
I've configured a node runtime as a native service using node-windows on Windows Server 2012. In the .out file inside the daemon folder, I've noticed activity that does not originate from my process (examples below). Has anyone else using node-windows seen this before and have tips on how to research and/or resolve it? Any pointers would be much appreciated.

[0mGET /crm/ [33m404 [0m1.247 ms - 3035[0m
[0mGET / [32m200 [0m18.271 ms - 10488[0m
[0mGET / [32m200 [0m2.844 ms - 10488[0m
[0mGET / [32m200 [0m1.595 ms - 10488[0m
[0mGET / [32m200 [0m3.527 ms - 10488[0m
[0mGET / [32m200 [0m1.847 ms - 10488[0m
[0mGET / [32m200 [0m1.389 ms - 10488[0m
[0mHEAD /selfupdate/wuident.cab [33m404 [0m22.240 ms - 3035[0m
[0mGET / [32m200 [0m1.240 ms - 10488[0m
[0mGET http://Qualys.null/ [32m200 [0m1.223 ms - 10488[0m
[0mGET / [32m200 [0m2.743 ms - 10488[0m
[0mGET / [32m200 [0m1.251 ms - 10488[0m
[0mGET / [32m200 [0m1.135 ms - 10488[0m
[0mGET / [32m200 [0m0.901 ms - -[0m
[0mGET / [32m200 [0m1.253 ms - 10488[0m
[0mGET / [32m200 [0m1.220 ms - 10488[0m
[0mGET /../../../../../../../../../../../ [33m404 [0m1.331 ms - 3035[0m
[0mGET /<script>alert(53416)</script> [33m404 [0m1.616 ms - 3035[0m
[0mGET / [32m200 [0m1.207 ms - 10488[0m
[0mGET / [32m200 [0m1.531 ms - 10488[0m

...

[0mGET /FileN0tEx15T.asmx [33m404 [0m1.103 ms - 3035[0m
[0mGET /new-visitor.inc.php?lvc_include_dir=http://www.qualys.com/ [33m404 [0m0.791 ms - 3035[0m
[0mGET /login/?user=|"`id`"| [36m302 [0m2.668 ms - 23[0m
[0mGET /FileN0tEx15T.aspx [33m404 [0m1.321 ms - 3035[0m
[0mGET /files.inc.php [33m404 [0m1.062 ms - 3035[0m
[0mPOST /pages/index.do [33m404 [0m1.309 ms - 3035[0m
[0mGET /editgroups.cgi [33m404 [0m1.045 ms - 3035[0m
[0mGET /../../../../../../../ [33m404 [0m1.068 ms - 3035[0m
[0mGET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.asmx [33m404 [0m1.057 ms - 3035[0m
[0mPOST /admin.php [33m404 [0m1.514 ms - 3035[0m
[0mPOST /shopadmin.asp [33m404 [0m1.412 ms - 3035[0m
[0mGET /trace.axd [33m404 [0m1.624 ms - 3035[0m
[0mGET /options.inc.php [33m404 [0m1.152 ms - 3035[0m
[0mGET /no3_such9_file5.idc [33m404 [0m1.479 ms - 3035[0m
[0mGET /trace.axd?id=0 [33m404 [0m1.081 ms - 3035[0m
[0mGET /config.inc.php?lvc_include_dir=xxxx [33m404 [0m1.161 ms - 3035[0m
[0mPOST /pages/index.do [33m404 [0m0.877 ms - 3035[0m
[0mGET /startshop.cgi [33m404 [0m1.045 ms - 3035[0m

...

[0mGET /index.jsp [33m404 [0m1.109 ms - 3035[0m
[0mGET /decorators/components/pagecomments.vmd [33m404 [0m1.209 ms - 3035[0m
[0mGET /downloads/pub/TWiki/JSCalendarContrib/lang/calendar-fi.js [33m404 [0m1.086 ms - 3035[0m
[0mGET /login/TODO [33m404 [0m0.897 ms - 3035[0m
[0mGET /images/attributes/a_bugs_life_orange.gif [33m404 [0m1.058 ms - 3035[0m
[0mGET /images/_mmDBScripts/MMHTTPDB.asp [33m404 [0m0.819 ms - 3035[0m
[0mGET /3rdparty/plugins/onyx-rss/todo [33m404 [0m1.086 ms - 3035[0m
[0mGET /downloads/pub/TWiki/ClassicSkin/screenshot.gif [33m404 [0m1.092 ms - 3035[0m
[0mGET /login/Documentation.txt [33m404 [0m0.907 ms - 3035[0m
[0mGET /images/lock.gif [33m404 [0m1.678 ms - 3035[0m
[0mGET /downloads/pub/TWiki/TWikiDocGraphics/mail.gif [33m404 [0m1.067 ms - 3035[0m
[0mGET /login/images/fulltext.png [33m404 [0m1.019 ms - 3035[0m
[0mGET /images/_mmServerScripts/MMHTTPDB.asp [33m404 [0m1.446 ms - 3035[0m
[0mGET /admin/images/icon_purple_on.gif [33m404 [0m1.124 ms - 3035[0m
  • These are scans for known vulnerabilities in certain web-applications. If those requests are coming from a single IP-address, or perhaps a range, block it in your firewall. There's not much else you can do about them, basically all public webservers have to deal with this sort of crap. – robertklep Oct 13 '17 at 20:27
  • Thank you, @robertklep. How can I determine the IP-address? – Colin Cummings Oct 14 '17 at 18:05
  • The logger that's being used can probably be configured to also log the IP-address. – robertklep Oct 14 '17 at 18:31
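
Once the logger also records the client address, as suggested in the comments, the probing can be grouped by source before deciding what to block. The following is an added example, not code from the thread: it assumes the address is the first field of each line, and the sample lines, addresses (documentation ranges), function names and threshold are constructed.

```javascript
// Added example: group scanner-style requests by client address.
// Assumption: each line starts with the client address, followed by the
// same "METHOD URL STATUS time ms - length" fields seen in the log above.
const ANSI = /\x1b?\[\d+m/g; // colour codes, with or without the ESC byte

// Request-target patterns taken from the probes visible in the log excerpt.
const SIGNATURES = [
  ['path-traversal', /\.\.\//],
  ['script-injection', /<script/i],
  ['command-injection', /[`|]/],
  ['remote-include', /=https?:\/\//i],
  ['absolute-uri', /^https?:\/\//i],
  ['oversized-name', /A{64,}/],
];

function parseLine(raw) {
  const line = raw.replace(ANSI, '').trim();
  const m = /^(\S+) ([A-Z]+) (\S+) (\d{3}) /.exec(line);
  return m ? { ip: m[1], method: m[2], url: m[3], status: Number(m[4]) } : null;
}

// Report addresses that matched a signature or produced many 404s.
function summarise(lines, minNotFound = 3) {
  const byIp = new Map();
  for (const raw of lines) {
    const req = parseLine(raw);
    if (!req) continue; // skip lines that are not request records
    const s = byIp.get(req.ip) || { ip: req.ip, total: 0, notFound: 0, hits: new Set() };
    s.total += 1;
    if (req.status === 404) s.notFound += 1;
    for (const [name, re] of SIGNATURES) if (re.test(req.url)) s.hits.add(name);
    byIp.set(req.ip, s);
  }
  return [...byIp.values()]
    .filter((s) => s.hits.size > 0 || s.notFound >= minNotFound)
    .map((s) => ({ ip: s.ip, total: s.total, notFound: s.notFound, signatures: [...s.hits].sort() }))
    .sort((a, b) => b.notFound - a.notFound);
}

// Constructed sample: request targets from the log above, addresses invented.
const SAMPLE = [
  '198.51.100.7 GET /crm/ 404 1.247 ms - 3035',
  '198.51.100.7 GET /../../../../../../../ 404 1.068 ms - 3035',
  '198.51.100.7 GET /<script>alert(53416)</script> 404 1.616 ms - 3035',
  '198.51.100.7 GET /login/?user=|"`id`"| 302 2.668 ms - 23',
  '198.51.100.7 GET http://Qualys.null/ 200 1.223 ms - 10488',
  '198.51.100.7 [0mGET /trace.axd [33m404 [0m1.624 ms - 3035[0m',
  '192.0.2.10 GET / 200 1.207 ms - 10488',
  '192.0.2.10 GET /favicon.ico 404 0.900 ms - 3035',
];
console.log(summarise(SAMPLE));
```

If the service sits behind a reverse proxy or load balancer, the logged address is the proxy's unless the application is configured to trust the forwarded-for header.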
