Hello respondents,

Thanks to all of you for your responses. I'm explaining the points which
you have asked about.

1. The requests are not available in the log because I have blocked the .ru
domains at the firewall level. Let me disable the firewall to generate the logs
for you.

95.139.226.205 - - [17/Apr/2014:07:26:39 +0200] "-" 408 - "-" "-"
109.188.125.110 - - [17/Apr/2014:07:27:03 +0200] "GET /Uizz9n HTTP/1.1" 301 - "http://www.tv-house.ru/detail/200/5347" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko"
109.188.125.110 - - [17/Apr/2014:07:27:04 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "http://www.tv-house.ru/detail/200/5347" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko"
109.191.88.164 - - [17/Apr/2014:07:27:13 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "-" "libtorrent/0.16.10.0"
109.188.125.110 - - [17/Apr/2014:07:27:16 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "http://www.tv-house.ru/catalog/29/200/31/" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko"


Though the ping command shows a different IP than this server:

ping www.tv-house.ru
PING www.tv-house.ru (90.156.201.67) 56(84) bytes of data.
64 bytes from fe.shared.masterhost.ru (90.156.201.67): icmp_seq=1 ttl=56 time=55.1 ms
64 bytes from fe.shared.masterhost.ru (90.156.201.67): icmp_seq=2 ttl=56 time=55.1 ms
64 bytes from fe.shared.masterhost.ru (90.156.201.67): icmp_seq=3 ttl=56 time=55.1 ms


2. I am not hosting any torrent. Though you can see the request

109.191.88.164 - - [17/Apr/2014:07:27:13 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "-" "libtorrent/0.16.10.0"


3. The sites are even live after shutting down the server.


4. Even after blocking the requested unknown domains I see a lot of
the following in the access log:

109.191.88.164 - - [17/Apr/2014:07:30:38 +0200] "GET /tracker/?info_hash=%8f%8d%98%b3%3dg%09RrefU%eep%bb%a7%bf%bf%1a%da&peer_id=-IL500%ad-o6JhUN9!EA.n&port=6881&uploaded=0&downloaded=0&left=7978279&corrupt=0&redundant=0&compact=1&numwant=200&key=48fb945&no_peer_id=1&supportcrypto=1&event=started&ipv4=109.191.88.164 HTTP/1.1" 301 - "-" "libtorrent/0.16.10.0"
109.191.88.164 - - [17/Apr/2014:07:30:38 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "-" "libtorrent/0.16.10.0"
95.31.97.94 - - [17/Apr/2014:07:30:44 +0200] "-" 408 - "-" "-"
188.64.112.228 - - [17/Apr/2014:07:30:55 +0200] "-" 408 - "-" "-"
109.188.125.110 - - [17/Apr/2014:07:31:12 +0200] "-" 408 - "-" "-"
188.64.112.228 - - [17/Apr/2014:07:31:26 +0200] "-" 408 - "-" "-"
178.123.127.195 - - [17/Apr/2014:07:31:59 +0200] "GET /tracker/scrape?info_hash=%7F%98%05%BA%40%DB%ADo%1E%DD%D1%0BSL%0C%16%9DT%0D%BE HTTP/1.1" 301 - "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"
178.123.127.195 - - [17/Apr/2014:07:31:59 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"


Thanks



On Wed, Apr 16, 2014 at 10:39 PM, Jim Barchuk <j...@jbarchuk.com> wrote:

> HiHi!
>
> My first thought was that a -spammer- had -misconfigured- something, to
> point a 'spam target domain name' to your IP address. But those domains are
> registered '06/'07 which is not typical of spam targets, and they appear to
> be reputable.
>
> Before I go further, a little more info. You mentioned...
>
>
>  tv-house.ru , world-hdtv.ru ... etc.... I am clue less.
>>
>
> and then...
>
>
>> 147.45.64.140 - - [16/Apr/2014:11:26:44 +0200] "-" 408 - "-" "-"
>> 176.8.100.50 - - [16/Apr/2014:11:26:59 +0200] "GET /tracker/scrape?info_hash=U%5C%01%04%94%C6%83JV%143eL%B4%FD%5D%AD%D5%5B%E9 HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"
>>
>
> 408 is very weird. I didn't even know what it meant, had to look it up,
> and still don't fully understand what it means, potentially, as related to
> your situation.
>
> Could you please post a couple of lines that include the earlier *.ru
> requests?
>
>  newly configured opensuse
>>
>
> There are other misconfiguration possibilities. No not on your side but
> elsewhere. Your IP address may have been previously used elsewhere for
> other things, that are still configured to point to you without knowing
> you're the new owner.
>
> If nothing truly *NEFARIOUS* is going on, then over the course of time, a
> few days, things may clear themselves out automatically and those odd
> requests may simply stop happening.
>
> If nothing nefarious is going on, but there are configs somewhere that
> someone needs to change manually but either forgot about or haven't gotten
> to yet, then the requests may continue for a while. If they don't stop you
> may need to write to the owners of those domains to give them a heads-up
> that they need to fix something or their customers won't be getting pages
> that they should be.
>
> Along those lines, there might be someone sitting elsewhere wondering why
> -his- logs have dropped to -zero-. LOL!!! Or, they may drop way off, and as
> nameservers are updated his logs 'revive' and continue as previous. The
> only difference is that -he'll- have no clue why it all dropped off,
> because -he- hadn't changed anything. If he's loading pages locally and
> everything works fine, yet he gets calls that other people can't load pages,
> he'll have to know how to research the problem to find out where the
> misconfiguration is.
>
> Have a :) day!
>
> Jim
>
> --
> Jim Barchuk
> j...@jbarchuk.com
>
>
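
A triage sketch for access logs like the ones in this thread, added here as an example and not part of either poster's message: it parses Apache combined-format lines and separates BitTorrent tracker announces and scrapes, empty 408 timeouts, and hits referred from another site. The function names and labels are hypothetical; the sample lines are the thread's own log lines re-joined onto single lines.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
                     r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
ANNOUNCE_KEYS = {"info_hash", "peer_id", "port"}  # query keys of a tracker announce
TORRENT_AGENTS = ("libtorrent/", "Zona ")         # agent prefixes seen in the thread's logs

# Sample input: log lines quoted in the thread, re-joined onto single lines.
SAMPLE = [
    '95.139.226.205 - - [17/Apr/2014:07:26:39 +0200] "-" 408 - "-" "-"',
    '109.188.125.110 - - [17/Apr/2014:07:27:04 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "http://www.tv-house.ru/detail/200/5347" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko"',
    '109.191.88.164 - - [17/Apr/2014:07:30:38 +0200] "GET /tracker/?info_hash=%8f%8d%98%b3%3dg%09RrefU%eep%bb%a7%bf%bf%1a%da&peer_id=-IL500%ad-o6JhUN9!EA.n&port=6881&uploaded=0&downloaded=0&left=7978279&corrupt=0&redundant=0&compact=1&numwant=200&key=48fb945&no_peer_id=1&supportcrypto=1&event=started&ipv4=109.191.88.164 HTTP/1.1" 301 - "-" "libtorrent/0.16.10.0"',
    '109.191.88.164 - - [17/Apr/2014:07:30:38 +0200] "GET /index.php?id=16&no_cache=1 HTTP/1.1" 200 9009 "-" "libtorrent/0.16.10.0"',
    '178.123.127.195 - - [17/Apr/2014:07:31:59 +0200] "GET /tracker/scrape?info_hash=%7F%98%05%BA%40%DB%ADo%1E%DD%D1%0BSL%0C%16%9DT%0D%BE HTTP/1.1" 301 - "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"',
]

def classify(line):
    """Return (ip, label) for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip = m["ip"]
    if m["request"] == "-" and m["status"] == "408":
        return ip, "timeout-no-request"        # connection opened, no request line sent
    parts = m["request"].split(" ")
    if len(parts) != 3:
        return ip, "malformed"
    url = urlsplit(parts[1])
    keys = set(parse_qs(url.query))            # only the parameter names are needed
    if url.path.endswith("/scrape") and "info_hash" in keys:
        return ip, "tracker-scrape"
    if ANNOUNCE_KEYS <= keys:
        return ip, "tracker-announce"
    if m["agent"].startswith(TORRENT_AGENTS):
        return ip, "torrent-client-other"      # e.g. the client following the 301
    referer_host = urlsplit(m["referer"]).hostname
    return ip, ("referred-from:" + referer_host) if referer_host else "other"

def summarize(lines):
    """Count labels over all lines that parse."""
    return Counter(label for _, label in filter(None, map(classify, lines)))

if __name__ == "__main__":
    for label, n in summarize(SAMPLE).most_common():
        print(n, label)
```
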
