Tags:




Website statistics mystification
May 16, 2007 1:22 AM   RSS feed for this thread Subscribe

Can you explain what these entries are doing in my website stats/logs?

For a week now I have been finding the following "rogue" entries in my website logs:

Every day, several times a day, there will be three short (few second) successive visits from some ip-address (never the same address, not necessarily from the same range, not even from the same geographical location). All three visits go to the splash page of the site, never more than that. All three have referrer "http://www.google.com", but no search terms or anything else in the url, as always happens with people who come to my site through Google.

Example:

2007-05-16 00:33:12 	 24.132.200.27 	/...	 http://www.google.com	 MSIE 	 Windows
2007-05-16 00:33:12 	24.132.200.27 	/...	 http://www.google.com	MSIE 	Windows
2007-05-16 00:33:13 	24.132.200.27 	/...	 http://www.google.com	MSIE 	Windows
or:

2007-05-16 02:29:55 	 68.108.208.35 	/...	 http://www.google.com	 MSIE 	 Windows
2007-05-16 02:30:01 	68.108.208.35 	/...	 http://www.google.com	MSIE 	Windows
2007-05-16 02:30:04 	68.108.208.35 	/...	 http://www.google.com	MSIE 	Windows
I would think it's a bot but that seems at odds with the different ip addresses (and the fact that the logs say "MSIE and Windows" and not "Bot").

Apart from the fact that I'm annoyed that I can't figure out why this is happening it doesn't seem to have any negative consequences.

This is all the info I have, by the way. Only basic logging is possible right now.
posted by Skyanth to computers & internet (3 comments total)
I would think it's a bot but that seems at odds with the different ip addresses (and the fact that the logs say "MSIE and Windows" and not "Bot").
I wouldn’t worry about it. I constantly have bots with headers that are a lot more convincing, coming from various IP addresses: 
echo871.server4you.de - - [16/May/2007:09:30:26 +0100] "POST ..." 200 15293  "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
ip503c30cf.speed.planet.nl - - [16/May/2007:09:34:48 +0100] "POST ..." 200 9608  "Opera/9.0 (Windows NT 5.1; U; en)"
s246100.ppp.asahi-net.or.jp - - [16/May/2007:08:25:48 +0100] "POST ..." 200 14224  "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
and I am sure they are bots; they just request the one page on the site, don’t even attempt my Turing tests, and have been at it for months and months.
posted by Aidan Kehoe at 2:03 AM on May 16, 2007


In case it wasn't clear, the Google referer is almost certainly made up by the bot. The different IP addresses is easy to explain: those people have been infected with the same malware.
posted by mendel at 6:32 AM on May 16, 2007


I think Mendel has it. Referrer spoofing is trivial to do.

You also can use arin.net/whois to look up the IPs. For yours:

Cox Communications Inc. NETBLK-PH-RDC-68-108-192-0 (NET-68-108-192-0-1)
68.108.192.0 - 68.108.223.255
Cox Communications Inc. COX-ATLANTA-2 (NET-68-96-0-0-1)
68.96.0.0 - 68.111.255.255

That looks like a high-speed internet user in Atlanta (who probably has no idea his or her computer has been hijacked)
posted by chrisamiller at 7:16 AM on May 16, 2007


« Older Help me be fashoinable. Um, Se...   |   I'm moving! I'll be driving f... Newer »
This thread is closed to new comments.