This repository has been archived by the owner on Jun 7, 2020. It is now read-only.

"Invalid HTTP_HOST header" error at /command.php #19

Open
yoowul opened this issue May 4, 2017 · 3 comments

Comments

@yoowul
Contributor

yoowul commented May 4, 2017

Django is sending reports of attempted connections via the host's IP address, which is currently not added as an allowed host - some part of the code must be trying to use the host's IP instead of the domain name.
external_ip_error.pdf

```
Invalid HTTP_HOST header: '217.182.206.229'. You may need to add '217.182.206.229' to ALLOWED_HOSTS.

Report at /command.php
Invalid HTTP_HOST header: '217.182.206.229'. You may need to add '217.182.206.229' to ALLOWED_HOSTS.

Request Method: POST
Request URL: http://217.182.206.229/command.php
Django Version: 1.10.1
Python Executable: /usr/local/bin/python3.6
Python Version: 3.6.1
Python Path: ['/code', '/usr/local/bin', '/usr/local/lib/python36.zip', '/usr/local/lib/python3.6', '/usr/local/lib/python3.6/lib-dynload', '/usr/local/lib/python3.6/site-packages']
Server time: Tue, 9 May 2017 07:51:13 +0000
cmd = 'cd /var/tmp && echo -ne \\\\x3610cker > 610cker.txt && cat 610cker.txt'

FILES: No FILES data

COOKIES: No cookie data

META:
CONTENT_LENGTH = '208'
CONTENT_TYPE = 'application/x-www-form-urlencoded'
HTTP_ACCEPT = '*/*'
HTTP_CONNECTION = 'close'
HTTP_HOST = '217.182.206.229'
HTTP_USER_AGENT = 'Wget(linux)'
HTTP_X_FORWARDED_FOR = '177.142.194.219'
HTTP_X_REAL_IP = '177.142.194.219'
PATH_INFO = '/command.php'
QUERY_STRING = ''
RAW_URI = '/command.php'
REMOTE_ADDR = '172.20.0.5'
REMOTE_PORT = '53834'
REQUEST_METHOD = 'POST'
SCRIPT_NAME = ''
SERVER_NAME = '0.0.0.0'
SERVER_PORT = '8000'
SERVER_PROTOCOL = 'HTTP/1.0'
SERVER_SOFTWARE = 'gunicorn/19.6.0'
gunicorn.socket = <socket.socket fd=11, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('172.20.0.3', 8000), raddr=('172.20.0.5', 53834)>
wsgi.errors = <gunicorn.http.wsgi.WSGIErrorsWrapper object at 0x7f5bdfe6be48>
wsgi.file_wrapper = ''
wsgi.input = <gunicorn.http.body.Body object at 0x7f5bdfe6bda0>
```

@yoowul yoowul added the bug label May 4, 2017
@cameel
Member

cameel commented May 9, 2017

Please paste the text directly instead of using opaque files like PDF.

@cameel
Member

cameel commented May 9, 2017

OK. Now it's better. Please also use literal blocks for such text. Most of it is code and it makes it easier to read it.

This looks like an attack after all. These lines are the most suspicious:

```
Request URL: http://217.182.206.229/command.php
cmd = 'cd /var/tmp && echo -ne \\\\x3610cker > 610cker.txt && cat 610cker.txt'
HTTP_USER_AGENT = 'Wget(linux)'
PATH_INFO = '/command.php'
RAW_URI = '/command.php'
```

It's trying to execute a command on your server! By googling 610cker.txt I found this: Observing Large-Scale Router Exploit Attempts.

It's trying to exploit PHP vulnerabilities so it's not dangerous but there are other possible attacks that may succeed. You should block it on the firewall before it even gets to Django. Maybe try something like fail2ban.

@cameel cameel added security and removed bug labels May 9, 2017
@cameel cameel changed the title from "Django reporting external ip error" to "Invalid HTTP_HOST header at /command.php" May 9, 2017
@cameel cameel changed the title from "Invalid HTTP_HOST header at /command.php" to "Invalid HTTP_HOST header error at /command.php" May 9, 2017
@cameel cameel changed the title from "Invalid HTTP_HOST header error at /command.php" to ""Invalid HTTP_HOST header" error at /command.php" May 9, 2017
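
One way to turn reports like the one above into a list of addresses to block before they reach Django, as the comment suggests. This is an added example, not part of the original thread or the project's code. The `ALLOWED_HOSTS` value, the `172.20.0.0/16` proxy network, the threshold and the sample reports are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

ALLOWED_HOSTS = {"example.org"}  # assumption: the site's real domain name
# Assumption: the reverse proxy reaches gunicorn from this private network.
TRUSTED_PROXIES = [ipaddress.ip_network("172.20.0.0/16")]
META_LINE = re.compile(r"^(\w[\w.]*) = '(.*)'$")

# Constructed sample reports (documentation-range IPs), META layout as in the report.
TEMPLATE = "HTTP_HOST = '{}'\nHTTP_X_REAL_IP = '{}'\nPATH_INFO = '{}'\nREMOTE_ADDR = '{}'"
SAMPLE_REPORTS = [TEMPLATE.format(*row) for row in [
    ("192.0.2.10", "203.0.113.7", "/command.php", "172.20.0.5"),
    ("192.0.2.10:80", "203.0.113.7", "/command.php", "172.20.0.5"),
    ("example.org", "198.51.100.20", "/", "172.20.0.5"),
    ("192.0.2.10", "203.0.113.200", "/admin.php", "198.51.100.99"),  # not via proxy
]]

def parse_meta(report):
    """Collect the KEY = 'value' lines of one report into a dict."""
    return dict(m.groups() for m in map(META_LINE.match, report.splitlines()) if m)

def is_ip_literal(host):
    """True when the Host header is an IPv4 address, with or without a port."""
    try:
        ipaddress.IPv4Address(host.split(":", 1)[0])
        return True
    except ValueError:
        return False

def client_ip(meta):
    """Believe X-Real-IP only if the TCP peer is a trusted proxy (else it is client-set)."""
    peer = ipaddress.ip_address(meta["REMOTE_ADDR"])
    if any(peer in net for net in TRUSTED_PROXIES):
        return meta.get("HTTP_X_REAL_IP", meta["REMOTE_ADDR"])
    return meta["REMOTE_ADDR"]

def is_probe(meta):
    """IP-literal Host outside ALLOWED_HOSTS plus a .php path on a Django site."""
    host = meta.get("HTTP_HOST", "")
    return (host not in ALLOWED_HOSTS and is_ip_literal(host)
            and meta.get("PATH_INFO", "").endswith(".php"))

def ban_candidates(reports, threshold=2):
    """Client addresses seen in at least `threshold` probe reports."""
    hits = Counter(client_ip(m) for m in map(parse_meta, reports) if is_probe(m))
    return sorted(ip for ip, n in hits.items() if n >= threshold)
```

In the report above `REMOTE_ADDR` is the proxy's private address, so blocking on it would cut off the proxy itself; the address to act on is the one the trusted proxy recorded in `HTTP_X_REAL_IP`.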
@cameel
Member

cameel commented May 9, 2017

@yoowul Also, remove the PDF you uploaded. Remember that this issue tracker is publicly accessible. The PDF contains e-mails and detailed configuration of the server. While most password and key fields are censored with asterisks, there might be something that slipped through. It's not a good idea to post this information openly here.
