Re: Fwd: apache hosting unknown sites !!!

Hello respondents,

Thanks to all of you for your responses. I'm explaining the points which you have asked.

1. The requests are not available in the log because I have blocked the .ru domains at the firewall level. Let me disable the firewall to generate the logs for you.

95.139.226.205 - - [17/Apr/2014:07:26:39 +0200] "-" 408 - "-" "-"
109.188.125.110 - - [17/Apr/2014:07:27:03 +0200] "GET /Uizz9n HTTP/1.1" 301 - "http://www.tv-house.ru/detail/200/5347" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko"
109.188.125.110 - - [17/Apr/2014:07:27:04 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "http://www.tv-house.ru/detail/200/5347" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko"
109.191.88.164 - - [17/Apr/2014:07:27:13 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "-" "libtorrent/0.16.10.0"
109.188.125.110 - - [17/Apr/2014:07:27:16 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "http://www.tv-house.ru/catalog/29/200/31/" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko"


Though the ping command shows a different IP than this server:

ping www.tv-house.ru
PING www.tv-house.ru (90.156.201.67) 56(84) bytes of data.
64 bytes from fe.shared.masterhost.ru (90.156.201.67): icmp_seq=1 ttl=56 time=55.1 ms
64 bytes from fe.shared.masterhost.ru (90.156.201.67): icmp_seq=2 ttl=56 time=55.1 ms
64 bytes from fe.shared.masterhost.ru (90.156.201.67): icmp_seq=3 ttl=56 time=55.1 ms


2. I am not hosting any torrents, though you can see the request:

109.191.88.164 - - [17/Apr/2014:07:27:13 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "-" "libtorrent/0.16.10.0"


3. The sites are still live even after shutting down the server.


4. Even after blocking the requested unknown domains, I see a lot of the following in the access log:

109.191.88.164 - - [17/Apr/2014:07:30:38 +0200] "GET /tracker/?info_hash=%8f%8d%98%b3%3dg%09RrefU%eep%bb%a7%bf%bf%1a%da&peer_id=-IL500%ad-o6JhUN9!EA.n&port=6881&uploaded=0&downloaded=0&left=7978279&corrupt=0&redundant=0&compact=1&numwant=200&key=48fb945&no_peer_id=1&supportcrypto=1&event=started&ipv4=109.191.88.164 HTTP/1.1" 301 - "-" "libtorrent/0.16.10.0"
109.191.88.164 - - [17/Apr/2014:07:30:38 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "-" "libtorrent/0.16.10.0"
95.31.97.94 - - [17/Apr/2014:07:30:44 +0200] "-" 408 - "-" "-"
188.64.112.228 - - [17/Apr/2014:07:30:55 +0200] "-" 408 - "-" "-"
109.188.125.110 - - [17/Apr/2014:07:31:12 +0200] "-" 408 - "-" "-"
188.64.112.228 - - [17/Apr/2014:07:31:26 +0200] "-" 408 - "-" "-"
178.123.127.195 - - [17/Apr/2014:07:31:59 +0200] "GET /tracker/scrape?info_hash=%7F%98%05%BA%40%DB%ADo%1E%DD%D1%0BSL%0C%16%9DT%0D%BE HTTP/1.1" 301 - "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"
178.123.127.195 - - [17/Apr/2014:07:31:59 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"


Thanks 
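As an added example (not part of the thread), a small Python parser for the combined-format lines above: it separates the "-" 408 idle timeouts, the tracker announce/scrape requests and the other torrent-client requests, and tallies which Referer hosts are sending visitors to this server; the sample lines are copied from the messages above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Constructed sample: four lines copied from the messages above.
SAMPLE_LOG = [
    '95.139.226.205 - - [17/Apr/2014:07:26:39 +0200] "-" 408 - "-" "-"',
    '109.188.125.110 - - [17/Apr/2014:07:27:04 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "http://www.tv-house.ru/detail/200/5347" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko"',
    '109.191.88.164 - - [17/Apr/2014:07:27:13 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "-" "libtorrent/0.16.10.0"',
    '178.123.127.195 - - [17/Apr/2014:07:31:59 +0200] "GET /tracker/scrape?info_hash=%7F%98%05%BA%40%DB%ADo%1E%DD%D1%0BSL%0C%16%9DT%0D%BE HTTP/1.1" 301 - "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"',
]

def parse_line(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    if rec["request"] == "-":
        # "-" 408: the client connected but sent no request line before Timeout expired
        rec["method"] = rec["path"] = rec["query"] = None
    else:
        rec["method"], target, _proto = rec["request"].split(" ", 2)
        rec["path"], rec["query"] = urlsplit(target).path, urlsplit(target).query
    return rec

def classify(rec):
    """Label a parsed record by the kind of client that produced it."""
    if rec["status"] == 408:
        return "idle-timeout"
    if rec["path"] and rec["path"].startswith("/tracker/"):
        return "tracker-scrape" if rec["path"].endswith("/scrape") else "tracker-announce"
    if rec["agent"].startswith(("libtorrent", "Zona")):
        return "torrent-client-other"
    return "web"

def summarize(lines):
    """Count request categories and the Referer hosts that sent clients here."""
    categories, referers = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        categories[classify(rec)] += 1
        if rec["referer"] != "-":
            referers[urlsplit(rec["referer"]).hostname] += 1
    return categories, referers
```

The combined format does not record the Host header; adding %{Host}i to the LogFormat would show which of the unknown domain names each request actually asked for.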



On Wed, Apr 16, 2014 at 10:39 PM, Jim Barchuk <jb@xxxxxxxxxxxx> wrote:
HiHi!

My first thought was that a -spammer- had -misconfigured- something, to point a 'spam target domain name' to your IP address. But those domains are registered '06/'07 which is not typical of spam targets, and they appear to be reputable.

Before I go further, a little more info. You mentioned...


tv-house.ru, world-hdtv.ru ... etc.... I am clueless.

and then...


147.45.64.140 - - [16/Apr/2014:11:26:44 +0200] "-" 408 - "-" "-"
176.8.100.50 - - [16/Apr/2014:11:26:59 +0200] "GET /tracker/scrape?info_hash=U%5C%01%04%94%C6%83JV%143eL%B4%FD%5D%AD%D5%5B%E9 HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"

408 is very weird. I didn't even know what it meant, had to look it up, and still don't fully understand what it means, potentially, as related to your situation.

Could you please post a couple of lines that include the earlier *.ru requests?

newly configured opensuse

There are other misconfiguration possibilities. No, not on your side but elsewhere. Your IP address may have been previously used elsewhere for other things, that are still configured to point to you without knowing you're the new owner.

If nothing truly *NEFARIOUS* is going on, then over the course of time, a few days, things may clear themselves out automatically and those odd requests may simply stop happening.

If nothing nefarious is going on, but there are configs somewhere that someone needs to change manually but either forgot about or haven't gotten to yet, then the requests may continue for a while. If they don't stop you may need to write to the owners of those domains to give them a heads-up that they need to fix something or their customers won't be getting pages that they should be.

Along those lines, there might be someone sitting elsewhere wondering why -his- logs have dropped to -zero-. LOL!!! Or, they may drop way off, and as nameservers are updated his logs 'revive' and continue as previous. The only difference is that -he'll- have no clue why it all dropped off, because -he- hadn't changed anything. If he's loading pages locally and everything works fine, yet he gets calls that other people can't load pages, he'll have to know how to research the problem to find out where the misconfiguration is.

Have a :) day!

Jim

--
Jim Barchuk
jb@xxxxxxxxxxxx

