Access log of nginx: why are foreign URLs logged?
My access log is full of such entries:
178.207.40.219 - - [03/Apr/2014:17:34:37 +0200] "GET http://win.mail.ru/cgi-bin/[email protected]&Domain=mail.ru&Password=241716 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.6) Gecko/20050405 Epiphany/1.6.1 (Ubuntu) (Ubuntu package 1.0.2)" "-"
178.207.40.219 - - [03/Apr/2014:17:34:37 +0200] "GET http://win.mail.ru/cgi-bin/[email protected]&Domain=mail.ru&Password=cbvfdghjr HTTP/1.1" 403 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MathPlayer2.0)" "-"
178.207.40.219 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/[email protected]&Domain=mail.ru&Password=tata915 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.452) Gecko/20041027 Mnenhy/0.6.0.104" "-"
178.207.40.219 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/[email protected]&Domain=mail.ru&Password=011296 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.4/Megaupload 3.0" "-"
178.207.40.219 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/[email protected]&Domain=mail.ru&Password=270161 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1" "-"
178.207.40.219 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/[email protected]&Domain=mail.ru&Password=nwe9338 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows; U; Win9x; en; Stable) Gecko/20020911 Beonex/0.8.1-stable" "-"
So my server was attacked somehow, as it seems. What I don't understand is why there are these http://win.mail.ru/ URLs. Does my server call those URLs? Those calls should be logged on that Russian server, not on mine. Or am I wrong? Are these URLs just strings that are sent to my server when something on my server is called? But what is called?
I have no experience with the nginx server. So sorry if this question is dumb.
The HTTP 1.1 protocol allows specifying a hostname with the request, and this can be an arbitrary name belonging to a different host (or to none at all). This is what makes web servers with multiple virtual hosts possible, because they can use the name specified in the request to route it to the correct vhost.
In the default config, hostnames that don't have a vhost definition get routed (and logged) to the default vhost.
What happens with your server is just the usual background noise of bots and kiddies trying all kinds of attacks on more or less random hosts.
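To make the answer above concrete from the defender's side, here is an added example (not from the question, the answer, or nginx itself) that parses access-log lines in nginx's default "combined" format and flags requests whose request-target is an absolute URI (`GET http://other-host/... HTTP/1.1`) pointing at a host that is not one of your own. That is exactly the pattern in the question: the client is treating your server as an open proxy, nginx routes the unknown hostname to the default vhost, and the line lands in your log. The sample log lines, the own-host list `www.example.com`, and the query values are constructed for this example; reported paths have their query string stripped so that any credentials carried in a request line are not copied into the report.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in nginx's default "combined" log format, followed by the
# extra "$http_x_forwarded_for" field visible in the question's log. The client IPs,
# hosts and query values are made up; the first two lines mimic the shape of the
# proxy-abuse requests from the question, the last two are ordinary requests.
SAMPLE_LOG = """\
178.207.40.219 - - [03/Apr/2014:17:34:37 +0200] "GET http://win.mail.ru/cgi-bin/auth?Login=user1&Domain=mail.ru&Password=REDACTED1 HTTP/1.1" 403 168 "-" "Mozilla/5.0 (X11; U; Linux i686)" "-"
178.207.40.219 - - [03/Apr/2014:17:34:38 +0200] "GET http://win.mail.ru/cgi-bin/auth?Login=user2&Domain=mail.ru&Password=REDACTED2 HTTP/1.1" 403 168 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" "-"
203.0.113.7 - - [03/Apr/2014:17:35:01 +0200] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.35.0" "-"
203.0.113.7 - - [03/Apr/2014:17:35:02 +0200] "GET http://www.example.com/about HTTP/1.1" 200 812 "-" "curl/7.35.0" "-"
"""

# One regex for the "combined" format: client IP, ident, user, timestamp, request line
# (method, target, protocol), status, body bytes, referer, user agent. Trailing fields
# such as X-Forwarded-For are ignored because re.match does not require a full match.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_foreign_absolute_request(target, own_hosts):
    """True when the request-target is an absolute URI whose host is not one of ours.

    A relative target such as "/index.html" has no scheme and is never flagged;
    an absolute URI naming one of our own hosts is legitimate and not flagged either.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() not in own_hosts


def find_proxy_probes(log_text, own_hosts):
    """Scan log text and return (Counter of offending client IPs, list of events).

    Each event records client IP, the foreign host named in the request, the path
    with its query string removed, and the status nginx returned.
    """
    own = {h.lower() for h in own_hosts}
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not in combined format; skip rather than guess
        if is_foreign_absolute_request(rec["target"], own):
            parts = urlsplit(rec["target"])
            events.append({
                "ip": rec["ip"],
                "host": parts.hostname,
                "path": parts.path,          # query string deliberately dropped
                "status": int(rec["status"]),
            })
    by_ip = Counter(e["ip"] for e in events)
    return by_ip, events


if __name__ == "__main__":
    counts, found = find_proxy_probes(SAMPLE_LOG, ["www.example.com"])
    for ip, n in counts.most_common():
        print(f"{ip}: {n} absolute-URI request(s) for foreign hosts")
    for e in found:
        print(f"  {e['ip']} -> {e['host']}{e['path']} (status {e['status']})")
```

Run it against a real file with `find_proxy_probes(open("/var/log/nginx/access.log").read(), ["your.host.example"])`. On the mitigation side, the usual nginx answer to the "routed to the default vhost" behaviour the answer describes is to give unknown hostnames an explicit catch-all: a `server` block with `listen 80 default_server;`, `server_name _;` and `return 444;` makes nginx drop such connections without a response body, so the proxy probes still appear in the log but never reach a real vhost.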