Nginx.exe connected to an external server after Local was shut down

Nginx.exe connected to an external (potentially malicious) server after Local was shut down. I have verified that nginx.exe continues to run on my system after shutting down Local. The first time, GlassWire detected nginx.exe connecting to (27.222.243.53 on Sep. 22 2020, from: China - CHINA UNICOM China169 Backbone). This connection was not blocked for some reason. This happened a few hours after I had used Local, closed the application, did not restart my system, and my browser was open and streaming a video. I have not had this type of security trigger before this as far as I can recall.

The bigger security concern is that later, on three separate occasions over a week, my firewall blocked exploit attempts. One of them was from the same network in China with a different IP address. I believe this occurred after working with Local and shutting down the application without a system restart or manually closing nginx.exe in the task manager. All of this began the day after installing and using Local. This has not recurred after not running Local for a few days.

The following are abbreviated notifications from Bitdefender and the associated attacking IP addresses:

Exploit attempt blocked. An attempt to inject a command towards your system through a dangerous URL was made by (27.7.0.228 on Sep. 23 2020 from: Bengaluru, Karnataka, India - Hathway IP Over Cable Internet,ORG-HCAD1-AP), (27.202.51.191 on Sep. 29 2020 from China - CHINA UNICOM China169 Backbone), (176.113.115.214 on Sep. 30 2020 from: Russian Federation - OOO Network of data-centers Selectel).

1. Does nginx.exe regularly connect to servers by itself for functional reasons?

2. How can I secure Local better from exploits like this?

3. Should I be concerned that what I have been working on in Local could be compromised?

4. What other actions should be taken?

Thank you for making this awesome software and for any help in this matter.

Local Version 5.7.5+4909

Operating System Windows 10 Pro

@ben.turner

Hey @12PM- – thanks for using Local as well as letting us know about these messages from Bitdefender!

I’d be curious to know a bit more about the kind of site that is being used, as well as some of the ways in which the Local network is set up.

At a quick glance, I don’t think you have anything to worry about since it seems like BitDefender is doing its job of protecting your system by blocking external requests.

My first assumption is that these outside/malicious requests are blindly sending HTTP requests to random IPs. Because Local’s router (the nginx process that converts a Site Domain to the actual WordPress site listening on a custom port) is running on port 80, it could hypothetically accept requests from outside of the private network, but only if the network router isn’t configured to block inbound traffic.

A couple of questions to help zero in on what exactly might be going on:

  • Does your router have any sort of port forwarding enabled - especially for port 80?
  • Do you have any network configuration that would attempt to expose your local machine to the larger network? I’m thinking of some sort of service that allows you to access your home machine from anywhere.

One other aspect of this is that there is a known issue under Windows where the nginx process sometimes has trouble shutting down (hence why you might still see that process running after Local quits).

To your specific questions:

This process shouldn’t be making connections to a remote server. Is the site in question a plain site that was built only in Local, or has it been imported from some other location or have any “obscure” plugins installed?

It’s tough to say with certainty but odds are no, especially if you can see within Bitdefender that the requests were blocked. In addition to that, if the incoming request is coming from a service that is blindly sending requests to an IP without a host header, Local’s router will return a 404 because it won’t know how to respond.

For #2 and #4, it looks like Bitdefender is doing its job, though it’s just doing it in a more “noisy” fashion than what the built-in Windows Defender would do.

If you do want to further improve security, I recommend going into Windows firewall settings (if enabled) and disallowing inbound requests to any of Local’s binaries like nginx.exe and mysqld.exe. Additionally, checking your network/router config and enabling a firewall there if possible would be wise.
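A PowerShell version of that recommendation, added here as an example; it is not Local’s own tooling and not something from this thread. It assumes an elevated prompt, takes the nginx.exe and mysqld.exe paths from the running processes (with placeholder paths to fill in if they are not running), and uses rule names that are arbitrary. It also shows how to confirm what is listening on port 80 and to stop a lingering nginx.exe, which is the process the thread is about.

```powershell
# Added example (not from the thread or from Local). Run from an elevated
# PowerShell prompt: creating firewall rules requires administrator rights.

# 1. Who is listening on port 80 right now? If nginx.exe shows up here after
#    Local has been closed, that is the lingering router process.
Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Process      = $proc.ProcessName
            Path         = $proc.Path
        }
    }

# 2. Capture the binary paths from the running processes. The placeholders are
#    assumptions: replace them with the real paths if the processes are not
#    running when you execute this.
$nginxPath  = (Get-Process nginx  -ErrorAction SilentlyContinue | Select-Object -First 1).Path
$mysqldPath = (Get-Process mysqld -ErrorAction SilentlyContinue | Select-Object -First 1).Path
if (-not $nginxPath)  { $nginxPath  = 'C:\PLACEHOLDER\Local\nginx.exe'  }   # fill in
if (-not $mysqldPath) { $mysqldPath = 'C:\PLACEHOLDER\Local\mysqld.exe' }   # fill in

# 3. Stop any nginx.exe that outlived Local (same effect as ending it in Task Manager).
Get-Process nginx -ErrorAction SilentlyContinue | Stop-Process -Force

# 4. Block inbound connections to both binaries on every network profile.
#    Block rules win over allow rules in Windows Firewall, so this holds even
#    if an installer added an allow rule for the same program earlier.
$rules = @(
    @{ Name = 'Local - block inbound to nginx.exe';  Program = $nginxPath  },
    @{ Name = 'Local - block inbound to mysqld.exe'; Program = $mysqldPath }
)
foreach ($rule in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound `
            -Program $rule.Program -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# 5. Confirm the rules exist and which program each one is bound to.
Get-NetFirewallRule -DisplayName 'Local - block inbound to *' |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        '{0}: {1} ({2})' -f $_.DisplayName, $_.Action, $app.Program
    }
```

Step 1 is the quickest way to confirm the situation described at the top of the thread (nginx.exe still bound to port 80 after Local quit). The block rules only affect traffic arriving from other hosts; browsing your Local sites from the same machine still works because those site domains resolve to the loopback address, which Windows Firewall does not filter. None of this changes the router-side exposure: if port 80 is forwarded at the network router, close that forwarding rule as well.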

Thank you for your response @ben.turner! I agree, it was most likely a superfluous request being made that triggered the firewall. Essentially, it came down to not being aware of nginx.exe running in the background and a misconfigured port. After I noticed the problem, I ensured all ports were closed. I had discovered that port 80 was accidentally left open from a prior network configuration that was made during some troubleshooting on other software.

I just end the Local or nginx background process in Task Manager after closing the Local application, or restart the computer. Is there a better or proper way to do that? If not, it’s not that big of a problem.

Again, thank you so much for your assistance. Local really is an awesome local development solution, keep up the great work!

Until we get a better idea and a fix for why this nginx process keeps lingering, I think that killing the nginx process should be fine. The only thing it’s doing is taking incoming requests for a Local site domain and directing them to the appropriate port that WordPress is listening on.

Thanks! I’m glad you’re finding it useful!