Why is my /var/log/nginx/error.log filled with traffic that doesn’t have anything to do with my domain? Does my error.log track every other site you host on the same server as my domain? I have thousands of these error messages in a couple of days. Thanks!

2019/07/16 15:15:30 [error] 26949#0: *3117 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 217.113.119.54, server: _, request: "GET /wp-login.php HTTP/1.1", host: "shoppingapartment.com"
2019/07/16 15:15:30 [error] 26948#0: *3118 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 217.113.119.54, server: _, request: "GET /wp-login.php HTTP/1.1", host: "shoppingblackjack.com"
2019/07/16 15:15:50 [error] 26949#0: *3119 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "GET /wp-login.php HTTP/1.1", host: "shoppingbaseball.com"
2019/07/16 15:15:50 [error] 26949#0: *3120 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "POST /wp-login.php HTTP/1.1", host: "shoppingbaseball.com"
2019/07/16 15:15:51 [error] 26949#0: *3121 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "GET /wp-login.php HTTP/1.1", host: "shoppingbaseball.com"
2019/07/16 15:15:52 [error] 26949#0: *3122 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "POST /wp-login.php HTTP/1.1", host: "shoppingbaseball.com"
2019/07/16 15:15:59 [error] 26949#0: *3123 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 217.118.64.42, server: _, request: "GET /wp-login.php HTTP/1.1", host: "newsfafrica.com"
2019/07/16 15:16:11 [error] 26949#0: *3124 open() "/usr/share/nginx/html/robots.txt" failed (2: No such file or directory), client: 66.249.64.95, server: _, request: "GET /robots.txt HTTP/1.1", host: "shoppingbaseball.com"
2019/07/16 15:16:13 [error] 26949#0: *3125 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "GET /wp-login.php HTTP/1.1", host: "shoppingapartment.com"
2019/07/16 15:16:19 [error] 26949#0: *3126 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "POST /wp-login.php HTTP/1.1", host: "shoppingapartment.com"
2019/07/16 15:16:19 [error] 26948#0: *3127 open() "/usr/share/nginx/html/wp-login.php" failed (2: No such file or directory), client: 142.93.214.242, server: _, request: "GET /wp-login.php HTTP/1.1", host: "shoppingapartment.com"
1 comment
  • I should add my /var/log/nginx/access.log has a similar array of traffic. This is all happening while my DO firewall is highly limited to only traffic from my IP range (xx.xx.xx.00/24) - [my office ip in first three positions]. But, the access and error logs indicate I’m still getting traffic? Thanks.

    66.112.178.69 - - [16/Jul/2019:15:24:21 -0700] "GET / HTTP/1.1" 200 3700 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    66.159.33.5 - - [16/Jul/2019:15:24:21 -0700] "GET / HTTP/1.1" 200 3700 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    66.112.178.69 - - [16/Jul/2019:15:24:21 -0700] "GET /poweredby.png HTTP/1.1" 200 2811 "http://shoppingbaseball.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    66.159.33.5 - - [16/Jul/2019:15:24:22 -0700] "GET /nginx-logo.png HTTP/1.1" 200 368 "http://shoppingblackjack.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    66.112.178.69 - - [16/Jul/2019:15:24:22 -0700] "GET /nginx-logo.png HTTP/1.1" 200 368 "http://shoppingbaseball.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    66.159.33.5 - - [16/Jul/2019:15:24:22 -0700] "GET /poweredby.png HTTP/1.1" 200 2811 "http://shoppingblackjack.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    49.44.78.231 - - [16/Jul/2019:15:24:22 -0700] "GET / HTTP/1.1" 200 3700 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    49.44.78.231 - - [16/Jul/2019:15:24:23 -0700] "GET /nginx-logo.png HTTP/1.1" 200 368 "http://newsfafrica.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    49.44.78.231 - - [16/Jul/2019:15:24:23 -0700] "GET /poweredby.png HTTP/1.1" 200 2811 "http://newsfafrica.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
    

1 answer

Hello,

It looks like someone is trying to brute-force your website by making a lot of POST requests to your /wp-login.php file.

This is the login page for WordPress websites, but in your case I guess that you are not using WordPress, so there is nothing to worry about.

Those requests are usually made by bots which are targeting random websites.

This is actually happening to me as well; I have a lot of wp-login hits, but I’m not using WordPress either.

Hope that this helps!
Bobby

  • Thanks Bobby. I just can’t figure how they’re making it to my server because I thought I was blocking all traffic except from my own ip using xx.xx.xx.00/24 (where x = actual ip) to cover my entire ip block. Guess I’ll keep digging.

    • In this case I would suggest using CSF for example to lock down all of your ports for the world, and then allow only your own IP range.

      That way you would be sure that there would be no other traffic hitting the server.

      Regards,
      Bobby
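
The pattern described in the answer can be confirmed from the log itself. This is an added example, not code from the thread: it parses error.log entries in the format quoted in the question and tallies Host headers that are not yours plus per-client GET/POST hits on /wp-login.php. The `own_hosts` value and the sample lines (documentation IPs, example domains) are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Fields nginx appends to an error-log entry, as in the lines quoted in the question.
ENTRY = re.compile(
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<method>\S+) (?P<path>\S+)[^"]*", host: "(?P<host>[^"]+)"'
)

def summarize(lines, own_hosts, probe_path="/wp-login.php"):
    """Tally foreign Host headers and per-client hits on probe_path."""
    foreign_hosts = Counter()      # Host headers that are not in own_hosts
    probes = defaultdict(Counter)  # client IP -> {method: count} on probe_path
    catch_all = unparsed = 0
    for line in lines:
        m = ENTRY.search(line)
        if m is None:              # entries without request fields, e.g. notices
            unparsed += 1
            continue
        host = m["host"].lower()
        if host not in own_hosts:
            foreign_hosts[host] += 1
        if m["server"] == "_":     # answered by the server block named "_"
            catch_all += 1
        if m["path"].split("?", 1)[0] == probe_path:
            probes[m["client"]][m["method"]] += 1
    return {
        "foreign_hosts": dict(foreign_hosts),
        "catch_all": catch_all,
        "probes": {client: dict(c) for client, c in probes.items()},
        "unparsed": unparsed,
    }

def _line(client, method, path, host):
    # Constructed entry in the same layout as the question's log lines.
    return (f'2019/07/16 15:15:30 [error] 100#0: *1 open() "/usr/share/nginx/html{path}" '
            f'failed (2: No such file or directory), client: {client}, server: _, '
            f'request: "{method} {path} HTTP/1.1", host: "{host}"')

# Constructed sample: documentation IP ranges and example domains, not real traffic.
SAMPLE = [
    _line("192.0.2.10", "GET", "/wp-login.php", "shop.example.net"),
    _line("192.0.2.10", "POST", "/wp-login.php", "shop.example.net"),
    _line("198.51.100.7", "GET", "/wp-login.php", "news.example.org"),
    _line("203.0.113.5", "GET", "/robots.txt", "mydomain.example"),
    "2019/07/16 15:16:20 [notice] 100#0: signal process started",
]
REPORT = summarize(SAMPLE, own_hosts={"mydomain.example"})

if __name__ == "__main__":
    print(REPORT)
```

To run it on a real log, pass `open("/var/log/nginx/error.log")` as `lines` and your own domain names as `own_hosts`.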
