Issue
I have multiple WordPress sites running on an EC2 instance. The instance runs nginx, and I have configured the two WordPress sites and three static HTML sites in folders under /var/www/html.
Every few weeks, the entire thing goes down and I can't figure out why. There are a number of errors in the /var/log/nginx-error.log file. I can always restart the server with service nginx restart.
I'm not sure if this is because I have multiple sites or if someone has been hacking into my server. I have turned off comments on all of my sites to avoid potential issues.
The site receives very little real traffic, but Cloudflare is telling me there have been 17,885 requests in the last month.
Is there a way I can save this server so it doesn't continuously fall over?
Here are the final few rows of the error file from the latest fail. Happy to post more if it will help.
2021/01/05 17:44:19 [error] 15327#0: *43617 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 172.68.239.172, server: coreygarvey.com, request: "GET /up.php HTTP/1.1", host: "www.coreygarvey.com"
2021/01/05 18:04:18 [error] 15327#0: *43622 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 172.69.62.221, server: coreygarvey.com, request: "GET /wp-login.php HTTP/1.1", host: "www.coreygarvey.com", referrer: "http://coreygarvey.com/wp-login.php"
2021/01/05 19:34:26 [error] 15327#0: *43674 open() "/var/www/html/home/.env" failed (2: No such file or directory), client: 108.162.216.185, server: coreygarvey.com, request: "GET /.env HTTP/1.1", host: "coreygarvey.com"
2021/01/05 19:34:26 [error] 15327#0: *43674 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 108.162.216.185, server: coreygarvey.com, request: "GET /.env HTTP/1.1", host: "coreygarvey.com"
2021/01/05 19:58:22 [error] 15327#0: *43699 open() "/var/www/html/home/owa/auth/logon.aspx" failed (2: No such file or directory), client: 192.241.209.91, server: coreygarvey.com, request: "GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1", host: "52.7.66.46"
2021/01/05 19:58:22 [error] 15327#0: *43699 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 192.241.209.91, server: coreygarvey.com, request: "GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1", host: "52.7.66.46"
2021/01/05 20:05:39 [error] 15327#0: *43713 open() "/var/www/html/home/.env" failed (2: No such file or directory), client: 162.158.79.160, server: coreygarvey.com, request: "GET /.env HTTP/1.1", host: "www.coreygarvey.com"
2021/01/05 20:05:39 [error] 15327#0: *43713 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 162.158.79.160, server: coreygarvey.com, request: "GET /.env HTTP/1.1", host: "www.coreygarvey.com"
2021/01/05 20:18:46 [error] 15327#0: *43722 open() "/var/www/html/home/robots.txt" failed (2: No such file or directory), client: 108.162.246.22, server: coreygarvey.com, request: "GET /robots.txt HTTP/1.1", host: "coreygarvey.com"
2021/01/05 20:18:46 [error] 15327#0: *43722 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 108.162.246.22, server: coreygarvey.com, request: "GET /robots.txt HTTP/1.1", host: "coreygarvey.com"
2021/01/05 20:25:00 [error] 15327#0: *43725 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 173.245.52.168, server: coreygarvey.com, request: "GET /wp-content/plugins/ioptimizations/IOptimizes.php?hamlorszd HTTP/1.1", host: "www.coreygarvey.com"
2021/01/05 20:25:00 [error] 15327#0: *43727 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 162.158.62.203, server: coreygarvey.com, request: "GET /blog/wp-content/plugins/ioptimizations/IOptimizes.php?hamlorszd HTTP/1.1", host: "www.coreygarvey.com"
2021/01/05 20:25:03 [error] 15327#0: *43729 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 162.158.154.198, server: coreygarvey.com, request: "GET /wp/wp-content/plugins/ioptimizations/IOptimizes.php?hamlorszd HTTP/1.1", host: "www.coreygarvey.com"
2021/01/05 20:25:03 [error] 15327#0: *43729 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 162.158.154.198, server: coreygarvey.com, request: "GET /wordpress/wp-content/plugins/ioptimizations/IOptimizes.php?hamlorszd HTTP/1.1", host: "www.coreygarvey.com"
2021/01/05 22:23:03 [error] 15327#0: *43807 open() "/var/www/html/home/robots.txt" failed (2: No such file or directory), client: 162.158.78.139, server: coreygarvey.com, request: "GET /robots.txt HTTP/1.1", host: "www.coreygarvey.com"
2021/01/05 22:23:03 [error] 15327#0: *43807 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 162.158.78.139, server: coreygarvey.com, request: "GET /robots.txt HTTP/1.1", host: "www.coreygarvey.com"
2021/01/05 22:48:13 [error] 15327#0: *43836 open() "/var/www/html/home/.env" failed (2: No such file or directory), client: 40.86.206.98, server: coreygarvey.com, request: "GET /.env HTTP/1.1", host: "52.7.66.46"
2021/01/05 22:48:13 [error] 15327#0: *43836 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 40.86.206.98, server: coreygarvey.com, request: "GET /.env HTTP/1.1", host: "52.7.66.46"
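Nothing in the lines above records the crash itself; they are 404s for paths that scanners try on every public host, each doubled because nginx also fails to open the configured 404.html page. As an added example (not code from the question or the answer), this Python script parses lines in that error-log format, counts each request once, and reports which paths were probed, from which client addresses, and how many requests reached the origin by its bare IP rather than the site name. The sample lines are copied from the question; the list of probe markers is an assumption drawn from those lines.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Sample input: four lines copied from the question's error log (constructed test data).
SAMPLE_LOG = """\
2021/01/05 19:34:26 [error] 15327#0: *43674 open() "/var/www/html/home/.env" failed (2: No such file or directory), client: 108.162.216.185, server: coreygarvey.com, request: "GET /.env HTTP/1.1", host: "coreygarvey.com"
2021/01/05 19:34:26 [error] 15327#0: *43674 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 108.162.216.185, server: coreygarvey.com, request: "GET /.env HTTP/1.1", host: "coreygarvey.com"
2021/01/05 20:25:00 [error] 15327#0: *43725 open() "/var/www/html/home/404.html" failed (2: No such file or directory), client: 173.245.52.168, server: coreygarvey.com, request: "GET /wp-content/plugins/ioptimizations/IOptimizes.php?hamlorszd HTTP/1.1", host: "www.coreygarvey.com"
2021/01/05 22:48:13 [error] 15327#0: *43836 open() "/var/www/html/home/.env" failed (2: No such file or directory), client: 40.86.206.98, server: coreygarvey.com, request: "GET /.env HTTP/1.1", host: "52.7.66.46"
"""

# Assumed probe markers, taken from the paths in the question's log (leaked .env files,
# the WP login page, Exchange OWA, the ioptimizations plugin file, a generic uploader).
PROBE_MARKERS = ("/.env", "/wp-login.php", "/owa/", "/up.php",
                 "/wp-content/plugins/ioptimizations/")

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*(?P<conn>\d+) '
    r'open\(\) "(?P<file>[^"]+)" failed \((?P<errno>\d+): [^)]*\), '
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*", host: "(?P<host>[^"]+)"'
)
IP_HOST_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}(:\d+)?$')

def parse_line(line):
    """Named fields of one error-log line, or None if the line has another shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_probe(uri):
    """True if the path (query stripped) contains a probe marker; catches /blog/... prefixes too."""
    return any(marker in urlsplit(uri).path for marker in PROBE_MARKERS)

def summarize(log_text):
    """Count each request once (a missing custom 404 page makes nginx log two open()
    failures per probe), then report what was probed, by whom, and direct-by-IP hits."""
    seen, missing_404 = {}, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        seen.setdefault((rec["conn"], rec["uri"]), rec)   # one entry per request
        missing_404 += rec["file"].endswith("/404.html")
    reqs = list(seen.values())
    return {
        "requests": len(reqs),
        "missing_404_errors": missing_404,
        "probes": Counter(urlsplit(r["uri"]).path for r in reqs if is_probe(r["uri"])),
        "probe_clients": Counter(r["client"] for r in reqs if is_probe(r["uri"])),
        "direct_by_ip": sum(1 for r in reqs if IP_HOST_RE.match(r["host"])),
    }
```

When a CDN such as Cloudflare fronts the site, the client field holds the CDN edge address unless nginx is configured to restore the visitor IP, so read probe_clients with that in mind. Requests whose host is the bare instance IP almost certainly reached the server without passing through the CDN at all.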
Solution
We encountered ioptimizations (your log mentions /wordpress/wp-content/plugins/ioptimizations/IOptimizes.php) a year back; it's pure malware. Inspect the code: it creates a form to upload a file, and it will execute it (and can thus install more garbage). My bet is that this is where your troubles come from.
We use Wordfence as protection on the WordPress website; it blocks anything that tries to execute outside of WordPress, so it could do no damage in our case (so I recommend using it).
We have tried informing the WordPress dev team about this. Just having a malicious plugin is one thing, but how it manages to install itself on its own on your website is a serious concern (and would imply some vulnerability in WordPress being exploited). But our complaints got ignored, and there is a serious lack of information to be found on this when you try to google it (I happened to stumble upon yours while checking whether there was more information about it by now).
So I would recommend anti-malware plugins (Wordfence) and doing a thorough cleaning; make sure to get rid of ioptimizations and look for any other damage it might have caused.
This is my first post on stackoverflow, I hope I did this right. Good luck!
Answered By - Zoop