Question

Should I be worried about incoming traffic from localhost?

I have set up a production Nodejs app broadly following this tutorial: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-node-js-application-for-production-on-ubuntu-16-04.

However I have noticed that we are getting some intermittent downtime. At the same time I have noticed some strange traffic incoming from localhost. Here’s a snippet of the logs to give you an idea:

[Thu, 09 Feb 2023 17:42:32 GMT] 127.0.0.1 POST //admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 404 0.459 ms - 23
[Thu, 09 Feb 2023 17:42:32 GMT] 127.0.0.1 POST //laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 404 0.298 ms - 23
[Thu, 09 Feb 2023 17:42:33 GMT] 127.0.0.1 POST //lib/phpunit/Util/PHP/eval-stdin.php 404 0.328 ms - 23
[Thu, 09 Feb 2023 17:42:33 GMT] 127.0.0.1 POST //new/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 404 0.311 ms - 23
[Thu, 09 Feb 2023 17:42:34 GMT] 127.0.0.1 POST //protected/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 404 0.363 ms - 23
[Thu, 09 Feb 2023 17:42:34 GMT] 127.0.0.1 POST //sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 404 3.516 ms - 23
[Thu, 09 Feb 2023 17:42:34 GMT] 127.0.0.1 POST //wp-content/plugins/cloudflare/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 404 0.410 ms - 23
[Thu, 09 Feb 2023 17:42:34 GMT] 127.0.0.1 POST //wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 404 0.310 ms - 23
[Thu, 09 Feb 2023 17:42:34 GMT] 127.0.0.1 POST //wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 404 0.294 ms - 23
[Thu, 09 Feb 2023 17:42:34 GMT] 127.0.0.1 POST //wp-content/plugins/mm-plugin/inc/vendors/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 404 0.307 ms - 23
[Thu, 09 Feb 2023 17:42:34 GMT] 127.0.0.1 POST //www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 404 0.335 ms - 23
[Thu, 09 Feb 2023 17:56:53 GMT] 127.0.0.1 GET / 404 3.443 ms - 23
[Thu, 09 Feb 2023 18:40:21 GMT] 127.0.0.1 GET /_ignition/execute-solution 404 0.325 ms - 23
[Thu, 09 Feb 2023 19:20:38 GMT] 127.0.0.1 GET /apis/apps/v1/namespaces/kube-system/daemonsets 404 0.401 ms - 23
[Thu, 09 Feb 2023 19:55:42 GMT] 127.0.0.1 GET /robots.txt 404 0.347 ms - 23
[Thu, 09 Feb 2023 20:20:40 GMT] 127.0.0.1 GET /metrics 404 0.495 ms - 23
[Thu, 09 Feb 2023 20:20:40 GMT] 127.0.0.1 GET /v2/ 404 0.499 ms - 23
[Thu, 09 Feb 2023 20:26:01 GMT] 127.0.0.1 GET / 404 0.457 ms - 23
[Thu, 09 Feb 2023 20:26:01 GMT] 127.0.0.1 GET /metrics 404 0.388 ms - 23
[Thu, 09 Feb 2023 21:26:57 GMT] 127.0.0.1 GET /favicon.ico 404 0.337 ms - 23
[Thu, 09 Feb 2023 21:55:57 GMT] 127.0.0.1 GET /bootstrap-2.min.js 404 0.338 ms - 23
[Thu, 09 Feb 2023 21:55:59 GMT] 127.0.0.1 GET /api/x 404 0.420 ms - 23
[Thu, 09 Feb 2023 22:16:45 GMT] 127.0.0.1 GET /.env 404 0.379 ms - 23
[Thu, 09 Feb 2023 22:16:45 GMT] 127.0.0.1 POST / 404 1.353 ms - 23
[Fri, 10 Feb 2023 03:57:01 GMT] 127.0.0.1 GET /_asterisk/ 404 0.435 ms - 23
[Fri, 10 Feb 2023 04:44:29 GMT] 127.0.0.1 GET /ab2g 404 0.370 ms - 23
[Fri, 10 Feb 2023 04:44:30 GMT] 127.0.0.1 GET /ab2h 404 0.506 ms - 23
[Fri, 10 Feb 2023 05:10:15 GMT] 127.0.0.1 GET /dns-query?name=dnsscan.shadowserver.org&type=A 404 0.563 ms - 23
[Fri, 10 Feb 2023 05:12:55 GMT] 127.0.0.1 GET /.git/config 404 0.312 ms - 23
[Fri, 10 Feb 2023 05:21:44 GMT] 127.0.0.1 GET / 404 0.369 ms - 23
[Fri, 10 Feb 2023 08:46:09 GMT] 127.0.0.1 GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 404 0.338 ms - 23
[Fri, 10 Feb 2023 09:08:23 GMT] 127.0.0.1 GET /favicon.ico 404 0.637 ms - 23
[Fri, 10 Feb 2023 09:08:24 GMT] 127.0.0.1 GET /robots.txt 404 0.319 ms - 23
[Fri, 10 Feb 2023 09:08:26 GMT] 127.0.0.1 GET /.well-known/security.txt 404 0.437 ms - 23
[Fri, 10 Feb 2023 09:53:51 GMT] 127.0.0.1 GET /showLogin.cc 404 0.298 ms - 23
[Fri, 10 Feb 2023 10:18:05 GMT] 127.0.0.1 GET /autodiscover/autodiscover.json?@zdi/Powershell 404 0.270 ms - 23
[Fri, 10 Feb 2023 15:48:41 GMT] 127.0.0.1 GET /?XDEBUG_SESSION_START=phpstorm 404 0.302 ms - 23
[Fri, 10 Feb 2023 16:26:28 GMT] 127.0.0.1 GET /actuator/health 404 0.361 ms - 23

To be clear the IP addresses of external traffic are showing up as expected (ie most traffic does not come from 127.0.0.1), and the app is a REST API, so I’m not sure where these requests are coming from.

As you can see the API is responding with a 404 request so I’m not really sure how much impact it’s having on the app, and even if it has anything to do with the intermittent downtime we’re experiencing.

So I guess my questions are: why would my app (which is running on a port on localhost) be receiving incoming traffic from localhost? Should I blocklist 127.0.0.1 from my app? Where would these requests be coming from and why would they know to send requests to a specific port on localhost?

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

KFSys
Site Moderator
Site Moderator badge
February 11, 2023

Hey @mikehayden,

When using a reverse proxy, in your case Nginx, the traffic always appears as localhost due to the proxy itself.

The requests itself seem to be for wordpress so what you can do is add a deny block in your Nginx config for any requests that have a wordpress path in them.

Bobby Iliev
Site Moderator
Site Moderator badge
February 10, 2023

Hi there,

You would usually see the requests coming from localhost in a reverse proxy setup. The requests seem to be coming from crawler bot and are trying to hit some common routes for WordPress websites, but as you are not using WordPress they should be harmless.

Can you share your complete Nginx server block here so I could take a quick look at the setup?

Best,

Bobby

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

card icon
Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Sign up
card icon
Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We’d like to help.

Learn more
card icon
Become a contributor

You get paid; we donate to tech nonprofits.

Learn more
Featured on Community
Kubernetes CourseLearn Python 3Machine Learning in PythonGetting started with GoIntro to Kubernetes
DigitalOcean Products
CloudwaysVirtual MachinesManaged DatabasesManaged KubernetesBlock StorageObject StorageMarketplaceVPCLoad Balancers
Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow – whether you’re running one virtual machine or ten thousand.

Learn more ->
DigitalOcean Cloud Control Panel
Get started for free

Enter your email to get $200 in credit for your first 60 days with DigitalOcean.

New accounts only. By submitting your email you agree to our Privacy Policy.

© 2023 DigitalOcean, LLC.