Question

Weird GET and POST requests node

Posted September 2, 2021 163 views
Nginx, Node.js, Security

Good day to you DigitalOcean Community! I’m new here and in the cloud scene so please excuse me if this is a stupid question 🙏

I’ve got a droplet running on Ubuntu 20.04 with nginx. It serves a basic Node.js Express API and I’ve seen in the app’s logs that I receive weird requests. I don’t understand where they are coming from and why. The droplet’s been live for about 3 days, the domain is new. I didn’t show it to anyone, didn’t post it anywhere and the only outside services I’m using that are interacting with this domain are the frontend client that uses this API (hosted on Netlify) and Auth0.

Should I worry about them? Are these attacks? I see they’re looking for WordPress/PHP files, which I obviously don’t have, and for .env files. What is going on?

Thank you very much in advance!

2021-09-01 06:55 +00:00: GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 404 0.486 ms - 148
2021-09-01 06:55 +00:00: POST /mifs/.;/services/LogService 404 0.375 ms - 167
2021-09-01 06:55 +00:00: GET /console/ 404 0.449 ms - 147
2021-09-01 06:55 +00:00: GET /wp-content/plugins/wp-file-manager/readme.txt 404 0.308 ms - 184
2021-09-01 06:55 +00:00: GET / 404 0.473 ms - 139
2021-09-01 06:55 +00:00: POST /Autodiscover/Autodiscover.xml 404 0.526 ms - 169
2021-09-01 06:55 +00:00: GET /_ignition/execute-solution 404 0.493 ms - 165
2021-09-01 07:36 +00:00: GET /.env 404 0.310 ms - 143
2021-09-01 07:36 +00:00: POST / 404 0.543 ms - 140
2021-09-01 08:26 +00:00: GET / 404 0.527 ms - 139
2021-09-01 08:26 +00:00: GET / 404 0.456 ms - 139
2021-09-01 08:26 +00:00: GET / 404 0.576 ms - 139
2021-09-01 08:26 +00:00: GET / 404 0.295 ms - 139
2021-09-01 08:26 +00:00: GET / 404 0.431 ms - 139
2021-09-01 08:26 +00:00: GET / 404 0.455 ms - 139
2021-09-01 08:26 +00:00: GET / 404 0.264 ms - 139
2021-09-01 08:27 +00:00: GET / 404 0.526 ms - 139
2021-09-01 08:27 +00:00: GET / 404 0.329 ms - 139
2021-09-01 08:46 +00:00: GET / 404 0.317 ms - 139
2021-09-01 08:49 +00:00: GET / 404 0.446 ms - 139
2021-09-01 08:50 +00:00: GET / 404 0.373 ms - 139
2021-09-01 08:54 +00:00: GET / 404 0.298 ms - 139
2021-09-01 09:03 +00:00: GET / 404 0.398 ms - 139
2021-09-01 09:07 +00:00: GET / 404 0.470 ms - 139
2021-09-01 10:18 +00:00: GET / 404 0.470 ms - 139
2021-09-01 10:18 +00:00: GET //wp-includes/wlwmanifest.xml 404 0.293 ms - 167
2021-09-01 10:18 +00:00: GET //xmlrpc.php?rsd 404 0.457 ms - 150
2021-09-01 10:18 +00:00: GET / 404 0.383 ms - 139
2021-09-01 10:18 +00:00: GET //blog/wp-includes/wlwmanifest.xml 404 0.715 ms - 172
2021-09-01 10:18 +00:00: GET //web/wp-includes/wlwmanifest.xml 404 0.487 ms - 171
2021-09-01 10:18 +00:00: GET //wordpress/wp-includes/wlwmanifest.xml 404 0.414 ms - 177    
2021-09-01 10:18 +00:00: GET //website/wp-includes/wlwmanifest.xml 404 0.542 ms - 175      
2021-09-01 10:18 +00:00: GET //wp/wp-includes/wlwmanifest.xml 404 0.436 ms - 170
2021-09-01 10:18 +00:00: GET //news/wp-includes/wlwmanifest.xml 404 0.405 ms - 172
2021-09-01 10:18 +00:00: GET //2020/wp-includes/wlwmanifest.xml 404 0.377 ms - 172
2021-09-01 10:18 +00:00: GET //2019/wp-includes/wlwmanifest.xml 404 0.274 ms - 172
2021-09-01 10:18 +00:00: GET //shop/wp-includes/wlwmanifest.xml 404 0.414 ms - 172
2021-09-01 10:18 +00:00: GET //wp1/wp-includes/wlwmanifest.xml 404 0.412 ms - 171
2021-09-01 10:18 +00:00: GET //test/wp-includes/wlwmanifest.xml 404 0.312 ms - 172
2021-09-01 10:18 +00:00: GET //wp2/wp-includes/wlwmanifest.xml 404 0.380 ms - 171
2021-09-01 10:18 +00:00: GET //site/wp-includes/wlwmanifest.xml 404 0.284 ms - 172
2021-09-01 10:18 +00:00: GET //cms/wp-includes/wlwmanifest.xml 404 0.521 ms - 171
2021-09-01 10:18 +00:00: GET //sito/wp-includes/wlwmanifest.xml 404 0.277 ms - 172
2021-09-01 10:29 +00:00: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 404 0.393 ms - 158
2021-09-01 11:31 +00:00: GET / 404 0.355 ms - 139
2021-09-01 12:52 +00:00: GET / 404 0.397 ms - 139
2021-09-01 13:59 +00:00: GET / 404 0.312 ms - 139
2021-09-01 13:59 +00:00: GET /favicon.ico 404 0.419 ms - 150
2021-09-01 13:59 +00:00: GET /favicon.ico 404 0.289 ms - 150
2021-09-01 13:59 +00:00: GET / 404 0.446 ms - 139
2021-09-01 13:59 +00:00: GET /favicon.ico 404 0.546 ms - 150
2021-09-01 13:59 +00:00: GET /favicon.ico 404 0.447 ms - 150
2021-09-01 13:59 +00:00: GET / 404 0.419 ms - 139
2021-09-01 13:59 +00:00: GET / 404 0.457 ms - 139
2021-09-01 14:57 +00:00: GET / 404 0.326 ms - 139
2021-09-01 16:00 +00:00: GET / 404 0.329 ms - 139
2021-09-01 17:00 +00:00: GET / 404 0.487 ms - 139
2021-09-01 17:00 +00:00: GET //wp-includes/wlwmanifest.xml 404 0.502 ms - 167
2021-09-01 17:00 +00:00: GET //xmlrpc.php?rsd 404 0.574 ms - 150
2021-09-01 17:00 +00:00: GET / 404 0.446 ms - 139
2021-09-01 17:00 +00:00: GET //blog/wp-includes/wlwmanifest.xml 404 0.453 ms - 172
2021-09-01 17:00 +00:00: GET //web/wp-includes/wlwmanifest.xml 404 0.357 ms - 171
2021-09-01 17:00 +00:00: GET //wordpress/wp-includes/wlwmanifest.xml 404 0.444 ms - 177    
2021-09-01 17:00 +00:00: GET //website/wp-includes/wlwmanifest.xml 404 0.434 ms - 175      
2021-09-01 17:00 +00:00: GET //wp/wp-includes/wlwmanifest.xml 404 0.286 ms - 170
2021-09-01 17:00 +00:00: GET //news/wp-includes/wlwmanifest.xml 404 0.337 ms - 172
2021-09-01 17:00 +00:00: GET //2018/wp-includes/wlwmanifest.xml 404 0.469 ms - 172
2021-09-01 17:00 +00:00: GET //2019/wp-includes/wlwmanifest.xml 404 0.507 ms - 172
2021-09-01 17:00 +00:00: GET //shop/wp-includes/wlwmanifest.xml 404 0.466 ms - 172
2021-09-01 17:00 +00:00: GET //wp1/wp-includes/wlwmanifest.xml 404 0.616 ms - 171
2021-09-01 17:00 +00:00: GET //test/wp-includes/wlwmanifest.xml 404 0.475 ms - 172
2021-09-01 17:00 +00:00: GET //media/wp-includes/wlwmanifest.xml 404 0.558 ms - 173        
2021-09-01 17:00 +00:00: GET //wp2/wp-includes/wlwmanifest.xml 404 0.310 ms - 171
2021-09-01 17:00 +00:00: GET //site/wp-includes/wlwmanifest.xml 404 0.337 ms - 172
2021-09-01 17:00 +00:00: GET //cms/wp-includes/wlwmanifest.xml 404 0.616 ms - 171
2021-09-01 17:00 +00:00: GET //sito/wp-includes/wlwmanifest.xml 404 0.424 ms - 172
2021-09-01 17:37 +00:00: GET /robots.txt 404 0.361 ms - 149
2021-09-01 17:37 +00:00: GET / 404 0.443 ms - 139
2021-09-01 18:01 +00:00: GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com 404 0.437 ms - 169
2021-09-01 19:45 +00:00: GET /autodiscover/autodiscover.json?@evil.corp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp 404 0.308 ms - 169
2021-09-01 19:51 +00:00: GET /wp-login.php 404 0.313 ms - 151
2021-09-01 19:51 +00:00: GET /wp-login.php 404 0.274 ms - 151
2021-09-01 19:51 +00:00: GET /wp-login.php 404 0.380 ms - 151
2021-09-01 19:51 +00:00: GET /wp-login.php 404 0.257 ms - 151
2021-09-01 19:51 +00:00: GET /wp-login.php 404 0.299 ms - 151
2021-09-01 21:08 +00:00: GET /actuator/health 404 0.292 ms - 154
2021-09-01 21:43 +00:00: GET /.env 404 0.407 ms - 143
2021-09-01 21:43 +00:00: POST / 404 0.883 ms - 140
2021-09-01 23:17 +00:00: GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application 404 0.372 ms - 214
2021-09-02 00:12 +00:00: GET / 404 0.291 ms - 139
2021-09-02 00:12 +00:00: GET / 404 0.326 ms - 139
2021-09-02 00:26 +00:00: GET / 404 0.279 ms - 139

1 answer

Hello,

Yes indeed, it looks like a bot is scanning your website for vulnerabilities.

As you are not using WordPress you should be all good, but if you want to be extra safe, as a quick fix, you could use Cloudflare and their Bots protection:

https://www.cloudflare.com/products/bot-management/

Alternatively, you could block the IP addresses of the bots which would work temporarily until the bots change their IPs.

Regards,
Bobby
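
As an added example (not part of the original question or answer), here is a small Node.js script that triages log lines in the format shown in the question: it groups probe requests by the software whose paths they ask for and lists any probe that was answered with something other than 404. The signature list, the function name `triage` and the last sample line are assumptions made for illustration.

```javascript
// Added example: triage scanner noise in the log format posted in the question.
// Assumed line format: "<date> <time> <tz>: <METHOD> <url> <status> <ms> ms - <bytes>"
const LINE = /^(\S+ \S+ \S+): (GET|POST|PUT|DELETE|HEAD|PATCH|OPTIONS) (\S+) (\d{3}) /;

// Path signatures for software this Express API does not run (illustrative list).
const SIGNATURES = [
  ['WordPress', /\/(wp-(login|includes|content|admin)|xmlrpc\.php)/i],
  ['Microsoft Exchange', /^\/(autodiscover|owa|ecp)\//i],
  ['ThinkPHP', /\\think\\app/i],
  ['Laravel Ignition', /^\/_ignition\//i],
  ['Spring Boot Actuator', /^\/actuator\//i],
  ['dotenv file', /\/\.env\b/i],
  ['MobileIron', /^\/mifs\//i],
];

function triage(logText) {
  const counts = {};   // probe family -> number of requests
  const answered = []; // probes that did NOT get a 404: these need a human look
  for (const raw of logText.split('\n')) {
    const m = LINE.exec(raw.trim());
    if (!m) continue;  // skip wrapped or unrelated lines
    const [, when, method, url, status] = m;
    const hit = SIGNATURES.find(([, re]) => re.test(url));
    if (!hit) continue; // e.g. plain "GET /" is not counted as a probe
    counts[hit[0]] = (counts[hit[0]] || 0) + 1;
    if (status !== '404') answered.push({ when, method, url, status, family: hit[0] });
  }
  return { counts, answered };
}

// Sample input: seven lines copied from the question, plus one constructed
// line (the final "200" on /.env) to show what a real finding looks like.
const SAMPLE = String.raw`2021-09-01 06:55 +00:00: GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 404 0.486 ms - 148
2021-09-01 06:55 +00:00: POST /mifs/.;/services/LogService 404 0.375 ms - 167
2021-09-01 07:36 +00:00: GET /.env 404 0.310 ms - 143
2021-09-01 10:18 +00:00: GET //wp-includes/wlwmanifest.xml 404 0.293 ms - 167
2021-09-01 19:51 +00:00: GET /wp-login.php 404 0.313 ms - 151
2021-09-01 21:08 +00:00: GET /actuator/health 404 0.292 ms - 154
2021-09-02 00:12 +00:00: GET / 404 0.291 ms - 139
2021-09-02 01:00 +00:00: GET /.env 200 0.300 ms - 512`;

console.log(triage(SAMPLE));
```

An empty `answered` list over the real log means every probe hit a path the app does not serve; any entry there is the request to investigate first.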