
I recently happened to inspect my php-fpm.log and found a lot of suspicious activity that looks like malicious attempts to get access to my host. Here're some of the logs:


[07-Oct-2018 22:01:31] WARNING: [pool www] child 4190 said into stderr: "ERROR: Unable to open primary script: /data/wwwroot/default/1.php (No such file or directory)"
[07-Oct-2018 22:01:31] WARNING: [pool www] child 2955 said into stderr: "ERROR: Unable to open primary script: /data/wwwroot/default/a.php (No such file or directory)"
[07-Oct-2018 22:01:31] WARNING: [pool www] child 3003 said into stderr: "ERROR: Unable to open primary script: /data/wwwroot/default/m.php (No such file or directory)"
[07-Oct-2018 22:01:32] WARNING: [pool www] child 4677 said into stderr: "ERROR: Unable to open primary script: /data/wwwroot/default/conf.php (No such file or directory)"
[07-Oct-2018 22:01:32] WARNING: [pool www] child 4667 said into stderr: "ERROR: Unable to open primary script: /data/wwwroot/default/123.php (No such file or directory)"

It's trying to open various random names in my web folder. How can I figure out the source of the activity, and how can I stop it?

michaeledi

1 Answer


This is an attack OWASP refers to as Forced Browsing. The attacker has a dictionary of words, phrases, etc. that they're going to try on random servers in order to find PHP files which exist, but aren't directly referenced by links or other scripts on your site.

The goal of this is to identify potentially vulnerable PHP files. Filenames such as a, b, or 123 could indicate code which was still in development and was forgotten about. Code in development could leak information in debug outputs.

conf.php is looking for scripts intended for the initial configuration of a web app, which were meant to be removed after configuration but weren't.

These types of attacks are extremely easy to perform, and usually don't indicate that you're the target of an advanced threat. I would liken them to port scanning, where an attacker just tries a few common files on everyone and sees if anything interesting is returned.

Depending on the webserver you're using, you may want to install a module or configure it in a manner that limits the number of 404s it returns to a particular IP in a specified time.

Daisetsu
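A detection pass for the per-IP 404 bursts the answer recommends limiting, as an added example that is not from the question or the answer: it reads web-server access-log lines (nginx/Apache "combined" format is assumed, since php-fpm's own log carries no client address) and flags any client that produced at least `threshold` 404s inside a sliding window of `window_s` seconds. The log lines and addresses below are constructed to mirror the probes in the question.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed nginx/Apache "combined" access-log layout; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return (ip, timestamp, status, request) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(m.group("status")), m.group("req")


def find_forced_browsing(lines, threshold=4, window_s=60):
    """Map each flagged client IP to the timestamp at which it crossed the 404 threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of its 404s inside the current window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, status, _req = rec
        if status != 404:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop 404s older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample: one scanner (TEST-NET-2 address), one normal visitor, one stray typo.
SAMPLE_LOG = """
198.51.100.7 - - [07/Oct/2018:22:01:31 +0000] "GET /1.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Oct/2018:22:01:31 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2018:22:01:31 +0000] "GET /a.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2018:22:01:31 +0000] "GET /m.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Oct/2018:22:01:32 +0000] "GET /abuot.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2018:22:01:32 +0000] "GET /conf.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2018:22:01:32 +0000] "GET /123.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
""".strip().splitlines()

if __name__ == "__main__":
    for ip, when in find_forced_browsing(SAMPLE_LOG).items():
        print(f"{ip} crossed the 404 threshold at {when.isoformat()}")
```

The same per-IP counter is what a fail2ban filter or an nginx `limit_req` zone keyed on 404 responses enforces at the server; this script is the offline check you can run over an existing log to see who is probing.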