Access log of nginx: why are foreign URLs logged?

url nginx logging

My access log is full of such entries:

178.207.40.219 - - [03/Apr/2014:17:34:37 +0200] "GET http://win.mail.ru/cgi-bin/[email protected]&Domain=mail.ru&Password=241716 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.6) Gecko/20050405 Epiphany/1.6.1 (Ubuntu) (Ubuntu package 1.0.2)" "-"
178.207.40.219 - - [03/Apr/2014:17:34:37 +0200] "GET http://win.mail.ru/cgi-bin/[email protected]&Domain=mail.ru&Password=cbvfdghjr HTTP/1.1" 403 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MathPlayer2.0)" "-"
178.207.40.219 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/[email protected]&Domain=mail.ru&Password=tata915 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.452) Gecko/20041027 Mnenhy/0.6.0.104" "-"
178.207.40.219 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/[email protected]&Domain=mail.ru&Password=011296 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.4/Megaupload 3.0" "-"
178.207.40.219 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/[email protected]&Domain=mail.ru&Password=270161 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1" "-"
178.207.40.219 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/[email protected]&Domain=mail.ru&Password=nwe9338 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows; U; Win9x; en; Stable) Gecko/20020911 Beonex/0.8.1-stable" "-"

So my server was attacked somehow as it seemes. What I don't understand is why there are these http://win.mail.ru/ URLs. Does my server call those URLs? Those calls should be logged on that russian server, not on my one. Or am I wrong? Are these URLs just strings that are sent to my server when something on my server is called? But what is called?

I have no experience with the nginx server. So sorry if this question is dumb.


The HTTP 1.1 protocol allows to specify a hostname with the request and this can be an arbitrary name belonging to a different (or none at all) host. This is what makes having multiple virtual hosts web servers possible because they can use the name specified in the request to route it to the correct vhost.

In the default config, hostnames that don't have a vhost definition get routed (and logged) to the default vhost.

What happens with your server is just the usual background noise of bots and kiddies trying all kind of attacks on more or less random hosts.

Related

Error importing PSTs into Exchange 2010 SP1
Sharepoint and ADL-DS
both ssl and non-ssl on single port
Create DNS alias
Bind 9.2 server refuses to resolve CNAME from sub-zone
Migrating messages from an old mailserver to a new (courier)
Load Balancer & Route 53 : DNS address could not be found | AWS & BlueHost
How to create partition when growing raid5 with mdadm
Iptables blocking all my traffic for some reasson
Apache fails to start after ssl
get PIDs of processes from
HTTP Subdomain Redirect to HTTPS automatically. Why?