Website statistics mystification
May 16, 2007 1:22 AM Subscribe
Can you explain what these entries are doing in my website stats/logs?
For a week now I have been finding the following "rogue" entries in my website logs:
Every day, several times a day, there will be three short (few second) successive visits from some ip-address (never the same address, not necessarily from the same range, not even from the same geographical location). All three visits go to the splash page of the site, never more than that. All three have referrer "http://www.google.com", but no search terms or anything else in the url, as always happens with people who come to my site through Google.
Example:
Apart from the fact that I'm annoyed that I can't figure out why this is happening it doesn't seem to have any negative consequences.
This is all the info I have, by the way. Only basic logging is possible right now.
For a week now I have been finding the following "rogue" entries in my website logs:
Every day, several times a day, there will be three short (few second) successive visits from some ip-address (never the same address, not necessarily from the same range, not even from the same geographical location). All three visits go to the splash page of the site, never more than that. All three have referrer "http://www.google.com", but no search terms or anything else in the url, as always happens with people who come to my site through Google.
Example:
2007-05-16 00:33:12 24.132.200.27 /... http://www.google.com MSIE Windows 2007-05-16 00:33:12 24.132.200.27 /... http://www.google.com MSIE Windows 2007-05-16 00:33:13 24.132.200.27 /... http://www.google.com MSIE Windowsor:
2007-05-16 02:29:55 68.108.208.35 /... http://www.google.com MSIE Windows 2007-05-16 02:30:01 68.108.208.35 /... http://www.google.com MSIE Windows 2007-05-16 02:30:04 68.108.208.35 /... http://www.google.com MSIE WindowsI would think it's a bot but that seems at odds with the different ip addresses (and the fact that the logs say "MSIE and Windows" and not "Bot").
Apart from the fact that I'm annoyed that I can't figure out why this is happening it doesn't seem to have any negative consequences.
This is all the info I have, by the way. Only basic logging is possible right now.
Best answer: In case it wasn't clear, the Google referer is almost certainly made up by the bot. The different IP addresses is easy to explain: those people have been infected with the same malware.
posted by mendel at 6:32 AM on May 16, 2007
posted by mendel at 6:32 AM on May 16, 2007
Best answer: I think Mendel has it. Referrer spoofing is trivial to do.
You also can use arin.net/whois to look up the IPs. For yours:
That looks like a high-speed internet user in Atlanta (who probably has no idea his or her computer has been hijacked)
posted by chrisamiller at 7:16 AM on May 16, 2007
You also can use arin.net/whois to look up the IPs. For yours:
Cox Communications Inc. NETBLK-PH-RDC-68-108-192-0 (NET-68-108-192-0-1)
68.108.192.0 - 68.108.223.255
Cox Communications Inc. COX-ATLANTA-2 (NET-68-96-0-0-1)
68.96.0.0 - 68.111.255.255
That looks like a high-speed internet user in Atlanta (who probably has no idea his or her computer has been hijacked)
posted by chrisamiller at 7:16 AM on May 16, 2007
« Older NO MORE T-SHIRTS!!! No MORE KHAKIS!!! | I'm traveling cross-country from SF to NH via AZ.... Newer »
This thread is closed to new comments.
posted by Aidan Kehoe at 2:03 AM on May 16, 2007