0

One of my clients suddenly started seeing ~40k requests a day for "/server.txt" to their webserver that result in an HTTP 404. This is expected behavior as the file doesn't exist and isn't part of the website. However, it appears at the top of the Application Insights Failures tab - which bothers them:

graph depicting 39.56k requests for server.txt

My question is: What is the purpose of "server.txt"?

  • Is it a file like "robots.txt" that we should include on the website?
  • Is there any reason we shouldn't make a 0 byte file called server.txt to resolve the 404s?

It could be due to the name of the file being so generic, but I couldn't find any definitive information on the web about it. Hoping someone here can share some insight. Thank you.

  • 2
    AFAIK there is no generic `server.txt` purpose. You may want to look at the source IP of the requests and check if it is for example your load balancer making http requests for that file (to determine the health of your node) - Otherwise a zero byte file or a specific rule triggering a particular response might be suitable to prevent the 404 responses – diya Oct 26 '22 at 20:51
  • Thanks @diya - we will do some investigation on the source IP of the requests as a next step. – Patrick Jones Oct 27 '22 at 17:37

1 Answer

1

As mentioned by Diya, you will want to check where these requests are coming from. If they come from the same IPs as legitimate users then it may be something in the application or similar that is looking for this file. If the traffic is coming from locations that don't correlate to customers then it may be an indicator of a more malicious process scanning the server to find vulnerabilities.

This is a fairly common occurrence, and generally these sorts of requests are attempting to find servers running vulnerable applications or web servers. I'm not sure what specifically server.txt relates to, but I would imagine it is a file which when exposed indicates the presence of something that may be vulnerable.

You could create a 0 byte file with this name, however this would then return a 200 response to the requests, which if it is something malicious looking for something to attack, may point further attention in your direction.

Sam Cogan
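Added example (not part of the original answer or comments): one way to run the source-IP check suggested above over access logs, separating IPs that also browse the site from IPs that only ask for `/server.txt`. It assumes Combined Log Format; the sample lines, the `triage` function and the `infra_ips` parameter are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed input: Combined Log Format access-log lines.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation and private address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Oct/2022:10:00:01 +0000] "GET /server.txt HTTP/1.1" 404 0 "-" "example-client/1.0"',
    '203.0.113.7 - - [26/Oct/2022:10:00:03 +0000] "GET /server.txt HTTP/1.1" 404 0 "-" "example-client/1.0"',
    '198.51.100.20 - - [26/Oct/2022:10:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [26/Oct/2022:10:01:01 +0000] "GET /server.txt HTTP/1.1" 404 0 "https://www.example.com/" "Mozilla/5.0"',
    '10.0.0.5 - - [26/Oct/2022:10:02:00 +0000] "GET /server.txt HTTP/1.1" 404 0 "-" "lb-health"',
    '198.51.100.99 - - [26/Oct/2022:10:03:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def triage(lines, probe_path="/server.txt", infra_ips=frozenset()):
    """Summarise, per source IP, who requests probe_path and what else they do."""
    stats = defaultdict(lambda: {"probe_hits": 0, "other_ok": 0, "agents": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        entry = stats[m["ip"]]
        if m["path"].split("?", 1)[0] == probe_path:
            entry["probe_hits"] += 1
            entry["agents"].add(m["agent"])
        elif m["status"][0] in "23":
            entry["other_ok"] += 1  # successful request for real site content
    report = {}
    for ip, e in stats.items():
        if not e["probe_hits"]:
            continue  # never asked for the file, not of interest here
        if ip in infra_ips:
            kind = "own-infrastructure"  # e.g. a load balancer health check
        elif e["other_ok"]:
            kind = "also-uses-site"      # same IPs as normal visitors
        else:
            kind = "probe-only"          # no normal browsing from this IP
        report[ip] = {**e, "kind": kind}
    return report

if __name__ == "__main__":
    for ip, row in triage(SAMPLE_LOG, infra_ips={"10.0.0.5"}).items():
        print(ip, row["probe_hits"], row["kind"], sorted(row["agents"]))
```

The user-agent and referer values collected per IP are often the quickest hint as to which client or component is asking for the file.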