name provided is not valid according to RFC 1034/1035.

Report at /

Invalid HTTP_HOST header: '/home/sammy/webapp/decomagna/deco.sock:'. The domain name provided is not valid according to RFC 1034/1035.

Request Method: GET

Request URL: http:///home/sammy/webapp/decomagna/deco.sock:/

Django Version: 2.0

Python Executable: /home/sammy/webapp/envs/deco/bin/python3

Python Version: 3.5.2

Python Path: ['/home/sammy/webapp/decomagna', '/home/sammy/webapp/envs/deco/bin', '/home/sammy/webapp/envs/deco/lib/python35.zip', '/home/sammy/webapp/envs/deco/lib/python3.5', '/home/sammy/webapp/envs/deco/lib/python3.5/plat-x86_64-linux-gnu', '/home/sammy/webapp/envs/deco/lib/python3.5/lib-dynload', '/usr/lib/python3.5', '/usr/lib/python3.5/plat-x86_64-linux-gnu', '/home/sammy/webapp/envs/deco/lib/python3.5/site-packages']

Server time: Thu, 31 Jan 2019 21:16:48 +0000

Installed Applications:

['django.contrib.admin',

'django.contrib.auth',

'django.contrib.contenttypes',

'django.contrib.sessions',

'django.contrib.messages',

'django.contrib.staticfiles',

'location_field.apps.DefaultConfig',

'mptt',

'ckeditor',

'ckeditor_uploader',

'inventory',

'common',

'pages']

Installed Middleware:

['django.middleware.security.SecurityMiddleware',

'django.contrib.sessions.middleware.SessionMiddleware',

'django.middleware.common.CommonMiddleware',

'django.middleware.csrf.CsrfViewMiddleware',

'django.contrib.auth.middleware.AuthenticationMiddleware',

'django.contrib.messages.middleware.MessageMiddleware',

'django.middleware.clickjacking.XFrameOptionsMiddleware']

Request information:

USER: [unable to retrieve the current user]

GET: No GET data

POST: No POST data

FILES: No FILES data

COOKIES: No cookie data

META:

HTTP_ACCEPT = '*/*'

HTTP_CONNECTION = 'close'

HTTP_USER_AGENT = 'Mozilla/5.0(WindowsNT6.1;rv:31.0)Gecko/20100101Firefox/31.0'

HTTP_X_FORWARDED_FOR = '196.52.43.114'

HTTP_X_FORWARDED_PROTO = 'http'

HTTP_X_REAL_IP = '196.52.43.114'

PATH_INFO = '/'

QUERY_STRING = ''

RAW_URI = '/'

REMOTE_ADDR = ''

REQUEST_METHOD = 'GET'

SCRIPT_NAME = ''

SERVER_NAME = '/home/sammy/webapp/decomagna/deco.sock'

SERVER_PORT = ''

SERVER_PROTOCOL = 'HTTP/1.0'

SERVER_SOFTWARE = 'gunicorn/19.9.0'

gunicorn.socket = <socket.socket fd=10, family=AddressFamily.AF_UNIX, type=SocketKind.SOCK_STREAM, proto=0, laddr=/home/sammy/webapp/decomagna/deco.sock>

wsgi.errors = <gunicorn.http.wsgi.WSGIErrorsWrapper object at 0x7fa284bcea90>

wsgi.file_wrapper = ''

wsgi.input = <gunicorn.http.body.Body object at 0x7fa284bdbe10>

wsgi.multiprocess = True

wsgi.multithread = False

wsgi.run_once = False

wsgi.url_scheme = 'http'

wsgi.version = '(1, 0)'

Settings:

Using settings module decomagna.settings

ABSOLUTE_URL_OVERRIDES = {}

ADMINS = [('Samuel Muiruri', 'muiruri.samuel@gmail.com')]

ALLOWED_HOSTS = ['68.183.98.238']

APPEND_SLASH = True

AUTHENTICATION_BACKENDS = ['django.contrib.auth.backends.ModelBackend']

AUTH_PASSWORD_VALIDATORS = '********************'

AUTH_USER_MODEL = 'auth.User'

BASE_DIR = '/home/sammy/webapp/decomagna'

CACHES = {'default': {'BACKEND': 'django.core.cache.backends.locmem.LocMemCache'}}

CACHE_MIDDLEWARE_ALIAS = 'default'

CACHE_MIDDLEWARE_KEY_PREFIX = '********************'

CACHE_MIDDLEWARE_SECONDS = 600

CKEDITOR_BASEPATH = '/static/ckeditor/ckeditor/'

CKEDITOR_CONFIGS = {'default': {'toolbar': None, 'allowedContent': True}, 'disableNativeSpellChecker': False, 'basic_ckeditor': {'toolbar': 'Basic'}}

CKEDITOR_UPLOAD_PATH = 'ckeditor/'

CONTACT_ADMINS = []

CSRF_COOKIE_AGE = 31449600

CSRF_COOKIE_DOMAIN = None

CSRF_COOKIE_HTTPONLY = False

CSRF_COOKIE_NAME = 'csrftoken'

CSRF_COOKIE_PATH = '/'

CSRF_COOKIE_SECURE = False

CSRF_FAILURE_VIEW = 'django.views.csrf.csrf_failure'

CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN'

CSRF_TRUSTED_ORIGINS = []

CSRF_USE_SESSIONS = False

DATABASES = ...

DATABASE_ROUTERS = []

DATA_UPLOAD_MAX_MEMORY_SIZE = 2621440

DATA_UPLOAD_MAX_NUMBER_FIELDS = 1000

DATETIME_FORMAT = 'N j, Y, P'

DATETIME_INPUT_FORMATS = ['%Y-%m-%d %H:%M:%S', '%Y-%m-%d %H:%M:%S.%f', '%Y-%m-%d %H:%M', '%Y-%m-%d', '%m/%d/%Y %H:%M:%S', '%m/%d/%Y %H:%M:%S.%f', '%m/%d/%Y %H:%M', '%m/%d/%Y', '%m/%d/%y %H:%M:%S', '%m/%d/%y %H:%M:%S.%f', '%m/%d/%y %H:%M', '%m/%d/%y']

DATE_FORMAT = 'N j, Y'

DATE_INPUT_FORMATS = ['%Y-%m-%d', '%m/%d/%Y', '%m/%d/%y', '%b %d %Y', '%b %d, %Y', '%d %b %Y', '%d %b, %Y', '%B %d %Y', '%B %d, %Y', '%d %B %Y', '%d %B, %Y']

DEBUG = False

DEBUG_PROPAGATE_EXCEPTIONS = False

DECIMAL_SEPARATOR = '.'

DEFAULT_CHARSET = 'utf-8'

DEFAULT_CONTENT_TYPE = 'text/html'

DEFAULT_EXCEPTION_REPORTER_FILTER = 'django.views.debug.SafeExceptionReporterFilter'

DEFAULT_FILE_STORAGE = 'django.core.files.storage.FileSystemStorage'

DEFAULT_FROM_EMAIL = 'webmaster@localhost'

DEFAULT_INDEX_TABLESPACE = ''

DEFAULT_TABLESPACE = ''

DISALLOWED_USER_AGENTS = []

EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'

EMAIL_HOST = 'smtp.gmail.com'

EMAIL_HOST_PASSWORD = '********************'

EMAIL_HOST_USER = 'no-reply@decomagna.com'

EMAIL_PORT = 587

EMAIL_SSL_CERTFILE = None

EMAIL_SSL_KEYFILE = '********************'

EMAIL_SUBJECT_PREFIX = '[Django] '

EMAIL_TIMEOUT = None

EMAIL_USE_LOCALTIME = False

EMAIL_USE_SSL = False

EMAIL_USE_TLS = True

FILE_CHARSET = 'utf-8'

FILE_UPLOAD_DIRECTORY_PERMISSIONS = None

FILE_UPLOAD_HANDLERS = ['django.core.files.uploadhandler.MemoryFileUploadHandler', 'django.core.files.uploadhandler.TemporaryFileUploadHandler']

FILE_UPLOAD_MAX_MEMORY_SIZE = 2621440

FILE_UPLOAD_PERMISSIONS = None

FILE_UPLOAD_TEMP_DIR = None

FIRST_DAY_OF_WEEK = 0

FIXTURE_DIRS = []

FORCE_SCRIPT_NAME = None

FORMAT_MODULE_PATH = None

FORM_RENDERER = 'django.forms.renderers.DjangoTemplates'

GOOGLE_MAPS_API_KEY = '********************'

IGNORABLE_404_URLS = []

INSTALLED_APPS = ['django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', 'location_field.apps.DefaultConfig', 'mptt', 'ckeditor', 'ckeditor_uploader', 'inventory', 'common', 'pages']

INTERNAL_IPS = []

LANGUAGES = ...

LANGUAGES_BIDI = ['he', 'ar', 'fa', 'ur']

LANGUAGE_CODE = 'en-us'

LANGUAGE_COOKIE_AGE = None

LANGUAGE_COOKIE_DOMAIN = None

LANGUAGE_COOKIE_NAME = 'django_language'

LANGUAGE_COOKIE_PATH = '/'

LOCALE_PATHS = []

LOCATION_FIELD = {'provider.google.map_type': 'ROADMAP', 'provider.mapbox.id': 'mapbox.streets', 'resources.media': {'js': ['/static/location_field/js/jquery.livequery.js', '/static/location_field/js/form.js']}, 'map.provider': 'google', 'provider.mapbox.access_token': '********************', 'provider.mapbox.max_zoom': 18, 'search.suffix': '', 'search.provider': 'google', 'map.zoom': 13, 'provider.google.api': '********************', 'resources.root_path': '/static/location_field', 'provider.google.api_key': '********************', 'provider.openstreetmap.max_zoom': 18}

LOGGING = {}

LOGGING_CONFIG = 'logging.config.dictConfig'

LOGIN_REDIRECT_URL = '/accounts/profile/'

LOGIN_URL = '/sign-up'

LOGOUT_REDIRECT_URL = None

MANAGERS = []

MEDIA_ROOT = '/home/sammy/webapp/decomagna/media'

MEDIA_URL = '/media/'

MESSAGE_STORAGE = 'django.contrib.messages.storage.fallback.FallbackStorage'

MIDDLEWARE = ['django.middleware.security.SecurityMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware']

MIGRATION_MODULES = {}

MONTH_DAY_FORMAT = 'F j'

NUMBER_GROUPING = 0

PASSWORD_HASHERS = '********************'

PASSWORD_RESET_TIMEOUT_DAYS = '********************'

PREPEND_WWW = False

ROOT_URLCONF = 'decomagna.urls'

SECRET_KEY = '********************'

SECURE_BROWSER_XSS_FILTER = False

SECURE_CONTENT_TYPE_NOSNIFF = False

SECURE_HSTS_INCLUDE_SUBDOMAINS = False

SECURE_HSTS_PRELOAD = False

SECURE_HSTS_SECONDS = 0

SECURE_PROXY_SSL_HEADER = None

SECURE_REDIRECT_EXEMPT = []

SECURE_SSL_HOST = None

SECURE_SSL_REDIRECT = False

SERVER_EMAIL = 'no-reply@decomagna.com'

SESSION_CACHE_ALIAS = 'default'

SESSION_COOKIE_AGE = 1209600

SESSION_COOKIE_DOMAIN = None

SESSION_COOKIE_HTTPONLY = True

SESSION_COOKIE_NAME = 'sessionid'

SESSION_COOKIE_PATH = '/'

SESSION_COOKIE_SECURE = False

SESSION_ENGINE = 'django.contrib.sessions.backends.db'

SESSION_EXPIRE_AT_BROWSER_CLOSE = False

SESSION_FILE_PATH = None

SESSION_SAVE_EVERY_REQUEST = False

SESSION_SERIALIZER = 'django.contrib.sessions.serializers.JSONSerializer'

SETTINGS_MODULE = 'decomagna.settings'

SHORT_DATETIME_FORMAT = 'm/d/Y P'

SHORT_DATE_FORMAT = 'm/d/Y'

SIGNING_BACKEND = 'django.core.signing.TimestampSigner'

SILENCED_SYSTEM_CHECKS = []

SITE_NAME = 'DecoMagna'

STATICFILES_DIRS = "('/home/sammy/webapp/decomagna/static',)"

STATICFILES_FINDERS = ['django.contrib.staticfiles.finders.FileSystemFinder', 'django.contrib.staticfiles.finders.AppDirectoriesFinder']

STATICFILES_STORAGE = 'django.contrib.staticfiles.storage.StaticFilesStorage'

STATIC_ROOT = None

STATIC_URL = '/static/'

TEMPLATES = [{'BACKEND': 'django.template.backends.django.DjangoTemplates', 'APP_DIRS': True, 'DIRS': ['/home/sammy/webapp/decomagna/templates'], 'OPTIONS': {'context_processors': ['django.template.context_processors.debug', 'django.template.context_processors.request', 'django.contrib.auth.context_processors.auth', 'django.contrib.messages.context_processors.messages', 'pages.context_processors.pages']}}]

TEST_NON_SERIALIZED_APPS = []

TEST_RUNNER = 'django.test.runner.DiscoverRunner'

THOUSAND_SEPARATOR = ','

TIME_FORMAT = 'P'

TIME_INPUT_FORMATS = ['%H:%M:%S', '%H:%M:%S.%f', '%H:%M']

TIME_ZONE = 'UTC'

UPLOADCARE = {'pub_key': '********************', 'secret': '********************'}

UPLOAD_DIR = '/home/sammy/webapp/decomagna/media/uploads'

USE_ETAGS = False

USE_I18N = True

USE_L10N = True

USE_THOUSAND_SEPARATOR = False

USE_TZ = True

USE_X_FORWARDED_HOST = False

USE_X_FORWARDED_PORT = False

WSGI_APPLICATION = 'decomagna.wsgi.application'

X_FRAME_OPTIONS = 'SAMEORIGIN'

YEAR_MONTH_FORMAT = 'F Y'

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/8d14d16c-4dce-4ddf-9e6f-7396ef8cf997%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Django talk

Thursday, January 31, 2019

Possible hack attempt

No comments:

Post a Comment

Followers

Blog Archive

About Me