Re "6) “Hey, look at my ads!!!”<p>> 2021-04-25T17:00:00: POST <a href="http://***.best/" rel="nofollow">http://***.best/</a><p>This is not an ad -- the "<a href="http://" rel="nofollow">http://</a>" in the first (path) line tries to invoke HTTP proxy functionality. An open proxy would establish connection to the attacker's site and post the data there.<p>Once attacker has gathered list of open proxies, it would use those proxies for bypassing password guessing limits, illegal scraping, and ad fraud.