Access logs errors "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" when using Nginx without PHP

I'm using Nginx as a web server and haven't installed any PHP or any module on the machines. When I analyzed the access logs, I got:

- - [26/Sep/2021:20:13:30 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 401 19 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [26/Sep/2021:20:13:32 +0000] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 401 19 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [26/Sep/2021:20:13:33 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 401 19 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [26/Sep/2021:20:13:34 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 1298 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

The above appear multiple times in the logs.

Does anyone have an idea why I'm getting this?


Solution 1:

Just because something isn't there, doesn't mean people can't ask for it anyway ;)

If a client (a web browser or something else) requests something from your web server, this request gets logged in the access log - regardless of whether the request was successfully answered or not.

Say, for example, you mistype and request https://www.some-site.tld/newes instead of https://www.some-site.tld/news. Chances are that the server behind some-site.tld will answer with the response code 404 (meaning "Not found"), and will note your request to newes in its access log. Then, this server's admin will see newes in their logs, even though this path probably doesn't exist on their server.

Two of your three log entries came from such failed requests:

[26/Sep/2021:20:13:32 +0000] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 401 19 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

means there was a GET request on 26/Sep/2021:20:13:32 +0000, asking for /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21. Your server answered with the response code 401 (meaning "Unauthorized", or in layman's terms "You're not allowed to go there").

Similarly for

[26/Sep/2021:20:13:33 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 401 19 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

Here, somebody asked your server on 26/Sep/2021:20:13:33 +0000 for /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. Your server answered, again, with code 401.

The third request

[26/Sep/2021:20:13:34 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 1298 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

means that somebody asked your server on 26/Sep/2021:20:13:33 +0000 for /?XDEBUG_SESSION_START=phpstorm. This request, in contrast to the first two, was answered successfully: your server sent the code 200 (meaning "OK").

Getting requests like this in itself doesn't have to be a problem. Attackers use automated systems to scan large portions of the internet for possible vulnerabilities. For example, because WordPress is so widespread, such systems try to access internal WordPress paths on about any server they can get their hands on - regardless of whether this server has ever seen a WordPress installation or not. It's like a would-be burglar going along the street and checking every house for an open window. As long as your windows are properly closed, you're probably fine.

It starts to be a problem when your windows aren't properly closed. So you still have to comb through your logs on a regular basis and check whether there are requests for potentially problematic addresses you actually do have on your server.
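As an added example (not code from the question or the answer above), a small Python triage script that parses these combined-format nginx lines, tags the three probe patterns seen in the question, and separates the 401s from the 200 that the answer says deserves a second look. The probe signatures and the sample log are constructed from the requests in the question, with IPs redacted as there and user agents shortened.

```python
import re

# nginx "combined" format; the client address is optional because the lines in the question have it stripped.
LOG_RE = re.compile(
    r'^(?:(?P<ip>\S+) )?- (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Probe signatures drawn from the request lines in the question; the label names what the scanner is looking for.
PROBES = [
    ("phpunit eval-stdin.php", re.compile(r'/vendor/phpunit/.*/eval-stdin\.php(\?|$)')),
    ("ThinkPHP invokefunction", re.compile(r'/index\.php\?s=.*think.*invokefunction')),
    ("Xdebug session trigger", re.compile(r'[?&]XDEBUG_SESSION_START=')),
]

# Constructed sample: three lines from the question (IPs redacted, UAs shortened) plus one ordinary request.
SAMPLE_LOG = r'''- - [26/Sep/2021:20:13:30 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 401 19 "-" "Mozilla/5.0"
- - [26/Sep/2021:20:13:32 +0000] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 401 19 "-" "Mozilla/5.0"
- - [26/Sep/2021:20:13:34 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 1298 "-" "Mozilla/5.0"
- - [26/Sep/2021:20:13:40 +0000] "GET /news HTTP/1.1" 200 512 "-" "Mozilla/5.0"'''

def parse_line(line):
    """Split one access-log line into its fields; None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # request path without the query string
    return rec

def classify(rec):
    """Return the probe label a request matches, or None for ordinary traffic."""
    for label, pattern in PROBES:
        if pattern.search(rec["target"]):
            return label
    return None

def triage(log_text):
    """List (label, status, path, served) per probe. served=True (a 2xx answer) is the case the
    answer says to check: does that path really exist on the host? Here "/" does, hence the 200."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        label = classify(rec) if rec else None
        if label:
            findings.append((label, rec["status"], rec["path"], 200 <= rec["status"] < 300))
    return findings
```

Run it over a real access.log and review only the entries flagged served=True against the paths that actually exist under your nginx root.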