Nocobase Security | Recommendations and Best Practices | Suspicious Activity

Hi Team,

Does Nocobase have an official best practices guide for securing the installation? I was working on a project with Claude AI to analyze log files to create an activity tracking dashboard (pretty cool by the way).

While doing this, Claude identified some suspicious activity in the request logs. Here’s a summary:

Security Analysis Report - NocoBase Application Logs

Executive Summary

The log analysis reveals multiple critical security concerns indicating active reconnaissance and attack attempts against your NocoBase application. While the malicious requests were successfully blocked (returning 404 errors), the patterns suggest automated vulnerability scanning and potential targeted attacks.

:rotating_light: CRITICAL SECURITY FINDINGS

1. PHPUnit Remote Code Execution Attempt - HIGH RISK

  • Time: 2025-11-20 01:41:35
  • Request: GET /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • Status: 404 (Blocked)
  • Assessment: This is a known critical vulnerability (CVE-2017-9841) targeting PHPUnit’s eval-stdin.php file, which can allow remote code execution.

2. Environment File Disclosure Attempts - HIGH RISK

Multiple attempts to access sensitive configuration files:

  • Times: 05:27:35 and 11:16:20
  • Request: GET /api/.env
  • Status: 404 (Blocked)
  • Assessment: Attackers were attempting to steal environment variables containing database credentials, API keys, and other sensitive configuration data.

3. Git Configuration Exposure Attempt - MEDIUM RISK

  • Time: 2025-11-20 05:27:35
  • Request: GET /api/.git/config
  • Status: 404 (Blocked)
  • Assessment: Attempt to access Git configuration which could reveal repository information, deployment processes, and internal infrastructure details.

4. AWS Credentials Harvesting Attempt - HIGH RISK

  • Time: 2025-11-20 13:02:42
  • Request: GET /api/aws/anmeldeinformationen.json
  • Status: 404 (Blocked)
  • Assessment: Sophisticated attempt targeting AWS credentials. “Anmeldeinformationen” is German for “login information,” suggesting either targeted knowledge of your infrastructure or automated tools with international capability.

:bar_chart: ATTACK PATTERN ANALYSIS

Timeline of Malicious Activity

  1. 01:41:35 - PHPUnit RCE attempt
  2. 05:27:35 - Coordinated file disclosure attempts (.env and .git/config)
  3. 11:16:20 - Second .env access attempt
  4. 13:02:42 - AWS credentials harvesting attempt

Attack Characteristics

  • Unauthenticated requests: All malicious attempts had empty headers "req":{}, indicating external attackers
  • Systematic enumeration: Multiple file types targeted suggests automated scanning tools
  • International targeting: German filename suggests either sophisticated attackers or tools with broad language support
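
The report above was produced by hand-feeding logs to an assistant; the same triage can be done deterministically and re-run against every new log file. The following is an added example written for this thread, not code from NocoBase or from the original poster: it parses JSON-per-line request logs, normalises the request path (query string dropped, percent-encoding decoded so `%2Eenv` is seen as `.env`, case folded), matches it against a small list of well-known scanner probe paths taken from the post, and groups hits by source address, since one address probing several different files is a clearer scanner signal than any single 404. The field names (`time`, `method`, `url`, `status`, `ip`, `req`) and the sample lines are constructed for the example and are an assumption about the log schema; only the `"req":{}` field is mentioned in the post, so map the keys to your own log output.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample lines, modelled on the requests quoted in the post. The key
# names are an assumption about the NocoBase log schema, not its documented format.
SAMPLE_LOG = """\
{"time":"2025-11-20T01:41:35Z","method":"GET","url":"/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php","status":404,"ip":"203.0.113.10","req":{}}
{"time":"2025-11-20T01:42:01Z","method":"GET","url":"/api/collections:list","status":200,"ip":"198.51.100.7","req":{"user":"alice"}}
{"time":"2025-11-20T05:27:35Z","method":"GET","url":"/api/.env","status":404,"ip":"203.0.113.10","req":{}}
{"time":"2025-11-20T05:27:35Z","method":"GET","url":"/api/.git/config","status":404,"ip":"203.0.113.10","req":{}}
{"time":"2025-11-20T11:16:20Z","method":"GET","url":"/api/%2Eenv?probe=1","status":404,"ip":"192.0.2.44","req":{}}
{"time":"2025-11-20T13:02:42Z","method":"GET","url":"/api/aws/anmeldeinformationen.json","status":404,"ip":"192.0.2.44","req":{}}
{"time":"2025-11-20T13:05:00Z","method":"POST","url":"/api/users:signin","status":200,"ip":"198.51.100.7","req":{"user":"alice"}}
"""

# (label, severity, regex applied to the normalised path). Extend this list with
# whatever probes your own logs show; the four below are the ones from the post.
SIGNATURES = [
    ("phpunit eval-stdin RCE probe (CVE-2017-9841)", "high",
     re.compile(r"/phpunit/.*/eval-stdin\.php$")),
    ("dotenv disclosure probe", "high",
     re.compile(r"(^|/)\.env($|\.|/)")),
    ("git metadata disclosure probe", "medium",
     re.compile(r"(^|/)\.git(/|$)")),
    ("cloud credential file probe", "high",
     re.compile(r"/aws/.*(credentials|anmeldeinformationen)\.json$")),
]


def normalize_path(url):
    """Strip the query string, percent-decode until stable (so %252E-style
    double encoding cannot slip past), collapse repeated slashes, fold case."""
    path = url.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path)
    return path.lower()


def classify(entry):
    """Return a finding dict for a log entry that matches a signature, else None."""
    path = normalize_path(entry.get("url", ""))
    for label, severity, pattern in SIGNATURES:
        if pattern.search(path):
            return {
                "time": entry.get("time"),
                "ip": entry.get("ip"),
                "path": path,
                "status": entry.get("status"),
                "anonymous": entry.get("req") == {},  # empty req block, as in the post
                "label": label,
                "severity": severity,
            }
    return None


def triage(log_text):
    """Parse JSON-per-line logs and return all signature hits in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise instead of aborting the whole run
        hit = classify(entry)
        if hit:
            findings.append(hit)
    return findings


def summarize(findings):
    """Group distinct probe types by source address."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["label"])
    return {ip: sorted(labels) for ip, labels in by_ip.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]:15} {h["status"]} {h["severity"]:6} {h["label"]}  {h["path"]}')
    print()
    for ip, labels in summarize(hits).items():
        print(f"{ip}: {len(labels)} distinct probe types -> {', '.join(labels)}")
```

Two practical notes when reading the output. A 404 means the route does not exist on this server, so nothing was reached; it is the correct outcome for these paths on a Node application, but it is the framework answering, not a filter blocking. And the value of this script is the per-address summary: a single `.env` hit is background internet noise, while one address cycling through several probe types within a day is a scanner worth rate-limiting or dropping at the reverse proxy.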

Hi @harry, please refer to this security guide: NocoBase Security Guide - NocoBase Documentation

And make sure you are using the latest version.