I typically see entries in my error.log files of hack attempts where the
host entry is the IP address of my server, but I also see some entries
with
host values that are domain names I don’t recognise.
Example 1:
012/04/01 06:12:49 [error] 644#0: *882
“/var/www/nginx-default/ab1e27867d53d8f4942095a891183ce0cacd3dbf/0d4fc9bfe7c5f26b02522d088dd98da95a9ed8d7/074977cbb342d6ffa7743ae477a5c0054fef5512/index.html”
is not found (2: No such file or directory), client: 150.70.75.37,
server:
localhost, request: “GET
/ab1e27867d53d8f4942095a891183ce0cacd3dbf/0d4fc9bfe7c5f26b02522d088dd98da95a9ed8d7/074977cbb342d6ffa7743ae477a5c0054fef5512/
HTTP/1.0”, host: “deepspacer.com”
Example 2:
2012/02/03 01:38:41 [error] 592#0: *14019 open()
“/var/www/nginx-default/home.php” failed (2: No such file or directory),
client: 216.104.15.130, server: localhost, request: “GET
/home.php?SES=517a4bfc0137889f05d67314df2715a1&from_diary=1&cpl=1&from=102_4
HTTP/1.0”, host: “www.au.mytelecomsurvey.com”
Example 3:
2012/02/03 11:57:56 [error] 592#0: *18075 open()
“/var/www/nginx-default/sites/default/files/js/js_b3ffc00633d66887fcb4ecdfc2d1c13a.jsmin.js”
failed (2: No such file or directory), client: 150.70.64.197, server:
localhost, request: “GET
/sites/default/files/js/js_b3ffc00633d66887fcb4ecdfc2d1c13a.jsmin.js
HTTP/1.0”, host: “www.formalites-juridiques.net”
I was hoping someone could explain what it means if I’m seeing these
domain
names as host values and if it’s something I need to be concerned about.
Thanks