I registered a domain, and as soon as I set it up, I saw in the logs that every minute, from different IPs and with different referrers, something requests some kind of script on the site. Here is an example of the errors in the logs:

2019/04/25 11:54:52 [error] 18771#18771: *968 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 83.97.110.197, server: xerxes.ru, request: "GET /getscripts2?&b=c98aecda097f2a52964c89167f60f61d&publisher_id=81c675d4733cd5376ff43d2bc7005e0a&uid=1b10b02d377e8c936434a509e7747005&r=&h=www.google.com&rand=1556193290958&_=1556193290480 HTTP/2.0", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "xerxes.ru", referrer: "https://www.google.com/"
2019/04/25 11:54:59 [error] 18771#18771: *968 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 83.97.110.197, server: xerxes.ru, request: "GET /getscripts2?&b=c98aecda097f2a52964c89167f60f61d&publisher_id=81c675d4733cd5376ff43d2bc7005e0a&uid=1b10b02d377e8c936434a509e7747005&r=https%3A%2F%2Fwww.google.com%2F&h=www.youtube.com&rand=1556193298293&_=1556193295292 HTTP/2.0", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "xerxes.ru", referrer: "https://www.youtube.com/"
2019/04/25 11:55:51 [error] 18771#18771: *975 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 78.85.175.231, server: xerxes.ru, request: "GET /getscripts2?&b=c98aecda097f2a52964c89167f60f61d&publisher_id=81c675d4733cd5376ff43d2bc7005e0a&uid=687b15e9a15b91aa8e54d6bc0d982283&r=&h=e.mail.ru&rand=1556193355156&_=1556193343577 HTTP/2.0", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "xerxes.ru", referrer: "https://e.mail.ru/thread/0:15559335500000000132:500000/"
2019/04/25 11:56:17 [error] 18771#18771: *977 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 188.235.10.69, server: xerxes.ru, request: "GET /getscripts2?&b=c98aecda097f2a52964c89167f60f61d&publisher_id=81c675d4733cd5376ff43d2bc7005e0a&uid=b75f3a00d7c3ac8ba10820b87473fe92&r=&h=yandex.ru&rand=1556189834748&_=1556189832912 HTTP/2.0", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "xerxes.ru", referrer: "https://yandex.ru/"
2019/04/25 11:56:18 [error] 18771#18771: *977 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 188.235.10.69, server: xerxes.ru, request: "GET /getscripts2?&b=c98aecda097f2a52964c89167f60f61d&publisher_id=81c675d4733cd5376ff43d2bc7005e0a&uid=b75f3a00d7c3ac8ba10820b87473fe92&r=https%3A%2F%2Fyandex.ru%2F&h=mail.yandex.ru&rand=1556189836082&_=1556189835338 HTTP/2.0", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "xerxes.ru", referrer: "https://mail.yandex.ru/"
2019/04/25 11:56:42 [error] 18771#18771: *981 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 78.85.175.231, server: xerxes.ru, request: "GET /getscripts2?&b=c98aecda097f2a52964c89167f60f61d&publisher_id=81c675d4733cd5376ff43d2bc7005e0a&uid=687b15e9a15b91aa8e54d6bc0d982283&r=https%3A%2F%2Fe.mail.ru%2Fthread%2F0%3A15559335500000000132%3A500000%2F&h=e.mail.ru&rand=1556193406272&_=1556193393206 HTTP/2.0", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "xerxes.ru", referrer: "https://e.mail.ru/thread/0:15559335500000000132:500000/"
2019/04/25 11:56:52 [error] 18771#18771: *983 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 78.85.175.231, server: xerxes.ru, request: "GET /getscripts2?&b=c98aecda097f2a52964c89167f60f61d&publisher_id=81c675d4733cd5376ff43d2bc7005e0a&uid=687b15e9a15b91aa8e54d6bc0d982283&r=https%3A%2F%2Fe.mail.ru%2Fthread%2F0%3A15559335500000000132%3A500000%2F&h=e.mail.ru&rand=1556193416634&_=1556193410996 HTTP/2.0", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "xerxes.ru", referrer: "https://e.mail.ru/thread/0:15559335500000000132:500000/"

What is it and how do I deal with it? This is the first time I have seen this.

UPD: over the last 3 days the logs have grown to 40 MB ...

  • If the problem is only the size of the logs, then create a separate location with logging turned off and that's it. And there is no need to torment PHP in it either - Alexey Ten
  • No, I don't care about the logs, I need to know the reason)) - Paul Wall
  • A quick Google search turns up only posts from 2015 - Alexey Ten

1 answer

Apparently, this domain, named after the Persian king, was once used as a source of data on mirrors for bypassing blocks. It can be assumed that this was something for the Kinogo site, since the code of the browser extension contains a reference to a request to /getscripts2 that fetches some scripts, which are inserted into the <head> of each page that the user visits. In this case, the h parameter indicates the host into which the script is embedded.

The correct option in such a situation would be simply to ignore requests:

    location = /getscripts2 {
        access_log off;
        expires max;
        return 200 "";
    }

Another option would be to ask users to remove the extension:

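    location = /getscripts2 {
        access_log off;
        # The alert text reads: "Remove the outdated extension for accessing the
        # online cinema. This message will be shown until the extension is removed."
        return 200 "alert('Удалите устаревшее расширение для доступа к онлайн-кинотеатру. Это сообщение будет показываться пока расширение не будет удалено.');";
    }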

A less correct option would be to use this feature to run some of your own scripts on all sites that are visited by the unlucky users of this extension. This can be very unpleasant for users of the extension, but it is also risky for you: you can end up on the Google blacklist and drop out of search results.

  • I would give 404 or 410 instead of 200 - Alexey Ten
  • Why would this be better? - sanmai
  • That is honest: there is no file. And a 410, in theory, the browser should remember and not come back. By the way, caching headers should also be added - Alexey Ten
  • Cache headers seem self-evident, but I will add them. - sanmai
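
A triage sketch for error-log entries like the ones in the question, added here as an example (it is not code from the question or the answer): it groups /getscripts2 requests by the uid parameter and lists the h and r values each one reported, which shows how much browsing data the stale extension sends to whoever holds the domain. Treating uid as one extension install is an assumption, and the sample entries are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ENTRY_RE = re.compile(
    r'client: (?P<client>[^,\s]+), server: [^,]+, request: "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def _entry(client, target):
    """Build one constructed entry in the error-log format quoted in the question."""
    return ('2019/04/25 11:54:52 [error] 1#1: *1 FastCGI sent in stderr: "Primary script unknown" '
            f'while reading response header from upstream, client: {client}, server: example.test, '
            f'request: "GET {target} HTTP/2.0", host: "example.test" ')

# Constructed sample: documentation-range addresses, made-up parameter values.
# Entries are run together on one line, as in the pasted log.
Q = "/getscripts2?&b=aa&publisher_id=bb"
SAMPLE_LOG = (
    _entry("192.0.2.10", Q + "&uid=u1&r=&h=www.google.com&rand=1")
    + _entry("192.0.2.10", Q + "&uid=u1&r=https%3A%2F%2Fwww.google.com%2F&h=www.youtube.com&rand=2")
    + _entry("198.51.100.7", Q + "&uid=u2&r=&h=mail.example.org&rand=3")
    + _entry("198.51.100.7", "/index.php?uid=u9&h=other.example")  # different path: ignored
    + _entry("203.0.113.5", Q)  # no uid or h: counted as skipped
)

def summarize(log_text, path="/getscripts2"):
    """Group requests for `path` by uid: client addresses, reported hosts (h), previous pages (r)."""
    installs = defaultdict(lambda: {"clients": set(), "hosts": [], "previous": []})
    skipped = 0
    for m in ENTRY_RE.finditer(log_text):  # finditer copes with entries sharing a line
        url = urlsplit(m["target"])
        if url.path != path:
            continue
        q = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes r
        uid, host, prev = (q.get(k, [""])[0] for k in ("uid", "h", "r"))
        if not uid or not host:
            skipped += 1
            continue
        rec = installs[uid]
        rec["clients"].add(m["client"])
        rec["hosts"].append(host)
        if prev:
            rec["previous"].append(prev)
    return dict(installs), skipped

if __name__ == "__main__":
    installs, skipped = summarize(SAMPLE_LOG)
    for uid, rec in installs.items():
        print(uid, sorted(rec["clients"]), rec["hosts"], rec["previous"])
    print("skipped entries:", skipped)
```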