
Server log file HEAD requests


I found some entries in my log file that I don't understand. Besides all the expected GET requests, I found quite a large number of HEAD requests that I know for sure my application is not making.

I don't have phpMyAdmin, SQL or any of the other resources requested installed on my server (pure Node.js app running MongoDB).

Could this be automated software scanning my server for vulnerabilities?

HEAD http://54.xxx.xxx.xxx:80/2phpmyadmin/ 301 2.044 ms - 91
HEAD http://54.xxx.xxx.xxx:80/3phpmyadmin/ 301 1.789 ms - 91
HEAD http://54.xxx.xxx.xxx:80/4phpmyadmin/ 301 1.749 ms - 91
HEAD http://54.xxx.xxx.xxx:80/MyAdmin/ 301 1.770 ms - 87
HEAD http://54.xxx.xxx.xxx:80/PMA/ 301 1.705 ms - 83
HEAD http://54.xxx.xxx.xxx:80/PMA2011/ 301 1.762 ms - 87
HEAD http://54.xxx.xxx.xxx:80/PMA2012/ 301 1.470 ms - 87
HEAD http://54.xxx.xxx.xxx:80/PMA2013/ 301 1.316 ms - 87
HEAD http://54.xxx.xxx.xxx:80/PMA2014/ 301 1.605 ms - 87
HEAD http://54.xxx.xxx.xxx:80/PMA2015/ 301 1.282 ms - 87
HEAD http://54.xxx.xxx.xxx:80/admin/ 301 1.194 ms - 85
HEAD http://54.xxx.xxx.xxx:80/admin/db/ 301 1.307 ms - 88
HEAD http://54.xxx.xxx.xxx:80/admin/pMA/ 301 1.236 ms - 89
HEAD http://54.xxx.xxx.xxx:80/admin/phpMyAdmin/ 301 1.299 ms - 96
HEAD http://54.xxx.xxx.xxx:80/admin/phpmyadmin/ 301 1.534 ms - 96
HEAD http://54.xxx.xxx.xxx:80/admin/sqladmin/ 301 1.218 ms - 94
HEAD http://54.xxx.xxx.xxx:80/admin/sysadmin/ 301 1.523 ms - 94
HEAD http://54.xxx.xxx.xxx:80/admin/web/ 301 1.612 ms - 89
HEAD http://54.xxx.xxx.xxx:80/administrator/PMA/ 301 1.410 ms - 97
HEAD http://54.xxx.xxx.xxx:80/administrator/admin/ 301 1.302 ms - 99
HEAD http://54.xxx.xxx.xxx:80/administrator/db/ 301 1.466 ms - 96
HEAD http://54.xxx.xxx.xxx:80/administrator/phpMyAdmin/ 301 1.625 ms - 104
HEAD http://54.xxx.xxx.xxx:80/administrator/phpmyadmin/ 301 1.781 ms - 104
HEAD http://54.xxx.xxx.xxx:80/administrator/pma/ 301 1.277 ms - 97
HEAD http://54.xxx.xxx.xxx:80/administrator/web/ 301 1.392 ms - 97
HEAD http://54.xxx.xxx.xxx:80/database/ 301 1.217 ms - 88
HEAD http://54.xxx.xxx.xxx:80/db/ 301 1.250 ms - 82
HEAD http://54.xxx.xxx.xxx:80/db/db-admin/ 301 1.349 ms - 91
HEAD http://54.xxx.xxx.xxx:80/db/dbadmin/ 301 1.240 ms - 90
HEAD http://54.xxx.xxx.xxx:80/db/dbweb/ 301 1.347 ms - 88
HEAD http://54.xxx.xxx.xxx:80/db/myadmin/ 301 1.365 ms - 90
HEAD http://54.xxx.xxx.xxx:80/db/phpMyAdmin-3/ 301 1.257 ms - 95
HEAD http://54.xxx.xxx.xxx:80/db/phpMyAdmin/ 301 1.304 ms - 93
HEAD http://54.xxx.xxx.xxx:80/db/phpMyAdmin3/ 301 1.337 ms - 94
HEAD http://54.xxx.xxx.xxx:80/db/phpmyadmin/ 301 1.280 ms - 93
HEAD http://54.xxx.xxx.xxx:80/db/phpmyadmin3/ 301 1.217 ms - 94
HEAD http://54.xxx.xxx.xxx:80/db/webadmin/ 301 1.378 ms - 91
HEAD http://54.xxx.xxx.xxx:80/db/webdb/ 301 1.600 ms - 88
HEAD http://54.xxx.xxx.xxx:80/db/websql/ 301 1.321 ms - 89
HEAD http://54.xxx.xxx.xxx:80/dbadmin/ 301 1.367 ms - 87
HEAD http://54.xxx.xxx.xxx:80/myadmin/ 301 1.318 ms - 87
HEAD http://54.xxx.xxx.xxx:80/myadminphp/ 301 1.318 ms - 90
HEAD http://54.xxx.xxx.xxx:80/mysql-admin/ 301 1.464 ms - 91
HEAD http://54.xxx.xxx.xxx:80/mysql/ 301 1.254 ms - 85
HEAD http://54.xxx.xxx.xxx:80/mysql/admin/ 301 1.270 ms - 91
HEAD http://54.xxx.xxx.xxx:80/mysql/db/ 301 1.318 ms - 88
HEAD http://54.xxx.xxx.xxx:80/mysql/dbadmin/ 301 1.344 ms - 93
HEAD http://54.xxx.xxx.xxx:80/mysql/mysqlmanager/ 301 1.276 ms - 98
HEAD http://54.xxx.xxx.xxx:80/mysql/pMA/ 301 1.405 ms - 89
HEAD http://54.xxx.xxx.xxx:80/mysql/pma/ 301 1.236 ms - 89
HEAD http://54.xxx.xxx.xxx:80/mysql/sqlmanager/ 301 1.212 ms - 96
HEAD http://54.xxx.xxx.xxx:80/mysql/web/ 301 1.381 ms - 89
HEAD http://54.xxx.xxx.xxx:80/mysqladmin/ 301 1.214 ms - 90
HEAD http://54.xxx.xxx.xxx:80/mysqlmanager/ 301 1.218 ms - 92
HEAD http://54.xxx.xxx.xxx:80/php-my-admin/ 301 1.287 ms - 92
HEAD http://54.xxx.xxx.xxx:80/php-myadmin/ 301 1.315 ms - 91
HEAD http://54.xxx.xxx.xxx:80/phpMyAdmin-2/ 301 1.199 ms - 92
HEAD http://54.xxx.xxx.xxx:80/phpMyAdmin-3/ 301 1.183 ms - 92
HEAD http://54.xxx.xxx.xxx:80/phpMyAdmin-4/ 301 1.218 ms - 92
HEAD http://54.xxx.xxx.xxx:80/phpMyAdmin/ 301 1.155 ms - 90
HEAD http://54.xxx.xxx.xxx:80/phpMyAdmin2/ 301 1.231 ms - 91
HEAD http://54.xxx.xxx.xxx:80/phpMyAdmin3/ 301 1.337 ms - 91
HEAD http://54.xxx.xxx.xxx:80/phpMyAdmin4/ 301 1.669 ms - 91
HEAD http://54.xxx.xxx.xxx:80/phpMyadmin/ 301 1.290 ms - 90
HEAD http://54.xxx.xxx.xxx:80/phpmanager/ 301 1.241 ms - 90
HEAD http://54.xxx.xxx.xxx:80/phpmy-admin/ 301 1.279 ms - 91
HEAD http://54.xxx.xxx.xxx:80/phpmy/ 301 1.503 ms - 85
HEAD http://54.xxx.xxx.xxx:80/phpmyAdmin/ 301 1.351 ms - 90
HEAD http://54.xxx.xxx.xxx:80/phpmyadmin/ 301 1.400 ms - 90
HEAD http://54.xxx.xxx.xxx:80/phpmyadmin1/ 301 1.346 ms - 91
HEAD http://54.xxx.xxx.xxx:80/phpmyadmin2/ 301 1.320 ms - 91
HEAD http://54.xxx.xxx.xxx:80/phpmyadmin3/ 301 1.317 ms - 91
HEAD http://54.xxx.xxx.xxx:80/phpmyadmin4/ 301 1.518 ms - 91
HEAD http://54.xxx.xxx.xxx:80/phppma/ 301 1.286 ms - 86
HEAD http://54.xxx.xxx.xxx:80/pma/ 301 2.188 ms - 83
GET /brothel 200 1198.006 ms - -
HEAD http://54.xxx.xxx.xxx:80/pma2011/ 301 1.599 ms - 87
HEAD http://54.xxx.xxx.xxx:80/pma2012/ 301 1.481 ms - 87
HEAD http://54.xxx.xxx.xxx:80/pma2013/ 301 1.373 ms - 87
HEAD http://54.xxx.xxx.xxx:80/pma2014/ 301 1.283 ms - 87
HEAD http://54.xxx.xxx.xxx:80/pma2015/ 301 1.546 ms - 87
HEAD http://54.xxx.xxx.xxx:80/program/ 301 1.324 ms - 87
HEAD http://54.xxx.xxx.xxx:80/shopdb/ 301 1.276 ms - 86
HEAD http://54.xxx.xxx.xxx:80/sql/myadmin/ 301 1.348 ms - 91
HEAD http://54.xxx.xxx.xxx:80/sql/php-myadmin/ 301 1.309 ms - 95
HEAD http://54.xxx.xxx.xxx:80/sql/phpMyAdmin/ 301 1.907 ms - 94
HEAD http://54.xxx.xxx.xxx:80/sql/phpMyAdmin2/ 301 1.353 ms - 95
HEAD http://54.xxx.xxx.xxx:80/sql/phpMyAdmin3/ 301 1.350 ms - 95
HEAD http://54.xxx.xxx.xxx:80/sql/phpMyAdmin4/ 301 1.431 ms - 95
HEAD http://54.xxx.xxx.xxx:80/sql/phpmanager/ 301 1.327 ms - 94
HEAD http://54.xxx.xxx.xxx:80/sql/phpmy-admin/ 301 1.263 ms - 95
HEAD http://54.xxx.xxx.xxx:80/sql/phpmyadmin2/ 301 1.293 ms - 95
HEAD http://54.xxx.xxx.xxx:80/sql/phpmyadmin3/ 301 1.213 ms - 95
HEAD http://54.xxx.xxx.xxx:80/sql/phpmyadmin4/ 301 1.410 ms - 95
HEAD http://54.xxx.xxx.xxx:80/sql/sql-admin/ 301 1.337 ms - 93
HEAD http://54.xxx.xxx.xxx:80/sql/sql/ 301 1.225 ms - 87
HEAD http://54.xxx.xxx.xxx:80/sql/sqladmin/ 301 1.254 ms - 92
HEAD http://54.xxx.xxx.xxx:80/sql/sqlweb/ 301 1.196 ms - 90
HEAD http://54.xxx.xxx.xxx:80/sql/webadmin/ 301 1.336 ms - 92
HEAD http://54.xxx.xxx.xxx:80/sql/webdb/ 301 1.507 ms - 89
HEAD http://54.xxx.xxx.xxx:80/sql/websql/ 301 1.216 ms - 90
HEAD http://54.xxx.xxx.xxx:80/sqlmanager/ 301 1.521 ms - 90

Solution

  • Those records are most likely from hackers who want to scan for an admin control panel on your server, although the IP addresses of the scanning sources are often victims' machines controlled by hackers.

    You may want to set up fail2ban as a solution. If you have some free time, you can also use a whois service to look up the email address of the abuse admin for the IP address that scanned your server and send a complaint to them so that they can take appropriate action on the malicious IP address.
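
The triage the answer implies, as an added example that is not part of the original post: it strips the colour codes from log lines in the format shown in the question and counts requests for admin-panel paths the application does not serve. The sample lines, the address 203.0.113.10, the `APP_ROUTES` list and the `PANEL` pattern are constructed for illustration.

```javascript
// Added example (not from the original post). Sample log lines are constructed.
const ANSI = /\x1b?\[\d{1,3}(?:;\d{1,3})*m/g;   // colour codes, with or without the ESC byte
const LINE = /^([A-Z]+) (\S+) (\d{3}) ([\d.]+) ms - (\S+)$/;
// Illustrative pattern: directory names typical of database admin panels.
const PANEL = /(php-?my-?admin|pma|myadmin|mysql|sql|dbadmin|webdb|admin)/i;

// Parse one log line into its fields, or return null if it is not a request line.
function parseLine(raw) {
  const m = LINE.exec(raw.replace(ANSI, '').trim());
  if (!m) return null;
  const [, method, target, status] = m;
  const absoluteForm = /^https?:\/\//i.test(target);   // proxy-style request target
  const path = target.replace(/^https?:\/\/[^/]+/i, '') || '/';
  return { method, path, status: Number(status), absoluteForm };
}

// A probe is a panel-like path that falls outside every route the app serves.
function isProbe(entry, appRoutes) {
  if (!entry) return false;
  const served = appRoutes.some((r) => entry.path === r || entry.path.startsWith(r + '/'));
  return !served && PANEL.test(entry.path);
}

function summarize(lines, appRoutes) {
  const out = { total: 0, probes: 0, headProbes: 0, absoluteForm: 0, paths: [] };
  for (const raw of lines) {
    const e = parseLine(raw);
    if (!e) continue;                 // skip anything that is not a request line
    out.total += 1;
    if (!isProbe(e, appRoutes)) continue;
    out.probes += 1;
    if (e.method === 'HEAD') out.headProbes += 1;
    if (e.absoluteForm) out.absoluteForm += 1;
    out.paths.push(e.path);
  }
  return out;
}

// Constructed input: two probes, two legitimate requests, one unparseable line.
const SAMPLE = [
  '\x1b[0mHEAD http://203.0.113.10:80/phpmyadmin/ \x1b[36m301 \x1b[0m1.400 ms - 90\x1b[0m',
  '[0mHEAD http://203.0.113.10:80/db/websql/ [36m301 [0m1.321 ms - 89[0m',
  '[0mGET /products [32m200 [0m12.500 ms - 512[0m',
  '[0mGET /admin/reports [32m200 [0m8.100 ms - 2048[0m',
  'not a request line',
];
const APP_ROUTES = ['/products', '/admin'];   // hypothetical routes the app really serves
console.log(summarize(SAMPLE, APP_ROUTES));
```

Log lines in this format carry no client address, so a fail2ban filter, which bans by host, needs the logger to record the remote IP as well.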