Question

I have a test server hosted on Amazon EC2 running Linux (CentOS). I looked at the server's access logs and saw some entries like:

Access logs:

217.153.182.206 - - [04/May/2014:03:39:45 -0700] "GET http://chek.zennolab.com/proxy.php HTTP/1.1" 301 315
217.150.7.21 - - [04/May/2014:03:40:30 -0700] "GET http://images.google.com/ HTTP/1.1" 301 315
117.214.190.73 - - [04/May/2014:03:41:06 -0700] "GET http://www.baidu.com/ HTTP/1.1" 301 250
198.56.193.214 - - [09/May/2014:04:45:52 -0700] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&section=5713092&pub_url=${PUB_URL} HTTP/1.0" 403 381 "http://www.mufinancepro.com/?p=512" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.4) Gecko/20100503 Firefox/3.6.4 ( .NET CLR 3.5.30729)"
142.54.168.227 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/tt?id=2632471 HTTP/1.0" 302 - "http://www.advisablefinance.com/?p=1817" "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
142.54.166.201 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/tt?id=2620691 HTTP/1.0" 302 - "http://www.affordfinance.com/?p=1165" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.1 Safari/532.0"
173.208.129.99 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/tt?id=2620681 HTTP/1.0" 302 - "http://www.allowhealth.com/?p=150" "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.42; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
142.54.166.220 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/ttj?id=2631551&position=above HTTP/1.0" 302 - "http://www.educationaffair.com/tag/upper-division-transfer/" "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.6; AOLBuild 4340.27; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
162.211.123.38 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/seg?add=357270&t=2 HTTP/1.0" 200 - "http://ads.yahoo.com/st?ad_type=iframe&ad_size=160x600&section=5741811&pub_url=${PUB_URL}" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; AT&T CSM6.0; AT&T CSM 6; YComp 5.0.0.0)"
142.54.186.132 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/ttj?id=2631551&position=above HTTP/1.0" 302 - "http://www.educationaffair.com/tag/university-of-southern-california/feed/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_0; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.206.1 Safari/532.0"    
142.54.186.132 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/ttj?id=2631551&position=above HTTP/1.0" 302 - "http://www.educationaffair.com/tag/correspondence-courses/" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; InfoPath.1; HbTools 4.8.0)"
172.246.42.214 - - [09/May/2014:04:45:52 -0700] "GET http://ads.yahoo.com/st?ad_type=ad&ad_size=728x90&section=5200398&pub_url=${PUB_URL} HTTP/1.0" 403 376 "http://www.autoinlife.com/?p=656" "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-TW; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4 ( .NET CLR 3.5.30729)"

Questions:

  1. Apache access logs contain inbound requests, so why is a request for http://chek.zennolab.com/proxy.php or http://images.google.com showing up in my server's access log?

  2. Why do I have so many ads.yahoo requests? And how do I stop them?


Solution 2

Install mod_security on your apache web server and create the following rule:

# Requests addressed to your own host name are allowed and skip the rest of the ModSecurity rule engine.
SecRule SERVER_NAME "www\.yourdomain\.com$" "id:'200000',phase:1,nolog,allow,ctl:ruleEngine=off"

In case of any problems, change nolog to log and read the logs to understand what's happening.

OTHER TIPS

I think you bought your test server recently; maybe that's why this is happening.

Answer to Question:1
Since IP addresses are a scarce resource on the internet, it is very likely that the previous owner of your current IP address was somehow using/allowing requests from ads.yahoo.com, images.google.com, or whatever requests you are getting in your logs.

Answer to Question:2
Although it's not a great solution, it will help you to a certain extent:

  1. Write all the IP addresses to a file (better if you do it programmatically); while you do this, don't send any genuine requests to the server.
  2. Write a shell script to read this file line by line and execute iptables -I INPUT -s $FILE_LINE -j DROP (you will need root access).

Basically this command will block these IP addresses by making an entry in the kernel's iptables.
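A script that covers both the question (how to recognise these entries) and the two steps above, added here as an example; it is not code from either answer or from the original poster. A request line whose target is an absolute URL ("GET http://images.google.com/ HTTP/1.1") or whose method is CONNECT is what an HTTP client sends to a forward proxy, whereas a request meant for your own site carries a path ("GET /index.html HTTP/1.1"). The script keys on that difference instead of blocking every address in the log, so genuine traffic can keep flowing while you collect the list. The log lines inside it are constructed for the example (some modelled on the question's entries; the 10.0.0.x addresses stand in for legitimate clients), and the rules are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not from the original post: find proxy-style requests in an
# Apache access log and turn the client IPs into iptables DROP rules.

# Constructed sample log (common/combined format): three normal requests from
# legitimate clients, four proxy-style requests (absolute URLs and a CONNECT).
SAMPLE_LOG=$(cat <<'EOF'
217.150.7.21 - - [04/May/2014:03:40:30 -0700] "GET http://images.google.com/ HTTP/1.1" 301 315
10.0.0.5 - - [04/May/2014:03:41:00 -0700] "GET /index.html HTTP/1.1" 200 1024
142.54.166.201 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/tt?id=2620691 HTTP/1.0" 302 - "http://www.affordfinance.com/?p=1165" "Mozilla/5.0"
142.54.166.201 - - [09/May/2014:04:45:53 -0700] "GET http://ib.adnxs.com/tt?id=2620692 HTTP/1.0" 302 - "-" "Mozilla/5.0"
10.0.0.5 - - [09/May/2014:04:45:55 -0700] "POST /login HTTP/1.1" 200 512
10.0.0.6 - - [09/May/2014:04:46:00 -0700] "CONNECT mail.example.net:443 HTTP/1.1" 405 -
EOF
)
LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOG"
trap 'rm -f "$LOG"' EXIT

# proxy_clients LOGFILE
# Prints "ip count" for every client whose request target is an absolute
# http(s) URL or whose method is CONNECT, busiest client first. Clients that
# only sent normal path requests are not listed, so genuine traffic in the
# same log is never blocked. Only dotted-quad client fields are emitted, so a
# hostname (HostnameLookups On) or garbage never reaches the iptables command.
proxy_clients() {
    awk '
        # 1=client  6=quoted method ("GET, "CONNECT)  7=request target  8=protocol
        $7 ~ /^https?:\/\// || $6 == "\"CONNECT" { hits[$1]++ }
        END {
            for (ip in hits)
                if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    print ip, hits[ip]
        }
    ' "$1" | sort -k2,2nr -k1,1
}

# iptables_rules LOGFILE
# Emits one DROP rule per offending client. Printed rather than executed so
# the list can be reviewed first; to apply: iptables_rules access_log | sudo sh
iptables_rules() {
    proxy_clients "$1" | awk '{ printf "iptables -I INPUT -s %s -j DROP\n", $1 }'
}

echo "Clients sending proxy-style requests (ip count):"
proxy_clients "$LOG"
echo
echo "Rules to apply as root after review:"
iptables_rules "$LOG"
```

Point it at the real file with proxy_clients /var/log/httpd/access_log. Rules inserted with iptables -I are lost at reboot unless saved (on CentOS, service iptables save), and blocking addresses only helps if the server is not actually relaying anything, so also confirm that forward proxying is off in Apache (ProxyRequests Off, which is the default).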

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow