Kevan Stannard | 2 Apr 02:19 2012

Understanding host value in nginx error log files

I typically see entries in my error.log files of hack attempts where the host entry is the IP address of my server, but I also see some entries with host values that are domain names I don't recognise.

Example 1:

012/04/01 06:12:49 [error] 644#0: *882 "/var/www/nginx-default/ab1e27867d53d8f4942095a891183ce0cacd3dbf/0d4fc9bfe7c5f26b02522d088dd98da95a9ed8d7/074977cbb342d6ffa7743ae477a5c0054fef5512/index.html" is not found (2: No such file or directory), client: 150.70.75.37, server: localhost, request: "GET /ab1e27867d53d8f4942095a891183ce0cacd3dbf/0d4fc9bfe7c5f26b02522d088dd98da95a9ed8d7/074977cbb342d6ffa7743ae477a5c0054fef5512/ HTTP/1.0", host: "deepspacer.com"

Example 2:

2012/02/03 01:38:41 [error] 592#0: *14019 open() "/var/www/nginx-default/home.php" failed (2: No such file or directory), client: 216.104.15.130, server: localhost, request: "GET /home.php?SES=517a4bfc0137889f05d67314df2715a1&from_diary=1&cpl=1&from=102_4 HTTP/1.0", host: "www.au.mytelecomsurvey.com"

Example 3:

2012/02/03 11:57:56 [error] 592#0: *18075 open() "/var/www/nginx-default/sites/default/files/js/js_b3ffc00633d66887fcb4ecdfc2d1c13a.jsmin.js" failed (2: No such file or directory), client: 150.70.64.197, server: localhost, request: "GET /sites/default/files/js/js_b3ffc00633d66887fcb4ecdfc2d1c13a.jsmin.js HTTP/1.0", host: "www.formalites-juridiques.net"

I was hoping someone could explain what it means if I'm seeing these domain names as host values and if it's something I need to be concerned about.

Thanks


_______________________________________________
nginx mailing list
nginx@...
http://mailman.nginx.org/mailman/listinfo/nginx
Ruslan Ermilov | 2 Apr 08:28 2012

Re: Understanding host value in nginx error log files

On Mon, Apr 02, 2012 at 10:19:12AM +1000, Kevan Stannard wrote:
> I typically see entries in my error.log files of hack attempts where the
> host entry is the IP address of my server, but I also see some entries with
> host values that are domain names I don't recognise.
> 
> Example 1:
> 
> 012/04/01 06:12:49 [error] 644#0: *882
> "/var/www/nginx-default/ab1e27867d53d8f4942095a891183ce0cacd3dbf/0d4fc9bfe7c5f26b02522d088dd98da95a9ed8d7/074977cbb342d6ffa7743ae477a5c0054fef5512/index.html"
> is not found (2: No such file or directory), client: 150.70.75.37, server:
> localhost, request: "GET
> /ab1e27867d53d8f4942095a891183ce0cacd3dbf/0d4fc9bfe7c5f26b02522d088dd98da95a9ed8d7/074977cbb342d6ffa7743ae477a5c0054fef5512/
> HTTP/1.0", host: "deepspacer.com"
> 
> Example 2:
> 
> 2012/02/03 01:38:41 [error] 592#0: *14019 open()
> "/var/www/nginx-default/home.php" failed (2: No such file or directory),
> client: 216.104.15.130, server: localhost, request: "GET
> /home.php?SES=517a4bfc0137889f05d67314df2715a1&from_diary=1&cpl=1&from=102_4
> HTTP/1.0", host: "www.au.mytelecomsurvey.com"
> 
> Example 3:
> 
> 2012/02/03 11:57:56 [error] 592#0: *18075 open()
> "/var/www/nginx-default/sites/default/files/js/js_b3ffc00633d66887fcb4ecdfc2d1c13a.jsmin.js"
> failed (2: No such file or directory), client: 150.70.64.197, server:
> localhost, request: "GET
> /sites/default/files/js/js_b3ffc00633d66887fcb4ecdfc2d1c13a.jsmin.js
> HTTP/1.0", host: "www.formalites-juridiques.net"
> 
> I was hoping someone could explain what it means if I'm seeing these domain
> names as host values and if it's something I need to be concerned about.

It is just a value of the Host request header field.  This could happen
due to a client's DNS misconfiguration.  This could equally be a sign of
a malicious entity probing your site.
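
The following added example (not part of the original thread and not nginx's own tooling) parses error_log entries of the layout quoted above and groups unrecognised `host` values by the client addresses that sent them. The served names, server address and sample entries are assumptions constructed for illustration.

```python
import re

# Layout of the error_log entries quoted in this thread:
#   <time> [<level>] <message>, client: ..., server: ..., request: "...", host: "..."
ENTRY_RE = re.compile(
    r'^(?P<time>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] .*'
    r', client: (?P<client>[^,]+), server: (?P<server>[^,]*)'
    r', request: "(?P<request>.*)", host: "(?P<host>[^"]*)"$'
)

def parse_entry(line):
    """Return the named fields of one entry, or None if the layout differs."""
    match = ENTRY_RE.match(line.strip())
    return match.groupdict() if match else None

def normalize_host(value):
    """Lower-case a Host value and drop any port or trailing dot."""
    host = value.strip().lower()
    if host.startswith("[") and "]" in host:  # IPv6 literal such as [2001:db8::1]:80
        return host[1:host.index("]")]
    return host.split(":", 1)[0].rstrip(".")

def classify(host, served_names, server_ips):
    """Label a Host value as one of our names, our address, or foreign."""
    name = normalize_host(host)
    if name in served_names:
        return "served-name"
    return "server-ip" if name in server_ips else "foreign-host"

def foreign_hosts(lines, served_names, server_ips):
    """Map each unrecognised Host value to the client addresses that sent it."""
    seen = {}
    for line in lines:
        entry = parse_entry(line)
        if entry and classify(entry["host"], served_names, server_ips) == "foreign-host":
            seen.setdefault(normalize_host(entry["host"]), set()).add(entry["client"])
    return seen

# Assumed deployment values and constructed sample entries (documentation address ranges).
SERVED_NAMES = {"www.example.org"}
SERVER_IPS = {"198.51.100.10"}
SAMPLE = [
    '2012/04/01 06:12:49 [error] 644#0: *882 open() "/var/www/nginx-default/home.php" failed (2: No such file or directory), client: 203.0.113.7, server: localhost, request: "GET /home.php?cpl=1 HTTP/1.0", host: "unrelated.example.net"',
    '2012/04/01 06:12:50 [error] 644#0: *883 open() "/var/www/nginx-default/admin.php" failed (2: No such file or directory), client: 203.0.113.9, server: localhost, request: "GET /admin.php HTTP/1.0", host: "198.51.100.10"',
    '2012/04/01 06:12:51 [error] 644#0: *884 open() "/var/www/nginx-default/a,b.js" failed (2: No such file or directory), client: 203.0.113.20, server: localhost, request: "GET /a,b.js HTTP/1.0", host: "WWW.Example.org:80"',
    '2012/04/01 06:12:52 [error] 644#0: *885 open() "/var/www/nginx-default/x.php" failed (2: No such file or directory), client: 203.0.113.8, server: localhost, request: "GET /x.php HTTP/1.0", host: "Unrelated.example.net."',
    '2012/04/01 06:13:00 [notice] 644#0: signal process started',
]

print(foreign_hosts(SAMPLE, SERVED_NAMES, SERVER_IPS))
```
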
Kevan Stannard | 3 Apr 01:15 2012

Re: Understanding host value in nginx error log files

Thanks Ruslan

On 2 April 2012 16:28, Ruslan Ermilov <ru <at> nginx.com> wrote:
> On Mon, Apr 02, 2012 at 10:19:12AM +1000, Kevan Stannard wrote:
> I typically see entries in my error.log files of hack attempts where the
> host entry is the IP address of my server, but I also see some entries with
> host values that are domain names I don't recognise.
>
> Example 1:
>
> 012/04/01 06:12:49 [error] 644#0: *882
> "/var/www/nginx-default/ab1e27867d53d8f4942095a891183ce0cacd3dbf/0d4fc9bfe7c5f26b02522d088dd98da95a9ed8d7/074977cbb342d6ffa7743ae477a5c0054fef5512/index.html"
> is not found (2: No such file or directory), client: 150.70.75.37, server:
> localhost, request: "GET
> /ab1e27867d53d8f4942095a891183ce0cacd3dbf/0d4fc9bfe7c5f26b02522d088dd98da95a9ed8d7/074977cbb342d6ffa7743ae477a5c0054fef5512/
> HTTP/1.0", host: "deepspacer.com"
>
> Example 2:
>
> 2012/02/03 01:38:41 [error] 592#0: *14019 open()
> "/var/www/nginx-default/home.php" failed (2: No such file or directory),
> client: 216.104.15.130, server: localhost, request: "GET
> /home.php?SES=517a4bfc0137889f05d67314df2715a1&from_diary=1&cpl=1&from=102_4
> HTTP/1.0", host: "www.au.mytelecomsurvey.com"
>
> Example 3:
>
> 2012/02/03 11:57:56 [error] 592#0: *18075 open()
> "/var/www/nginx-default/sites/default/files/js/js_b3ffc00633d66887fcb4ecdfc2d1c13a.jsmin.js"
> failed (2: No such file or directory), client: 150.70.64.197, server:
> localhost, request: "GET
> /sites/default/files/js/js_b3ffc00633d66887fcb4ecdfc2d1c13a.jsmin.js
> HTTP/1.0", host: "www.formalites-juridiques.net"
>
> I was hoping someone could explain what it means if I'm seeing these domain
> names as host values and if it's something I need to be concerned about.

> It is just a value of the Host request header field.  This could happen
> due to a client's DNS misconfiguration.  This could equally be a sign of
> a malicious entity probing your site.

--
Kevan Stannard
Mob: 0411 757 433

