Two years ago a user submitted a post to /r/sysadmin about a strange poem that showed up in a server's log.

151.217.177.200 - - [30/Dec/2015:00:54:40 -0500] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 226 "-" "masspoem4u/1.0"

The poem, carried in a malformed request, was sent from the Chaos Computer Club in Germany, which was holding its 32nd conference at the time, and was received by millions of hosts, turning up in all sorts of log files.

Anything open to the internet will be hit with bad requests every day, but most of them come from bad actors scanning for services they can try to log in to or exploit.

Taking a look at the Nginx access logs going back nearly a year on a low-traffic site, I pulled a list of the most common requests that resulted in a 404 response.

I used zgrep to find all of the lines with a 404 status in the access log files (zgrep reads the rotated, compressed ones too), piped that into a file, then used cut to keep just the request string and sort and uniq to count each unique request.
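The pipeline described above, as an added example that is not from the original post: it builds a small two-file access log (a current access.log and a rotated access.log.1.gz, the shape logrotate leaves behind) and runs the same zgrep, cut, sort and uniq chain over it. Every address, path and timestamp in the sample is constructed for the example. The match pattern is anchored on the status field so that a 200 response that happens to be 404 bytes long is not counted, and a second function keys the same count on the client address, which is the first thing you want when reviewing a spike of 404s.

```shell
#!/bin/sh
# Added example, not from the original post: the zgrep | cut | sort | uniq -c
# pipeline from the text, run over a constructed two-file access log so it
# can be tried offline. All addresses, paths and timestamps below are made up.

# Create a current access.log and a rotated, gzipped access.log.1.gz in a
# temporary directory and print that directory's path.
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/access.log.1" <<'EOF'
203.0.113.7 - - [03/May/2018:02:14:01 +0000] "GET /wp-login.php/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2018:02:14:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [03/May/2018:09:30:10 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.44 - - [03/May/2018:11:05:44 +0000] "POST / HTTP/1.1" 404 162 "-" "python-requests/2.18"
EOF
    gzip "$dir/access.log.1"
    cat > "$dir/access.log" <<'EOF'
198.51.100.9 - - [04/May/2018:08:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 404 "-" "Mozilla/5.0"
192.0.2.44 - - [04/May/2018:08:01:13 +0000] "POST / HTTP/1.1" 404 162 "-" "python-requests/2.18"
192.0.2.44 - - [04/May/2018:08:01:14 +0000] "POST / HTTP/1.1" 404 162 "-" "python-requests/2.18"
192.0.2.44 - - [04/May/2018:08:01:15 +0000] "GET /wp-login.php/ HTTP/1.1" 404 162 "-" "python-requests/2.18"
192.0.2.44 - - [04/May/2018:08:01:16 +0000] "GET /xmlrpc.php/ HTTP/1.1" 404 162 "-" "python-requests/2.18"
EOF
    echo "$dir"
}

# Most common requests that got a 404, most frequent first.
# zgrep reads plain and gzipped files alike; -h drops the filename prefix.
# The pattern '" 404 ' anchors on the status field right after the closing
# quote of the request string, so a 200 response of 404 bytes (first line of
# access.log above) or a path containing "404" is not counted.
# cut -d'"' -f2 keeps the request string (without its surrounding quotes).
top_404_requests() {
    zgrep -h '" 404 ' "$@" | cut -d'"' -f2 | sort | uniq -c | sort -rn
}

# Same pipeline keyed on the client address: which sources produce the 404s.
top_404_sources() {
    zgrep -h '" 404 ' "$@" | cut -d' ' -f1 | sort | uniq -c | sort -rn
}

# Stand-alone demo; run with DEMO=1 to print both tables for the sample logs.
if [ "${DEMO:-0}" = "1" ]; then
    d=$(make_sample_logs)
    top_404_requests "$d/access.log" "$d/access.log.1.gz"
    top_404_sources "$d/access.log" "$d/access.log.1.gz"
    rm -rf "$d"
fi
```

On a real server the call is simply top_404_requests /var/log/nginx/access.log*, which picks up the live file and every rotated .gz beside it. A plain grep 404 over the same files would also match byte counts and paths, which is why the pattern includes the surrounding quote and spaces.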

Since this is a generally low-traffic server, it's most likely that these requests were not targeted at it specifically but were sent to everything the scanner could find on the Internet.

Here is a list of the most common requests; the number on the left is the number of times each one was found.

 296 "POST / HTTP/1.1"
 161 "GET /wp-login.php/ HTTP/1.1"
  68 "GET /a2billing/common/javascript/misc.js/ HTTP/1.1"
  27 "GET /phpmyadmin/ HTTP/1.1"
  25 "GET /manager/media/script/mootools/mootools.js/ HTTP/1.1"
  20 "POST /index-ajax.php HTTP/1.1"
  18 "GET /apple-touch-icon.png/ HTTP/1.1"
  18 "GET /apple-touch-icon-precomposed.png/ HTTP/1.1"
  17 "GET /xmlrpc.php/ HTTP/1.1"
  17 "GET /manager/ HTTP/1.1"
  16 "GET /a2billing/customer/templates/default/footer.tpl/ HTTP/1.1"
  15 "GET /manager/assets/modext/core/modx.js/ HTTP/1.1"
  14 "GET /noghead/?from=oGate HTTP/1.1"
  14 "GET /nogfoot/ HTTP/1.1"
  13 "GET /wp-login.php/?action=register HTTP/1.1"
  12 "GET /user/register/ HTTP/1.1"
  12 "GET /recordings/ HTTP/1.1"
  12 "GET /index.php/?option=com_user&task=register HTTP/1.1"
  12 "GET /a2billing/admin/public/index.php/ HTTP/1.1"
  12 "GET /.well-known/assetlinks.json HTTP/1.1"
  12 "GET /.well-known/apple-app-site-association HTTP/1.1"
  11 "GET /sftp-config.json/ HTTP/1.1"
  11 "GET /noghead/ HTTP/1.1"
  11 "GET /current_config/account1/ HTTP/1.1"
  11 "GET /connectors/resource/index.php/?ctx[rank%60+IN+(666)+UNION+SELECT+id,username,password+FROM+modx_users+WHERE+id+IN(1);/*]=fuckyoumodxrevolutionagain2 HTTP/1.1"
  11 "GET /assets/snippets/ajaxsearch/js/cleardefault/cleardefault.js/ HTTP/1.1"
  10 "GET /apple-app-site-association/ HTTP/1.1"

First off we can see that three of these (/apple-touch-icon.png, /apple-touch-icon-precomposed.png and /apple-app-site-association) are from Safari looking for site thumbnails or iOS devices looking for a Universal Link.

The most common request was a POST to the root directory. By default a lot of web servers aren't configured to limit these requests, so they consume server resources and can expose vulnerabilities in whatever ends up handling them.

WordPress, as of May 2018, is running on 30% of the web according to W3Techs, so it's not too surprising to see /wp-login.php/ and /wp-login.php/?action=register both targeted.

phpMyAdmin is a popular web tool for managing MySQL databases and is another common target, at /phpmyadmin/.

I am not familiar with A2Billing, but it looks like some sort of billing solution for Asterisk. It was another popular target, with scanners looking for a few resources under /a2billing/.

/noghead and /nogfoot are a little more cryptic. They could be related to this socket log receiver.

Some requests could be looking for commonly named resources like /manager/, /user/register/ and /recordings/.

/connectors/resource/index.php/?ctx[rank%60+IN+(666)+UNION+SELECT+id,username,password+FROM+modx_users+WHERE+id+IN(1);/*]=fuckyoumodxrevolutionagain2 looks to be an attempt to inject a SQL query through a specific PHP page.

The main takeaway is to review your logs. Secondly, if you are running something on this list you should whitelist the resource using allow statements for the addresses you need, followed by deny all.

    ...
    location /phpmyadmin {
        allow 127.0.0.1;
        allow 10.10.0.50;
        deny all;
    }
    ...

If you aren't running these resources you can return a 444, which makes Nginx close the connection without sending a response. That saves the processing power of sending the request all the way down the application stack and keeps the scanning script from learning that the request was received. "If is evil" in Nginx, but it is safe to use inside a location block when the only thing it does is return.

    ...
    location / {
        if ($request ~ "/phpmyadmin/") { return 444; }
        ...
    }

If you have a static site that doesn't need to accept POST requests you can block these as well.

    ...
    location / {
        if ($request_method ~ "POST") { return 444; }
        ...
    }
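One way to put the three fragments above together in a single server block, as an added example that is not from the original post. The hostname, document root, allowed addresses and log path are assumptions; the blocked paths come from the 404 list earlier on the page. Instead of testing $request inside an if, it uses a regex location, so the match happens during Nginx's normal location selection and covers the trailing-slash variants the scanners used; the only if left is the POST check, where return is the one action the Nginx wiki considers safe.

```nginx
server {
    listen 80;
    server_name example.com;        # assumed hostname
    root /var/www/example;          # assumed document root

    # A resource you DO run: only the listed addresses may reach it, everyone
    # else gets a 403 from "deny all". Both addresses are placeholders.
    # ^~ stops a later regex location (such as a generic \.php$ handler)
    # from overriding this prefix match.
    location ^~ /phpmyadmin/ {
        allow 127.0.0.1;
        allow 10.10.0.50;
        deny all;
        # the existing fastcgi_pass / proxy_pass directives for phpMyAdmin go here
    }

    # Resources you DON'T run, taken from the 404 list: match them with a
    # regex location and close the connection with 444 before anything
    # reaches the application. (/|$) catches both /wp-login.php and
    # /wp-login.php/. The hits are still written to a separate log so the
    # scanning activity stays reviewable.
    location ~* "^/(wp-login\.php|xmlrpc\.php|a2billing|manager|connectors)(/|$)" {
        access_log /var/log/nginx/scanner.log;   # assumed log path
        return 444;
    }

    location / {
        # Static site: a POST never needs to reach the application stack.
        if ($request_method = POST) { return 444; }
        try_files $uri $uri/ =404;
    }
}
```

Run nginx -t after editing and reload; then confirm with curl -i http://example.com/wp-login.php/ that the connection is simply closed (curl reports an empty reply) while the phpMyAdmin path returns 403 from a non-allowed address. The regex list is a maintenance item: anything you later start serving under one of those prefixes has to be removed from it.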