
HTTP GET requests being made to my website for unknown .php files. Why and how to prevent this

Posted by: admin November 30, 2017

Questions:

I have an application deployed on a DigitalOcean droplet. About 1 day after deploying, my server crashed. The final logs look like this:

GET /vehicle/tank/all/1 304 2.965 ms - -
GET /vehicle/tank/all/1 304 2.582 ms - -
GET /vehicle/tank/all/1 304 1.735 ms - -
GET /vehicle/tank/all/1 304 1.566 ms - -
GET http://dhg.pisz.pl/httptest.php 404 1.771 ms - 43
GET http://dhg.pisz.pl/httptest.php 404 3.271 ms - 43
GET http://dhg.pisz.pl/httptest.php 404 1.051 ms - 43
GET http://24x7-allrequestsallowed.com/?  PHPSESSID=aab45f4f00143PWZJTVBY%40DXJFV%5D 200 1.777 ms - 1878
GET / 200 2.794 ms - 1878
GET http://testp4.pospr.waw.pl/testproxy.php 404 2.617 ms - 52
HEAD /robots.txt 404 2.946 ms - 24
HEAD / 200 1.751 ms - 1878
GET http://dhg.pisz.pl/httptest.php 404 9.679 ms - 43

Error: Connection lost: The server closed the connection.
    at Protocol.end (/root/tycho/node_modules/mysql/lib/protocol/Protocol.js:109:13)
    at Socket.<anonymous> (/root/tycho/node_modules/mysql/lib/Connection.js:102:28)
    at Socket.EventEmitter.emit (events.js:117:20)
    at _stream_readable.js:920:16
    at process._tickCallback (node.js:415:13)
[nodemon] app crashed - waiting for file changes before starting...

Is this an attack? If so, what can I do to prevent a client from making these types of GET requests in the first place?

Answers:

You could block their IP addresses with your firewall. Searching for “fail2ban” and the name of your server should turn up some tutorials on how to automate this process. If you notice the majority of the attacks are from a certain area, blocking IP addresses by region (geoIP) is also an option.
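
The logged requests whose target is a full `http://…` URL for another host are absolute-form requests, the form a client sends to a proxy, and the log format shown records no client address for a firewall or fail2ban rule to act on. The following is an added example, not part of the original question or answer: a middleware that refuses such targets and logs the client IP, plus a helper run over lines from the log above. `OWN_HOSTS` and all function names are assumptions.

```javascript
// Added example, not from the original post. OWN_HOSTS, classifyTarget,
// rejectProxyProbes and probeTargets are hypothetical names.
// Hosts this server legitimately answers for (assumed; replace with your own).
const OWN_HOSTS = new Set(['example.com', 'www.example.com']);

// Classify a raw request target as Node exposes it in req.url.
// Ordinary clients send origin-form ("/path"); the logged requests use
// absolute-form ("http://other-host/path"), the form meant for proxies.
function classifyTarget(target, ownHosts = OWN_HOSTS) {
  if (target.startsWith('/') || target === '*') return 'origin';
  let url;
  try {
    url = new URL(target);
  } catch (err) {
    return 'malformed';
  }
  return ownHosts.has(url.hostname) ? 'own-absolute' : 'proxy-probe';
}

// Connect/Express-style middleware: answer 400 to targets not addressed to
// this server and log the client address, so a log-based blocker such as
// fail2ban has an IP to match. JSON.stringify keeps the target on one line.
function rejectProxyProbes(log = console.warn, ownHosts = OWN_HOSTS) {
  return function (req, res, next) {
    const kind = classifyTarget(req.url, ownHosts);
    if (kind === 'origin' || kind === 'own-absolute') return next();
    log(`request-rejected kind=${kind} ip=${req.socket.remoteAddress} target=${JSON.stringify(req.url)}`);
    res.statusCode = 400;
    res.setHeader('Connection', 'close');
    res.end();
  };
}

// Pull foreign-host targets out of "METHOD target status ..." log lines.
function probeTargets(lines, ownHosts = OWN_HOSTS) {
  return lines
    .map((line) => line.trim().split(/\s+/)[1])
    .filter((t) => t && classifyTarget(t, ownHosts) === 'proxy-probe');
}

// Lines copied from the log in the question.
const SAMPLE_LOG = [
  'GET /vehicle/tank/all/1 304 2.965 ms - -',
  'GET http://dhg.pisz.pl/httptest.php 404 1.771 ms - 43',
  'GET / 200 2.794 ms - 1878',
  'GET http://testp4.pospr.waw.pl/testproxy.php 404 2.617 ms - 52',
  'HEAD /robots.txt 404 2.946 ms - 24',
];
console.log(probeTargets(SAMPLE_LOG));
```

In a Connect/Express-style app, register the middleware ahead of the routes so rejected requests never reach application code.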