[Dshield] Server

Glenn Jarvis gaj at uppergroove.ca
Sat Aug 20 01:09:15 GMT 2005


>
>
>I agree that it looks like a search engine spidering the site but the
>whois output (http://www.whois.sc/12.44.172.92) seems to say that it's
>from a regular home user. Whois on some of the other IP addresses in the
>logs say the same so it could be something trying to do something
>naughty... or it could just be a few curious users clicking at random or
>downloading your entire site.
>

Agreed, Craig. I did a whois before I raised the issue. It was one of the
reasons I was concerned.
This is a normal visitor that is directly on our site....

24.xxx.xxx.62 - - [15/Aug/2005:17:09:26 -0400] "GET /style.css HTTP/1.1" 200 1176 "http://www.uppergroove.ca/kasse3.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
24.xxx.xxx.62 - - [15/Aug/2005:17:09:27 -0400] "GET /background2.gif HTTP/1.1" 200 154 "http://www.uppergroove.ca/kasse3.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
24.xxx.xxx.62 - - [15/Aug/2005:17:09:27 -0400] "GET /menutop.jpg HTTP/1.1" 200 7409 "http://www.uppergroove.ca/kasse3.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
24.xxx.xxx.62 - - [15/Aug/2005:17:09:27 -0400] "GET /mainpage.jpg HTTP/1.1" 200 2809 "http://www.uppergroove.ca/kasse3.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
24.xxx.xxx.62 - - [15/Aug/2005:17:09:27 -0400] "GET /sitelogo.jpg HTTP/1.1" 200 42297 "http://www.uppergroove.ca/kasse3.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
24.xxx.xxx.62 - - [15/Aug/2005:17:09:27 -0400] "GET /aboutus.jpg HTTP/1.1" 200 2718 "http://www.uppergroove.ca/kasse3.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
24.xxx.xxx.62 - - [15/Aug/2005:17:09:27 -0400] "GET /downloads.jpg HTTP/1.1" 200 2912 "http://www.uppergroove.ca/kasse3.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
24.xxx.xxx.62 - - [15/Aug/2005:17:09:27 -0400] "GET /ourstore.jpg HTTP/1.1" 200 2776 "http://www.uppergroove.ca/kasse3.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
24.xxx.xxx.62 - - [15/Aug/2005:17:09:27 -0400] "GET /support.jpg HTTP/1.1" 200 2631 "http://www.uppergroove.ca/kasse3.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
24.xxx.xxx.62 - - [15/Aug/2005:17:09:27 -0400] "GET /links.jpg HTTP/1.1" 200 2279 "http://www.uppergroove.ca/kasse3.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
24.xxx.xxx.62 - - [15/Aug/2005:17:09:27 -0400] "GET /other.jpg HTTP/1.1" 200 2973 "http://www.uppergroove.ca/kasse3.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
24.xxx.xxx.62 - - [15/Aug/2005:17:09:27 -0400] "GET /contact.jpg HTTP/1.1" 200 2873 "http://www.uppergroove.ca/kasse3.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"

This is normal traffic we get from the download sites....

69.xxx.xxx.116 - - [15/Aug/2005:17:24:52 -0400] "GET /logo.gif HTTP/1.1" 304 - "http://www.gamealbum.com/Games/Arcade/index25.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; iebar; YPC 3.2.0; acc=; .NET CLR 1.1.4322; yplus 4.1.00b)"
64.xxx.xxx.53 - - [15/Aug/2005:17:30:45 -0400] "GET /logo.gif HTTP/1.1" 200 1717 "http://www.soft32.com/index-2-5-49-10-4.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

As for spider visits (and I have a robots.txt file in place for those
gaffers)....

8.xxx.xxx.156 - - [15/Aug/2005:21:01:41 -0400] "GET /robots.txt HTTP/1.0" 200 5058 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
66.xxx.xxx.68 - - [15/Aug/2005:21:05:31 -0400] "GET /robots.txt HTTP/1.0" 200 5058 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

The site also receives traffic from the download sites polling for the 
PAD files....

69.xxx.xxx.14 - - [16/Aug/2005:11:56:22 -0400] "GET /numblocks.xml HTTP/1.1" 200 5622 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
69.xxx.xxx.14 - - [16/Aug/2005:11:56:22 -0400] "GET /wiggilez.xml HTTP/1.1" 200 5509 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"


Sorry for making this so long. The above contains most of what I see, and
there are other entries which I know are normal. As I mentioned in my reply
to Johannes, the entries I mentioned in the beginning were the first time I
had ever seen them and it just raised a red flag. Plus, the icon directory
doesn't exist on my site. I thought at first it was an attempt to access the
graphic files for Awstats, but that program doesn't even use the ones listed
in the entries. The hosting company told me earlier this evening that the
lines I originally mentioned are totally normal activity. Sure looked odd to
me though :-)


Glenn




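The sorting Glenn does by hand above (own-site page assets, hits referred from download sites, search-engine crawlers fetching robots.txt, download sites polling PAD files, and requests for a directory the site does not have) can be scripted over an Apache combined-format log. The example below is added here and is not code from the thread or from DShield. It assumes the site hostname from the thread, that the site serves everything from the docroot (so only `/` is an existing top-level directory, the assumption that makes an `/icons/` request stand out), and the sample lines are constructed on the pattern of the ones quoted, with addresses from the RFC 5737 documentation ranges in place of the masked ones.

```python
"""Classify Apache combined-format access log lines into the buckets the
thread distinguishes, and list which IPs are asking for paths that do not
exist on the site.  Added example, not part of the original post."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Regex for the Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SITE_HOST = "www.uppergroove.ca"                # the site's own host (from the thread)
CRAWLER_TOKENS = ("Googlebot", "Yahoo! Slurp")  # UA substrings of the crawlers seen
# Assumption for this example: the site serves every file from the docroot,
# so "/" is the only top-level directory that really exists.
EXISTING_DIRS = {"/"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])   # "-" on 304s
    return rec


def top_dir(path):
    """'/icons/x.gif' -> '/icons/', '/style.css' -> '/' (query string ignored)."""
    parts = path.split("?", 1)[0].split("/")
    return "/" if len(parts) <= 2 else "/" + parts[1] + "/"


def classify(rec, site_host=SITE_HOST, existing_dirs=EXISTING_DIRS):
    """Bucket one parsed record into the categories the thread distinguishes."""
    ua, ref, path = rec["ua"], rec["referer"], rec["path"]
    if any(tok in ua for tok in CRAWLER_TOKENS):
        return "crawler"                 # Googlebot / Slurp fetching robots.txt etc.
    if top_dir(path) not in existing_dirs:
        return "unknown-path"            # e.g. an /icons/ directory the site lacks
    ref_host = urlsplit(ref).hostname if ref != "-" else None
    if ref_host == site_host:
        return "own-site-asset"          # CSS/images pulled by one of our own pages
    if ref_host:
        return "external-referral"       # e.g. a download site linking to logo.gif
    if path.endswith(".xml"):
        return "pad-poll"                # download sites fetching PAD descriptors
    return "other"


def summarize(lines):
    """Count lines per category and tally, per IP, the hits on non-existent paths."""
    cats = Counter()
    unknown_by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            cats["unparsed"] += 1
            continue
        cat = classify(rec)
        cats[cat] += 1
        if cat == "unknown-path":
            unknown_by_ip[rec["ip"]] += 1
    return cats, unknown_by_ip


# Constructed sample lines modelled on the thread's entries (documentation IPs).
SAMPLE_LOG = [
    '192.0.2.62 - - [15/Aug/2005:17:09:26 -0400] "GET /style.css HTTP/1.1" 200 1176 "http://www.uppergroove.ca/kasse3.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"',
    '198.51.100.53 - - [15/Aug/2005:17:30:45 -0400] "GET /logo.gif HTTP/1.1" 200 1717 "http://www.soft32.com/index-2-5-49-10-4.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '203.0.113.68 - - [15/Aug/2005:21:05:31 -0400] "GET /robots.txt HTTP/1.0" 200 5058 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"',
    '198.51.100.14 - - [16/Aug/2005:11:56:22 -0400] "GET /numblocks.xml HTTP/1.1" 200 5622 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '203.0.113.9 - - [16/Aug/2005:12:01:05 -0400] "GET /icons/example.gif HTTP/1.1" 404 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    categories, by_ip = summarize(SAMPLE_LOG)
    for name, n in sorted(categories.items()):
        print(f"{name:18s} {n}")
    for ip, n in by_ip.most_common():
        print(f"non-existent paths from {ip}: {n}")
```

Run it against a real log with `summarize(open("access_log"))`; the `unknown-path` tally is the one worth watching, since a burst of requests for a directory the site never had is the kind of entry that prompted the thread, while the other four buckets are the traffic Glenn already recognises as routine.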


