Is my Apache server under attack [duplicate]

apache-2.2 ubuntu

Hi please have a look at the access log. I'm getting a million entries like this and dont't know how to stop it. First off is this an attack and if so how do i stop it and prevent it from happening again.

Photo of log

192.184.54.119 — — [14/Mar/2014:14:28:48 +0200] “GET http://ads.pubrnatic.com/Adserver/js/ibshowad.js HTTP/1.O” 200 1204S “http://ads.yoo.com/st?adtype=iframe&adsize=728x9O&section=S13OO96&pubur1=mostgamespa1y.com” “Mozilla/ atible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)”
192.184.40.105 — — [14/Mar/2014:14:28:46 +0200] “GET http:f/ads.yoo.coget—user—id?ver2&s542598O&tsl3948OOO99&sig42da229369dO7a3O HTTP/l.O” 200 589 “http://ads.yahoo.coznlst?ad_typeiframe&ad_size72Sx9O&sectionS42S98O&pt cenews.com” “Mozilla/4.O (compatible; MSIE 6.0; Windows NT 4.0; Alexa Toolbar)”
192.184.62.133 — — [l4/Mar/2014:14:28:46 +02001 “GET http://ads.yahoo.com/pixel?idl080229&t2 HflP/l.O” 302 835 /5.0 (Windows; U; Windows NT 5.1; en—US; rv:l.7) Gecko/20040626 Firefox/O.9.l”
192.184.62.131 — — [14/Mar/2014:14:28:53 +0200J “GET http://ib.adnxs.com/seg?add35728l&t2 HTTP/1.O” 302 1090  “http://ads.yahoo.comst?ad_teiframe&ad_size728x9O&section53O46S4&pub_urlpcgamesofun.com” “Mozilla/4.O (compati 5.5; Windows 98; Alexa Toolbar)”
107.160.10.76  — — [14/Mar/2014:14:28:43 +0200] “GET http://content.yieldmanager.edgesuite.net/atonis/Od/65/5a/8b/Od6SSaBbeca597ed6b64l6f7dal67aec.gif  HTTP/l.O” 200 17745 “http://www.thedthosaurgames.com” “Mozilla/4.O (compatible; ; Windows NT 5.0; Alexa Toolbar)”
192.184.40.98  — — [14/Mar/2014:14:28:53 +0200J “GET http://ib.adnxs.coWpx?idl5959l&t2 HflP/l.O” 200 1015 cM100000cSO9600aRCRÐ&cidWS_OMG_BM_SA_786_RTBLifestyle_SWF_CRO2_C230_acts_NA” “Mozilla/4.O (compatible; 1151E 5.01; Windows 95; Alexa Toolbar)”
192.184.54.114 — — [l4/Mar/2014:14:28:46 +02001 “GET http://ads.yahoo.coni/get—user—id?ver=2&s=5141567&ts=l394800009&sig=624l2e5886a1adaa HTTP/1.O” 200 589 “http://ads.yahoo.com/st?ad_typeiframe&ad_size728x90&sectionSl4lS67&ptpi.com” “Mozilla/4.O (compatible; MSIE 5.0; Windows 98; DigExt; Alexa Toolbar)”
192.184.62.137 — — [l4/Mar/20l4:14:28:49 +0200] “GET http://ds.serving—sys.coxn/BurstingCachedScripts//Ad21540/ebStdBanner.js HTTPI1.O” 200 98176 “http://fral.ib.adnxs.com/if?encfkOIyt7X8D8hsHJoke3oPyGwcaiR7egLvTSXoSo7D_9p!X8SsCx6BXgUuRlrl4qOfh9STrAAAAAEvRIgB6AgAAoQcAAAIAAADÐT8YAOSwFAAAAAQBVEJOQAWNE.ANgCWgDsygAAnYOAAgUCAQIAAIwAgC35tQAAAAA . &cnd%2 1hSNtXwiS48QBEMOfmQYYACC7UBYwADjs1RtAAEihÐ1DLoosBWABgkQZoAIiAAeACAAQCIAQCQAQGYAQGgAQGoAQOwAQCSAVZSV1zjMI)4zllzP8kBzrnEYlfGj—D_ZAQAAAAAAAPA_4AEA&ccd%21FQb4OQiS48QBEMOfmQYYu7gWIAA.223954%2C+367675%2C+O%2C+O%2C+2592000%29%3ßppv%28l55649%2C+%2763l42654897l4567058%27%2C+l394800097%2C+l397392097%2C+3223954%2C+367675%2C+O%2C+O%2C+2592000%29%3B&vpid43&apid22 435&referrerjerusalemonline.com&media_subtypesl&ct “Mozilla/4.O (compatible; MSIE 6.0; Windows 98; Alexa Toolbar)”
192.184.53.236 — — [14/Mar/2014:14:28:48 +0200] “GET http://ib.adnxs.com/seg?add357300&t2 HTTP/l.O” 302 1091 “http://www.vagobond.com” “Mozilla/4.76 (Macintosh; U; PPC)” 
192.184.62.135 — — [14/Mar/2014:14:28:43 +0200] “GET http://ibadnxs.com/seg?add357300&t2 HTTP/l..O” 302 1091 “http://www.splashnewsonline.com” “Mozilla/4.08 [en] (WinNT; U)” 
192.184.62.137 — — [l4/Mar/2014:14:28:48 +02001 “GET http://cdn.adnxs.com/p/31/bO/bO/69/3lbObO6949e3edbSdS24Sa3bfd4bl6b7.gif HTTP/l.O” 200 22490 “http://ads.ythoo.com/st?adtype=iframe&adsize=728x90&section=54260l9&puburl=jerine.com” “Mozilla/4.O (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)”
192.184.53.231 — — [14/Mar/2014:14:28:Sl +0200J “GET http://ads.creafi—online—media.com/pixel?idl774l97&t2 HTTP/1.O” 302 751 “http://www.lifeandhealth.org” “Mozilla/4.O (compatible; MSIE 6.0;Windows NT 5.0; Alexa Toolbar)”
192.184.49.221 — — [14/Mar/20l4:14:28:49 +0200] “GET  http://content.yieldmanager.edgesuite.net/atorns/29/6a/17/ee/296al7eebb6aadc7es6fadd4e96csb3s.gif HTTP/1.O” 200 11771 “http://www.yfia.com” “Mozillaf4.O (compatible; MSIE 6.01; 98; Alexa Toolbar)”
192.184.40.99  — — [l4/Mar/20l4:l4:28:47 +0200] “GET http://ads.yahoo.com/get—user—id?ver=2&s=5425844&ts=l394799996&sig=6ccfla86b3oa6dcb HTTP/l.0” 200 589 “http://www.splashnewsonline.com” “Mozilla/5.0 (Windows; U; Windows NT 5.1 rv:1.6) Gecko/20040206 Firefox/0.8”
107.160.10.75  — — [14/Mar/2014:14:28:41 +0200J “GET HTTP/1.0” 200 2066 “http://ads.yahoo.com/st iframe&ad_size728x90&section5lo27ll&pub_url—thetraingames.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; Alexa Toolbar)”
192.184.49.211 — — [14/Mar/2014:14:28:4l +0200] “GET HTTP/1.0” 200 2230 “http://ads.yahoo.corn/st?ad_te&ad_size728x90&section5l3o867&pub_urlkatheating.com” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en—US; rv:1.6) Gecko/20040113”
192.184.54.116 — — [l4/Mar/2014:14:28:Sl +0200J “GET http://ads.yahoo.coni/stadtype=iframe&adsize=728x90&section=5150479&puburl=zcxo.com HTTP/1.0 200 6027 “http://www.zcxo.com” “Mozilla/4.0 (compatible; MSIE 5.5; AOL 6.0; Wi
192.184.40.103 — — [14/Mar/2014:14:28:49 +0200J “GET http://cdn.adnxs.com/ANX_async_usersync.js HTTP/l.0” 200 1890 “http://ads.yahoo.coni/st?adtype=iframe&adsize=728x90&section=5426026&puburl=travelsmith.com” “Mozilla/4.0 (cot MSIE 5.5; Windows NT 4.0; Alexa Toolbar)”
192.184.62.138 — — [14/Mar/2014:14:28:43 +0200] “GET http://cdn.adnxs.coni/p/31/bO/bO/69/3lbObO6949e3edbSdS24Sa3bfd4bl6b7.gif HTTP/1.0” 200 22490 “http://ads.yahoo.cotn/st?adtype=iframe&adsize=728x90&section=54260l9&puburl=jerine.com” “Mozilla/4.76 [en] (Win98; U)”
192.184.62.139 - - [14/Mar/2014 :14:28:54 +0200 J “GET http: //fral . ib. adnxs . AQIAAIwASy1V1QAAAAA. &udjuf%28%27a%2 7C+%275126610165993718005%27%2C+l394800132%2C+1397392132%2C+3282l78%2C+367675%2C+0%2C+0%2C+2592000%29%3B&vpid=43&apid=22435&referrer=http%3A%2F%2Fads.yahoo.com%2Fst%3Fad type%3Diframe%26adsize%3D728x90%26section%3D5426026%26pubvelsmith.com&mediasubtypes=1&ct=0&dlo=1 HTTP/1.0” 200 2855 “http://ads.yahoo.com/st?adtype=iframe&adsize=728x90&section=5426026&puburl=travelsmith.com” “Mozilla/4.61 [en] (WinNT; I)”
107.160.10.75 — — [14/Mar/20l4:14:28:46 +0200J “GET HTTP/1.0” 200 2066 “http://ads.yahoo.com/st iframe&ad size728x90&sectionSlO27ll&puburlthetraingames.com” “Mozilla/4.0 (compatible; MSIE 5.0; Windows NT;igExt)” — —

Solution 1:

It looks like someone is blindly search for web server with proxy enabled. The requests here are most of the form GET http://<something>. Normal requests should looks like GET /mysite/index.php (or what ever files and directories you have in your web root).

Can become a problem if you get more and more requests of this kind because it can overloa your web server (DOS - denial of service attack).

If you see constantly the same IP as origin of these requests, you can add some iptables rules to ban them before they get handled by Apache.

Related

updates-testing repo for CentOS 6?
How to analyse performance issue on apache web server?
How to redirect to different servers based on login username?
Halt goes into uninterruptable state while shutting down - how can I shut down?
Upgrade ubuntu 9.10 to 10.04
How Can I Take The First Four Elements Of A Column In Each Row and Append it To A Newly Created Column Using Python Pandas?
Remove an array from an Array if a certain value exists in the array in javascript
table manager does not purge chunk in loki 2.4
How to create a page navigation partial view?
Tensorflow: ValueError: Shapes (None, 1) and (None, 2) are incompatible
how to build nextjs with fallback: true enable
How to order PGSQL output depending on where clause