I have weird requests in my log every day from the same IP... they are all similar to this:

192.218.140.157 - - [12/Jul/2000:04:07:15 -0400] "GET /images/logo.jpg HTTP/1.0" 304 - "-" "Mozilla/3.01 (compatible )"

Most of the time this IP requests the images, and no HTML pages... I was thinking that someone was linking to my images, but it requests stuff that nobody would want to link to like top logo or the pixel graphic.

I'm just curious what it is... Any ideas? Can I track it down by this IP?

[This message has been edited by sunsmile (edited 07-14-2000).]

Unfortunately Samspade is down, so I can't do a definitive lookup, but I had a look at IP ownership (through http://ipindex.dragonstar.net/c/192/192_218.html) and came up with the following :

The closest IP address/range that I came up with was

192.218.140.0 Mitsubishi Electric Corporation (NET-MELCO-IPNET4)

Howveer, the IP *range* was not specified; which means one of three things :

1. The IP was forged by someone to get your images
2. Dynamic IPs? That is, a dial-in network from Mitsubishi?
3. Something completely different which I can't think of :D

When Samspade's back up I'll do a full search and let you know what I find.

Here is what little I can add (samspade is still down :-( )

[root@host log]# nslookup 192.218.140.157
Server: ns.cfoxhost.com
Address: 208.56.139.120

Name: ps.melco.co.jp
Address: 192.218.140.157

The domain name given here does not look like a dial-up to me. A whois lookup at http://www.nic.ad.jp/cgi-bin/whois_gate on "melco.co.jp" produces this result:

[ JPNIC database provides information on network administration. Its use is ]
[ restricted to network administration purposes. For further information, use ]
[ 'whois -h whois.nic.ad.jp help'. To suppress Japanese output, add '/e' at ]
[ the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'. ]

Domain Information:
a. [Domain Name] MELCO.CO.JP
g. [Organization] Mitsubishi Electric Corporation
j. [Address] 2-2-3, Marunouchi, Chiyoda-ku, Tokyo, 100-8310, Japan
l. [Organization Type] Corporation
m. [Administrative Contact] TA189JP
n. [Technical Contact] ST245JP
n. [Technical Contact] HS732JP
p. [Name Server] ins01.melco.co.jp
p. [Name Server] gw01.melco.co.jp
p. [Name Server] melconws.melco.co.jp
s. [Network Number] 133.229.0.0
s. [Network Number] 192.218.140.0
y. [Reply Mail] staff@melit.melco.co.jp
[State] Connected
[Registered Date]
[Connected Date]
[Last Update] 2000/03/13 11:15:02 (JST)
Fumihiro.Taniguchi@hq.melco.co.jp

So it is a subdomain of melco.co.jp (based on the domain name).

------------------
Chuck Fox
http://cfoxhost.com

Thanks to everyone who replied for your help. I still keep getting image requests from this IP. What do you think I can do about it other then renaming the images?

You could always block the IP.

Make a .htaccess file in the directory that has the image(s) in it with the following:

deny from 192.218.140.157

If it's always the same IP then that should keep it from happening. If you want to try and lower the chances of the IP changing just take a chunk off the end of the IP.

Example:

deny from 192.218.140

You want to block more, just take another chunk off. Be careful though. The more you take off, the more chances of blocking more people than you want to.

(note: I'm no expert at this stuff, I just know that works for some cases.)

------------------
Justin K.
A pessimistic person sees the glass as half empty, optimistic half full... when in fact the glass is completely full. Partially with water and partially with air.

I'm afraid to block it - what if the IP is dynamic and someone else is using it for legitimate requests...

If it is a dynamically assigned IP it should have changed by now. Also, you could use the domain name (ps.melco.co.jp) instead of the IP. I just did another nslookup and it is still the same IP and domain name. In my personal opinion, this is not a dialup it's a static IP and you can safely deny them.
Your call though! :-)

------------------
Chuck Fox
http://cfoxhost.com

Hi,

From the info you gave it looks like it is a "caching server" used by ISP's to increase speed and use less outgoing bandwidth by storing images locally for there dialup users.

You describe that your logs only shows images being loaded so I would go with that theory. We also use a caching server and ours has the same browser tag of "Mozilla/3.01 (compatible )" when fetching images.

It's probably not something you want to block or even worry about.

Usually cache servers, if this is the case here should come back once or twice within a day or two and then should stop gathering images if the user does not go back to your page.

Hope that helps!

Yeah, that would probably explain it, since the images that are being requested do not look like the type of images someone would want to steal :-)

Thanks for the info.

Melanie