Strange Visitors
Sunday 21st October, 2007 15:01 Comments: 0
Apologies in advance for a very geeky post. I spotted a series of pages had been visited on my site. Ordinarily, this isn't anything too unusual, as people do tend to read backwards through my blog, but this time it pretty much started with January 2007 (one of the first links) and headed to July (classic signs of a web spider), all in the space of 4 minutes (some spiders are faster, some are slower so as not to affect the performance of rubbish or overloaded web servers):
1:00 pm July 2007 Read
Computer: 61.156.238.217 (61.156.238.217)
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
12:59 pm June 2007 Read
Computer: host-173-159-remedium.igloonet.pl (77.65.159.173)
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
12:58 pm May 2007 Read
Computer: 200.228.151.232 (200.228.151.232)
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
12:58 pm April 2007 Read
Computer: 220-135-104-31.hinet-ip.hinet.net (220.135.104.31)
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
12:58 pm March 2007 Read
Computer: ohta112203.catv.ppp.infoweb.ne.jp (218.226.213.203)
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
12:58 pm February 2007 Read
Computer: 61.156.238.217 (61.156.238.217)
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
12:56 pm January 2007 Read
Computer: host-173-159-remedium.igloonet.pl (77.65.159.173)
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
12:56 pm Read
Computer: 217.216.169.43.dyn.user.ono.com (217.216.169.43)
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
12:56 pm Read
Computer: 200.228.151.232 (200.228.151.232)
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
12:55 pm October 2007 Read
Computer: corporat190-025224157.sta.etb.net.co (190.25.224.157)
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Notice how the browser string is the same, but the source IP address is different. The pattern makes it quite obvious that it's the same person (no one else was reading the diary.php page at that time), and you even start to see hosts repeat themselves (e.g. host-173-159-remedium.igloonet.pl). But there's a different IP address, which is weird. A quick search of 77.65.159.173 using Google reveals that this IP address is associated with a few spam comment posts on websites, so this could explain the spider-like requests as it searches for places to spam. But is it a host going through something like The Onion Router (TOR) to hide its identity, or is it a clever botnet that distributes the requests amongst compromised PCs to hide itself from server logs? I don't know. Which also means I don't know how to block it.
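The pattern the post describes (one identical browser string, several different source addresses, a burst of page reads inside a few minutes) can be checked mechanically. The script below is an added example, not code from the original post: it parses the three-line visitor-log records shown above, groups hits by User-Agent, and flags any agent seen from several distinct IPs within a short window. The record format, the thresholds, and the same-day assumption for the timestamps are all assumptions; the first three sample hits are copied from the post, the fourth is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the post's visitor log (three lines per
# hit); the first three hits are taken from the post, the last is made up.
SAMPLE_LOG = """\
1:00 pm July 2007 Read
Computer: 61.156.238.217 (61.156.238.217)
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
12:59 pm June 2007 Read
Computer: host-173-159-remedium.igloonet.pl (77.65.159.173)
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
12:56 pm Read
Computer: 200.228.151.232 (200.228.151.232)
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
12:40 pm Read
Computer: visitor.example.invalid (192.0.2.10)
Browser: ExampleBrowser/1.0 (constructed benign visitor)
"""

# One record = time line (optional page title) + "Computer:" + "Browser:".
RECORD_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2} [ap]m)[^\n]*? Read\n"
    r"Computer: (?P<host>\S+) \((?P<ip>[\d.]+)\)\n"
    r"Browser: (?P<ua>[^\n]+)$", re.MULTILINE)

def parse_log(text):
    """Return (time, ip, host, ua) tuples; times are assumed to be same-day."""
    hits = []
    for m in RECORD_RE.finditer(text):
        t = datetime.strptime(m["time"].upper(), "%I:%M %p")
        hits.append((t, m["ip"], m["host"], m["ua"]))
    return hits

def rotating_ip_crawlers(hits, min_ips=3, window_minutes=10):
    """Map UA -> sorted IPs for agents seen from >= min_ips addresses in window."""
    by_ua = defaultdict(list)
    for t, ip, _host, ua in hits:
        by_ua[ua].append((t, ip))
    flagged = {}
    for ua, entries in by_ua.items():
        ips = {ip for _, ip in entries}
        span = max(t for t, _ in entries) - min(t for t, _ in entries)
        if len(ips) >= min_ips and span.total_seconds() <= window_minutes * 60:
            flagged[ua] = sorted(ips)
    return flagged

if __name__ == "__main__":
    print(rotating_ip_crawlers(parse_log(SAMPLE_LOG)))
```

A single shared User-Agent is weak evidence on its own (MSIE 6 on XP was the default for millions of visitors in 2007), so the flag is only useful combined with the burst timing and the sequential page order, which is why the window check is part of the rule.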