Score:1

Access logs errors "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" when using Nginx without PHP


I'm using Nginx as a web server and haven't installed any PHP or any module on the machines. When I analyzed the access logs, I got:

- - [26/Sep/2021:20:13:30 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 401 19 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [26/Sep/2021:20:13:32 +0000] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 401 19 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [26/Sep/2021:20:13:33 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 401 19 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [26/Sep/2021:20:13:34 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 1298 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

The above appear multiple times in the logs.

Does anyone have idea why I'm getting this?

Raj basnet: I read multiple posts on it; some are saying it's an attack. If it's an attack, how can we protect servers from it? If it's just a process and comes with Nginx by default, then how can I get the exact path?
David: Additional info belongs in the question, not as a comment.
Score:2

Just because something isn't there, doesn't mean people can't ask for it anyway ;)

If a client (a web browser or something else) requests something from your web server, this request gets logged in the access log, regardless of whether the request was successfully answered or not.

Say, for example, you mistype and request https://www.some-site.tld/newes instead of https://www.some-site.tld/news. Chances are that the server behind some-site.tld will answer with the response code 404 (meaning "Not found"), and will note your request to newes in its access log. Then, this server's admin will see newes in their logs, even though this path probably doesn't exist on their server.

Two of your three log entries came from such failed requests:

[26/Sep/2021:20:13:32 +0000] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 401 19 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

means there was a GET request on 26/Sep/2021:20:13:32 +0000, asking for /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21. Your server answered with the response code 401 (meaning "Unauthorized", or in layman's terms "You're not allowed to go there").

Similar for

[26/Sep/2021:20:13:33 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 401 19 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

Here, somebody asked your server on 26/Sep/2021:20:13:33 +0000 for /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. Your server answered, again, with code 401.

The third request

[26/Sep/2021:20:13:34 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 1298 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

means that somebody asked your server on 26/Sep/2021:20:13:34 +0000 for /?XDEBUG_SESSION_START=phpstorm. This request, in contrast to the first two, was answered successfully; your server sent the code 200 (meaning "OK").

Getting requests like this in itself doesn't have to be a problem. Attackers use automated systems to scan large portions of the internet for possible vulnerabilities. For example, because WordPress is so widespread, such systems try to access internal WordPress paths on just about any server they can get their hands on, regardless of whether this server has ever seen a WordPress installation or not. It's like a would-be burglar going along the street and checking every house for an open window. As long as your windows are properly closed, you're probably fine.

It starts to be a problem when your windows aren't properly closed. So you still have to comb through your logs on a regular basis and check whether there are requests for potentially problematic addresses you actually do have on your server.
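The answer's closing advice (comb the logs for probes that target paths you actually serve, or that the server answered with a success code) is mechanical enough to script. The following is an added example, not code from the question or the answer above: it parses Nginx "combined" access-log lines, undoes Nginx's \xHH escaping (the reason the ThinkPHP probe shows up as \x5Cthink\x5Capp), matches the three scanner probes seen in the question, and sorts each hit into "noise" (a probe for something you do not serve, answered 4xx) or "review" (a probe that got a non-error answer or that names a path you really do serve). The client IPs, the shortened User-Agent strings, the extra ordinary request and the set of served paths are all constructed for the example; the page's log lines have the address field empty.

```python
"""Triage PHP-scanner noise in an Nginx access log.

Verdicts:
  noise   - known probe, server answered 4xx/5xx, path is not something we serve
  review  - known probe, but the server answered < 400 or the path is one we serve
  normal  - no known probe signature matched
"""
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Nginx "combined" log_format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Nginx writes '"', '\' and non-printable bytes in $request as \xHH escapes.
_HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape_nginx(s):
    """Turn Nginx's \\xHH log escapes back into the characters the client sent."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


# Signature names are this example's own labels, not a standard vocabulary.
PROBE_SIGNATURES = (
    # Old PHPUnit shipped an eval-stdin.php that eval()s the request body if it
    # is reachable over the web (CVE-2017-9841); scanners POST to it blindly.
    ("phpunit eval-stdin",
     re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$", re.I)),
    # ThinkPHP 5.x probe: route to \think\app::invokefunction and have it call
    # call_user_func_array('md5', [marker]); the marker's md5 in the response
    # tells the scanner that code executed.
    ("thinkphp invokefunction",
     re.compile(r"invokefunction.*call_user_func_array", re.I)),
    # Xdebug enumeration: XDEBUG_SESSION_START asks a PHP engine with Xdebug
    # enabled to open a debugger connection back towards the client.
    ("xdebug session start",
     re.compile(r"\bXDEBUG_SESSION_START=", re.I)),
)


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    target = unescape_nginx(entry["target"])
    parts = urlsplit(target)
    entry["path"] = unquote(parts.path)        # path only, used for the served-path check
    entry["query"] = parts.query
    entry["decoded"] = unquote(target)          # path + query, used for signature matching
    return entry


def match_probe(entry):
    for name, rx in PROBE_SIGNATURES:
        if rx.search(entry["decoded"]):
            return name
    return None


def classify(entry, served_paths):
    probe = match_probe(entry)
    served = entry["path"] in served_paths
    if probe is None:
        verdict = "normal"
    elif served or entry["status"] < 400:
        # The probe either hit a path we really serve, or the server did not
        # refuse it. On a PHP-less box a 200 for "/?XDEBUG_SESSION_START=..."
        # is just the index page, but that is something to confirm, not assume.
        verdict = "review"
    else:
        verdict = "noise"
    return {"time": entry["time"], "ip": entry["ip"], "path": entry["path"],
            "status": entry["status"], "probe": probe, "served": served,
            "verdict": verdict}


def triage(log_text, served_paths):
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            results.append({"verdict": "unparsed", "line": line})
            continue
        results.append(classify(entry, served_paths))
    return results


def summarize(results):
    return Counter(r["verdict"] for r in results)


# Constructed sample: the four probes from the question with documentation
# addresses (RFC 5737) filled in and User-Agents shortened, plus one ordinary hit.
SAMPLE_LOG = r'''
203.0.113.5 - - [26/Sep/2021:20:13:30 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 401 19 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2021:20:13:32 +0000] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 401 19 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2021:20:13:33 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 401 19 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2021:20:13:34 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 1298 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2021:20:14:01 +0000] "GET /index.html HTTP/1.1" 200 1298 "-" "Mozilla/5.0"
'''

# Hypothetical document root of the server in the question: static files only.
SERVED_PATHS = {"/", "/index.html", "/about.html"}

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG, SERVED_PATHS):
        print(f'{r["verdict"]:7} {r.get("status", "-"):>4} {r.get("probe") or "-":25} {r.get("path", r.get("line"))}')
    print(summarize(triage(SAMPLE_LOG, SERVED_PATHS)))
```

In practice the served-path set comes from walking the document root (or from the set of `location` blocks in the Nginx config), and the run is fed `tail -f` style or from logrotate's archived files. The three 401s are noise; the XDEBUG_SESSION_START hit is flagged only because "/" is genuinely served and answered 200, which on this box just means the index page was returned, exactly the kind of entry the answer says is worth a quick look rather than alarm.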
