Hello,
I’m using a bokeh server for an interactive data visualization tool. I start the server with the following command:
bokeh serve --allow-websocket-origin=localhost:5006 --log-file log.txt --show ../my_app
This usually creates the following entries in the log file:
2020-12-08 16:16:29,547 Starting Bokeh server version 2.2.3 (running on Tornado 6.1)
2020-12-08 16:16:29,549 User authentication hooks NOT provided (default user enabled)
2020-12-08 16:16:29,555 Bokeh app running at: http://localhost:5006/my_app
2020-12-08 16:16:29,555 Starting Bokeh server with process id: 11256
2020-12-08 16:16:34,901 WebSocket connection opened
2020-12-08 16:16:34,902 ServerConnection created
2020-12-08 16:16:34,966 404 GET /favicon.ico (::1) 1.00ms
This is all as expected. However, after a while the following lines are added to the log:
2020-12-15 12:46:29,308 404 GET /password (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:29,592 404 GET /aboutprinter.html (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:29,604 404 GET /properties/configuration.php?tab=Status (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:29,992 404 GET /login.php (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,005 404 GET /this_server/all_settings.shtml (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,130 404 GET /authenticate/login (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,152 404 GET /start.js (xxx.yyy.zzz.aaa) 0.50ms
2020-12-15 12:46:30,170 404 GET /tmui/ (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,183 404 GET /login (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,214 404 GET /netmri/config/userAdmin/login.tdf (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,249 404 GET /scgi-bin/platform.cgi (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,260 404 GET /admin/login.do (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,273 404 GET /en/main.js (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,318 404 GET /mgmt/login?dest=%2Fmgmt%2Fgui%3Fp%3Dhome&reason=&username= (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,331 404 GET /dms2/Login.jsp (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,345 404 GET /login (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,358 404 GET /home.htm (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,371 404 GET /sws/data/sws_data.js (xxx.yyy.zzz.aaa) 0.50ms
2020-12-15 12:46:30,372 404 GET /login.html (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,391 404 GET /wcd/system.xml (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,396 404 GET /properties/description.dhtml (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,407 404 GET /js/Device.js (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,413 404 GET /properties/configuration.php?tab=Status (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,448 404 GET /ptz.htm (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,453 404 GET /header.php?tab=status (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,463 404 GET /admin/login.jsp (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,496 404 GET /loginMsg.js (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,568 404 GET /index.html (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,618 404 GET /MSWSMTP/Common/Authentication/Logon.aspx (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,628 404 GET /admin_ui/mas/ent/login.html (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,838 404 GET // (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,905 404 GET /commoncgi/servlet/CCGIServlet?ApHost=PDT_InterScan_NT&CGIAlias=PDT_InterScan_NT&File=logout.htm (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,919 404 GET /xmldata?item=All (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,936 404 GET /upnp/BasicDevice.xml (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:31,015 404 GET /intruvert/jsp/admin/Login.jsp (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:31,175 404 GET http://rfi.nessus.org/check_proxy.html (xxx.yyy.zzz.aaa) 0.00ms
I replaced the IP address with (xxx.yyy.zzz.aaa)…
Actually many more lines like that follow. I’m not a security expert, but to me this looks highly alarming! I definitely did not add these requests to my code, so how do these requests end up in my log? Could it be from a malware scanner / antivirus / …? Why would this then show up in my Bokeh log file?
Any help is highly appreciated, since I will shut down all bokeh servers until I can better understand this behavior.
Additional info:
I’m using bokeh 2.2.3 with the py38_0 build in an anaconda environment.
Thanks
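Added example, not part of the original post: a small Python parser for access lines in the format shown in the log above. It groups 404 responses by client and flags any client that requests many distinct nonexistent targets within a few seconds. The sample lines are constructed from paths in the log, with 203.0.113.7 as a placeholder address; the function names and the thresholds (`window_s`, `min_paths`) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Access-line layout as seen in the log above:
# "<date> <time>,<ms> <status> <METHOD> <target> (<client>) <duration>ms"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<target>\S+) "
    r"\((?P<client>[^)]+)\) [\d.]+ms$")

# Constructed sample: paths taken from the post, placeholder client address.
SAMPLE_LOG = """\
2020-12-08 16:16:34,901 WebSocket connection opened
2020-12-08 16:16:34,966 404 GET /favicon.ico (::1) 1.00ms
2020-12-15 12:46:29,308 404 GET /password (203.0.113.7) 0.00ms
2020-12-15 12:46:29,992 404 GET /login.php (203.0.113.7) 0.00ms
2020-12-15 12:46:30,170 404 GET /tmui/ (203.0.113.7) 0.00ms
2020-12-15 12:46:30,183 404 GET /login (203.0.113.7) 0.00ms
2020-12-15 12:46:30,345 404 GET /login (203.0.113.7) 1.00ms
2020-12-15 12:46:30,463 404 GET /admin/login.jsp (203.0.113.7) 1.00ms
2020-12-15 12:46:31,175 404 GET http://rfi.nessus.org/check_proxy.html (203.0.113.7) 0.00ms
"""

def parse_line(line):
    """Return a dict for an access line, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    ts += timedelta(milliseconds=int(m["ms"]))
    return {"ts": ts, "status": int(m["status"]),
            "target": m["target"], "client": m["client"]}

def find_probe_bursts(lines, window_s=10, min_paths=5):
    """Flag clients with >= min_paths distinct 404 targets inside window_s."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] == 404:
            hits[rec["client"]].append(rec)
    flagged, window = {}, timedelta(seconds=window_s)
    for client, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        start = best = 0
        for end in range(len(recs)):  # sliding time window over this client
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            best = max(best, len({r["target"] for r in recs[start:end + 1]}))
        if best >= min_paths:
            # Absolute-URI targets are proxy-style requests worth listing separately.
            proxy = [r["target"] for r in recs if "://" in r["target"]]
            flagged[client] = {"distinct_404_targets": best,
                               "absolute_uri_requests": proxy}
    return flagged
```

Running `find_probe_bursts` over the real `log.txt` lines shows which client addresses produced the bursts, which helps identify the host that reached the server's port.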