Discover Server Health and Hacking Attempts in Web Server error_log Files

In this third and final edition in my series on web server logs, I'll explain what an error_log is and the important information you can find within. My previous two Nuggets explaining your web server's access_log can be found here and here.

In those previous two Nuggets I showed examples of the information that is recorded in your access_log file every time someone visits your website. All of that information is useful for helping you determine how to improve your site.

On the other hand, the error_log file is where server problems are saved. These problems include misconfigurations, missing files, hacking attempts, server errors, and denial of service (DOS) attacks.

The error_log file is usually saved in the same directory on your web server as your access_log file. For security reasons this directory should not be visible to the public and it should be password protected or simply not accessible through a web browser at all.

Here's a sample error log entry:


Because these error logs are a lot easier to read than the access_logs you won't need a program to help you read them. Here's how you would read the above example:

[Sun Apr 19 23:59:48 2015]
This is the time and date the error occurred, shown in military time. This says Sunday, April 19, 2015 at 11:59 and 48 seconds PM.

[error]
This next part tells us the type of problem. Most of the time you'll see "[error]" here. Other possibilities include [alert], [info], [warn], [notice], [debug], [crit], and [emerg].

[client 173.209.212.16]
This is the IP address for the person or computer that made the request that lead to this error. During hacking attempts you will see dozens, hundreds, even thousands of entries from the same IP.

File does not exist: /var/www/public_html/apple-touch-icon.png
The last part of the entry explains what the problem was. In this case we see the file "apple-touch-icon.png" was missing. That's the icon image file that smartphones look for when saving bookmarks.

Missing favicon.ico Errors

Here are a few common errors that you'll probably see in your own logs...



The favicon.ico is the default icon that all web browsers look for. When this file exists on your website it will appear next to your website address in the browser's address bar. Take a look at this favicon.ico Nugget to see how to create one of these for your site.

Common Hacking Errors

Here are four common errors you'll see when someone is trying to hack into your website...



These are actual errors from my error log that happened sequentially over 4 seconds from the same IP address. That IP, 176.119.109.177, is located somewhere in the Ukraine.

The first attack attempt is looking for the WordPress login script "wp-login.php." The hacker took no further action since it wasn't found.

The second attack attempt was looking for the Magento "administrator" directory. The hacker moved on since that didn't exist either.

The third attack attempt was looking for the CS.Cart "admin.php" login file. The hacker moved on since that didn't exist either.

The fourth attack attempt was looking for the WordPress management directory of "wp-admin," but this time they randomly chose to look for it in the "blog" subdirectory. In an attempt to prevent typical attacks like this one, some website administrators will try to hide the WordPress CMS directories in other subdirectories. This error shows why those website admins are just performing an exercise in futility.

With millions of websites around the world using WordPress, Magento, and CS Cart, I imagine that the odds of these hackers finding one of these during probing attacks like this are probably pretty high.

It's because of attacks like these that you should always change the default administrative usernames and passwords for your website as soon as the CMS software is installed.

Broken Website Errors

Sometimes the error logs can alert you to broken or missing pages on your website that you don't know about...



In this example, we see a page called "rings/engagement-rings.html" that should be on the website but appears to be broken.

The most notable reasons a web page might break include a fault during FTP upload, a connection failure while the website admin is editing a page, and a simple sector error on the server's hard drive.

While the first two errors can be solved quickly, the hard drive sector failure is akin to the same problem that will cause a Blue Screen of Death on your personal computer. Server administrators should be on the lookout when a website starts exhibiting frequent dead files like this because this is an early warning sign that the hard drives need to be replaced.

Spotting DOS Attacks

It's time to check your server's error logs when nothing seems to make sense, and your website is not functioning correctly. Denial of Service (DOS) attacks usually look innocuous, but anything in a very large quantity can be deadly to your site...



In the example above, you can see 5 errors that occurred over 2 seconds. The same IP address is looking for a file called "wpad.dat." This file is associated with a common Microsoft DNS service, but that service isn't running on this web server.

Sometimes a DOS attack is intentional, and sometimes it's an accident. You can tell the difference by the number of log entries per second. In this case we only see 2 or 3 entries per second, which I would classify as accidental. An intentional DOS attack would occur at dozens or hundreds of times per second. Those massive attacks are what cause web server overloads.

Blocking intentional DOS attacks is too complicated to explain here. On the other hand, if you constantly see accidental attacks then you can try to contact the owner of the web server by tracking them down through their IP address. Odds are that they won't even be aware of the situation until you tell them.

Google Errors

In an attempt to discover all they can about the web, Google tries to snoop around websites. Here are some common errors that Google causes...



The "categories.cfm" page does not exist on the website, but Google is looking for it in an attempt to find more information about an e-commerce site.

The "sitemap.xml" file should exist on all websites. This file usually contains an authoritative list of the pages Google should be reading. Seeing it in the error log means something is wrong.

In the last error Google is looking for the "mobile" folder. No doubt they are searching for mobile compatibility for this particular website.

The Google spider isn't all bad though, sometimes it can alert you to a real problem like what you see here...



The above 9 errors show several missing image files. The only reason Google is looking for these files is because they are found on the website somewhere. They probably appear as broken images on those pages.

By the way, it's suspected that Google monitors the number of errors that your website has, and uses that error count as a ranking factor. As part of your SEO process you should have someone periodically review your error logs for Google's IPs and correct the problems Google is identifying for you.

Conclusion

Your web server log files provide a lot of valuable information for maintaining the health of your website.
Many people will ignore their access_logs in favor of Google Analytics, but the information contained in your error_logs can't be found anywhere else.

Someone on your team should be monitoring this regularly.