Net Talk Server error: 501 Not Implemented : PHP Support not activated on this serve

rjolda · April 15, 2026, 11:49am

HI,
I have a Net Talk server NT14.37 with c 11.1. It has been running fine on a Windows 11 VPS. All of a sudden I am getting these PHP support not activated on this server and one procedure browse j_pickup is telling me it cannot find the file. This is the garbage I am getting Error [-1:2] opening file: C:\Webapp\InspAuto\web\a_mem_browse_j_pickup-a_mem_browse_j_pickup_value
15 34.444586 30068 InspAuto.exe [st][3] [netTalk][thread=3] SendError = 501 Not Implemented : PHP Support not activated on this server. FileRequest=[admin.php]
16 35.888494 30068 InspAuto.exe [st][3] [netTalk][thread=3] SendError = 501 Not Implemented : PHP Support not activated on this server. FileRequest=[66.php]
17 37.217808 30068 InspAuto.exe [st][3] [netTalk][thread=3] SendError = 501 Not Implemented : PHP Support not activated on this server. FileRequest=[a5.php]
18 39.281307 30068 InspAuto.exe [st][4] [netTalk][thread=4] SendError = 501 Not Implemented : PHP Support not activated on this server. FileRequest=[ol.php]
19 45.702755 30068 InspAuto.exe [st][3] [netTalk][thread=3] Error [-1:2] opening file: C:\Webapp\InspAuto\web\1.1
20 45.704805 30068 InspAuto.exe [st][3] [netTalk][thread=3] Sendfile error 404, Error 404 filename=C:\Webapp\InspAuto\web\1.1
21 45.704878 30068 InspAuto.exe [st][3] [netTalk][thread=3] SendError = 404 The page cannot be found : The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. FileRequest=[1.1]
22 51.477169 30068 InspAuto.exe [st][3] [netTalk][thread=3] Error [-1:2] opening file: C:\Webapp\InspAuto\web\1.1
23 51.477261 30068 InspAuto.exe [st][3] [netTalk][thread=3] Sendfile error 404, Error 404 filename=C:\Webapp\InspAuto\web\1.1
24 51.477351 30068 InspAuto.exe [st][3] [netTalk][thread=3] SendError = 404 The page cannot be found : The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. FileRequest=[1.1]
25 53.147641 30068 InspAuto.exe [st][3] [netTalk][thread=3] SendError = 501 Not Implemented : PHP Support not activated on this server. FileRequest=[style.php]
26 54.837910 30068 InspAuto.exe [st][3] [netTalk][thread=3] Error [-1:2] opening file: C:\Webapp\InspAuto\web\1.1
27 54.839129 30068 InspAuto.exe [st][3] [netTalk][thread=3] Sendfile error 404, Error 404 filename=C:\Webapp\InspAuto\web\1.1
28 54.839183 30068 InspAuto.exe [st][3] [netTalk][thread=3] SendError = 404 The page cannot be found : The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. FileRequest=[1.1]
29 56.743131 30068 InspAuto.exe [st][3] [netTalk][thread=3] Error [-1:2] opening file: C:\Webapp\InspAuto\web\1.1
30 56.744846 30068 InspAuto.exe [st][3] [netTalk][thread=3] Sendfile error 404, Error 404 filename=C:\Webapp\InspAuto\web\1.1

HELP? What is this PHP stuff. Did malicious actor do something or did WIndows update and create this mess?
THanks,
ROn

Bruce · April 15, 2026, 4:42pm

The first error is the interesting one, but likely just a request for a timed out session.

The rest arent new. Your server is on the internet. It’s constantly getting random (malicious) requests. As you can see here they are ignored.

This is perfectly normal and not something to worry about.

RchdR · April 15, 2026, 7:39pm

I suspect its related to this CVE because it was still showing up in 2025 and possibly still occuring in 2026.

if the system is set up to use certain code pages, Windows may use “Best-Fit” behavior to replace characters in command line given to Win32 API functions.

Out of curiosity, not that it helps much, where is the location of the originating IP address?

I say “not help much”, VPN’s are more common now, but they might not have chosen to hide their location if the attacks are coming from botnets running in memory on people’s home routers ala Lizard Squad home router botnet

The bug is exploiting default windows behaviour seen with these api’s.

More information can be found here, which is something we have to be mindful of.

Bruce · April 16, 2026, 5:06am

The individual CVE the script is trying to exploit, and the IP address of the client are irrelevant. If your server is on the internet you will be regularly polled by many many scripts all the time.

At least hundreds, if not thousands per day. Spending even 1 second of your time considering each one would waste all your time.

Since they are probing for know flaws in IIS or Apache or PHP or whatever, they’re all meaningless when sent to a Nettalk app.

RchdR · April 16, 2026, 9:50am

Well there’s not alot of paid work going around at the moment in the UK, the NHS is no more than a govt PR exercise and voluntary euthanasia is still not legal in the UK to escape their torture.

Potentially they are meaningless, in this example, using the default behaviour of a API like a Caesar cipher to get different characters to then run existing apps, is a little bit better than a script kiddie.