Title: Apache Struts2 remote code execution Last modified: December 19, 2017 --- # Apache Struts2 remote code execution * Resolved [newwper3](https://wordpress.org/support/users/newwper3/) * (@newwper3) * [8 years, 5 months ago](https://wordpress.org/support/topic/apache-struts2-remote-code-execution/) * Hi, * Does it mean the attack was from my server? Because I saw the IP is my server IP. * `127.0.0.1 GET /index.php - Apache Struts2 remote code execution CVE-2017-5638-[ SERVER:CONTENT_TYPE = %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(# _memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2. ActionContext.co...] - xxx.xxx.xxx (my server ip)` * Is my website safe? Thanks 🙂 - This topic was modified 8 years, 5 months ago by [newwper3](https://wordpress.org/support/users/newwper3/). Viewing 3 replies - 1 through 3 (of 3 total) * Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/) * (@nintechnet) * [8 years, 5 months ago](https://wordpress.org/support/topic/apache-struts2-remote-code-execution/#post-9795544) * Hi, * Your site is safe, but 127.0.0.1 is the localhost IP. Do you see it anywhere else in the firewall log, or there is only this occurrence? Is there any warning in the firewall “Overview” page about your IP? * Thread Starter [newwper3](https://wordpress.org/support/users/newwper3/) * (@newwper3) * [8 years, 5 months ago](https://wordpress.org/support/topic/apache-struts2-remote-code-execution/#post-9795848) * Hi, * I also found these: `127.0.0.1 GET /index.php - Bogus user-agent signature -[ SERVER:HTTP_USER_AGENT = User-Agent:Mozilla/4.0` `09/Dec/17 02:27:07 127.0.0.1 GET /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/ 5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com)]` `10/Dec/17 04: 10:45 127.0.0.1 GET /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0/cc-prepass-https; +info@netcraft. com)]` `15/Dec/17 00:14:56 127.0.0.1 GET /index.php - Suspicious bots/scanners-[ SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0/cc- prepass-https; +info@netcraft.com)]` * I put the .htninja in /home/user/public_html/.htninja, because my hosting not allow to put into /home/user/.htninja. I guess maybe cause by Cloudflare, Cleantalk spam firewall or Varnish. * The most important is website is safe, haha * Thanks:) * Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/) * (@nintechnet) * [8 years, 5 months ago](https://wordpress.org/support/topic/apache-struts2-remote-code-execution/#post-9796395) * There’s something wrong with your configuration and/or the .htninja. You can click on “About…” and then on the “System Info” button. It will show you which IP (REMOTE_ADDR) is detected by NinjaFirewall. Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘Apache Struts2 remote code execution’ is closed to new replies. * ![](https://ps.w.org/ninjafirewall/assets/icon-256x256.png?rev=976137) * [NinjaFirewall (WP Edition) - Advanced Security Plugin and Firewall](https://wordpress.org/plugins/ninjafirewall/) * [Frequently Asked Questions](https://wordpress.org/plugins/ninjafirewall/#faq) * [Support Threads](https://wordpress.org/support/plugin/ninjafirewall/) * [Active Topics](https://wordpress.org/support/plugin/ninjafirewall/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/ninjafirewall/unresolved/) * [Reviews](https://wordpress.org/support/plugin/ninjafirewall/reviews/) * 3 replies * 2 participants * Last reply from: [nintechnet](https://wordpress.org/support/users/nintechnet/) * Last activity: [8 years, 5 months ago](https://wordpress.org/support/topic/apache-struts2-remote-code-execution/#post-9796395) * Status: resolved