NGINX error.log returning many different virtual-host error messages

July 16, 2019
Nginx Logging CentOS

Why is my /var/log/nginx/error.log filled with traffic that doesn’t have anything to do with my domain? Does my error.log track every other site you host on the same server as my domain? I have thousands of these error messages in a couple of days. Thanks!

2019/07/16 15:15:30 [error] 26949#0: *3117 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 217.113.119.54, server: _, request: "GET /wp-login.php HTTP/1.1", host: "shoppingapartment.com"
2019/07/16 15:15:30 [error] 26948#0: *3118 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 217.113.119.54, server: _, request: "GET /wp-login.php HTTP/1.1", host: "shoppingblackjack.com"
2019/07/16 15:15:50 [error] 26949#0: *3119 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "GET /wp-login.php HTTP/1.1", host: "shoppingbaseball.com"
2019/07/16 15:15:50 [error] 26949#0: *3120 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "POST /wp-login.php HTTP/1.1", host: "shoppingbaseball.com"
2019/07/16 15:15:51 [error] 26949#0: *3121 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "GET /wp-login.php HTTP/1.1", host: "shoppingbaseball.com"
2019/07/16 15:15:52 [error] 26949#0: *3122 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "POST /wp-login.php HTTP/1.1", host: "shoppingbaseball.com"
2019/07/16 15:15:59 [error] 26949#0: *3123 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 217.118.64.42, server: _, request: "GET /wp-login.php HTTP/1.1", host: "newsfafrica.com"
2019/07/16 15:16:11 [error] 26949#0: *3124 open() "/usr/share/nginx/html/robots.txt" failed (2: No such file or directory), client: 66.249.64.95, server: _, request: "GET /robots.txt HTTP/1.1", host: "shoppingbaseball.com"
2019/07/16 15:16:13 [error] 26949#0: *3125 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "GET /wp-login.php HTTP/1.1", host: "shoppingapartment.com"
2019/07/16 15:16:19 [error] 26949#0: *3126 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "POST /wp-login.php HTTP/1.1", host: "shoppingapartment.com"
2019/07/16 15:16:19 [error] 26948#0: *3127 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "GET /wp-login.php HTTP/1.1", host: "shoppingapartment.com"
1 comment
  • I should add my /var/log/nginx/access.log has a similar array of traffic. This is all happening while my DO firewall is highly limited to only traffic from my IP range (xx.xx.xx.00/24) - [my office IP in first three positions]. But, the access and error logs indicate I’m still getting traffic? Thanks.

    66.112.178.69 - - [16/Jul/2019:15:24:21 -0700] "GET / HTTP/1.1" 200 3700 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    66.159.33.5 - - [16/Jul/2019:15:24:21 -0700] "GET / HTTP/1.1" 200 3700 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    66.112.178.69 - - [16/Jul/2019:15:24:21 -0700] "GET /poweredby.png HTTP/1.1" 200 2811 "http://shoppingbaseball.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    66.159.33.5 - - [16/Jul/2019:15:24:22 -0700] "GET /nginx-logo.png HTTP/1.1" 200 368 "http://shoppingblackjack.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    66.112.178.69 - - [16/Jul/2019:15:24:22 -0700] "GET /nginx-logo.png HTTP/1.1" 200 368 "http://shoppingbaseball.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    66.159.33.5 - - [16/Jul/2019:15:24:22 -0700] "GET /poweredby.png HTTP/1.1" 200 2811 "http://shoppingblackjack.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    49.44.78.231 - - [16/Jul/2019:15:24:22 -0700] "GET / HTTP/1.1" 200 3700 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    49.44.78.231 - - [16/Jul/2019:15:24:23 -0700] "GET /nginx-logo.png HTTP/1.1" 200 368 "http://newsfafrica.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    49.44.78.231 - - [16/Jul/2019:15:24:23 -0700] "GET /poweredby.png HTTP/1.1" 200 2811 "http://newsfafrica.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    
1 Answer

Hello,

It looks like someone is trying to brute-force your website by making a lot of POST requests to your /wp-login.php file.

This is the login page for WordPress websites, but in your case I guess that you are not using WordPress, so there is nothing to worry about.

Those requests are usually made by bots which are targeting random websites.

This is actually happening to me as well. I have a lot of wp-login hits, but I’m not using WordPress either.

Hope that this helps!
Bobby

  • Thanks Bobby. I just can’t figure how they’re making it to my server because I thought I was blocking all traffic except from my own IP using xx.xx.xx.00/24 (where x = actual IP) to cover my entire IP block. Guess I’ll keep digging.

    • In this case I would suggest using CSF for example to lock down all of your ports for the world, and then allow only your own IP range.

      That way you would be sure that there would be no other traffic hitting the server.

      Regards,
      Bobby
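An added example, not part of the original thread: a small parser for error.log entries in the format shown in the question. It counts which Host headers reach the server block logged as `server: _` and which clients POST to /wp-login.php. The `OWN_HOSTS` values, the `_line` helper and the sample entries are constructed assumptions.

```python
import re
from collections import Counter

# Fields at the tail of an nginx error.log entry, in the format the question shows.
LINE_RE = re.compile(
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<method>\S+) (?P<path>\S+)[^"]*", host: "(?P<host>[^"]+)"'
)

# Assumption: hostnames the operator actually serves (hypothetical values).
OWN_HOSTS = {"example.com", "www.example.com"}

def _line(n, client, method, path, host):
    """Build one constructed log entry in the same layout as the question's."""
    return (f'2019/07/16 15:15:{n:02d} [error] 26949#0: *{n} open() '
            f'"/usr/share/nginx/html{path}" failed (2: No such file or directory), '
            f'client: {client}, server: _, request: "{method} {path} HTTP/1.1", '
            f'host: "{host}"')

# Constructed sample input (documentation IP ranges and .example names).
SAMPLE_LOG = "\n".join([
    _line(1, "203.0.113.10", "GET", "/wp-login.php", "unrelated-one.example"),
    _line(2, "203.0.113.10", "POST", "/wp-login.php", "unrelated-one.example"),
    _line(3, "203.0.113.10", "POST", "/wp-login.php", "unrelated-two.example"),
    _line(4, "198.51.100.7", "GET", "/robots.txt", "unrelated-two.example"),
    _line(5, "192.0.2.44", "GET", "/favicon.ico", "example.com"),
])

def summarize(log_text, own_hosts=OWN_HOSTS):
    """Count entries by Host header and flag clients POSTing to wp-login.php."""
    out = {"own": 0, "catch_all": 0,
           "foreign_hosts": Counter(), "login_posts": Counter()}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a request-related entry in this layout
        if m["server"] == "_":
            out["catch_all"] += 1  # handled by the server block named "_"
        host = re.sub(r":\d+$", "", m["host"].lower())  # drop an optional :port
        if host in own_hosts:
            out["own"] += 1
            continue
        out["foreign_hosts"][host] += 1
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php"):
            out["login_posts"][m["client"]] += 1
    return out

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["foreign_hosts"].most_common(), report["login_posts"].most_common())
```

To run it against a real log, pass the file contents to `summarize()` together with your own set of hostnames.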
