
My access log is full of such entries:

178.207.40.219 - - [03/Apr/2014:17:34:37 +0200] "GET http://win.mail.ru/cgi-bin/auth?Login=nutyck@bk.ru&Domain=mail.ru&Password=241716 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.6) Gecko/20050405 Epiphany/1.6.1 (Ubuntu) (Ubuntu package 1.0.2)" "-"
178.207.40.219 - - [03/Apr/2014:17:34:37 +0200] "GET http://win.mail.ru/cgi-bin/auth?Login=nuzhdinss@bk.ru&Domain=mail.ru&Password=cbvfdghjr HTTP/1.1" 403 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MathPlayer2.0)" "-"
178.207.40.219 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/auth?Login=nvb915@bk.ru&Domain=mail.ru&Password=tata915 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.452) Gecko/20041027 Mnenhy/0.6.0.104" "-"
178.207.40.219 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/auth?Login=nvmovchan@bk.ru&Domain=mail.ru&Password=011296 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.4/Megaupload 3.0" "-"
178.207.40.219 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/auth?Login=nv-panchenko@bk.ru&Domain=mail.ru&Password=270161 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1" "-"
178.207.40.219 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/auth?Login=nweoez@bk.ru&Domain=mail.ru&Password=nwe9338 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows; U; Win9x; en; Stable) Gecko/20020911 Beonex/0.8.1-stable" "-"

So my server was attacked somehow, as it seems. What I don't understand is why there are these http://win.mail.ru/ URLs. Does my server call those URLs? Those calls should be logged on that Russian server, not on mine. Or am I wrong? Are these URLs just strings that are sent to my server when something on my server is called? But what is called?

I have no experience with the nginx server. So sorry if this question is dumb.

robsch

1 Answer


The HTTP 1.1 protocol allows specifying a hostname with the request, and this can be an arbitrary name belonging to a different host (or to none at all). This is what makes having multiple virtual hosts on a web server possible, because the server can use the name specified in the request to route it to the correct vhost.

In the default config, hostnames that don't have a vhost definition get routed (and logged) to the default vhost.

What happens with your server is just the usual background noise of bots and kiddies trying all kinds of attacks on more or less random hosts.

Sven
  • I think I get it. But it makes no sense to try these Russian URLs on my server, which is in Austria. It's easier to win a jackpot than to try to call something on some host. If I were to attack a server, at least I would try it with the right domain name... I don't get this. – robsch Apr 04 '14 at 07:15
  • Yes, it's a gamble, but unlike a lottery ticket, it doesn't cost the perpetrators anything to try a wide range of attacks on a wide range of hosts. – Sven Apr 04 '14 at 07:18
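The answer's point is that the hostname in a request is whatever the client chooses to send, and unmatched names land on the default vhost. As an added illustration (not part of the question or answer), the following script parses nginx "combined" log lines and flags requests whose request line carries an absolute URI for a host this server does not serve, i.e. clients treating it as an open proxy. The log lines, addresses and the set of served hostnames are constructed placeholders, not the real values from the post.

```python
import re
from urllib.parse import urlsplit

# Regex for nginx's default "combined" log format (assumed here); the whole
# request line is captured so its target can be inspected.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def request_target_host(request_line):
    """Return the host named in an absolute-URI request line, else None.

    "GET http://other.host/x HTTP/1.1" names its own host (proxy style);
    "GET /x HTTP/1.1" does not, and the Host header is not in this log format.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    if not url.scheme or not url.hostname:
        return None  # a relative target, even if it contains "://" in a query
    return url.hostname.lower()


def find_proxy_probes(lines, served_hosts):
    """Return (client_ip, target_host, status) for absolute-URI requests that
    name a host we do not serve; these were answered by the default vhost."""
    served = {h.lower() for h in served_hosts}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        host = request_target_host(m.group("request"))
        if host is not None and host not in served:
            hits.append((m.group("ip"), host, int(m.group("status"))))
    return hits


# Constructed sample entries shaped like the question's log; credentials
# are replaced with placeholders and the client addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Apr/2014:17:34:37 +0200] "GET http://win.mail.ru/cgi-bin/auth?Login=user@example.invalid&Password=REDACTED HTTP/1.1" 403 168 "-" "Mozilla/5.0" "-"',
    '192.0.2.10 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/auth?Login=other@example.invalid&Password=REDACTED HTTP/1.1" 403 168 "-" "Mozilla/5.0" "-"',
    '198.51.100.7 - - [03/Apr/2014:17:35:01 +0200] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"',
    '198.51.100.8 - - [03/Apr/2014:17:35:02 +0200] "GET http://www.example.org/about HTTP/1.1" 200 1024 "-" "curl/7.35.0" "-"',
]

if __name__ == "__main__":
    for ip, host, status in find_proxy_probes(SAMPLE_LOG, {"www.example.org", "example.org"}):
        print(f"{ip} asked this server to fetch {host} (answered {status})")
```

Only the two entries aimed at win.mail.ru are reported; the normal origin request and the absolute-URI request for a served name are not.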