
I have an Ubuntu EC2 instance server hosting an Apache2 site with Tomcat7 at the back end. According to the Apache logs I suspect there is a malicious attack! Can anyone please confirm it, and what can I do to stop it?

I found that those IPs are from xyz, so I tried blocking traffic with a geo restriction using .htaccess, but still no use!

.htaccess:

    #Geo Restrict
    MaxMindDBEnable On
    #MaxMindDBFile DB /path/to/GeoIP/GeoLite2-Country.mmdb
    MaxMindDBFile DB /usr/local/share/GeoIP/GeoLite2-Country.mmdb
    MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code

    #SetEnvIf MM_COUNTRY_CODE ^(RU|DE|FR|US|CN) BlockCountry
    SetEnvIf MM_COUNTRY_CODE ^(IN) BlockCountry
    Allow from env=BlockCountry
    #Deny from env=BlockCountry

"/var/log/apache2/access.log":

    188.143.232.19 - - [19/Nov/2015:10:02:05 +0000] "POST http://confessions.nerve.com/confessions/add HTTP/1.1" 200 5340 "http://confessions.nerve.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    5.45.79.4 - - [19/Nov/2015:10:02:06 +0000] "GET http://toolbarqueries.google.com/tbr?client=navclient-auto&ch=62284050769&ie=UTF-8&oe=UTF-8&features=Rank&q=info%3Ahttp%3A%2F%2Fblog.fabricinteractive.com%2Fwp-content%2Fthemes%2Flicense.php HTTP/1.1" 200 818 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41 Safari/535.1"
    188.143.232.43 - - [19/Nov/2015:10:02:06 +0000] "GET http://ipv4.google.com/sorry/IndexRedirect?continue=http://www.google.com/search%3Fie%3Dutf-8%26oe%3Dutf-8%26hl%3Den%26q%3Dsite%253Asoundviewengineers.com%2520a%2520href%253Dhttp%253A%252F%252F%2520OR%2520%255Burl%253Dhttp%253A%252F%252F%26num%3D100%26gws_rd%3Dssl&q=CGMSBDapqgcYoLy2sgUiGQDxp4NLQrzvBnbvmg6S5qqbxttbTFrHfHQ HTTP/1.1" 503 3443 "http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=site%3Asoundviewengineers.com%20a%20href%3Dhttp%3A%2F%2F%20OR%20%5Burl%3Dhttp%3A%2F%2F&num=100&gws_rd=ssl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    95.215.111.101 - - [19/Nov/2015:10:02:06 +0000] "GET http://steamcommunity.com/market/listings/730/Nova%20%7C%20Ranger%20%28Well-Worn%29/render/?query=&start=0&count=10&country=RU&language=russian&currency=5 HTTP/1.1" 429 815 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
    188.143.232.62 - - [19/Nov/2015:10:02:06 +0000] "GET http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%2Fcutenews%2Fhome.php%3Fcomm_start_from%3D%20%22View%20guestbook%22%20site%3Abiz%20viagra&num=100&gws_rd=ssl HTTP/1.1" 302 1242 "http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%2Fcutenews%2Fhome.php%3Fcomm_start_from%3D%20%22View%20guestbook%22%20site%3Abiz%20viagra&num=100&gws_rd=ssl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    69.64.50.250 - - [19/Nov/2015:10:02:06 +0000] "GET http://steamcommunity.com/market/listings/730/%E2%98%85%20Flip%20Knife%20%7C%20Slaughter%20(Minimal%20Wear)/render/?country=RU&language=english&currency=5&count=7&1447927351958 HTTP/1.1" 429 837 "-" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0"
    188.143.232.22 - - [19/Nov/2015:10:02:06 +0000] "GET http://search.yahoo.com/search?ei=utf-8&p=site%3Asunwooltd.com%20m%20a%20href%3Dhttp%3A%2F%2F%20OR%20%5Burl%3Dhttp%3A%2F%2F&n=100&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=any&vst=0&vf=all&vm=p&fl=0&fr=yfp-t-701&xargs=0&pstart=1 HTTP/1.1" 999 2978 "http://search.yahoo.com/search?ei=utf-8&p=site%3Asunwooltd.com%20m%20a%20href%3Dhttp%3A%2F%2F%20OR%20%5Burl%3Dhttp%3A%2F%2F&n=100&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=any&vst=0&vf=all&vm=p&fl=0&fr=yfp-t-701&xargs=0&pstart=1" "Mozilla/5.0 (Windows NT 5.2; rv:5.0) Gecko/20100101 Firefox/5.0"
    109.234.158.21 - - [19/Nov/2015:10:02:04 +0000] "CONNECT yandex.ru:443 HTTP/1.1" 200 53785 "-" "Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101 Firefox/25.0"
    188.143.232.62 - - [19/Nov/2015:10:02:07 +0000] "GET http://ipv4.google.com/sorry/IndexRedirect?continue=http://www.google.com/search%3Fie%3Dutf-8%26oe%3Dutf-8%26hl%3Den%26q%3Dinurl%253A%252Fcutenews%252Fhome.php%253Fcomm_start_from%253D%2520%2522View%2520guestbook%2522%2520site%253Abiz%2520viagra%26num%3D100%26gws_rd%3Dssl&q=CGMSBDapqgcYoby2sgUiGQDxp4NLSJ_Ek8k_8mneqvVmGriE3wqaxOs HTTP/1.1" 503 3481 "http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%2Fcutenews%2Fhome.php%3Fcomm_start_from%3D%20%22View%20guestbook%22%20site%3Abiz%20viagra&num=100&gws_rd=ssl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.22 - - [19/Nov/2015:10:02:07 +0000] "GET http://search.yahoo.com/search?ei=utf-8&p=site%3Asteigerwaldrebellen.de%20k%20a%20href%3Dhttp%3A%2F%2F%20OR%20%5Burl%3Dhttp%3A%2F%2F&n=100&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=any&vst=0&vf=all&vm=p&fl=0&fr=yfp-t-701&xargs=0&pstart=1 HTTP/1.1" 999 2994 "http://search.yahoo.com/search?ei=utf-8&p=site%3Asteigerwaldrebellen.de%20k%20a%20href%3Dhttp%3A%2F%2F%20OR%20%5Burl%3Dhttp%3A%2F%2F&n=100&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=any&vst=0&vf=all&vm=p&fl=0&fr=yfp-t-701&xargs=0&pstart=1" "Mozilla/5.0 (Windows NT 5.2; rv:5.0) Gecko/20100101 Firefox/5.0"
    5.9.28.162 - - [19/Nov/2015:10:02:05 +0000] "POST http://voh.russianpost.ru:8080/niips-operationhistory-web/OperationHistory HTTP/1.1" 200 451 "-" "Mozilla/5.0 (Windows NT 6.3; rv:27.0) Gecko/20100101 Firefox/27.0"
    188.143.232.19 - - [19/Nov/2015:10:02:07 +0000] "POST http://confessions.nerve.com/confessions/add HTTP/1.1" 200 5340 "http://confessions.nerve.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.34 - - [19/Nov/2015:10:02:07 +0000] "GET http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%2Fscript%2Fchat.cgi%3Fno%3D%20%22Title%3A%22%20site%3Afr%20a&num=100&gws_rd=ssl HTTP/1.1" 302 1184 "http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%2Fscript%2Fchat.cgi%3Fno%3D%20%22Title%3A%22%20site%3Afr%20a&num=100&gws_rd=ssl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    5.19.253.227 - - [19/Nov/2015:10:02:07 +0000] "GET http://steamcommunity.com/market/listings/730/AWP%20%7C%20Asiimov%20(Battle-Scarred)/render/?query=&start=0&count=1&country=RU&language=russian&currency=5&1992083898 HTTP/1.1" 429 852 "-" "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16"
    36.85.194.247 - - [19/Nov/2015:10:02:07 +0000] "POST http://check2.zennolab.com/proxy.php HTTP/1.1" 200 274 "RefererString" "-"
    69.64.50.250 - - [19/Nov/2015:10:02:08 +0000] "GET http://steamcommunity.com/market/listings/730/%E2%98%85%20Bayonet%20%7C%20Safari%20Mesh%20(Field-Tested)/render/?country=RU&language=english&currency=5&count=7&1447927352753 HTTP/1.1" 429 837 "-" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0"
    188.143.232.62 - - [19/Nov/2015:10:02:06 +0000] "POST http://work.a-poster.info:25000/ HTTP/1.1" 200 391 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.34 - - [19/Nov/2015:10:02:08 +0000] "GET http://ipv4.google.com/sorry/IndexRedirect?continue=http://www.google.com/search%3Fie%3Dutf-8%26oe%3Dutf-8%26hl%3Den%26q%3Dinurl%253A%252Fscript%252Fchat.cgi%253Fno%253D%2520%2522Title%253A%2522%2520site%253Afr%2520a%26num%3D100%26gws_rd%3Dssl&q=CGMSBDapqgcYory2sgUiGQDxp4NLCFzapaSOeJXgQvaH9AxGxcYKyhE HTTP/1.1" 503 3392 "http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%2Fscript%2Fchat.cgi%3Fno%3D%20%22Title%3A%22%20site%3Afr%20a&num=100&gws_rd=ssl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.41 - - [19/Nov/2015:10:02:08 +0000] "GET http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%22bookstore.cgi%22%20%22june%22%20j&num=100&gws_rd=ssl HTTP/1.1" 302 1114 "http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%22bookstore.cgi%22%20%22june%22%20j&num=100&gws_rd=ssl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.11 - - [19/Nov/2015:10:02:07 +0000] "POST http://www.fengjiebathrooms.com/index.php/order HTTP/1.1" 200 577 "http://www.fengjiebathrooms.com/index.php/appraisal?page=16515" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    51.254.120.8 - - [19/Nov/2015:10:02:08 +0000] "GET http://www.eat-with.us/25-healthy-eating-diet-tips/?tb8 HTTP/1.1" 403 566 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4; pl-PL) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4"
    69.64.50.250 - - [19/Nov/2015:10:02:08 +0000] "GET http://steamcommunity.com/market/listings/730/%E2%98%85%20StatTrak%E2%84%A2%20Karambit%20%7C%20Case%20Hardened%20(Minimal%20Wear)/render/?country=RU&language=english&currency=5&count=7&1447927354145 HTTP/1.1" 429 837 "-" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0"
    69.64.50.250 - - [19/Nov/2015:10:02:07 +0000] "GET http://steamcommunity.com/market/listings/730/%E2%98%85%20Gut%20Knife%20%7C%20Stained%20(Minimal%20Wear)/render/?country=RU&language=english&currency=5&count=7&1447927351316 HTTP/1.1" 429 837 "-" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0"
    188.143.232.19 - - [19/Nov/2015:10:02:08 +0000] "POST http://confessions.nerve.com/confessions/add HTTP/1.1" 200 5340 "http://confessions.nerve.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    69.64.50.250 - - [19/Nov/2015:10:02:08 +0000] "GET http://steamcommunity.com/market/listings/730/%E2%98%85%20M9%20Bayonet%20%7C%20Forest%20DDPAT%20(Field-Tested)/render/?country=RU&language=english&currency=5&count=7&1447927353469 HTTP/1.1" 429 837 "-" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0"
    188.143.232.41 - - [19/Nov/2015:10:02:09 +0000] "GET http://ipv4.google.com/sorry/IndexRedirect?continue=http://www.google.com/search%3Fie%3Dutf-8%26oe%3Dutf-8%26hl%3Den%26q%3Dinurl%253A%2522bookstore.cgi%2522%2520%2522june%2522%2520j%26num%3D100%26gws_rd%3Dssl&q=CGMSBDapqgcYory2sgUiGQDxp4NLCFzapaSOeJXgQvaH9AxGxcYKyhE HTTP/1.1" 503 3319 "http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%22bookstore.cgi%22%20%22june%22%20j&num=100&gws_rd=ssl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    185.87.49.13 - - [19/Nov/2015:10:02:09 +0000] "GET http://steamcommunity.com/profiles/76561198122741909 HTTP/1.1" 200 41395 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
    95.211.196.33 - - [19/Nov/2015:10:01:55 +0000] "CONNECT www.marathonbet.com:443 HTTP/1.1" 200 7631 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
    149.202.54.93 - - [19/Nov/2015:10:02:09 +0000] "GET http://www.eat-with.us/25-healthy-eating-diet-tips/?tb10 HTTP/1.1" 403 708 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5; pl-PL) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2"
    188.143.232.19 - - [19/Nov/2015:10:02:09 +0000] "POST http://confessions.nerve.com/confessions/add HTTP/1.1" 200 5340 "http://confessions.nerve.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.37 - - [19/Nov/2015:10:02:09 +0000] "GET http://www.americanlisted.com/new_york_32/pets_and_animals_47/jxdb0n/ HTTP/1.1" 404 27057 "http://whitewater-wi.americanlisted.com/53190/pets-leasure-time-hobbies/domestic-short-hair-dancer-medium-adult-male-cat_23421353.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.11 - - [19/Nov/2015:10:02:09 +0000] "POST http://www.fengjiebathrooms.com/index.php/order HTTP/1.1" 200 577 "http://www.fengjiebathrooms.com/index.php/appraisal?page=16515" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.34 - - [19/Nov/2015:10:02:10 +0000] "GET http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%2Fboard.php%3Ftb%3D%20%22Required%20fields%20are%22%20site%3Acom%20n&num=100&gws_rd=ssl HTTP/1.1" 302 1200 "http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%2Fboard.php%3Ftb%3D%20%22Required%20fields%20are%22%20site%3Acom%20n&num=100&gws_rd=ssl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.37 - - [19/Nov/2015:10:02:09 +0000] "POST http://www.baoshijz.com/xcv2w93idn48f.asp?page=7305 HTTP/1.1" 200 10912 "http://www.baoshijz.com/xcv2w93idn48f.asp?page=7305" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.41 - - [19/Nov/2015:10:02:10 +0000] "POST http://www.biblus.ru/Default.aspx?mode=op&bk=1b17h286g8 HTTP/1.1" 500 5124 "http://www.biblus.ru/Default.aspx?mode=op&bk=1b17h286g8" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.19 - - [19/Nov/2015:10:02:10 +0000] "POST http://confessions.nerve.com/confessions/add HTTP/1.1" 200 5340 "http://confessions.nerve.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.34 - - [19/Nov/2015:10:02:11 +0000] "GET http://ipv4.google.com/sorry/IndexRedirect?continue=http://www.google.com/search%3Fie%3Dutf-8%26oe%3Dutf-8%26hl%3Den%26q%3Dinurl%253A%252Fboard.php%253Ftb%253D%2520%2522Required%2520fields%2520are%2522%2520site%253Acom%2520n%26num%3D100%26gws_rd%3Dssl&q=CGMSBDapqgcYpby2sgUiGQDxp4NLU2N77ituKHIJSj4homKS8Pc3vLA HTTP/1.1" 503 3416 "http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%2Fboard.php%3Ftb%3D%20%22Required%20fields%20are%22%20site%3Acom%20n&num=100&gws_rd=ssl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    178.62.104.120 - - [19/Nov/2015:09:57:57 +0000] "GET http://betsbc.com/bets/bets.php HTTP/1.1" 503 563 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36"
    195.234.5.142 - - [19/Nov/2015:10:02:09 +0000] "CONNECT oauth.vk.com:443 HTTP/1.0" 200 5970 "-" "-"
    69.64.50.250 - - [19/Nov/2015:10:02:11 +0000] "GET http://steamcommunity.com/market/listings/730/%E2%98%85%20Gut%20Knife%20%7C%20Stained%20(Minimal%20Wear)/render/?country=RU&language=english&currency=5&count=7&1447927356209 HTTP/1.1" 429 837 "-" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0"
    188.143.232.11 - - [19/Nov/2015:10:02:11 +0000] "POST http://www.fengjiebathrooms.com/index.php/order HTTP/1.1" 200 577 "http://www.fengjiebathrooms.com/index.php/appraisal?page=16515" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    95.215.111.101 - - [19/Nov/2015:10:02:12 +0000] "GET http://steamcommunity.com/market/listings/730/Dual%20Berettas%20%7C%20Cobalt%20Quartz%20%28Minimal%20Wear%29/render/?query=&start=0&count=10&country=RU&language=russian&currency=5 HTTP/1.1" 429 815 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
    69.64.50.250 - - [19/Nov/2015:10:02:12 +0000] "GET http://steamcommunity.com/market/listings/730/%E2%98%85%20Bayonet%20%7C%20Safari%20Mesh%20(Field-Tested)/render/?country=RU&language=english&currency=5&count=7&1447927357655 HTTP/1.1" 429 837 "-" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0"
    69.64.50.250 - - [19/Nov/2015:10:02:12 +0000] "GET http://steamcommunity.com/market/listings/730/%E2%98%85%20Flip%20Knife%20%7C%20Slaughter%20(Minimal%20Wear)/render/?country=RU&language=english&currency=5&count=7&1447927356908 HTTP/1.1" 429 837 "-" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0"
    94.23.214.156 - - [19/Nov/2015:10:02:09 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 200 6337 "-" "-"
    51.254.120.81 - - [19/Nov/2015:10:02:12 +0000] "GET http://www.cooking-ideas.net/hot/?tb9 HTTP/1.1" 403 696 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; pl-PL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36"
    54.193.55.118 - - [19/Nov/2015:10:02:10 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 200 6326 "-" "-"
    109.234.158.21 - - [19/Nov/2015:10:02:10 +0000] "CONNECT yandex.ru:443 HTTP/1.1" 200 55688 "https://yandex.ru/yandsearch?text=%D0%BC%D0%B5%D1%82%D0%B0%D0%BB%D0%BB%D0%BE%D0%BF%D0%BB%D0%B0%D1%81%D1%82%D0%BC%D0%B0%D1%81%D1%81%D0%BE%D0%B2%D1%8B%D0%B5+%D0%BA%D0%BE%D1%80%D0%BE%D0%BD%D0%BA%D0%B8&lr=213" "Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101 Firefox/25.0"
    69.64.50.250 - - [19/Nov/2015:10:02:12 +0000] "GET http://steamcommunity.com/market/listings/730/%E2%98%85%20M9%20Bayonet%20%7C%20Forest%20DDPAT%20(Field-Tested)/render/?country=RU&language=english&currency=5&count=7&1447927358337 HTTP/1.1" 429 837 "-" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0"
    69.64.50.250 - - [19/Nov/2015:10:02:13 +0000] "GET http://steamcommunity.com/market/listings/730/%E2%98%85%20StatTrak%E2%84%A2%20Karambit%20%7C%20Case%20Hardened%20(Minimal%20Wear)/render/?country=RU&language=english&currency=5&count=7&1447927359020 HTTP/1.1" 429 837 "-" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0"
    188.143.232.40 - - [19/Nov/2015:10:02:08 +0000] "POST http://santaefigeniapernambucana.com.br/loja/postreview.php HTTP/1.1" 302 474 "http://santaefigeniapernambucana.com.br/loja/products/Gravador-Dig.-De-Aud.-E-Vid.-8-Canais-Dvr-Sata-Vd-3008.html?revpage=149" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.11 - - [19/Nov/2015:10:02:12 +0000] "POST http://www.fengjiebathrooms.com/index.php/order HTTP/1.1" 200 577 "http://www.fengjiebathrooms.com/index.php/appraisal?page=16515" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.62 - - [19/Nov/2015:10:02:13 +0000] "GET http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%2Fcgi-bin%2Fminibbs.cgi%3Fmode%3D%20%22Your%20e-mail%3A%22%20site%3Ainfo%20levitra&num=100&gws_rd=ssl HTTP/1.1" 302 1232 "http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%2Fcgi-bin%2Fminibbs.cgi%3Fmode%3D%20%22Your%20e-mail%3A%22%20site%3Ainfo%20levitra&num=100&gws_rd=ssl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    188.143.232.22 - - [19/Nov/2015:10:02:14 +0000] "GET http://search.yahoo.com/search?ei=utf-8&p=site%3Aspa.bg%20i%20a%20href%3Dhttp%3A%2F%2F%20OR%20%5Burl%3Dhttp%3A%2F%2F&n=100&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=any&vst=0&vf=all&vm=p&fl=0&fr=yfp-t-701&xargs=0&pstart=1 HTTP/1.1" 999 2973 "http://search.yahoo.com/search?ei=utf-8&p=site%3Aspa.bg%20i%20a%20href%3Dhttp%3A%2F%2F%20OR%20%5Burl%3Dhttp%3A%2F%2F&n=100&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=any&vst=0&vf=all&vm=p&fl=0&fr=yfp-t-701&xargs=0&pstart=1" "Mozilla/5.0 (Windows NT 5.2; rv:5.0) Gecko/20100101 Firefox/5.0"
    188.143.232.62 - - [19/Nov/2015:10:02:14 +0000] "GET http://ipv4.google.com/sorry/IndexRedirect?continue=http://www.google.com/search%3Fie%3Dutf-8%26oe%3Dutf-8%26hl%3Den%26q%3Dinurl%253A%252Fcgi-bin%252Fminibbs.cgi%253Fmode%253D%2520%2522Your%2520e-mail%253A%2522%2520site%253Ainfo%2520levitra%26num%3D100%26gws_rd%3Dssl&q=CGMSBDapqgcYqLy2sgUiGQDxp4NLYu-kCPvL_N7zpKfNskycakgzv2c HTTP/1.1" 503 3458 "http://www.google.com/search?ie=utf-8&oe=utf-8&hl=en&q=inurl%3A%2Fcgi-bin%2Fminibbs.cgi%3Fmode%3D%20%22Your%20e-mail%3A%22%20site%3Ainfo%20levitra&num=100&gws_rd=ssl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    Possible duplicate of [Webserver logs show someone is trying to hack my site, what should I do?](http://security.stackexchange.com/questions/5001/webserver-logs-show-someone-is-trying-to-hack-my-site-what-should-i-do) – Steffen Ullrich Nov 19 '15 at 10:52

2 Answers


These are not attacks; your server is being used to proxy requests.

I don't know what your proxy config is, but if it shouldn't redirect traffic, you can add this rule to avoid those kinds of useless requests:

    <Directory />
        RewriteEngine On
        # block requests whose URI does not start with / (absolute-URI proxy requests)
        RewriteCond %{REQUEST_URI} !^/
        # redirect to nowhere: no substitution, stop processing the rule set
        RewriteRule .* - [END]
    </Directory>

Also, you should check your proxy configuration so that it does not redirect traffic.

  • After applying above rule 94.23.214.156 - - [19/Nov/2015:13:36:52 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 200 6746 "-" "-" 94.23.214.156 - - [19/Nov/2015:13:36:54 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 200 6744 "-" "-" 94.23.214.156 - - [19/Nov/2015:13:36:56 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 200 6736 "-" "-" 94.23.214.156 - - [19/Nov/2015:13:37:02 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 200 6735 "-" "-" – Ashish Karpe Nov 19 '15 at 13:40
  • 94.23.214.156 - - [19/Nov/2015:13:37:07 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 200 6748 "-" "-" 94.23.214.156 - - [19/Nov/2015:13:37:14 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 200 6744 "-" "-" 5.39.71.18 - - [19/Nov/2015:13:37:19 +0000] "GET http://www.google.pl/search?q=bank HTTP/1.1" 302 1169 "-" – Ashish Karpe Nov 19 '15 at 13:41
  • "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0" 209.126.107.152 - - [19/Nov/2015:13:37:21 +0000] "GET http://kinopoisk.ru/premiere/ru/ HTTP/1.1" 301 426 "" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 5.39.71.18 - - [19/Nov/2015:13:37:20 +0000] "CONNECT www.google.pl:443 HTTP/1.1" 200 5285 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0" 5.39.71.18 - - [19/Nov/2015:13:37:21 +0000] "CONNECT – Ashish Karpe Nov 19 '15 at 13:42
  • ipv4.google.com:443 HTTP/1.1" 200 7471 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0" 209.126.107.152 - - [19/Nov/2015:13:37:22 +0000] "GET http://www.kinopoisk.ru/premiere/ru/ HTTP/1.1" 200 41599 "" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 37.229.198.57 - - [19/Nov/2015:13:37:23 +0000] "GET http://nova.rambler.ru/search?utm_source=nhp&query=%D0%AE2417%20forum HTTP/1.1" 200 – Ashish Karpe Nov 19 '15 at 13:43
  • From these logs I am not able to figure out whether everything is fine, but the flow into the access log has now slowed ..... – Ashish Karpe Nov 19 '15 at 13:44
  • If you want to have a special log for it, you can redirect them to a special code, for example `RewriteRule .* - [END,R=406]` (Not Acceptable) or `RewriteRule .* - [END,R=405]` (Method Not Allowed); list of codes: https://fr.wikipedia.org/wiki/Liste_des_codes_HTTP. You can even customize this page to send them a special message ;) – Froggiz Nov 19 '15 at 13:45


Ashish, it seems like several computers are using you as their proxy server. Otherwise, these requests should never have arrived at your box and received back "200 OK" status codes (which means that you actually sent back the requested page).

The requests are not malicious per se, but you should make sure your server is configured in a way that you don't end up proxying connections to other sites.

Blocking the IP addresses does not solve your problem; it just sweeps the dirt under the mat. To really solve your problem, you should disable whatever configuration is enabling Apache to accept proxy connections.

  • "Ashish, it seems like several computers are using you as their proxy server" ..... Can you please explain how this happens? – Ashish Karpe Mar 23 '17 at 09:17
  • And also I am using an AWS EC2 instance, so Amazon doesn't detect and stop these threats / attacks. – Ashish Karpe Mar 23 '17 at 09:19
  • They request your server to fetch them a web page. One way of doing that is using the [CONNECT HTTP method](https://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_tunneling). That way, if they do something malicious on some other website, your IP is the one that is going to fill their logs; therefore, the "hacked" website will think you did the hacking. – DarkLighting Mar 24 '17 at 20:48
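The check DarkLighting's answer describes, written out as an added example (not code from either answer): a normal request for a site hosted on this server has a relative target (`GET /index.html`), whereas a client using the server as a forward proxy sends an absolute URI (`GET http://other-site/...`) or a `CONNECT host:443` tunnel, and a 2xx/3xx answer to one of those means Apache relayed it. The log lines below are constructed to mirror the question's access.log (RFC 5737 test addresses), not copied from it.

```python
"""Flag open-proxy abuse in an Apache "combined" access log."""
import re
import sys
from collections import Counter

# One Apache "combined" log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ABSOLUTE_URI = re.compile(r'^[a-zA-Z][a-zA-Z0-9+.-]*://')

# Constructed sample (hypothetical hosts/IPs); the trailing "^C" imitates
# the stray terminal character at the end of the pasted log.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Nov/2015:10:02:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Nov/2015:10:02:06 +0000] "GET http://example.org/search?q=test HTTP/1.1" 200 818 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Nov/2015:10:02:07 +0000] "POST http://example.org/comments/add HTTP/1.1" 200 5340 "http://example.org/" "Mozilla/4.0"
198.51.100.9 - - [19/Nov/2015:10:02:09 +0000] "CONNECT example.net:443 HTTP/1.0" 200 6337 "-" "-"
198.51.100.9 - - [19/Nov/2015:10:02:10 +0000] "CONNECT example.net:443 HTTP/1.0" 200 6326 "-" "-"
203.0.113.11 - - [19/Nov/2015:10:02:11 +0000] "GET http://example.com/x?tb8 HTTP/1.1" 403 566 "-" "Mozilla/5.0"
203.0.113.12 - - [19/Nov/2015:10:02:12 +0000] "GET /confessions/add HTTP/1.1" 404 300 "-" "-"
^C
"""


def parse_line(line):
    """Return the fields of one log line, or None if it is not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """'connect' = CONNECT tunnel, 'absolute' = full URL (forward-proxy
    request), 'local' = ordinary request for a resource on this server."""
    if rec["method"] == "CONNECT":
        return "connect"
    if ABSOLUTE_URI.match(rec["target"]):
        return "absolute"
    return "local"


def summarize(log_text):
    """Count requests per class, proxied requests per client IP, and how
    many proxied requests got a non-error status (i.e. were relayed)."""
    by_class, proxied_by_ip = Counter(), Counter()
    relayed = skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # not a log line (e.g. "^C", truncated paste)
            continue
        kind = classify(rec)
        by_class[kind] += 1
        if kind != "local":
            proxied_by_ip[rec["ip"]] += 1
            # 2xx/3xx on a proxied request: Apache relayed it.  A 4xx/5xx
            # may still be the upstream site's answer (the question's 429s
            # and 503s), so this count is a lower bound on relays.
            if rec["status"] < 400:
                relayed += 1
    return {"by_class": by_class, "proxied_by_ip": proxied_by_ip,
            "relayed": relayed, "skipped": skipped}


def is_open_proxy_suspected(summary):
    """True when at least one proxied request was actually relayed."""
    return summary["relayed"] > 0


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    print("requests by class:", dict(s["by_class"]))
    print("proxied requests per client:", s["proxied_by_ip"].most_common())
    print("relayed through this server:", s["relayed"], "(lower bound)")
    print("open proxy suspected:", is_open_proxy_suspected(s))
```

Run it against the real file (`python3 proxycheck.py /var/log/apache2/access.log`) before and after changing the proxy configuration: once Apache no longer accepts forward-proxy requests, the relayed count should stay at zero even though the client lines keep arriving for a while.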