Hello.
I am running an Apache 2.4 server on Debian 8.
Recently, I have noticed that my access log file contains entries like:
198.55.103.73 - - [24/Jul/2017:15:29:45 +0100] "GET http://px.wangying06.com/?bdc HTTP/1.0" 302 - "http://px.wangying06.com/?bdc" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
104.223.185.6 - - [24/Jul/2017:15:29:49 +0100] "GET http://xtt111.com/ HTTP/1.0" 302 - "http://xtt111.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
185.15.244.63 - - [24/Jul/2017:15:29:53 +0100] "GET http://video-edge-c2b188.fra02.hls.ttvnw.net/v0/CuMB6xEBCMkhVCGZ7cZqusjVePCtyTK7dX_RVlVaaXrBmlucADyu76w_8Q4HXy9LUMU8DRIHRDAWsT9A89ewCTV9vEx_f-JS9EKj7IxuvDHJVzA8l6M76rpMCpazRc2MAljDmyeIfjcSDXxH5xtbnO8JleLEitzzxxUbC1_orbaV-fjW_qz0GrUX-jpYNBmZanXlnbKzbR7Z1Ryns8sYK0XFOH4zBWKXMJ1tTNTx36QiHG1o_5p3aNtFPcBVyniMYqfcvxS3FCT5YlPbQIL8AVzrO0Zdb2poieNCoQCtY2RvihNPTP4SEPRbc5ZYChuDVbXCKqx7AK0aDHwVdGoDF17Bx2rPjw/index-live.m3u8 HTTP/1.1" 302 - "-" "-"
142.252.249.8 - - [24/Jul/2017:15:29:53 +0100] "GET http://px.wangying06.com/?bdc HTTP/1.0" 302 - "http://px.wangying06.com/?bdc" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
133.130.116.200 - - [24/Jul/2017:15:29:55 +0100] "GET http://m.albamon.com/list/gi/mon_gib_read.asp?al_gi_no=49479748&optgf=mdlfocus HTTP/1.1" 302 - "" "Mozilla/5.0 (Linux; Android 5.1.1; SM-G928X Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36"
Note that none of the domains in the log is hosted on my server.
But it seems as if xtt111.com was hosted on my server.
I thought that my mod_proxy and mod_proxy_http were being abused.
So, I have removed these and restarted the server.
But I can still see random domains in my log file.
It is as if I was under attack as there is an entry every ms or so.
Any hint will be very welcome.
Thank you very much.
Arcadius.
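
An added example, not part of the original post: a small triage script that scans Apache combined-format log lines for request targets naming a host the server does not serve (absolute-URI requests like the ones above, plus CONNECT, which goes beyond the post) and tallies them by host and status code. The LOCAL_HOSTS set and the sample lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the hostnames this server really serves (placeholder values).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Apache combined format: client ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

def foreign_target(line, local_hosts=LOCAL_HOSTS):
    """Return (client, host, status) when the request names a foreign host, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split()
    if len(parts) != 3:              # malformed or empty request line
        return None
    method, target, _proto = parts
    if method.upper() == "CONNECT":  # authority form: host:port
        host = target.rsplit(":", 1)[0].lower()
    else:
        url = urlsplit(target)       # origin form ("/path") has no scheme
        if url.scheme not in ("http", "https") or not url.hostname:
            return None
        host = url.hostname          # already lower-cased by urlsplit
    if host in local_hosts:
        return None
    return m.group("client"), host, int(m.group("status"))

def summarize(lines, local_hosts=LOCAL_HOSTS):
    """Count foreign-host requests per (host, status) pair."""
    hits = (foreign_target(line, local_hosts) for line in lines)
    return Counter((h[1], h[2]) for h in hits if h)

# Constructed sample lines (documentation addresses and .example names).
SAMPLE = [
    '192.0.2.10 - - [24/Jul/2017:15:29:45 +0100] "GET http://px.probe-a.example/?bdc HTTP/1.0" 302 - "http://px.probe-a.example/?bdc" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.11 - - [24/Jul/2017:15:29:53 +0100] "GET http://px.probe-a.example/?bdc HTTP/1.0" 302 - "-" "-"',
    '198.51.100.7 - - [24/Jul/2017:15:29:55 +0100] "CONNECT mail.probe-b.example:25 HTTP/1.1" 405 - "-" "-"',
    '203.0.113.5 - - [24/Jul/2017:15:30:01 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.38.0"',
    '203.0.113.5 - - [24/Jul/2017:15:30:02 +0100] "GET http://www.example.org/ HTTP/1.1" 200 1043 "-" "curl/7.38.0"',
]

if __name__ == "__main__":
    for (host, status), count in summarize(SAMPLE).most_common():
        print(f"{count:5d}  {status}  {host}")
```
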