Understanding host value in nginx error log files
Ruslan Ermilov
ru at nginx.com
Mon Apr 2 06:28:11 UTC 2012
On Mon, Apr 02, 2012 at 10:19:12AM +1000, Kevan Stannard wrote:
> I typically see entries in my error.log files of hack attempts where the
> host entry is the IP address of my server, but I also see some entries with
> host values that are domain names I don't recognise.
>
> Example 1:
>
> 012/04/01 06:12:49 [error] 644#0: *882
> "/var/www/nginx-default/ab1e27867d53d8f4942095a891183ce0cacd3dbf/0d4fc9bfe7c5f26b02522d088dd98da95a9ed8d7/074977cbb342d6ffa7743ae477a5c0054fef5512/index.html"
> is not found (2: No such file or directory), client: 150.70.75.37, server:
> localhost, request: "GET
> /ab1e27867d53d8f4942095a891183ce0cacd3dbf/0d4fc9bfe7c5f26b02522d088dd98da95a9ed8d7/074977cbb342d6ffa7743ae477a5c0054fef5512/
> HTTP/1.0", host: "deepspacer.com"
>
> Example 2:
>
> 2012/02/03 01:38:41 [error] 592#0: *14019 open()
> "/var/www/nginx-default/home.php" failed (2: No such file or directory),
> client: 216.104.15.130, server: localhost, request: "GET
> /home.php?SES=517a4bfc0137889f05d67314df2715a1&from_diary=1&cpl=1&from=102_4
> HTTP/1.0", host: "www.au.mytelecomsurvey.com"
>
> Example 3:
>
> 2012/02/03 11:57:56 [error] 592#0: *18075 open()
> "/var/www/nginx-default/sites/default/files/js/js_b3ffc00633d66887fcb4ecdfc2d1c13a.jsmin.js"
> failed (2: No such file or directory), client: 150.70.64.197, server:
> localhost, request: "GET
> /sites/default/files/js/js_b3ffc00633d66887fcb4ecdfc2d1c13a.jsmin.js
> HTTP/1.0", host: "www.formalites-juridiques.net"
>
> I was hoping someone could explain what it means if I'm seeing these domain
> names as host values and if it's something I need to be concerned about.
It is just a value of the Host request header field. This could happen
due to client's DNS misconfiguration. This could equally be a sign of
malicious entity probing your site.
More information about the nginx
mailing list