• NGinx: Accidentally DoS'ing yourself

    It turned out to beĀ entirely self-inflicted, but I had a minor security panic recently. Whilst checking access logs I noticed (a lot of) entries similar to this

    127.0.0.1 [01/Jun/2014:13:04:12 +0100] "GET /myadmin/scripts/setup.php HTTP/1.0" 500 193 "-" "ZmEu" "-" "127.0.0.1"
    

    There were roughly 50 requests in the same second, although there were many more in later instances.

    Generally an entry like that wouldn't be too big of a concern, automated scans aren't exactly a rare occurrence, but note the source IP - 127.0.0.1 - the requests were originating from my server!

    I noticed the entries as a result of having received a HTTP 500 from my site (so looked at the logs to try and find the cause). There were also (again, a lot of) corresponding entries in the error log

    2014/06/01 13:04:08 [alert] 19693#0: accept4() failed (24: Too many open files)
    

    After investigation, it turned out not to be a compromise. This post details the cause of these entries.