Is my Apache server under attack [duplicate]
Hi, please have a look at the access log. I'm getting a million entries like this and don't know how to stop it. First off, is this an attack, and if so, how do I stop it and prevent it from happening again?
Photo of log
192.184.54.119 — — [14/Mar/2014:14:28:48 +0200] “GET http://ads.pubrnatic.com/Adserver/js/ibshowad.js HTTP/1.O” 200 1204S “http://ads.yoo.com/st?adtype=iframe&adsize=728x9O§ion=S13OO96&pubur1=mostgamespa1y.com” “Mozilla/ atible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)”
192.184.40.105 — — [14/Mar/2014:14:28:46 +0200] “GET http:f/ads.yoo.coget—user—id?ver2&s542598O&tsl3948OOO99&sig42da229369dO7a3O HTTP/l.O” 200 589 “http://ads.yahoo.coznlst?ad_typeiframe&ad_size72Sx9O§ionS42S98O&pt cenews.com” “Mozilla/4.O (compatible; MSIE 6.0; Windows NT 4.0; Alexa Toolbar)”
192.184.62.133 — — [l4/Mar/2014:14:28:46 +02001 “GET http://ads.yahoo.com/pixel?idl080229&t2 HflP/l.O” 302 835 /5.0 (Windows; U; Windows NT 5.1; en—US; rv:l.7) Gecko/20040626 Firefox/O.9.l”
192.184.62.131 — — [14/Mar/2014:14:28:53 +0200J “GET http://ib.adnxs.com/seg?add35728l&t2 HTTP/1.O” 302 1090 “http://ads.yahoo.comst?ad_teiframe&ad_size728x9O§ion53O46S4&pub_urlpcgamesofun.com” “Mozilla/4.O (compati 5.5; Windows 98; Alexa Toolbar)”
107.160.10.76 — — [14/Mar/2014:14:28:43 +0200] “GET http://content.yieldmanager.edgesuite.net/atonis/Od/65/5a/8b/Od6SSaBbeca597ed6b64l6f7dal67aec.gif HTTP/l.O” 200 17745 “http://www.thedthosaurgames.com” “Mozilla/4.O (compatible; ; Windows NT 5.0; Alexa Toolbar)”
192.184.40.98 — — [14/Mar/2014:14:28:53 +0200J “GET http://ib.adnxs.coWpx?idl5959l&t2 HflP/l.O” 200 1015 cM100000cSO9600aRCRÐ&cidWS_OMG_BM_SA_786_RTBLifestyle_SWF_CRO2_C230_acts_NA” “Mozilla/4.O (compatible; 1151E 5.01; Windows 95; Alexa Toolbar)”
192.184.54.114 — — [l4/Mar/2014:14:28:46 +02001 “GET http://ads.yahoo.coni/get—user—id?ver=2&s=5141567&ts=l394800009&sig=624l2e5886a1adaa HTTP/1.O” 200 589 “http://ads.yahoo.com/st?ad_typeiframe&ad_size728x90§ionSl4lS67&ptpi.com” “Mozilla/4.O (compatible; MSIE 5.0; Windows 98; DigExt; Alexa Toolbar)”
192.184.62.137 — — [l4/Mar/20l4:14:28:49 +0200] “GET http://ds.serving—sys.coxn/BurstingCachedScripts//Ad21540/ebStdBanner.js HTTPI1.O” 200 98176 “http://fral.ib.adnxs.com/if?encfkOIyt7X8D8hsHJoke3oPyGwcaiR7egLvTSXoSo7D_9p!X8SsCx6BXgUuRlrl4qOfh9STrAAAAAEvRIgB6AgAAoQcAAAIAAADÐT8YAOSwFAAAAAQBVEJOQAWNE.ANgCWgDsygAAnYOAAgUCAQIAAIwAgC35tQAAAAA . &cnd%2 1hSNtXwiS48QBEMOfmQYYACC7UBYwADjs1RtAAEihÐ1DLoosBWABgkQZoAIiAAeACAAQCIAQCQAQGYAQGgAQGoAQOwAQCSAVZSV1zjMI)4zllzP8kBzrnEYlfGj—D_ZAQAAAAAAAPA_4AEA&ccd%21FQb4OQiS48QBEMOfmQYYu7gWIAA.223954%2C+367675%2C+O%2C+O%2C+2592000%29%3ßppv%28l55649%2C+%2763l42654897l4567058%27%2C+l394800097%2C+l397392097%2C+3223954%2C+367675%2C+O%2C+O%2C+2592000%29%3B&vpid43&apid22 435&referrerjerusalemonline.com&media_subtypesl&ct “Mozilla/4.O (compatible; MSIE 6.0; Windows 98; Alexa Toolbar)”
192.184.53.236 — — [14/Mar/2014:14:28:48 +0200] “GET http://ib.adnxs.com/seg?add357300&t2 HTTP/l.O” 302 1091 “http://www.vagobond.com” “Mozilla/4.76 (Macintosh; U; PPC)”
192.184.62.135 — — [14/Mar/2014:14:28:43 +0200] “GET http://ibadnxs.com/seg?add357300&t2 HTTP/l..O” 302 1091 “http://www.splashnewsonline.com” “Mozilla/4.08 [en] (WinNT; U)”
192.184.62.137 — — [l4/Mar/2014:14:28:48 +02001 “GET http://cdn.adnxs.com/p/31/bO/bO/69/3lbObO6949e3edbSdS24Sa3bfd4bl6b7.gif HTTP/l.O” 200 22490 “http://ads.ythoo.com/st?adtype=iframe&adsize=728x90§ion=54260l9&puburl=jerine.com” “Mozilla/4.O (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)”
192.184.53.231 — — [14/Mar/2014:14:28:Sl +0200J “GET http://ads.creafi—online—media.com/pixel?idl774l97&t2 HTTP/1.O” 302 751 “http://www.lifeandhealth.org” “Mozilla/4.O (compatible; MSIE 6.0;Windows NT 5.0; Alexa Toolbar)”
192.184.49.221 — — [14/Mar/20l4:14:28:49 +0200] “GET http://content.yieldmanager.edgesuite.net/atorns/29/6a/17/ee/296al7eebb6aadc7es6fadd4e96csb3s.gif HTTP/1.O” 200 11771 “http://www.yfia.com” “Mozillaf4.O (compatible; MSIE 6.01; 98; Alexa Toolbar)”
192.184.40.99 — — [l4/Mar/20l4:l4:28:47 +0200] “GET http://ads.yahoo.com/get—user—id?ver=2&s=5425844&ts=l394799996&sig=6ccfla86b3oa6dcb HTTP/l.0” 200 589 “http://www.splashnewsonline.com” “Mozilla/5.0 (Windows; U; Windows NT 5.1 rv:1.6) Gecko/20040206 Firefox/0.8”
107.160.10.75 — — [14/Mar/2014:14:28:41 +0200J “GET HTTP/1.0” 200 2066 “http://ads.yahoo.com/st iframe&ad_size728x90§ion5lo27ll&pub_url—thetraingames.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; Alexa Toolbar)”
192.184.49.211 — — [14/Mar/2014:14:28:4l +0200] “GET HTTP/1.0” 200 2230 “http://ads.yahoo.corn/st?ad_te&ad_size728x90§ion5l3o867&pub_urlkatheating.com” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en—US; rv:1.6) Gecko/20040113”
192.184.54.116 — — [l4/Mar/2014:14:28:Sl +0200J “GET http://ads.yahoo.coni/stadtype=iframe&adsize=728x90§ion=5150479&puburl=zcxo.com HTTP/1.0 200 6027 “http://www.zcxo.com” “Mozilla/4.0 (compatible; MSIE 5.5; AOL 6.0; Wi
192.184.40.103 — — [14/Mar/2014:14:28:49 +0200J “GET http://cdn.adnxs.com/ANX_async_usersync.js HTTP/l.0” 200 1890 “http://ads.yahoo.coni/st?adtype=iframe&adsize=728x90§ion=5426026&puburl=travelsmith.com” “Mozilla/4.0 (cot MSIE 5.5; Windows NT 4.0; Alexa Toolbar)”
192.184.62.138 — — [14/Mar/2014:14:28:43 +0200] “GET http://cdn.adnxs.coni/p/31/bO/bO/69/3lbObO6949e3edbSdS24Sa3bfd4bl6b7.gif HTTP/1.0” 200 22490 “http://ads.yahoo.cotn/st?adtype=iframe&adsize=728x90§ion=54260l9&puburl=jerine.com” “Mozilla/4.76 [en] (Win98; U)”
192.184.62.139 - - [14/Mar/2014 :14:28:54 +0200 J “GET http: //fral . ib. adnxs . AQIAAIwASy1V1QAAAAA. &udjuf%28%27a%2 7C+%275126610165993718005%27%2C+l394800132%2C+1397392132%2C+3282l78%2C+367675%2C+0%2C+0%2C+2592000%29%3B&vpid=43&apid=22435&referrer=http%3A%2F%2Fads.yahoo.com%2Fst%3Fad type%3Diframe%26adsize%3D728x90%26section%3D5426026%26pubvelsmith.com&mediasubtypes=1&ct=0&dlo=1 HTTP/1.0” 200 2855 “http://ads.yahoo.com/st?adtype=iframe&adsize=728x90§ion=5426026&puburl=travelsmith.com” “Mozilla/4.61 [en] (WinNT; I)”
107.160.10.75 — — [14/Mar/20l4:14:28:46 +0200J “GET HTTP/1.0” 200 2066 “http://ads.yahoo.com/st iframe&ad size728x90§ionSlO27ll&puburlthetraingames.com” “Mozilla/4.0 (compatible; MSIE 5.0; Windows NT;igExt)” — —
Solution 1:
It looks like someone is blindly searching for web servers with proxy enabled.
The requests here are mostly of the form GET http://<something>. Normal requests should look like GET /mysite/index.php (or whatever files and directories you have in your web root).
It can become a problem if you get more and more requests of this kind, because it can overload your web server (DoS - denial of service attack).
If you constantly see the same IP as the origin of these requests, you can add some iptables rules to ban them before they get handled by Apache.
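An added example, not part of the original answer: one way to find the repeat sources the answer mentions is to scan the access log for request lines that carry an absolute URL for a host that is not yours, and count them per client IP. The function names, the `own_hosts` set, the threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache common/combined log prefix: client, identd, user, [time], "request", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

def proxy_probe(line, own_hosts):
    """Return (ip, status) if the request uses an absolute URL for a host
    that is not ours (the GET http://<something> pattern), else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if not target.lower().startswith(("http://", "https://")):
        return None  # origin-form request such as GET /mysite/index.php
    try:
        host = (urlsplit(target).hostname or "").lower()
    except ValueError:
        host = ""  # malformed authority: still not one of our hosts
    if host in own_hosts:
        return None  # absolute URL naming our own site is legitimate
    return m.group("ip"), int(m.group("status"))

def repeat_offenders(lines, own_hosts, threshold):
    """Count proxy-style requests per client IP; keep IPs at or above threshold."""
    hits = Counter()
    for line in lines:
        probe = proxy_probe(line, own_hosts)
        if probe:
            hits[probe[0]] += 1
    return sorted((ip, n) for ip, n in hits.items() if n >= threshold)

# Constructed sample lines (documentation addresses, not taken from the log above).
SAMPLE = [
    '192.0.2.10 - - [14/Mar/2014:14:28:48 +0200] "GET http://ads.example.net/show.js HTTP/1.0" 200 1204 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [14/Mar/2014:14:28:49 +0200] "GET http://cdn.example.net/a.gif HTTP/1.0" 200 2249 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [14/Mar/2014:14:28:50 +0200] "GET /mysite/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Mar/2014:14:28:51 +0200] "GET http://www.example.org/mysite/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Mar/2014:14:28:52 +0200] "GET http://ads.example.net/pixel?id=1 HTTP/1.0" 302 835 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, n in repeat_offenders(SAMPLE, {"www.example.org"}, threshold=2):
        print(f"{n} proxy-style requests from {ip}: iptables -I INPUT -s {ip} -j DROP")
```

The printed `iptables` line is only a suggestion for review; check each address against your own clients before adding a rule.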