Questionable Error Messages in General Log
-
Hi Guys,
I'm running pfSense 2.8.1-RELEASE (amd64) CE on Protectli HW. I'm getting these error messages from a new Windows 11 Home laptop:

Mar 22 18:57:19 nginx 2026/03/22 18:57:19 [error] 16237#100269: *5538 open() "/usr/local/www/cgi/get.cgi" failed (2: No such file or directory), client: 10.A.B.C, server: , request: "GET /cgi/get.cgi?cmd=home_login HTTP/1.1", host: "10.X.Y.Z"
Mar 22 18:57:19 nginx 2026/03/22 18:57:19 [error] 16237#100269: *5537 open() "/usr/local/www/loginMsg.js" failed (2: No such file or directory), client: 10.A.B.C, server: , request: "GET /loginMsg.js HTTP/1.1", host: "10.X.Y.Z"
Mar 22 18:57:19 nginx 2026/03/22 18:57:19 [error] 16237#100269: *5536 open() "/usr/local/www/index.asp" failed (2: No such file or directory), client: 10.A.B.C, server: , request: "GET /index.asp HTTP/1.1", host: "10.X.Y.Z"
Mar 22 18:56:37 nginx 2026/03/22 18:56:37 [error] 16237#100269: *5531 "/usr/local/www/HNAP1/index.php" is not found (2: No such file or directory), client: 10.A.B.C, server: , request: "GET /HNAP1/ HTTP/1.1", host: "10.X.Y.Z"

It's happening once a day at a random time. Does anybody get similar messages in the general log, or has anybody got an idea what could be polling the firewall once a day? The client computer with the address 10.A.B.C is clean, I checked it. It's the one and only Windows 11 Home computer in the network.
Thanks in advance
-
@leroyx So it’s a LAN device? software scanning for vulnerabilities/probe?
-
The easy solution : disconnect the device, and the issue is gone.
But I get it, you consider the device as safe. So, why wait ? Trust has to be gained, created and can withstand some challenge.

For myself, I wouldn't even offer a "Home 11" to anybody. Getting the Pro is somewhat mandatory, as it tends to be a bit cleaner (less bloat stuff) but that advantage starts to fade away, and companies are really yelling now.
Anyway : it's not hard to find out what is happening = what or who is sending these https requests to your pfSense. File names like "index.asp" and "get.cgi" are too generic, but you might have a chance with "loginMsg.js" : locate this text string in every file on your system, and you will find what file it is. Find this file on your PC, and you can see who made the request.
Normally, when you have a new "Home 11", make sure you also have the Install ISO as a backup, and make a disk image of your system as an extra backup.
Then, go shopping for a known to be good (whatever that might be) de-bloat tool and clean your system. You'll be losing all the candy bars and other AI related stuff, and loads of stuff you didn't even know existed on your PC.
-
The Client Computer with the address 10.A.B.C is clean, I checked it.
No it's not.
-
I started TcpLogView on the computer and it's NortonSvc.exe that is polling the firewall once or twice daily. Norton 360 is installed on that particular computer. It's up to date. That is a part of an antivirus / endpoint IT security program. Weird.... just weird
-
Thanks for the feedback.
I think this "Norton" process scans local network resources once in a while and it checks if known 'bad URLs' get a web server answer = a web page. In that case you'll see a "Norton local network security issue message" on your PC.
That's why you saw these web requests on your pfSense web server log.

Remember this one :
said in Questionable Error Messages in General Log:
Anyway : it's not hard to find out what is happening = what or who is sending these https requests to your pfSense. File names like "index.asp" and "get.cgi" are too generic, but you might have a chance with "loginMsg.js" : locate this text string in every file on your system, and you will find what file it is. Find this file on your PC, and you can see who made the request.
which means that in one of the Norton executables or Norton DLLs you would have found the text "loginMsg.js" so you would have known it was Norton sending these URLs.
This :
@leroyx said in Questionable Error Messages in General Log:
I started TcpLogView on the Computer
was a good idea

Btw : Normally, when you start to use a PC, you have to go through the rather tedious process called : "remove bloatware".
Most PC users don't need Antivirus stuff anymore.
And the ones who do, even something like "Norton" can't protect them.
so ... remove it all, and keep the CPU for yourself.
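
Added example, not part of the thread and not pfSense code: a small parser that groups nginx "No such file or directory" errors like the ones in the first post by client, and reports bursts where one client asked for several different missing paths in a short time, which is what a scanner fingerprinting the web GUI looks like in this log. The function names, the 5-minute window and the 3-path threshold are assumptions; the sample lines are the four from the first post, with the addresses redacted as they were there.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The four error lines quoted in the first post (addresses redacted there).
SAMPLE_LOG = """\
Mar 22 18:57:19 nginx 2026/03/22 18:57:19 [error] 16237#100269: *5538 open() "/usr/local/www/cgi/get.cgi" failed (2: No such file or directory), client: 10.A.B.C, server: , request: "GET /cgi/get.cgi?cmd=home_login HTTP/1.1", host: "10.X.Y.Z"
Mar 22 18:57:19 nginx 2026/03/22 18:57:19 [error] 16237#100269: *5537 open() "/usr/local/www/loginMsg.js" failed (2: No such file or directory), client: 10.A.B.C, server: , request: "GET /loginMsg.js HTTP/1.1", host: "10.X.Y.Z"
Mar 22 18:57:19 nginx 2026/03/22 18:57:19 [error] 16237#100269: *5536 open() "/usr/local/www/index.asp" failed (2: No such file or directory), client: 10.A.B.C, server: , request: "GET /index.asp HTTP/1.1", host: "10.X.Y.Z"
Mar 22 18:56:37 nginx 2026/03/22 18:56:37 [error] 16237#100269: *5531 "/usr/local/www/HNAP1/index.php" is not found (2: No such file or directory), client: 10.A.B.C, server: , request: "GET /HNAP1/ HTTP/1.1", host: "10.X.Y.Z"
"""

# Matches both the 'open() ... failed' and the '... is not found' variants.
LINE_RE = re.compile(
    r'nginx (?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] .*?'
    r'\(2: No such file or directory\), client: (?P<client>[^,]+), '
    r'.*?request: "[A-Z]+ (?P<uri>\S+) [^"]*"'
)

def parse(log_text):
    """Yield (timestamp, client, path without query string) per matching line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            yield ts, m["client"], m["uri"].split("?", 1)[0]

def probe_bursts(log_text, window=timedelta(minutes=5), min_paths=3):
    """Return {client: [(first_seen, last_seen, [paths]), ...]} for every burst in
    which a client requested at least min_paths distinct missing paths in window."""
    by_client = defaultdict(list)
    for ts, client, path in sorted(parse(log_text)):
        by_client[client].append((ts, path))
    bursts = defaultdict(list)
    for client, hits in by_client.items():
        group = [hits[0]]
        for hit in hits[1:] + [None]:          # None flushes the last group
            if hit and hit[0] - group[0][0] <= window:
                group.append(hit)
                continue
            paths = sorted({p for _, p in group})
            if len(paths) >= min_paths:
                bursts[client].append((group[0][0], group[-1][0], paths))
            group = [hit]
    return dict(bursts)

if __name__ == "__main__":
    for client, found in probe_bursts(SAMPLE_LOG).items():
        for first, last, paths in found:
            print(f"{client}: {len(paths)} missing paths {first} .. {last}: {paths}")
```

On the firewall itself the same function can be fed the contents of the general log instead of `SAMPLE_LOG`; the reported client address is then the machine on which to run a connection logger such as TcpLogView, as was done in the thread.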