Disturbing log entries in bokeh server log

Hello,

I’m using a bokeh server for an interactive data visualization tool. I start the server with the following command:

bokeh serve --allow-websocket-origin=localhost:5006 --log-file log.txt --show ../my_app

This usually creates the following entries in the log file:

2020-12-08 16:16:29,547 Starting Bokeh server version 2.2.3 (running on Tornado 6.1)
2020-12-08 16:16:29,549 User authentication hooks NOT provided (default user enabled)
2020-12-08 16:16:29,555 Bokeh app running at: http://localhost:5006/my_app
2020-12-08 16:16:29,555 Starting Bokeh server with process id: 11256
2020-12-08 16:16:34,901 WebSocket connection opened
2020-12-08 16:16:34,902 ServerConnection created
2020-12-08 16:16:34,966 404 GET /favicon.ico (::1) 1.00ms

This is all as expected. However, after a while the following lines are added to the log:

2020-12-15 12:46:29,308 404 GET /password (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:29,592 404 GET /aboutprinter.html (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:29,604 404 GET /properties/configuration.php?tab=Status (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:29,992 404 GET /login.php (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,005 404 GET /this_server/all_settings.shtml (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,130 404 GET /authenticate/login (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,152 404 GET /start.js (xxx.yyy.zzz.aaa) 0.50ms
2020-12-15 12:46:30,170 404 GET /tmui/ (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,183 404 GET /login (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,214 404 GET /netmri/config/userAdmin/login.tdf (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,249 404 GET /scgi-bin/platform.cgi (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,260 404 GET /admin/login.do (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,273 404 GET /en/main.js (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,318 404 GET /mgmt/login?dest=%2Fmgmt%2Fgui%3Fp%3Dhome&reason=&username= (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,331 404 GET /dms2/Login.jsp (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,345 404 GET /login (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,358 404 GET /home.htm (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,371 404 GET /sws/data/sws_data.js (xxx.yyy.zzz.aaa) 0.50ms
2020-12-15 12:46:30,372 404 GET /login.html (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,391 404 GET /wcd/system.xml (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,396 404 GET /properties/description.dhtml (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,407 404 GET /js/Device.js (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,413 404 GET /properties/configuration.php?tab=Status (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,448 404 GET /ptz.htm (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,453 404 GET /header.php?tab=status (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,463 404 GET /admin/login.jsp (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,496 404 GET /loginMsg.js (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,568 404 GET /index.html (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:30,618 404 GET /MSWSMTP/Common/Authentication/Logon.aspx (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,628 404 GET /admin_ui/mas/ent/login.html (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,838 404 GET // (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,905 404 GET /commoncgi/servlet/CCGIServlet?ApHost=PDT_InterScan_NT&CGIAlias=PDT_InterScan_NT&File=logout.htm (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,919 404 GET /xmldata?item=All (xxx.yyy.zzz.aaa) 0.00ms
2020-12-15 12:46:30,936 404 GET /upnp/BasicDevice.xml (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:31,015 404 GET /intruvert/jsp/admin/Login.jsp (xxx.yyy.zzz.aaa) 1.00ms
2020-12-15 12:46:31,175 404 GET http://rfi.nessus.org/check_proxy.html (xxx.yyy.zzz.aaa) 0.00ms

I replaced the IP address with (xxx.yyy.zzz.aaa)…

Actually many more lines like that follow. I’m not a security expert, but for me this looks highly alarming! I definitely did not add these requests to my code, so how do these requests end up in my log? Could it be from a malware scanner / antivirus / …? Why would this then show up in my bokeh log file?

Any help is highly appreciated, since I will shut down all bokeh servers until I can better understand this behavior.

Additional info:
I’m using bokeh 2.2.3 with the py38_0 build in an anaconda environment.

Thanks

@FET

I cannot provide any security advice or audit your system. I have never seen such activity in the bokeh server logs for my apps.

A quick scan of the entries in the log in the context of your computer or network environment might point you in the direction to make an informed assessment of whether the traffic makes sense or is a cause of concern.

What does your bokeh server do? Do you include any other modules for data access/retrieval from sensors/hardware? The internet?

Are you running in a corporate network environment? Or on a company computer with management and/or oversight features?

Along those lines …


2020-12-15 12:46:30,170 404 GET /tmui/ (xxx.yyy.zzz.aaa) 0.00ms

includes TMUI, which might refer to Traffic Management User Interface, referenced in F5’s BIG-IP application services for security, traffic management, etc. See here.

And a quick article regarding a remote-code-execution vulnerability, if this is germane to your network, is here.


2020-12-15 12:46:30,331 404 GET /dms2/Login.jsp (xxx.yyy.zzz.aaa) 0.00ms

includes DMS2, which might refer to Delegated Management Services of users at Broadcom. See here.


2020-12-15 12:46:31,015 404 GET /intruvert/jsp/admin/Login.jsp (xxx.yyy.zzz.aaa) 1.00ms

includes INTRUVERT, which might refer to the company of the same name that develops (or previously developed?) intrusion detection systems.


2020-12-15 12:46:31,175 404 GET http://rfi.nessus.org/check_proxy.html (xxx.yyy.zzz.aaa) 0.00ms

includes NESSUS, which is a security vulnerability tool from Tenable. See here.

I hope this helps point you to more informed appraisal of what is going on in your specific setup.

Just in case it’s not evident, the server logs all incoming requests, whether they are successful or not. In this case you can see they all get 404 responses since those routes don’t exist on your server.

This could certainly be someone probing your system for known vulnerabilities. We’ve even had similar log entries for the CDN, which is just an AWS CloudFront distribution. As far as I can tell most any internet-facing site has a decent chance to see intrusion attempts. That does not have anything to do with Bokeh, really, it’s just something that pests on the internet do that we all have to put up with and prepare against.

Thanks for the info. That already helps a lot. Regarding incoming requests, would the IP in brackets be the IP of the requestor?

Yes I believe so. The logs are generated by Tornado, so ultimately the Tornado docs will have the definitive answer.

Also I guess it’s worth mentioning, if you are at a large company then it’s possible this is a corporate security team doing the probing.
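The two points above (every request, failed or not, is written to the log by Tornado, and the address in parentheses is the remote address) are enough to do a first triage of a log like the one in the question without any security tooling. The following script is an added example, not code from the Bokeh project or from anyone in this thread. It parses the `STATUS METHOD PATH (ADDR) ELAPSEDms` access lines that Tornado writes, ignores the startup and WebSocket lines, and reports any remote address that produced a burst of 404s across many different paths within a short window, which is the signature of the scan shown above. The log lines embedded below are constructed for the example (the paths are the ones from the question; 203.0.113.7 is a documentation-range placeholder, not a real source), and the thresholds `min_404` and `min_distinct` are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tornado access-log line as written by `bokeh serve --log-file`:
#   "<timestamp> <status> <method> <path> (<remote address>) <elapsed>ms"
# Startup messages and WebSocket lines do not carry a status and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"\((?P<addr>[^)]+)\) (?P<ms>[\d.]+)ms$"
)


def parse_line(line):
    """Return a dict for an access-log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
        "status": int(m["status"]),
        "method": m["method"],
        "path": m["path"],
        "addr": m["addr"],   # the remote address, i.e. who sent the request
        "ms": float(m["ms"]),
    }


def find_probing(lines, window=timedelta(seconds=60), min_404=10, min_distinct=5):
    """Group 404s by remote address and flag addresses that produced at least
    `min_404` of them, touching at least `min_distinct` different paths, inside
    any `window`-long span.  Returns {addr: summary of the densest window}."""
    per_addr = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_addr[rec["addr"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for addr, hits in per_addr.items():
        hits.sort()
        best, start = None, 0
        for end in range(len(hits)):
            # slide the window start forward until the span fits in `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            if best is None or len(span) > best["count"]:
                best = {
                    "count": len(span),
                    "distinct_paths": len({p for _, p in span}),
                    "first_seen": span[0][0],
                    "last_seen": span[-1][0],
                }
        if best["count"] >= min_404 and best["distinct_paths"] >= min_distinct:
            flagged[addr] = best
    return flagged


# Constructed sample log: a normal local session, then a scan burst from a
# placeholder address (203.0.113.7 is reserved for documentation).
SAMPLE_LOG = """\
2020-12-08 16:16:29,547 Starting Bokeh server version 2.2.3 (running on Tornado 6.1)
2020-12-08 16:16:34,901 WebSocket connection opened
2020-12-08 16:16:34,966 404 GET /favicon.ico (::1) 1.00ms
2020-12-08 16:16:35,100 200 GET /my_app (::1) 12.00ms
2020-12-15 12:46:29,308 404 GET /password (203.0.113.7) 0.00ms
2020-12-15 12:46:29,592 404 GET /aboutprinter.html (203.0.113.7) 0.00ms
2020-12-15 12:46:29,992 404 GET /login.php (203.0.113.7) 0.00ms
2020-12-15 12:46:30,183 404 GET /login (203.0.113.7) 0.00ms
2020-12-15 12:46:30,170 404 GET /tmui/ (203.0.113.7) 0.00ms
2020-12-15 12:46:30,260 404 GET /admin/login.do (203.0.113.7) 0.00ms
2020-12-15 12:46:30,345 404 GET /login (203.0.113.7) 1.00ms
2020-12-15 12:46:30,372 404 GET /login.html (203.0.113.7) 0.00ms
2020-12-15 12:46:30,448 404 GET /ptz.htm (203.0.113.7) 0.00ms
2020-12-15 12:46:30,568 404 GET /index.html (203.0.113.7) 1.00ms
2020-12-15 12:46:30,919 404 GET /xmldata?item=All (203.0.113.7) 0.00ms
2020-12-15 12:46:31,175 404 GET http://rfi.nessus.org/check_proxy.html (203.0.113.7) 0.00ms
""".splitlines()


if __name__ == "__main__":
    for addr, info in find_probing(SAMPLE_LOG).items():
        print(f"{addr}: {info['count']} x 404 over {info['distinct_paths']} paths "
              f"between {info['first_seen']} and {info['last_seen']}")
```

Run it against a real `log.txt` by replacing `SAMPLE_LOG` with `open("log.txt").read().splitlines()`. The local `::1` favicon 404 is not flagged because one miss is normal browser behaviour; the burst is flagged because many distinct, unrelated paths fail from one address within seconds. If the flagged address is inside your own network, that points at an internal scanner or a corporate security team, as suggested above; if it is external, the sensible mitigation is not to expose the Bokeh server directly to the internet but to put it behind a reverse proxy or firewall that only admits the clients you expect.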

That was my initial guess, but I was wondering if something like that has been seen before. So thanks a lot for the quick answers.

Thank you for the hints! Together with @Bryan’s replies this answers my question.