what is trying to start code.php

wijkkie

New member
Joined
Oct 4, 2018
Messages
3
Hi. I'm having some troubles with my webserver.
In the error log is this:

[Thu Oct 04 16:23:54.986223 2018] [:error] [pid 25318] [client my.server.ip.adres:39458] File does not exist: /var/www/html/code.php
a lot of times

How can I find out what is trying to start code.php?
 
Don't bother, someone is trying to start a PHP file that doesn't exist. You should worry more if the file is really there :)
 
Don't bother, someone is trying to start a PHP file that doesn't exist. You should worry more if the file is really there :)

I do bother, because my VPS is doing strange things, so I want to figure out what's going wrong. The CPU load of my VPS is reaching around 200%.

The script is being started about 4 times in a minute and after 4 to 5 minutes again.
 
The script is being started about 4 times in a minute and after 4 to 5 minutes again.
As long as it's saying "error" and "file not found" the script is not being started like Active8 says, somebody is only trying to see if it exists, or trying to start it.

If you have a load of cpu load, there might be another issue or other malware, but it is not this one, or at least not at this location the log is telling you.

You might want to consider (if not already present) to install Maldetect on your VPS.
https://www.rfxn.com/projects/linux-malware-detect/
 
I understand that you know that. But did you also install and use it? That is not really clear to me.
Because if this tool finds something it also points to the directory (and so the user) which has a malicious file. If one is present.

As for the code.php, the "who" is the person with the IP address mentioned in the log. So probably a script kiddie or hacker. There is no way to find out who exactly that is.

You don't need to worry about attempts to start things which are not even present. To find the cause of your issue, let go of this code.php which does not even exist, it won't help you find a solution.

P.S. If you are Dutch (Nederlands), send me a PM; it talks a lot easier in our own language.
 
Hello,

I assume you masked here your server's IP. Correct?
Code:
[client my.server.ip.adres:39458]


The client's IP in the logs is the server's IP. And here only the following explanations come to my mind:

- you are using a front-end (nginx, varnish) in front of Apache and did not configure the latter to detect the real IP of a user who's visiting your server. In this case your server's IP will be written in the logs instead of the user's IP.

- you have a legit cron task which is trying to connect to code.php over HTTP/HTTPS (probably you removed a domain, but a task exists and the DNS of that domain still points to your server). Check /var/spool/cron/, /etc/cron.d, /etc/cron.daily, /etc/cron.hourly, /etc/cron.monthly, /etc/crontab, /etc/cron.weekly

- malware, as it was already mentioned. Check home directories for possibly infected files.


If you want to understand who is triggering the file, the best way is to create it. So create the file /var/www/html/code.php and then add PHP instructions to save all headers and the $_SERVER array into a text file; then I'd add HTML code to load a JS file. Primitive bots cannot load JS files. So if the JS is loaded (check in the logs whether or not you see requests for it), then it might denote the script is requested by a human. The JS script could show your email or phone number asking for feedback.
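
The logging page described in the post above, as an added example that is not part of the original thread. The log path /var/log/code-php-probe.log and the script name /code-probe.js are hypothetical; the log file is assumed to exist already, outside the web root, and to be writable by the web server user.

```php
<?php
// /var/www/html/code.php (added example): records every request for this path.
// Assumption: LOG_FILE is a hypothetical path outside the web root, created
// beforehand and writable by the web server user, so it cannot be fetched over HTTP.
const LOG_FILE = '/var/log/code-php-probe.log';

// getallheaders() is available under Apache and PHP-FPM; otherwise the
// HTTP_* keys inside $_SERVER still carry the request headers.
$headers = function_exists('getallheaders') ? getallheaders() : [];

$record = [
    'time'            => gmdate('c'),
    'remote_addr'     => $_SERVER['REMOTE_ADDR'] ?? null,
    'remote_port'     => $_SERVER['REMOTE_PORT'] ?? null,
    // Only meaningful when set by your own front-end (nginx, varnish);
    // any other client can put whatever it likes in this header.
    'x_forwarded_for' => $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null,
    'method'          => $_SERVER['REQUEST_METHOD'] ?? null,
    'uri'             => $_SERVER['REQUEST_URI'] ?? null,
    'headers'         => $headers,
    'server'          => $_SERVER,
    // Cap the stored body so a large POST cannot fill the disk.
    'body'            => substr((string) file_get_contents('php://input'), 0, 4096),
];

// One JSON object per line. JSON escaping stops newlines in request data
// from forging extra log entries; LOCK_EX serialises concurrent writers.
$line = json_encode($record, JSON_UNESCAPED_SLASHES | JSON_PARTIAL_OUTPUT_ON_ERROR);
file_put_contents(LOG_FILE, $line . "\n", FILE_APPEND | LOCK_EX);

// Keep answering 404 so the requester sees the same status as before.
// A later request for /code-probe.js in the access log means the client
// executed the page like a browser rather than a primitive bot.
http_response_code(404);
header('Content-Type: text/html; charset=utf-8');
?>
<!doctype html>
<html>
<head><title>Not Found</title></head>
<body>
<p>Not Found</p>
<script src="/code-probe.js"></script>
</body>
</html>
```

If remote_addr in the log is the server's own address and x_forwarded_for is empty, the request came from the machine itself (for example a cron task) and not through a front-end proxy.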
 