Understanding host value in nginx error log files

Kevan Stannard kevanstannard at gmail.com
Mon Apr 2 23:15:25 UTC 2012


Thanks Ruslan

On 2 April 2012 16:28, Ruslan Ermilov <ru at nginx.com> wrote:

> On Mon, Apr 02, 2012 at 10:19:12AM +1000, Kevan Stannard wrote:
> > I typically see entries in my error.log files of hack attempts where the
> > host entry is the IP address of my server, but I also see some entries with
> > host values that are domain names I don't recognise.
> >
> > Example 1:
> >
> > 012/04/01 06:12:49 [error] 644#0: *882
> > "/var/www/nginx-default/ab1e27867d53d8f4942095a891183ce0cacd3dbf/0d4fc9bfe7c5f26b02522d088dd98da95a9ed8d7/074977cbb342d6ffa7743ae477a5c0054fef5512/index.html"
> > is not found (2: No such file or directory), client: 150.70.75.37, server:
> > localhost, request: "GET
> > /ab1e27867d53d8f4942095a891183ce0cacd3dbf/0d4fc9bfe7c5f26b02522d088dd98da95a9ed8d7/074977cbb342d6ffa7743ae477a5c0054fef5512/
> > HTTP/1.0", host: "deepspacer.com"
> >
> > Example 2:
> >
> > 2012/02/03 01:38:41 [error] 592#0: *14019 open()
> > "/var/www/nginx-default/home.php" failed (2: No such file or directory),
> > client: 216.104.15.130, server: localhost, request: "GET
> > /home.php?SES=517a4bfc0137889f05d67314df2715a1&from_diary=1&cpl=1&from=102_4
> > HTTP/1.0", host: "www.au.mytelecomsurvey.com"
> >
> > Example 3:
> >
> > 2012/02/03 11:57:56 [error] 592#0: *18075 open()
> > "/var/www/nginx-default/sites/default/files/js/js_b3ffc00633d66887fcb4ecdfc2d1c13a.jsmin.js"
> > failed (2: No such file or directory), client: 150.70.64.197, server:
> > localhost, request: "GET
> > /sites/default/files/js/js_b3ffc00633d66887fcb4ecdfc2d1c13a.jsmin.js
> > HTTP/1.0", host: "www.formalites-juridiques.net"
> >
> > I was hoping someone could explain what it means if I'm seeing these domain
> > names as host values and if it's something I need to be concerned about.
>
> It is just the value of the Host request header field.  This could happen
> due to a client's DNS misconfiguration.  This could equally be a sign of
> a malicious entity probing your site.
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Kevan Stannard
Mob: 0411 757 433
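
One way to triage entries like the three quoted above, as an added Python example (not part of the original thread and not nginx project code): it pulls the `client` and `host` fields from error-log lines and counts Host values the server does not answer to. `EXPECTED_HOSTS` and the sample log lines are constructed assumptions; nginx leaves out the `host:` field when the request carried no Host header, so that case is reported separately.

```python
import re
from collections import Counter

# Assumption: the names and addresses this server legitimately answers to.
EXPECTED_HOSTS = {"www.example.org", "example.org", "203.0.113.10"}

# Trailing fields nginx appends to a request-related error-log entry.
FIELD_RE = re.compile(r'\b(client|server|request|host): (?:"([^"]*)"|([^,\s]+))')

def parse_fields(line):
    """Return the client/server/request/host fields found in one log line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def normalize(host):
    """Lower-case the Host value and drop any :port suffix or trailing dot."""
    host = host.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [2001:db8::1]:80
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0].rstrip(".")

def unexpected_hosts(lines, expected=EXPECTED_HOSTS):
    """Count (host, client) pairs whose Host value is not one of ours."""
    hits = Counter()
    for line in lines:
        fields = parse_fields(line)
        if "client" not in fields:
            continue                         # not tied to a client request
        host = normalize(fields["host"]) if "host" in fields else "<no Host header>"
        if host not in expected:
            hits[(host, fields["client"])] += 1
    return hits

# Constructed sample lines in the same layout as the entries quoted above.
SAMPLE = [
    '2012/02/03 01:38:41 [error] 592#0: *1 open() "/var/www/nginx-default/home.php" failed (2: No such file or directory), client: 192.0.2.7, server: localhost, request: "GET /home.php HTTP/1.0", host: "unrelated.example.net"',
    '2012/02/03 01:38:42 [error] 592#0: *2 open() "/var/www/nginx-default/a.js" failed (2: No such file or directory), client: 192.0.2.7, server: localhost, request: "GET /a.js HTTP/1.0", host: "Unrelated.Example.NET:80"',
    '2012/02/03 01:39:00 [error] 592#0: *3 open() "/var/www/nginx-default/favicon.ico" failed (2: No such file or directory), client: 198.51.100.4, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "www.example.org"',
    '2012/02/03 01:40:10 [error] 592#0: *4 open() "/var/www/nginx-default/x" failed (2: No such file or directory), client: 198.51.100.9, server: localhost, request: "GET /x HTTP/1.0"',
    '2012/02/03 02:00:00 [notice] 592#0: signal process started',
]

if __name__ == "__main__":
    for (host, client), count in unexpected_hosts(SAMPLE).most_common():
        print(f"{count:3d}  host={host}  client={client}")
```
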