The system logs are getting bombarded with File Not Found Error

0
Hi Reader

Our application is hosted in Mendix Cloud and for all the environments, including acceptance and production, we are receiving multiple entries of File Not Found Errors. I have also analyzed the HTTP Request logs for those but didn't find the source of these requests:

1:38:28 PM REQ INFO testsite.mendixcloud.com - [2022-08-29T08:08:28.112308586Z] "POST /php/upload.php HTTP/1.1" 404 541 548 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36" "10.20.11.52:46670" "10.20.136.41:61035" x_forwarded_for:"47.89.167.31, 10.20.11.22, 10.10.11.52" x_forwarded_proto:"https" vcap_request_id:"8c1e2c55-9a4f-4c19-4cfc-d0ef70b52af1" response_time:0.007049 gorouter_time:0.000135 app_id:"887bf4de-8e35-418e-a140-fe612be54c00" app_index:"0" instance_id:"4ec3edd7-c988-4f3e-6de8-0e51" x_cf_routererror:"-" x_b3_traceid:"27be04d9e54ee5e97a6e4d316157f3c2" x_b3_spanid:"7a6e4d316157f3c2" x_b3_parentspanid:"-" b3:"27be04d9e54ee5e97a6e4d316157f3c2-7a6e4d316157f3c2"

Are these requests triggering from within the Mend
asked
1 answers
1

Those are requests generated by automated vulnerability scanners. Anyone (good and bad actors) can scan websites/apps and try to find vulnerabilities, for example by scanning for known security vulnerabilities or common misconfigurations.

These tools seem to have found the mendixcloud as well =) and many apps will show these log messages. It just means that an automated vulnerability scanner tried to find WordPress/admin.php (for example) and did not find it.

I know Mendix is working on some sort of application firewall, I believe based on the AWS WAF (Web Application Firewall) https://aws.amazon.com/waf/ to block requests like these.

These requests are in themselves not harmful, though if there are many they might cause an impact on the Mendix servers processing all these requests. But the numbers I've seen today are quite low (in terms of traffic, like 500 a day per app).

The requests don't seem to be Mendix specific but just general scans for vulnerabilities and exposed sensitive information (like SQL and password files).

It is still important to keep your app secure (Mendix continuously works on keeping the platform secure), such as checking your entity access, exposed constants, integrations, etc.

TL;DR: No, they are not triggered by Mendix, but by external sources (automated vulnerability scanners).

answered
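
An added example, not part of the original answer or of Mendix's tooling: Python that reads access log lines in the format quoted in the question and groups 404 probe requests by source address, so scanner noise can be told apart from genuine broken links. The trusted proxy range, the probe path pattern, the helper names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumption: platform proxies sit in 10.0.0.0/8, like the internal hops in the question's log.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
# Assumption: the app serves no PHP/WordPress/dump files, so a 404 on these is a probe.
PROBE = re.compile(r"\.(php|asp|aspx|jsp|cgi|sql|env|bak)$|/wp-|/\.git/", re.I)
LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
                  r'.*?x_forwarded_for:"(?P<xff>[^"]*)"')

def client_ip(xff):
    """Rightmost X-Forwarded-For hop that is not a trusted proxy.
    Entries to the left of it are supplied by the client and can be forged."""
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ip_address(hop)
        except ValueError:
            return None  # malformed hop: nothing further left can be trusted
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return None

def scanner_probes(lines):
    """Map client IP -> Counter of probed paths, for 404s on paths the app never serves."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE.search(line)
        if not m or m["status"] != "404":
            continue
        path = m["path"].split("?", 1)[0]
        if PROBE.search(path):
            hits[client_ip(m["xff"]) or "unknown"][path] += 1
    return hits

# Constructed sample lines (documentation IP ranges), shaped like the log in the question.
FMT = ('testsite.mendixcloud.com - [2022-08-29T08:08:28Z] "{} HTTP/1.1" {} 541 548 "-" '
       '"Mozilla/5.0" "10.20.11.52:46670" "10.20.136.41:61035" '
       'x_forwarded_for:"{}" x_forwarded_proto:"https"')
SAMPLE = [
    FMT.format("POST /php/upload.php", 404, "203.0.113.7, 10.20.11.22, 10.10.11.52"),
    FMT.format("GET /wp-login.php?x=1", 404, "203.0.113.7, 10.20.11.22, 10.10.11.52"),
    FMT.format("GET /index.html", 200, "198.51.100.9, 10.20.11.22"),         # normal traffic
    FMT.format("GET /.env", 404, "10.1.1.1, 198.51.100.23, 10.20.11.22"),    # forged first hop
    FMT.format("GET /missing-page", 404, "198.51.100.9, 10.20.11.22"),       # real broken link
]

if __name__ == "__main__":
    for ip, paths in scanner_probes(SAMPLE).items():
        print(ip, sum(paths.values()), sorted(paths))
```

A 404 that does not match the probe pattern, such as `/missing-page` in the sample, is left out of the result, which keeps real broken links visible for separate follow-up.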