1

I am hosting a small test website on EC2, and there should be only 2-3 test users with valid logins to my server. However, I am seeing a lot of junk logs in my Apache access_log (/var/log/httpd/access_log):

198.2.208.231 - - [13/Dec/2013:21:11:07 +0000] "GET http://ib.adnxs.com/ttj?id=1995383&position=above HTTP/1.0" 302 - "http://www.minbusiness.net/?p=611" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0 Safari/533.16"

173.234.32.69 - - [13/Dec/2013:21:11:07 +0000] "GET http://ads.creafi-online-media.com/st?ad_type=iframe&ad_size=728x90,468x60&section=5172215&pub_url=${PUB_URL} HTTP/1.0" 302 - "http://lookfashionstyle.com/index.php?option=com_content&view=category&layout=blog&id=42&Itemid=98&limitstart=24" "Mozilla/4.0 (compatible; MSIE 6.0; WINDOWS; .NET CLR 1.1.4322)"

198.136.31.98 - - [13/Dec/2013:21:11:07 +0000] "GET http://ad.tagjunction.com/st?ad_type=ad&ad_size=468x60&section=4914662&pub_url=${PUB_URL} HTTP/1.0" 302 - "http://www.benzec.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"

....

Not exactly sure what's going on... Am I being attacked?

Thanks!

Jason

2 Answers

1

One possibility is that your server is configured as an open proxy and some ad scams are proxying traffic through it to hide their real origin.

David Levesque
  • This makes sense - but after I disabled the proxy I still see the access log full of junk - but the status changed from "302" to "403". How can I totally get rid of these requests from the access log? – Jason Dec 14 '13 at 01:21
  • 403 means access forbidden so the abusers will eventually realize they don't have access anymore and stop. If it doesn't stop (or you don't want to wait), you could try to release your EC2 Elastic IP and get a new one. If they were accessing by IP address (and not by domain) it should stop them. You could also try to block them at the firewall level, but that may be harder since the requests seem to come from multiple IPs. – David Levesque Dec 14 '13 at 04:38
  • Yes - they came from hundreds of different IPs. I will wait for a few days and then try to release EC2 elastic IP and get a new one. – Jason Dec 14 '13 at 10:20
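
An added example (not part of the original answer or comments): a small log check for the open-proxy pattern described above, where the request line names a foreign host instead of a local path. It also covers `CONNECT` requests, which goes beyond the `GET` lines shown in the question; `OWN_HOSTS` and the sample lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

OWN_HOSTS = {"test.example.com"}  # assumed: hostnames this server really serves

# Leading fields of an Apache common/combined log line, up to the status code.
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')

def proxy_attempt(line, own_hosts=OWN_HOSTS):
    """Return (client, target_host, status) for a forward-proxy style request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":                  # authority-form target: host:port
        host = target.rsplit(":", 1)[0]
    elif "://" in target.split("?", 1)[0]:   # absolute-form target: scheme://host/path
        host = urlsplit(target).hostname or ""
    else:                                    # origin-form (/path): an ordinary request
        return None
    host = host.lower()
    if host in own_hosts:                    # absolute URI naming our own site is legitimate
        return None
    return m.group("client"), host, int(m.group("status"))

def summarize(lines):
    """Count foreign-host proxy attempts per HTTP status and collect the client IPs."""
    by_status, clients = Counter(), set()
    for line in lines:
        hit = proxy_attempt(line)
        if hit:
            clients.add(hit[0])
            by_status[hit[2]] += 1
    return by_status, clients

# Constructed sample lines (documentation IPs and example domains, not from the page).
SAMPLE = [
    '203.0.113.10 - - [13/Dec/2013:21:11:07 +0000] "GET http://ads.example.net/st?ad_type=iframe HTTP/1.0" 302 - "http://blog.example.org/" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Dec/2013:01:20:00 +0000] "GET http://ads.example.net/st?ad_type=ad HTTP/1.0" 403 210 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [14/Dec/2013:01:21:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [14/Dec/2013:01:22:00 +0000] "GET http://test.example.com/login HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [14/Dec/2013:01:23:00 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 403 210 "-" "-"',
]

if __name__ == "__main__":
    statuses, clients = summarize(SAMPLE)
    print(dict(statuses), sorted(clients))
```

Run over the real access_log, the per-status counts show whether foreign-host requests are still being answered with something other than the 403 seen after the proxy was disabled.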
0

There are a lot of bots around the web attempting all kinds of exploits. I spawned my web server just yesterday and already received lots of spamming/exploit attempts, like the ones in the thread I've just created (and not only those, quite a few others. Cloudflare is helping, but it doesn't catch it all, at least not in the free version, which is what I am using to get some protection):

Exploit Attempts in nginx access log, Some logs without IP, what to do about it?

Pablo Camara