Thanks @silvio and agreed that an unusual log entry does not imply my system has been compromised. I ran bnsupport-tool and here is the code 4a73ebf7-a6b5-c1a0-201c-d6d58e26783f and thanks for reviewing if my system has been hacked.
Are there any command line tools included in Bitnami VMs that I can run to scan my Debian system to see if I have been hacked? If not, do you recommend tools I can install to scan my system to see if it has been compromised? Is there like a Windows Defender tool for Debian that Bitnami can recommend?
Some more questions for you below.
I can confirm you that our systems have the "Shellshock" vulnerability fixed
Thanks for the info about CVE-2014-6271 ("shellshock"), do you have info or a link on the patch that fixes this so I can learn more about this?
Bitnami stacks are up-to-date and secured
This is good, but how am I protected ongoing once I deploy a Bitnami VM and it is running 24/7 and constantly exposed to attacks? Are Bitnami VMs configured to deploy security patches automatically? The VM I have is only a few weeks old but it already a couple versions behind according to the changelog - am I now behind in security patches? How do I check if I am behind on security patches and what does Bitnami recommend I do to keep my systems up to date and secure?
And as a note here are a couple of other suspicious nginx access log entries that have appeared:
22.214.171.124 - - [03/Mar/2018:14:25:29 -0000] "D\x00\x00\x00K\xAC_\xE6\x8B\xC0\x94\x99*^\xCD8\x22\xDE}\x9B\x86k)?\xD3\x89Cf^\x13\xB8/X\xC7F\xE2\xB3\xA7d=\x12\x8B~\xFC\xE5\x991\xDF\x5C\xF1\xAAM" 400 196 "-" "-"
and this one:
126.96.36.199 - - [04/Mar/2018:01:16:19 -0000] "D\x00\x00\x00\x08xFE\x06<\x1B/\xA2\x0B\xA5\x10\xA8\x01i\x98 \x150Z\xF3v\x1B" 400 176 "-" "-"
Are these also "shellshock" hack attempts? There are many more suspicious log entries but just including some obvious ones here for the benefit of those reading this post.
I am also seeing many HTTP requests to "xmlrpc.php" and to "wp-login.php" that are also clearly hacking attempts that I blocked with nginix config tweaks.