The coronium debug log

Third Party Coronium
#1

Hi dev,

Most log entries are afaik not of my doing.

The first page alone, from the web gui is todays date, and its only lunchtime yet.

2018/01/07 02:33:21 [error] 1591#0: \*158415 failed to load external Lua file "/home/coronium/pages/modules/vtemslideshow/uploadimage.php.lua": cannot open /home/coronium/pages/modules/vtemslideshow/uploadimage.php.lua: No such file or directory, client: XXX, server: , request: "POST /modules/vtemslideshow/uploadimage.php HTTP/1.1", host: "body-essentials.info" 2018/01/07 02:33:21 [error] 1591#0: \*158416 failed to load external Lua file "/home/coronium/pages/wp-admin/admin-ajax.php.lua": cannot open /home/coronium/pages/wp-admin/admin-ajax.php.lua: No such file or directory, client: XXX, server: , request: "POST /wp-admin/admin-ajax.php HTTP/1.1", host: "body-essentials.info" 2018/01/07 02:33:35 [error] 1591#0: \*158417 failed to load external Lua file "/home/coronium/pages/wp-content/plugins/wpstorecart/php/upload.php.lua": cannot open /home/coronium/pages/wp-content/plugins/wpstorecart/php/upload.php.lua: No such file or directory, client: XXX, server: , request: "POST /wp-content/plugins/wpstorecart/php/upload.php HTTP/1.1", host: "body-essentials.info" 2018/01/07 02:34:33 [error] 1591#0: \*158420 failed to load external Lua file "/home/coronium/pages/wp-admin/plugin-editor.php.lua": cannot open /home/coronium/pages/wp-admin/plugin-editor.php.lua: No such file or directory, client: XXX, server: , request: "GET /wp-admin/plugin-editor.php?file=userpro%2Ffunctions%2F\_trial.php&plugin=userpro%2Findex.php HTTP/1.1", host: "body-essentials.info" 2018/01/07 02:34:35 [error] 1591#0: \*158421 failed to load external Lua file "/home/coronium/pages/modules/pk\_vertflexmenu/uploads/zbYc4.php.lua": cannot open /home/coronium/pages/modules/pk\_vertflexmenu/uploads/zbYc4.php.lua: No such file or directory, client: XXX, server: , request: "GET /modules/pk\_vertflexmenu/uploads/zbYc4.php HTTP/1.1", host: "body-essentials.info" 2018/01/07 02:34:36 [error] 1591#0: \*158422 failed to load external Lua file "/home/coronium/pages/wp-content/plugins/google-maps-by-daniel-martyn/version.php.lua": cannot open /home/coronium/pages/wp-content/plugins/google-maps-by-daniel-martyn/version.php.lua: No such file or directory, client: XXX, server: , request: "GET /wp-content/plugins/google-maps-by-daniel-martyn/version.php HTTP/1.1", host: "body-essentials.info" 2018/01/07 02:34:38 [error] 1591#0: \*158423 failed to load external Lua file "/home/coronium/pages/wp-content/plugins/google-maps-by-daniel-martyn/version.php.lua": cannot open /home/coronium/pages/wp-content/plugins/google-maps-by-daniel-martyn/version.php.lua: No such file or directory, client: XXX, server: , request: "GET /wp-content/plugins/google-maps-by-daniel-martyn/version.php HTTP/1.1", host: "body-essentials.info" 2018/01/07 02:34:40 [error] 1591#0: \*158424 failed to load external Lua file "/home/coronium/pages/wp-content/plugins/cherry-plugin/admin/import-export/jFouA.php.lua": cannot open /home/coronium/pages/wp-content/plugins/cherry-plugin/admin/import-export/jFouA.php.lua: No such file or directory, client: XXX, server: , request: "GET /wp-content/plugins/cherry-plugin/admin/import-export/jFouA.php HTTP/1.1", host: "body-essentials.info" 2018/01/07 02:35:03 [error] 1591#0: \*158426 failed to load external Lua file "/home/coronium/pages/modules/pk\_vertflexmenu/uploads/zbYc4.php.lua": cannot open /home/coronium/pages/modules/pk\_vertflexmenu/uploads/zbYc4.php.lua: No such file or directory, client: XXX, server: , request: "GET /modules/pk\_vertflexmenu/uploads/zbYc4.php HTTP/1.1", host: "body-essentials.info" 2018/01/07 02:35:50 [error] 1591#0: \*158429 failed to load external Lua file "/home/coronium/pages/wp-content/plugins/dzs-portfolio/upload.php.lua": cannot open /home/coronium/pages/wp-content/plugins/dzs-portfolio/upload.php.lua: No such file or directory, client: XXX, server: , request: "GET /wp-content/plugins/dzs-portfolio/upload.php HTTP/1.1", host: "body-essentials.info", referrer: "XXX" 2018/01/07 02:36:16 [error] 1591#0: \*158430 failed to load external Lua file "/home/coronium/pages/wp-content/plugins/dzs-videogallery/upload.php.lua": cannot open /home/coronium/pages/wp-content/plugins/dzs-videogallery/upload.php.lua: No such file or directory, client: XXX, server: , request: "POST /wp-content/plugins/dzs-videogallery/upload.php HTTP/1.1", host: "body-essentials.info" 2018/01/07 03:38:52 [error] 1591#0: \*158499 failed to load external Lua file "/home/coronium/pages/wp-admin/admin-ajax.php.lua": cannot open /home/coronium/pages/wp-admin/admin-ajax.php.lua: No such file or directory, client: XXX, server: , request: "POST /wp-admin/admin-ajax.php HTTP/1.1", host: "body-essentials.info" 2018/01/07 04:27:16 [error] 1591#0: \*158555 failed to load external Lua file "/home/coronium/pages/ogShow.aspx.lua": cannot open /home/coronium/pages/ogShow.aspx.lua: No such file or directory, client: XXX, server: , request: "GET /ogShow.aspx?name=ogFoot&line=0&from=oGateeu HTTP/1.1", host: "body-essentials.info" 2018/01/07 06:18:14 [error] 1591#0: \*158678 failed to load external Lua file "/home/coronium/pages/ogShow.aspx.lua": cannot open /home/coronium/pages/ogShow.aspx.lua: No such file or directory, client: XXX, server: , request: "GET /ogShow.aspx?name=ogFoot&line=0&from=oGateeu HTTP/1.1", host: "body-essentials.info" 2018/01/07 07:24:37 [error] 1591#0: \*158781 failed to load external Lua file "/home/coronium/pages/ogShow.aspx.lua": cannot open /home/coronium/pages/ogShow.aspx.lua: No such file or directory, client: XXX, server: , request: "GET /ogShow.aspx?name=ogFoot&line=0&from=oGateeu HTTP/1.1", host: "body-essentials.info" 2018/01/07 08:55:15 [error] 1591#0: \*158882 failed to load external Lua file "/home/coronium/pages/ogShow.aspx.lua": cannot open /home/coronium/pages/ogShow.aspx.lua: No such file or directory, client: XXX, server: , request: "GET /ogShow.aspx?name=ogFoot&line=0&from=oGateeu HTTP/1.1", host: "body-essentials.info" 2018/01/07 09:44:45 [warn] 1591#0: \*159108 a client request body is buffered to a temporary file /usr/local/coronium/nginx/client\_body\_temp/0000000126, client: XXX, server: , request: "POST / HTTP/1.1", host: "XXX" 2018/01/07 09:56:56 [error] 1591#0: \*159262 failed to load external Lua file "/home/coronium/pages/ogShow.aspx.lua": cannot open /home/coronium/pages/ogShow.aspx.lua: No such file or directory, client: XXX, server: , request: "GET /ogShow.aspx?name=ogFoot&line=0&from=oGateeu HTTP/1.1", host: "body-essentials.info" 2018/01/07 09:59:55 [error] 1591#0: \*159286 failed to load external Lua file "/home/coronium/pages/w00tw00t.at.blackhats.romanian.anti-sec:).lua": cannot open /home/coronium/pages/w00tw00t.at.blackhats.romanian.anti-sec:).lua: No such file or directory, client: XXX, server: , request: "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1", host: "XXX" 2018/01/07 09:59:55 [error] 1591#0: \*159287 failed to load external Lua file "/home/coronium/pages/phpMyAdmin/scripts/setup.php.lua": cannot open /home/coronium/pages/phpMyAdmin/scripts/setup.php.lua: No such file or directory, client: XXX, server: , request: "GET /phpMyAdmin/scripts/setup.php HTTP/1.1", host: "XXX" 2018/01/07 09:59:55 [error] 1591#0: \*159288 failed to load external Lua file "/home/coronium/pages/phpmyadmin/scripts/setup.php.lua": cannot open /home/coronium/pages/phpmyadmin/scripts/setup.php.lua: No such file or directory, client: XXX, server: , request: "GET /phpmyadmin/scripts/setup.php HTTP/1.1", host: "XXX" 2018/01/07 09:59:55 [error] 1591#0: \*159289 failed to load external Lua file "/home/coronium/pages/pma/scripts/setup.php.lua": cannot open /home/coronium/pages/pma/scripts/setup.php.lua: No such file or directory, client: XXX, server: , request: "GET /pma/scripts/setup.php HTTP/1.1", host: "XXX" 2018/01/07 09:59:55 [error] 1591#0: \*159290 failed to load external Lua file "/home/coronium/pages/myadmin/scripts/setup.php.lua": cannot open /home/coronium/pages/myadmin/scripts/setup.php.lua: No such file or directory, client: XXX, server: , request: "GET /myadmin/scripts/setup.php HTTP/1.1", host: "XXX" 2018/01/07 09:59:55 [error] 1591#0: \*159291 failed to load external Lua file "/home/coronium/pages/MyAdmin/scripts/setup.php.lua": cannot open /home/coronium/pages/MyAdmin/scripts/setup.php.lua: No such file or directory, client: XXX, server: , request: "GET /MyAdmin/scripts/setup.php HTTP/1.1", host: "XXX" 2018/01/07 11:04:56 [error] 1591#0: \*159541 failed to load external Lua file "/home/coronium/pages/ogShow.aspx.lua": cannot open /home/coronium/pages/ogShow.aspx.lua: No such file or directory, client: XXX, server: , request: "GET /ogShow.aspx?name=ogFoot&line=0&from=oGateeu HTTP/1.1", host: "body-essentials.info"

I’ve removed IP addresses 

I assue the warn is because I upload or download a larger batch, and it all works, so how come I get a warn for it? 

The blackhat entry is very much disturbing me, any idea what this is? An attempt to check if I’ve been infected perhaps?

And whats up with all the failed to load external lua files? 

I havent implemented any the security layer (SSL) yet since I’m only developing at this point. Could that be the reason for the blackhat thing? If so, should I just implement it and/or make a clean install?

This is my first (successful) attempt at a cloud server so bare with me for my ignorance, but arent most of these attacks or attempts to exploit known frameworks?

Thanks for your support!

#2

Hi,

These are common on most cloud servers, it’s basically just recording attempts at trying to gain access through known exploits. Generally these are “script-kiddies” trying to hack a server with automated scripts. Once an attempt at returning a valid page fails they usually move on. As noted in the log, the attempts to locate any of the specific pages fails. 

Because the Pages module uses Lua files, as opposed to HTML files, you are seeing the “failed to load external Lua file” which is the same as a 404 if it was HTML, or some other resource.

Additionally, because DigitalOcean (and other providers) reuse IP addresses, you can get calls from existing known IPs (or old sites that were using the IP). What I usually do when creating a new instance is immediately check my log file to look for these entries. You can usually start seeing them within a few minutes. If so, I will try with another instance until I find a “clean” IP.

The “a client request body is buffered to a temporary file” message means that the payload you sent up to the server was larger then the memory allotted for a single payload, so it is buffered to a file so it can be read. You could either up the cache for the request, or just let it be. If you up the cache, it will require more memory per request on the server, even on smaller payloads. The downside of buffering the file is a slight speed hit. If you constantly see this message you will want to either lower the data on each payload, or decide on increasing the cache request memory.

Overall, these messages are nothing to worry about, though they are annoying (thats why I usually search for a “clean” IP). The log file will rotate after reaching a certain size. The logging is set to basically display any and all messages, which is needed for debugging. There is a way to adjust the logging flag to decrease what is logged, but you would do that after a production deployment. It is better just to find a “clean” IP.

As a side note, I am considering creating a Coronium MySQL deployment that is specifically tuned for MySQL usage only; in essence stripping away all the extras like Pages, Mongo, Users, Webmin, etc.

I hope that explains everything. If you have any other questions, let me know.

-dev

#3

Hi dev,

Thanks for the awesome explanation and tip on getting a clean ip.

The buffered payload is very seldom so based on your explanation, i’ll use defaults, besides its also not very time sensitive.

I’m curious what you see being the advantages to a pure MySQL deployment, besides the obvious CPU and RAM?

Anything security related?

My main reason for a cloud server is using the MySQL so, this could very well be interesting for me.

#4

Hi,

Having a dedicated Coronium MySQL deployment would just lower some overhead. If a developers main interest is using MySQL, then there really isn’t any reason to be using up memory and resources for the other aspects.

-dev

#5

Hi,

These are common on most cloud servers, it’s basically just recording attempts at trying to gain access through known exploits. Generally these are “script-kiddies” trying to hack a server with automated scripts. Once an attempt at returning a valid page fails they usually move on. As noted in the log, the attempts to locate any of the specific pages fails. 

Because the Pages module uses Lua files, as opposed to HTML files, you are seeing the “failed to load external Lua file” which is the same as a 404 if it was HTML, or some other resource.

Additionally, because DigitalOcean (and other providers) reuse IP addresses, you can get calls from existing known IPs (or old sites that were using the IP). What I usually do when creating a new instance is immediately check my log file to look for these entries. You can usually start seeing them within a few minutes. If so, I will try with another instance until I find a “clean” IP.

The “a client request body is buffered to a temporary file” message means that the payload you sent up to the server was larger then the memory allotted for a single payload, so it is buffered to a file so it can be read. You could either up the cache for the request, or just let it be. If you up the cache, it will require more memory per request on the server, even on smaller payloads. The downside of buffering the file is a slight speed hit. If you constantly see this message you will want to either lower the data on each payload, or decide on increasing the cache request memory.

Overall, these messages are nothing to worry about, though they are annoying (thats why I usually search for a “clean” IP). The log file will rotate after reaching a certain size. The logging is set to basically display any and all messages, which is needed for debugging. There is a way to adjust the logging flag to decrease what is logged, but you would do that after a production deployment. It is better just to find a “clean” IP.

As a side note, I am considering creating a Coronium MySQL deployment that is specifically tuned for MySQL usage only; in essence stripping away all the extras like Pages, Mongo, Users, Webmin, etc.

I hope that explains everything. If you have any other questions, let me know.

-dev

#6

Hi dev,

Thanks for the awesome explanation and tip on getting a clean ip.

The buffered payload is very seldom so based on your explanation, i’ll use defaults, besides its also not very time sensitive.

I’m curious what you see being the advantages to a pure MySQL deployment, besides the obvious CPU and RAM?

Anything security related?

My main reason for a cloud server is using the MySQL so, this could very well be interesting for me.

#7

Hi,

Having a dedicated Coronium MySQL deployment would just lower some overhead. If a developers main interest is using MySQL, then there really isn’t any reason to be using up memory and resources for the other aspects.

-dev