Why my nginx server receives requests targeting ads.yahoo.com?

nginx logging

It seems like they are trying to use your web server as an open proxy. As long as you don't see your servers responding with a 200 OK, you shouldn't be worried.

UPDATE:

Although there may be ways to handle this with builtin nginx functionality, I found easier to install/enable mod_security and let him handle this and other nasty attacks. As you'll see in the logs below, somebody is trying to reach wikipedia through my server, mod_security knows that this this is an anomaly an takes an appropriate action (It returns a 403 forbidden response). This is an Apache server but it should be exactly the same in nginx.

--817ee627-A--
[03/Feb/2014:22:26:01 +0300] Uu-tScDjiOsAAALeENQAAAAA 178.19.107.26 52735 1.2.3.4 80
--817ee627-B--
GET http://wikipedia.pl HTTP/1.1
Host: wikipedia.pl
Accept: */*
Proxy-Connection: Keep-Alive

--817ee627-F--
HTTP/1.1 403 Forbidden
Content-Length: 202
Connection: close
Content-Type: text/html; charset=iso-8859-1

--817ee627-E--

--817ee627-H--
Message: Access denied with code 403 (phase 1). Match of "rx ^(?i:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$" against "REQUEST_LINE" required. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "GET http://wikipedia.pl HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"]
Action: Intercepted (phase 1)
Stopwatch: 1391455561096692 260049 (- - -)
Stopwatch2: 1391455561096692 260049; combined=104238, p1=104194, p2=0, p3=0, p4=0, p5=43, sr=104028, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"

*1.2.3.4 = I replaced my IP address with this fake IP. I don't need any more strange packets knocking my door :)

Related

What does "single-bit ECC errors were detected on the RAID controller" mean?
Is it Possible to Automatically Resilver a ZFS Array On Hotswap
How to find parent process for child process if parent process is terminated
How can I quickly detect files that are shadowed by a mounted filesystem
Where's my RAM if it's not in cache/buffers or used by processes?
Shell script: the child process do not terminate in linux
How do I remove (un-apply) a named filter from a Procurve switch port using the CLI?
Troubleshooting Application Evaluations in SCCM2012
Active Directory Administrative Center over Active Directory Users and Computers
How do I give label to vSwitches on VMWare?
Adding "HttpOnly" and "Secure" cookie flags on Nginx & PHP
How Active Directory Dynamic DNS updates works behind the scenes?