Solved

Apache2.2 Error Logs - File Does Not Exist

Posted on 2007-10-08
Last Modified: 2012-06-27
On my Apache2.2 error logs for one of my virtual hosts, I am receiving all sorts of "File does not exist" for things like "/blog" which doesn't exist - nor do I want it. What is causing all these files not found? There are A LOT of lines so I will only post some of them. Thanks!

[Mon Oct 08 09:35:44 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/blogs
[Mon Oct 08 09:35:44 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/blogs
[Mon Oct 08 09:35:45 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/phpads
[Mon Oct 08 09:35:45 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/blog
[Mon Oct 08 09:35:46 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/ads
[Mon Oct 08 09:35:47 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/b2evo
[Mon Oct 08 09:35:47 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/phpgroupware
[Mon Oct 08 09:35:48 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/adserver
[Mon Oct 08 09:35:49 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/phpadsnew
[Mon Oct 08 09:35:49 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/Ads
[Mon Oct 08 09:40:23 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/awstats.pl
[Mon Oct 08 09:40:23 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/cgi-bin
[Mon Oct 08 09:40:23 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/scgi-bin
[Mon Oct 08 09:40:24 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/awstats
[Mon Oct 08 09:40:24 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/cgi-bin
[Mon Oct 08 09:40:24 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/scgi-bin
[Mon Oct 08 09:40:25 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/cgi
[Mon Oct 08 09:40:25 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/scripts
[Mon Oct 08 09:40:26 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/cgi-bin
[Mon Oct 08 09:40:26 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/scgi-bin
[Mon Oct 08 09:40:27 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/scgi-bin
[Mon Oct 08 09:40:27 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/cgi-bin
[Mon Oct 08 09:40:27 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/scgi-bin
[Mon Oct 08 09:40:28 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/stats
[Mon Oct 08 10:47:12 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/phpMyAdmin
[Mon Oct 08 10:47:13 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/pHpMyAdMiN
[Mon Oct 08 10:47:13 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/PHPmyadmin
[Mon Oct 08 10:47:14 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/phpMYadmin
[Mon Oct 08 10:47:14 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/pmamy
[Mon Oct 08 10:47:14 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/PMA
[Mon Oct 08 10:47:15 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/MYADMIN
[Mon Oct 08 10:47:15 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/myADMIN
[Mon Oct 08 10:47:16 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/PMA
[Mon Oct 08 10:47:16 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/mysql
[Mon Oct 08 10:47:19 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/db
[Mon Oct 08 10:47:20 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/web
[Mon Oct 08 10:47:20 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/admin
[Mon Oct 08 10:47:20 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/mysql-admin
[Mon Oct 08 10:47:21 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/site_name/mysqladmin
0
Question by:damijim
14 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 20037385
Someone (or more people or some web crawler programs, ...) is requesting a file/folder that does not exist. He gets an error 404 and the error is also written to the log. Nothing more to it than that.
0
 
LVL 1

Author Comment

by:damijim
ID: 20037441
Well, even on my development server which is not public, I have the same errors. There is not a spider or crawler looking at those files... or did I misunderstand you?
0
 
LVL 16

Assisted Solution

by:grahamnonweiler
grahamnonweiler earned 600 total points
ID: 20037806
The log entries are common on "public" facing servers - these are caused by "script kiddies" (people with nothing better to do than scan the web looking for sites to attack or crack). Typically you would see a "burst" of activity all originating from a single IP address and nothing for a day or so and then another attack.

Now provided you have 404 errors there is nothing too much to worry about as the attacker didn't get anywhere - but you should learn from it - as they will keep trying until they find somewhere to "break in". Good advice: never leave "admin" folders or "phpmyadmin" lying around open on the net.

Moving to your development server - if you are 100% sure that no public traffic is entering your network - then it is possible someone within your network is trying to find "holes" in your system - that someone could be a "virus" or other form of malware running on a local machine.
0
 
LVL 1

Author Comment

by:damijim
ID: 20037879
Well, the 192.168.*.* is a static IP on the internal LAN... all our internal IPs start that way. I do not run phpmyadmin, mysql, or any of those other "not found" things. My dev server is Windows 2003 Server Edition with tight security. It has backup software, virus scanners, etc. My dev server IP is the 192.168.12.1. Additionally, I only get these errors when I restart Apache (or reboot - start Apache). I am 100% confident that no one is accessing the server other than through HTTP. I access it through Remote Desktop, Shared Folders, or - most commonly - VM Infrastructure as the machine is really just a VM. The only other people who access that server are the project managers who use the HTTP protocol to connect and they aren't searching for things like <root>/blog - trust me.

The development server is behind the corporate firewall which is strict as... well it's strict/annoying. The only users who have security to the server are the administrators (which is our network admins and myself). I also can access it using my network login to the local domain through Shared Folders (i.e. CompanyDomain\UserID).

The "attacks" are on the development server and my redundant "live web servers" in the DMZ. So, there's firewalls in front and behind.

It seems unlikely that it is a "script kiddie", but ... any suggestions?

Thanks!
0
 
LVL 16

Expert Comment

by:Blaz
ID: 20039015
You didn't quite understand what grahamnonweiler and I were suggesting. OK, because it is happening on the LAN makes it a bit different but anyhow:
- no matter how tight security you have on your server (virus scanners, firewalls, ...) you are letting through all http traffic, right?
- the errors suggest that someone is probing various urls - possibly probing for server vulnerabilities
- the someone could be a virus or spyware on any machine in the network which has http access to this server
- the someone could even be a security vulnerability scanner on your network or some other product.

Could you describe more:
- from which server were the error logs you posted? What IP does it have? Is it in DMZ or on your LAN?
- what does Apache access log say for the times you get those errors?

0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20039551
Based on the description from damijim - in that as soon as he starts Apache these entries appear - and that he is running under VMWare - then it is most probably a "security vulnerability scanner" that is being run by the network admins.

If this is the case then the scanner will have access to both "public" and "local" servers - regardless of whether they are virtual or live.

The most important thing to understand damijim - is that both Blaz and myself are trying to tell you that this traffic is based on HTTP access to Apache - so if someone typed in http://192.168.12.1/phpMyAdmin then it would show up as a 404 error in your Apache logs.

A security vulnerability scanner sends out these types of requests continually (or on a periodic basis) to ensure that no one has created a "security hole" on the company's server. If the scanner is mis-configured it could be running constantly and in which case find the network administrator who installed it and get them to configure it correctly.

0
 
LVL 1

Author Comment

by:damijim
ID: 20039768
I appreciate the help you all. I will talk to the network admins and see if they run a "vulnerability scanner".

Blaz - I will provide you with the information in about an hour. I'm about to leave for work once I get my new PC up and going. (It's a sweet Core 2 Duo, 2GB 800Mhz DDR2, ASUS mobo, cheap video card, 7200rpm SATA WD. I had to build it on a budget, but it beats my 2 year old Sony Vaio VGN-A290 like crazy. Sorry, had to gloat for a moment... just woke up. ;P)
0
 
LVL 1

Author Comment

by:damijim
ID: 20040198
Blaz -
1) The error logs I posted were from one of the DMZ servers. Its VM-IP is 192.168.12.80, but under network connections in Windows it is assigned the static IP of 65.83.xx.xx. (Sorry for the .xx.xx, but the site is live, but under development and marketing wouldn't like me posting the site yet.)
2) 192.168.12.1 is the Default Gateway for that web server. I'm confused now.

On my development (internal) server.
1) The error logs look a little different, example:
"[Fri Sep 28 09:45:39 2007] [error] [client 172.16.56.44] File does not exist: D:/Apache2.2/htdocs/procore_solutions/global/flash/procore.swf, referer: http://prowebdev-vm/index.shtml"
 -which is standard/normal. 172.16.56.44 is my static IP on the LAN/domain.
So, I guess the problem is mainly my DMZ servers.


DMZ Error Log:
[Mon Oct 08 10:47:23 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/procore_solutions/phpMyAdmin-2.5.4
[Mon Oct 08 10:47:23 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/procore_solutions/phpMyAdmin-2.2.3
[Mon Oct 08 10:47:23 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/procore_solutions/phpMyAdmin-2.9.0
[Mon Oct 08 10:47:24 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/procore_solutions/phpMyAdmin-2.9.0.1
[Mon Oct 08 10:47:24 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/procore_solutions/phpMyAdmin-2.8.2.2
[Mon Oct 08 10:47:26 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/procore_solutions/phpMyAdmin-2.7.0-pl2
[Mon Oct 08 10:47:29 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/procore_solutions/phpMyAdmin-2.6.4-pl4
[Mon Oct 08 10:47:29 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/procore_solutions/phpMyAdmin-2.8.1
[Mon Oct 08 10:47:30 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/procore_solutions/phpMyAdmin-2.2.7
[Mon Oct 08 10:47:30 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/procore_solutions/phpMyAdmin-2.2.0
[Mon Oct 08 10:47:31 2007] [error] [client 192.168.12.1] File does not exist: D:/Apache2.2/htdocs/procore_solutions/phpmyadmin


The last line in my access.log is:
192.168.12.1 - - [28/Sep/2007:16:07:18 -0400] "GET / HTTP/1.0" 403 202
192.168.12.1 - - [28/Sep/2007:16:07:20 -0400] "GET / HTTP/1.0" 403 202
192.168.12.1 - - [28/Sep/2007:16:07:22 -0400] "GET / HTTP/1.0" 403 202
192.168.12.1 - - [28/Sep/2007:16:07:34 -0400] "GET / HTTP/1.0" 403 202


Maybe I should review my httpd.conf again or check out the other redundant server in the DMZ.

Any suggestions would be appreciated!
0
 
LVL 1

Author Comment

by:damijim
ID: 20040369
Also, I checked the other two DMZ servers that host cobbenergy.com and cobbemc.com that I configured as well, and they do not have the same problem. They have different IPs, but use the same gateway. If that information helps at all. Thanks.
0
 
LVL 16

Accepted Solution

by:Blaz
Blaz earned 1400 total points
ID: 20040399
About the DMZ machine:
The machine has an IP 192.168.12.80 and default gateway 192.168.12.1.
I presume that the gateway 192.168.12.1 does NAT. Probably all traffic to the DMZ VM server from your internal LAN appears to come from 192.168.12.1.
0
 
LVL 1

Author Comment

by:damijim
ID: 20040525
Correct.

So, any ideas why it is searching for paths on my 2 redundant DMZ VM servers? It doesn't do this on the other DMZ VM servers hosting our other sites.
0
 
LVL 1

Author Comment

by:damijim
ID: 20040721
Alright, I talked to IT of our parent company who hosts the VMs/servers. He said it's the load balancer running health checks on the system. Is there any way to configure httpd.conf to ignore these 404 requests from the 192.168.12.1?
0
 
LVL 16

Expert Comment

by:Blaz
ID: 20040808
In general - no. But it is quite easy to configure yourself to ignore these 404 errors in the log :-)

Maybe you could do some rewrites to check for these standard probing URLs and redirect them to a page (see mod_rewrite). But probably this would cause an alarm in your IT department - a security leak URL address would respond to the requests.
0
 
LVL 1

Author Comment

by:damijim
ID: 20040880
Yeah, too bad they gave me a Windows 2003 Server edition this time. If I got Linux I could just strip out those lines before reviewing the log.

I want to see the 404 errors in case there really is an issue at some point. Anyway, thanks again for your help! :)
0
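
The log triage discussed at the end of this thread (set aside the scanner noise, keep the 404s worth reading), as an added Python example that is not from any of the posters; it runs on Windows as well as Linux. Because the gateway does NAT, dropping every line from 192.168.12.1 would also hide real 404s, so it summarizes referer-less bursts of many distinct missing paths instead. The `gap` and `min_paths` thresholds and the `images/logo.gif` line are assumptions.

```python
import re
from datetime import datetime, timedelta
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>[^,]+?)(?:, referer: (?P<ref>\S+))?$")

def parse(lines):
    """Yield (timestamp, client, path, referer) per 'File does not exist' line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["ip"], m["path"], m["ref"]

def triage(lines, gap=timedelta(seconds=30), min_paths=5):
    """Return (sweeps, review): summarized probe bursts and the 404s left to read."""
    bursts, review = {}, []             # bursts: client -> list of bursts
    for ts, ip, path, ref in sorted(parse(lines), key=lambda e: e[0]):
        groups = bursts.setdefault(ip, [])
        if ref:                         # a referer means a page linked to the file
            review.append((ts, ip, path))
        elif groups and ts - groups[-1][-1][0] <= gap:
            groups[-1].append((ts, ip, path))
        else:
            groups.append([(ts, ip, path)])
    sweeps = []                         # (client, start, requests, distinct paths)
    for ip, groups in bursts.items():
        for group in groups:
            distinct = {p for _, _, p in group}
            if len(distinct) >= min_paths:
                sweeps.append((ip, group[0][0], len(group), len(distinct)))
            else:                       # too few paths to call a sweep
                review.extend(group)
    return sweeps, sorted(review)

BASE = "D:/Apache2.2/htdocs/site_name/"
# Probe lines follow the excerpts quoted in the thread; the last one is constructed.
SAMPLE = [f"[Mon Oct 08 09:35:4{s} 2007] [error] [client 192.168.12.1] "
          f"File does not exist: {BASE}{p}"
          for s, p in [(4, "blogs"), (4, "blogs"), (5, "phpads"), (5, "blog"),
                       (6, "ads"), (7, "b2evo"), (7, "phpgroupware")]] + [
    "[Fri Sep 28 09:45:39 2007] [error] [client 172.16.56.44] File does not exist: "
    "D:/Apache2.2/htdocs/procore_solutions/global/flash/procore.swf, "
    "referer: http://prowebdev-vm/index.shtml",
    f"[Mon Oct 08 14:02:10 2007] [error] [client 192.168.12.1] "
    f"File does not exist: {BASE}images/logo.gif"]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

On the sample, the seven probe requests collapse into one sweep entry, while the missing `procore.swf` and the lone `logo.gif` request stay in the review list even though the latter shares the gateway address.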