Sending apache logs to remote rsyslog server adds extra space - linux

I'm trying to send Apache/2.2.22 (Ubuntu) logs to a remote rsyslogd 8.2001.0 (aka 2020.01) server and then use awstats 7.6 (build 20161204). I have a problem with the format: awstats shows that the lines are corrupted. I'm guessing that the lines are corrupted because of one extra white space at the beginning. Can someone tell me why rsyslog adds this extra space, or how to remove it? The log looks like:
 x.x.x.x - - [06/Jan/2022:08:39:07 +0200] "GET /1.php HTTP/1.1" 200 2906 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
But it should look like:
x.x.x.x - - [06/Jan/2022:08:39:07 +0200] "GET /1.php HTTP/1.1" 200 2906 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
My apache config to send logs to local7:
CustomLog "| /bin/bash -c /usr/bin/tee -a ${APACHE_LOG_DIR}/access-my.domain.log | /usr/bin/logger -t my.domain.com -p local7.info" combined
Sender rsyslog config:
$ModLoad imfile
$InputFilePollInterval 10
$InputFileName /var/log/apache2/access-*.log
$InputFileTag apache2-access
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputRunFileMonitor
$InputFileFacility local7
# forward everything on local7 (the Apache lines) to the receiver over UDP; "@" is UDP, "#" would start a comment
local7.* @x.x.x.x
Receiver rsyslog:
module(load="imudp")
input(type="imudp" port="514")
$template mydomain, "/var/log/remote-logs/access-my.domain.com.log"
$template mydomain2, "%msg%\n"
if $syslogtag == "my.domain.com:" then ?mydomain;mydomain2
& stop
Please help, and if you know, this is extra: Apache should log to local7 and keep the files locally, but this CustomLog only sends to local7 without saving files locally. I know this is OLD (DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"); that's why I'm sending the logs to a remote server, because in this distro there are no more packages for awstats and the Perl modules.

For the white space I need to strip the log with
"%msg:2:$%\n" instead of only "%msg%\n"
But I still have the problem: why are the logs not being saved locally?
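Added example, not from the post and not rsyslog's own code: it walks the BSD syslog framing that explains where the space comes from, then applies the same two receiver templates from the post to the parsed message. The syslog line, the host name web1 and the demo() helper are constructed for this example.

```python
import re

# Constructed sample: what `logger -t my.domain.com -p local7.info` puts on the wire.
# PRI 190 = facility local7 (23) * 8 + severity info (6).
RAW_SYSLOG = ('<190>Jan  6 08:39:07 web1 my.domain.com: x.x.x.x - - '
              '[06/Jan/2022:08:39:07 +0200] "GET /1.php HTTP/1.1" 200 2906 "-" "Mozilla/5.0"')

# BSD syslog framing is <PRI>TIMESTAMP HOST TAG:MSG. The TAG ends at the colon, so the
# single space logger(1) writes after it is part of MSG; rsyslog does not add it, it just
# preserves it, which is why the %msg% property starts with a space.
SYSLOG_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) '
                       r'(?P<host>\S+) (?P<tag>[^:\s]+:)(?P<msg>.*)$')

def parse_syslog(line):
    """Split a BSD-style syslog line into its fields; msg keeps its leading space."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line")
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    return rec

def render_msg(msg, template):
    """Emulate the two receiver templates from the post. rsyslog property replacer
    offsets are 1-based, so %msg:2:$% means 'from the 2nd character to the end'."""
    if template == "%msg%\n":
        return msg + "\n"
    if template == "%msg:2:$%\n":
        return msg[1:] + "\n"
    raise ValueError("template not handled here")

def looks_like_combined(line):
    """What awstats needs: the line must open with the client address field, not a space."""
    return re.match(r'^\S+ \S+ \S+ \[', line) is not None

def demo():
    """Constructed helper: parse the sample and render it with both templates."""
    rec = parse_syslog(RAW_SYSLOG)
    with_space = render_msg(rec["msg"], "%msg%\n")
    stripped = render_msg(rec["msg"], "%msg:2:$%\n")
    return rec, with_space, stripped
```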

Related

Express.js server strange calls

I have an Express.js server running on a Windows server. In my tests to put it into production I received a strange call that I did not make; from what I understand it is an attempt to access my server. What I do not understand is whether these calls are normal for all servers/webpages online.
My server is running with HTTPS with certificates created by Certbot, I have helmet enabled and x-powered-by disabled. I have the server listening on port 443, but I plan to change this to another port.
Previously I received many calls like the following:
138.197.190.182 - - [01/Jun/2022:21:00:40 +0000] "HEAD / HTTP/1.0" 404 140 "-" "-"
138.197.190.182 - - [01/Jun/2022:21:00:46 +0000] "GET /system_api.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
138.197.190.182 - - [01/Jun/2022:21:00:48 +0000] "GET /c/version.js HTTP/1.1" 404 151 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
138.197.190.182 - - [01/Jun/2022:21:00:50 +0000] "GET /streaming/clients_live.php HTTP/1.1" 404 165 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
138.197.190.182 - - [01/Jun/2022:21:00:52 +0000] "GET /stalker_portal/c/version.js HTTP/1.1" 404 166 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
138.197.190.182 - - [01/Jun/2022:21:00:54 +0000] "GET /stream/live.php HTTP/1.1" 404 154 "-" "VLC/3.0.8 LibVLC/3.0.8"
138.197.190.182 - - [01/Jun/2022:21:00:57 +0000] "GET /flu/403.html HTTP/1.1" 404 151 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
138.197.190.182 - - [01/Jun/2022:21:00:59 +0000] "GET / HTTP/1.1" 404 139 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
92.226.2.139 - - [11/May/2022:16:14:45 +0000] "GET /anaesthetist/goddaughters/betterment/Colombias.jsp HTTP/1.1" 404 189 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)"
92.226.2.139 - - [11/May/2022:16:14:45 +0000] "GET /Yorkshires/TKO/chromes/limestone.jsp HTTP/1.1" 404 175 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; BOIE8;ENUS)"
82.102.17.180 - - [11/May/2022:16:25:19 +0000] "GET http://dyn.epicgifs.net/test6956.php HTTP/1.1" 404 151 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
103.178.236.40 - - [22/Apr/2022:22:17:20 +0000] "GET http://example.com/ HTTP/1.1" 404 139 "-" "Go-http-client/1.1"
92.118.160.1 - - [23/Apr/2022:14:23:00 +0000] "GET / HTTP/1.0" 404 139 "-" "NetSystemsResearch studies the availability of various services across the internet. Our website is netsystemsresearch.com"
I understand that as long as I don't have anything at the addresses they are trying to access there is no problem, or am I wrong?
My concern is that I received several identical calls in a short period of time from the same IP, like this:
193.19.109.230 - - [26/Jul/2022:22:59:03 +0000] "GET / HTTP/1.1" 404 139 "-" "python-requests/2.22.0"
My question is: with the security that I currently have, should I be very concerned about these calls?
Public servers often get spammed with requests like these. Attackers try to get information about your server by scanning for specific sites, so they can find attack vectors (for example old PHP/WordPress versions with known issues).
Other requests can come from scanners searching for or indexing security leaks, or sites in general.
This is completely normal for servers exposed to the Internet.
Another question like this can be found here.
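Added example, not part of the question or the answer above: a triage pass over the combined-format lines from the question that scores each source, so all-404 probing is recognised as the background noise the answer describes while a source that actually gets content served stands out for review. User agents are shortened, the 10.0.0.5 line is constructed, and the thresholds are my own assumptions.

```python
import re
from collections import defaultdict

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Lines from the question (user agents shortened); the 10.0.0.5 line is constructed.
SAMPLE_LOG = """\
138.197.190.182 - - [01/Jun/2022:21:00:40 +0000] "HEAD / HTTP/1.0" 404 140 "-" "-"
138.197.190.182 - - [01/Jun/2022:21:00:46 +0000] "GET /system_api.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
138.197.190.182 - - [01/Jun/2022:21:00:50 +0000] "GET /streaming/clients_live.php HTTP/1.1" 404 165 "-" "Mozilla/5.0"
138.197.190.182 - - [01/Jun/2022:21:00:54 +0000] "GET /stream/live.php HTTP/1.1" 404 154 "-" "VLC/3.0.8 LibVLC/3.0.8"
193.19.109.230 - - [26/Jul/2022:22:59:03 +0000] "GET / HTTP/1.1" 404 139 "-" "python-requests/2.22.0"
10.0.0.5 - - [26/Jul/2022:23:01:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_combined(lines):
    """Parse combined-format lines; anything that does not match is skipped."""
    records = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records

def triage(records, min_requests=3):
    """Per-source summary. 'scanner': several requests, all 404, over distinct paths
    (probing for software this host does not run); 'probe': all 404 but too few to
    say more; 'served': at least one non-404, so the source reached real content."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    summary = {}
    for ip, recs in by_ip.items():
        total = len(recs)
        not_found = sum(r["status"] == 404 for r in recs)
        paths = {r["path"] for r in recs}
        if not_found == total and total >= min_requests and len(paths) >= 2:
            verdict = "scanner"
        elif not_found == total:
            verdict = "probe"
        else:
            verdict = "served"
        summary[ip] = {"requests": total, "404s": not_found, "paths": len(paths),
                       "user_agents": len({r["ua"] for r in recs}), "verdict": verdict}
    return summary
```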

URLs getting cropped

Reviewing access logs we've noticed Google PageSpeed Insights crops long URLs at around 70 chars and an ellipsis is appended. This results in a 404. Example:
8.8.8.8 - - [17/Sep/2020:10:32:22 +0200] "GET /wp-content/uploads/2016/06/petey-peeking-through-d%E2%80%A6 HTTP/1.1" 404 4650 "https://example.com/" "Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4143.7 Mobile Safari/537.36 Chrome-Lighthouse"
On sites with many long URLs this causes a lot of 404s, which negatively impacts WordPress sites for example as they handle 404s via PHP. I presume it will also result in incomplete/incorrect test analysis and results. I can't seem to find any information about this online. Is it intended behavior?
Additional examples:
66.249.93.34 - - [17/Sep/2020:14:15:20 +0200] "GET /wp-content/uploads/2020/09/test-picture-with-a-very-very-very-long-name-1024x402.jpg HTTP/1.1" 200 17896 "https://wpland.se/" "Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4143.7 Mobile Safari/537.36 Chrome-Lighthouse"
66.249.93.34 - - [17/Sep/2020:14:17:33 +0200] "GET /wp-content/uploads/2020/09/test-picture-with-a-very-very%E2%80%A6 HTTP/1.1" 404 4925 "http://wpland.se/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4143.7 Safari/537.36 Chrome-Lighthouse"
We have the same issue; this function seems to truncate the URLs:
function getOuterHTMLSnippet(element, ignoreAttrs = [], snippetCharacterLimit = 500) {
  const ATTRIBUTE_CHAR_LIMIT = 75;
  try {
    if (element instanceof ShadowRoot) {
      element = element.host;
    }
    const clone = element.cloneNode();
    ignoreAttrs.forEach(attribute => {
      clone.removeAttribute(attribute);
    });
    let charCount = 0;
    for (const attributeName of clone.getAttributeNames()) {
      if (charCount > snippetCharacterLimit) {
        clone.removeAttribute(attributeName);
      } else {
        let attributeValue = clone.getAttribute(attributeName);
        // any attribute value (src, href, ...) longer than 75 chars is cut and an ellipsis appended
        if (attributeValue.length > ATTRIBUTE_CHAR_LIMIT) {
          attributeValue = attributeValue.slice(0, ATTRIBUTE_CHAR_LIMIT - 1) + '…';
          clone.setAttribute(attributeName, attributeValue);
        }
        charCount += attributeName.length + attributeValue.length;
      }
    }
    const reOpeningTag = /^[\s\S]*?>/;
    const [match] = clone.outerHTML.match(reOpeningTag) || [];
    if (match && charCount > snippetCharacterLimit) {
      return match.slice(0, match.length - 1) + ' …>';
    }
    return match || '';
  } catch (_) {
    return `<${element.localName}>`;
  }
}
https://github.com/GoogleChrome/lighthouse/issues/11465

Not able to sign in to gitlab after upgrade

I upgraded GitLab Omnibus from gitlab-ce-12.0.2-ce.0.el7.x86_64 to gitlab-ce-12.0.3-ce.0.el7.x86_64.
After that, when I launch the URL http://10.28.19.103:8080 it redirects to http://10.28.19.103:8080/users/sign_in.
There I only see a sign-in button. Upon clicking it nothing happens. I have no space to enter a username and password.
The logs are as below:
==> /var/log/gitlab/gitlab-rails/production.log <==
Started GET "/" for 10.28.208.19 at 2019-07-05 01:02:15 +0800
Processing by RootController#index as HTML
Redirected to http://10.28.19.103:8080/users/sign_in
**Filter chain halted as :redirect_unlogged_user rendered or redirected**
Completed 302 Found in 16ms (ActiveRecord: 0.5ms)
Started GET "/users/sign_in" for 10.28.208.19 at 2019-07-05 01:02:16 +0800
Processing by SessionsController#new as HTML
==> /var/log/gitlab/gitlab-rails/production_json.log <==
{"method":"GET","path":"/","format":"html","controller":"RootController","action":"index","status":302,"duration":17.38,"view":0.0,"db":0.54,"location":"http://10.28.19.103:8080/users/sign_in","time":"2019-07-04T17:02:15.975Z","params":[],"remote_ip":"10.28.208.19","user_id":null,"username":null,"ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36","queue_duration":3.56,"correlation_id":"fqMPRtqjdO3"}
==> /var/log/gitlab/gitlab-rails/production.log <==
Completed 200 OK in 52ms (Views: 32.5ms | ActiveRecord: 2.2ms)
Started GET "/uploads/-/system/appearance/header_logo/1/ytlc.png" for 10.28.208.19 at 2019-07-05 01:02:16 +0800
Processing by UploadsController#show as HTML
Parameters: {"model"=>"appearance", "mounted_as"=>"header_logo", "id"=>"1", "filename"=>"ytlc.png"}
Sent file /opt/gitlab/embedded/service/gitlab-rails/public/uploads/-/system/appearance/header_logo/1/ytlc.png (0.3ms)
Completed 200 OK in 16ms (ActiveRecord: 1.5ms)
==> /var/log/gitlab/gitlab-rails/production_json.log <==
{"method":"GET","path":"/users/sign_in","format":"html","controller":"SessionsController","action":"new","status":200,"duration":54.1,"view":32.47,"db":2.17,"time":"2019-07-04T17:02:16.020Z","params":[],"remote_ip":"10.28.208.19","user_id":null,"username":null,"ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36","queue_duration":5.03,"correlation_id":"T9vwNeRZZZ6"}
{"method":"GET","path":"/uploads/-/system/appearance/header_logo/1/ytlc.png","format":"html","controller":"UploadsController","action":"show","status":200,"duration":17.42,"view":0.0,"db":1.47,"time":"2019-07-04T17:02:16.768Z","params":[{"key":"model","value":"appearance"},{"key":"mounted_as","value":"header_logo"},{"key":"id","value":"1"},{"key":"filename","value":"ytlc.png"}],"remote_ip":"10.28.208.19","user_id":null,"username":null,"ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36","queue_duration":4.3,"correlation_id":"Wsuv3JkKIj2"}
==> /var/log/gitlab/gitlab-rails/production.log <==
Started GET "/-/metrics" for 127.0.0.1 at 2019-07-05 01:02:18 +0800
Processing by MetricsController#index as HTML
Completed 200 OK in 5ms (Views: 0.7ms | ActiveRecord: 0.0ms)
==> /var/log/gitlab/gitlab-rails/production_json.log <==
{"method":"GET","path":"/-/metrics","format":"html","controller":"MetricsController","action":"index","status":200,"duration":6.82,"view":0.67,"db":0.0,"time":"2019-07-04T17:02:18.715Z","params":[],"remote_ip":null,"user_id":null,"username":null,"ua":null,"queue_duration":null,"correlation_id":"2e2fdaf8-4f81-4075-b9b5-1c34055bafba"}
==> /var/log/gitlab/gitlab-rails/sidekiq_exporter.log <==
[2019-07-05 01:02:18] 127.0.0.1 - - [05/Jul/2019:01:02:18 +08] "GET /metrics HTTP/1.1" 200 3501 "-" "Prometheus/2.8.1"
I took a backup of the current repositories and installed a new GIT on a temp VM. I imported the above repository.
But again I faced the same problem.
Please help.
You should not be accessing GitLab via port 8080. That's Unicorn, and it shouldn't be listening externally by default. You should access GitLab via port 80 or 443 through Nginx.
If you've set Unicorn to listen on port 8080 on something other than localhost, I suggest setting that back to default and accessing via the configured external URL (which should be port 80 or 443).

Creating an issue in gitlab-ce results in a 405 Method not allowed

I've managed to migrate GitLab CE 8.1 to 8.2, but I get an annoying issue.
Every time I try to create an issue, I get this error:
==> /var/log/gitlab/gitlab-rails/production.log <==
Started POST "/api/api/issues" for 93.93.xx.xxx at 2015-12-15 15:05:13 +0100
==> /var/log/gitlab/nginx/gitlab_access.log <==
93.93.xx.xxx - - [15/Dec/2015:15:05:13 +0100] "POST /api/api/issues HTTP/1.1" 405 2 "https://git.myhost.name/api/api/issues/new?issue%5Bassignee_id%5D=&issue%5Bmilestone_id%5D=" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36"
It only occurs on this project. Do you have any idea where it comes from?
For information, I use a custom nginx.
Thanks,
Edit: To give more details, I have a white page like this when creating the issue.

Running Rendr Examples Results in HTTP 502 Error When Links Clicked

I have built and run Rendr's example apps on Ubuntu 13.10 using Node v0.8.6. When I click on the Repos or Users links, I get an HTTP 502 - Bad Gateway error, but when I refresh the page (load from server) it works (200 - OK) and the repos or users are displayed.
Here is server output for the working case - (page refresh):
127.0.0.1 - - [Fri, 31 Jan 2014 22:47:56 GMT] "GET /repos HTTP/1.1" 200 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/32.0.1700.102 Chrome/32.0.1700.102 Safari/537.36"
And here is the failure case - (link navigation):
127.0.0.1 - - [Fri, 31 Jan 2014 22:48:07 GMT] "GET /api/-/users HTTP/1.1" 502 - "http://localhost:3030/users" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/32.0.1700.102 Chrome/32.0.1700.102 Safari/537.36"
Any ideas or pointers to what the problem might be?
Thanks.
The solution for this problem is here: https://github.com/airbnb/rendr/issues/266
