For the past few days I have noted a great many lines similar to that shown below, in my logs of one of my sites:
195.154.44.62 - - [28/Mar/2018:07:59:34 +0100] "GET / HTTP/1.1" 200 4995 "http://verbflexdabbfi.soup.io" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
The redirected address shown in the GET clause varies a bit between 4 or 5 different sites. Only one of three virtual domains are affected, not the entire server.
This looks like illegal activity, but I am not sure exactly what is happening. As a safety measure I have added the IP addresses to my deny list.
Does anyone have any ideas?
Thanks,
Kenneth Spencer