Strange log on my EC2 machine. Hack attempt?

I have to admit that I am quite new to DevOps (and I was very happy that mupx made it so easy for me to get my app running on an EC2 instance!). Today I had a look at the server logs and was a bit puzzled when I saw entries like these:

Error: url must be a relative URL:
     at [object Object]._.extend.classify (packages/routepolicy/routepolicy.js:107:1)
     at IsAppUrl (packages/meteorhacks_fast-render/lib/server/utils.js:19:1)
     at [object Object].filterFunction (packages/meteorhacks_fast-render/lib/server/routes.js:6:1)
     at [object Object].PickerImp._dispatch (packages/meteorhacks_picker/packages/meteorhacks_picker.js:44:1)
     at processNextSubRouter (packages/meteorhacks_picker/packages/meteorhacks_picker.js:80:1)
     at processNextRoute (packages/meteorhacks_picker/packages/meteorhacks_picker.js:73:1)
     at processNextMiddleware (packages/meteorhacks_picker/packages/meteorhacks_picker.js:56:1)
     at [object Object].PickerImp._dispatch (packages/meteorhacks_picker/packages/meteorhacks_picker.js:50:1)
     at Object.Package [as handle] (packages/meteorhacks_picker/packages/meteorhacks_picker.js:140:1)
     at next (/bundle/bundle/programs/server/npm/webapp/node_modules/connect/lib/proto.js:190:15)

The URLs vary, but they are all coming from strange domains (mostly from Poland). Does anyone with more experience than me have an explanation what might be happening here. For my noob eyes, it looks like a hacker / injection attempt.

BTW: Is there any guide / tutorial out there on how to “harden” a mupx/Ubuntu based Meteor set-up?

Definitely a hack attempt, but too bad they don’t realize you’re running a Node.js server. :wink:

You could edit your nginx config to block requests like these. I guess if it were me in your position, I’d make it so any requests that end in “.php” would be redirected to a website full of popup ads. :smiling_imp:

1 Like

Probably just bots that try some often occuring exploits. Nothing to worry about.

That’s normal, we are also having such logs from bots that try to access /phpmyadmin or other typical urls from plugins or frameworks that maybe have a vulnerability.

If you’re using nginx, add this to your server block:

  # Begone, hackers!
  # urls ending in .php or .pl will be bounced elsewhere
  location ~* \.(php|pl)$ {
    rewrite .*;

You could, instead of rewrite, just do return 404;, or use return 301 url_here; to do HTTP 301 redirect. Lots of options.

And that raises the question: what’s the worst possible website you can redirect someone to? :wink:

1 Like

Thanks @all for your quick replies. Nice idea to redirect them to a funny website, maybe some honeypot :smile:

Can post the url here - but the word “eel soup” and first hit on Google. There is no coming back from that.

I wouldn’t mess with these guys, just block the requests and that’s it, don’t try to taichi or aikido it.

I had a friend who did something like this and next thing he knows, his sys admin asks him the next day, “uh… who did you piss off?”

He got DDOS’d.

Googled it. Thought about clicking on it. Decided not to.

1 Like

Googled it. Thought about clicking on it. Decided not to.

Good, good choice. I still think you should know that it is about well, eels, a funnel, bodily exits and two japanese women trying to bring the deep space program for other organisms available by launching them. Happy dreaming!