Attempted HTTP Attacks on the Zurvur

Since setting up the Zurvur and registering its domain with Cloudflare, I have seen numerous HTTP requests that attempt to exploit known vulnerabilities in web servers and the applications behind them.

They seem to come from a handful of recurring IP addresses; that is, a small number of bots have been crafted to scan the entire IPv4 address space (or just recently registered domains at major providers), looking for openings to exploit. Most of them arrived during the same 20-hour period immediately after the domain went live.

Here is an incomplete list of the gems (actual .log entries from the Zurvur).


H2 Database Console RCE

***.***.***.*** - - [18/Nov/2025:01:43:11 +0000] "GET /console/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

The H2 console gives developers an endpoint for accessing the lightweight Java SQL database that is preloaded with Spring Boot. It shouldn't be accessible in prod, but it is often forgotten about when deploying, allowing malicious SQL statements to be executed and therefore RCE.

Xdebug Remote Debugging RCE

***.***.***.*** - - [18/Nov/2025:01:19:34 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 819 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

Another dev tool that is often forgotten about and deployed to prod. The query string asks Xdebug to open a PHP debugging session that connects back to the attacker's IP, allowing RCE through the debugger on the server. One thing to notice is that this request returned 200: the landing page was served as normal, with the query that starts the debug session simply ignored.

OpenWrt LuCI path traversal + session token injection

***.***.***.*** - - [18/Nov/2025:03:10:24 +0000] "GET /cgi-bin/luci/;stok=/locale HTTP/1.1" 404 162 "-" "-"

This request attempts to exploit a vulnerability in the LuCI web interface of OpenWrt routers to escalate privileges. It doesn't work in the vast majority of cases, and would only be dangerous if you had exposed your router's admin console to the WAN for some reason.

Spring Cloud Gateway Actuator RCE - CVE-2022-22947

***.***.***.*** - - [18/Nov/2025:03:00:02 +0000] "GET /actuator/gateway/routes HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

This is an attempt to see whether Spring Boot is in use and whether the Cloud Gateway actuator endpoint is enabled. The vulnerability allows RCE via maliciously crafted routing rules added through a POST request.

Laravel Ignition RCE - CVE-2021-3129

***.***.***.*** - - [18/Nov/2025:02:06:32 +0000] "GET /_ignition/execute-solution HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

A Laravel exploit that allows RCE by crafting a malicious "error solution" which the server then runs. Ignition is usually only enabled in dev environments, but it is occasionally left enabled in prod.

PHPUnit eval-stdin.php RCE - CVE-2017-9841

***.***.***.*** - - [18/Nov/2025:00:28:54 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

Another tool intended only for developer use; it literally executes whatever PHP code it is sent, with no safeguards. It is meant for unit testing, but if deployed to prod it hands hackers the keys to your system.

Microsoft Exchange Autodiscover - ProxyLogon/ProxyShell exploits

***.***.***.*** - - [18/Nov/2025:00:17:24 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

A Microsoft Exchange Server path sanitization bug allows carefully crafted HTTP headers which, through a chain of attacks, give full access to the server via privilege escalation.

Apache Solr Admin API RCE - Multiple CVEs

***.***.***.*** - - [17/Nov/2025:16:52:51 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

Multiple vulnerabilities exist in Apache Solr's Admin API. The /admin/info/system endpoint exposes version and configuration details, enabling attackers to select targeted exploits. Combined with vulnerabilities like CVE-2019-17558 (Velocity template injection), this recon step often precedes RCE attempts.

AWS config file disclosure

***.***.***.*** - - [18/Nov/2025:14:36:21 +0000] "GET /aws.config.js HTTP/1.1" 404 134 "-" "Python/3.10 aiohttp/3.13.1"

If the Zurvur were an AWS (Amazon Web Services) instance and had its config file mistakenly deployed to the web root, this request could have exposed API keys, giving attackers access to the AWS host account and allowing them to do malicious things such as spinning up more infrastructure to mine cryptocurrency and running up the charges for it.


The Pattern

Most of these requests return 404 (Not Found) or 400 (Bad Request). This is the 2011 Dell laptop doing its job: rejecting requests for nonexistent files and correctly handling any path traversal trickery. It has none of the software these vulnerabilities require installed, and serves only static .html files.

Despite its simplicity, the nginx access.log has provided significant insight into the attack vectors that modern IP crawlers use to try to gain root access to web servers all over the Internet. Hopefully this page serves as a reminder to ensure that your web server's configuration and all sensitive files are NOT VISIBLE FROM THE WEB ROOT.
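As an added example (not code from the original post), here is a small Python triage script that parses nginx combined-format lines like the entries above, tags the scanner probes listed on this page, and flags any probe that was actually served rather than rejected (the 404-versus-200 point made in The Pattern and in the Xdebug entry). The sample lines are constructed, with TEST-NET addresses and shortened user agents.

```python
import re
from collections import Counter
# nginx's default "combined" log format, which the entries on this page use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
# Probe signatures from this page's entries: lowercase substring of the request target (path plus query), and label.
PROBES = [
    ("/console/", "H2 console"),
    ("xdebug_session_start=", "Xdebug"),
    ("/cgi-bin/luci/;stok=", "OpenWrt LuCI"),
    ("/actuator/gateway/", "Spring Cloud Gateway CVE-2022-22947"),
    ("/_ignition/execute-solution", "Laravel Ignition CVE-2021-3129"),
    ("/vendor/phpunit/", "PHPUnit eval-stdin CVE-2017-9841"),
    ("/autodiscover/autodiscover.xml", "Exchange Autodiscover"),
    ("/solr/admin/", "Apache Solr admin"),
    ("aws.config.js", "AWS config disclosure"),
]

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(target):
    """Probe label for a request target, or None for ordinary traffic."""
    t = target.lower()
    return next((label for needle, label in PROBES if needle in t), None)

def triage(lines):
    """Return (hits, per_ip): hits are (ip, label, status, served) tuples, where served
    means a 2xx/3xx answer (the probe was not simply rejected); per_ip counts probes by IP."""
    hits, per_ip = [], Counter()
    for rec in filter(None, map(parse_line, lines)):
        label = classify(rec["target"])
        if label is None:
            continue
        status = int(rec["status"])
        hits.append((rec["ip"], label, status, status < 400))
        per_ip[rec["ip"]] += 1
    return hits, per_ip

# Constructed sample lines shaped like the page's entries (TEST-NET addresses, short UAs).
SAMPLE = [
    '203.0.113.7 - - [18/Nov/2025:01:19:34 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 819 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Nov/2025:01:43:11 +0000] "GET /console/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Nov/2025:14:36:21 +0000] "GET /aws.config.js HTTP/1.1" 404 134 "-" "Python/3.10 aiohttp/3.13.1"',
    '198.51.100.4 - - [18/Nov/2025:14:36:22 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Python/3.10 aiohttp/3.13.1"',
]
```

Running `triage(SAMPLE)` yields three probe hits, with only the Xdebug request marked as served; on a real access.log, a served hit is the line worth investigating first.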