PPRuNe Forums - View Single Post - How come? - FTP brute force attack
15th October 2009 | 09:15 | #62
mixture
Hello XV105,

I see SD got there first. I'll add a little bit more....

(1) Ref 224.0.0.22 / 224.0.0.251 / 239.255.255.250 / 235.1.1.1

These are "special use" addresses that have no place on the internet. In internet terms they are known as "bogons" because they should not be routed by any ISP. In fact, best practice recommends blocking the following ranges (amongst others, see link....) unless you've got a specific use for them:

223.0.0.0/8 (i.e. 223.0.0.0 to 223.255.255.255 - inclusive)
224.0.0.0/3 (i.e. 224.0.0.0 to 255.255.255.255 - inclusive)

There is a handy website known as "Team Cymru" (no relation whatsoever to that part of the UK) which gives a list of current "bogons" that you should be blocking. Go to The Bogon Reference - Team Cymru, scroll down to "1. HTTP Bogon References" and open, I would suggest, "The Text Bogon List, Aggregated".

All the addresses listed on the TC website are addresses that should essentially never be seen from the internet (i.e. you should never receive traffic from those IPs) and should never be leaked out onto the internet (i.e. you should not send traffic to the internet from those IPs without appropriate measures in place, e.g. NAT).

(2) Ref 198.107.148.254

Sounds like you've tracked this one down.

(3)

WD have acknowledged a bug in response to a support case that I logged whereby it is impossible to fully disable the MioNet service on the NAS. It restarts by itself every half an hour and when the server is booted even if the "do not start MioNet" flag was selected before shutdown.
I'm sure it's easily doable through the Linux command line.... "restarts by itself every half hour" sounds suspiciously like a crontab entry!
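Added example, not part of mixture's post: a small Python triage that checks firewall log lines against the two ranges named in point (1), and can load a longer one-prefix-per-line list in the same way. The log layout (SRC=/DST= fields), the '#' comment handling and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Ranges named in the post; it points at a maintained list, so treat these as a start.
POST_RANGES = ["223.0.0.0/8", "224.0.0.0/3"]

def parse_prefix_list(text):
    """Parse a one-CIDR-per-line list; '#' starts a comment (assumed format)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets

def match(addr, nets):
    """Return the most specific listed prefix containing addr, or None."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    hits = [n for n in nets if ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

# Hypothetical firewall log layout: "SRC=<ip> DST=<ip>" somewhere on each line.
LOG_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+)")

def triage(log_lines, nets):
    """Return (line_no, field, address, prefix) for every listed endpoint."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for field, addr in zip(("SRC", "DST"), m.groups()):
            try:
                net = match(addr, nets)
            except ValueError:
                net = "unparseable"  # report it rather than silently skipping
            if net is not None:
                findings.append((no, field, addr, str(net)))
    return findings

# Constructed sample log; the flagged addresses are the ones discussed in the post.
SAMPLE_LOG = [
    "Oct 15 09:01:02 fw OUT SRC=192.168.1.20 DST=224.0.0.22 PROTO=2",
    "Oct 15 09:01:03 fw OUT SRC=192.168.1.20 DST=239.255.255.250 PROTO=UDP",
    "Oct 15 09:01:04 fw OUT SRC=192.168.1.20 DST=198.107.148.254 PROTO=TCP",
    "Oct 15 09:01:05 fw IN SRC=235.1.1.1 DST=192.168.1.20 PROTO=UDP",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, parse_prefix_list("\n".join(POST_RANGES))):
        print(f)
```

With only the two ranges from the post loaded, 198.107.148.254 and the private 192.168.1.20 are not flagged; a fuller list passed through `parse_prefix_list` would change that.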