08-13-2009, 10:06 AM #1 New Member
- Join Date: Aug 2009
Strange behavior of some random clients accessing website
Since this is my first topic, it begins with "I have a problem". Well, it's not that big.
I encountered strange behavior from some clients while watching the Apache access logs.
A client finds a link (page) and that page is run all night and at least half a day more. Looking at the log files, it looks like it is refreshed every 1 second, or 2 at the maximum.
Now, since my logs are rotated using cronolog on win32, I do not suspect that
access logging is not working very well or that it's out of sync or late.
Links that are run from different IPs are random.
I found this using WebDruid on Ubuntu, parsing IPs with grep and literally scrolling the log by specific IP.
The best part of all this is that the USER-AGENT presents itself legally.
Standard description for IE, Firefox.
Pages that are "refreshed" do not contain meta-refresh tags. It's unlikely that someone has some kind of AutoRefresh function installed in a browser.
This bothers me a little because these IPs are really easy to identify by watching REQUEST # from IP in WebDruid.
- mod_evasive and mod_security are not used because it's run on a Windows Server machine
- requests are OK inside the log (200 OK)
These requests could cause high server load at peak times if the client does not cache images etc. to reduce the number of requests.
And I forgot to say that links are run with no referrer: DIRECT link access.
184.108.40.206 - - [01/Aug/2009:19:05:48 +0200] "GET /croatia_ro/septembrie.php HTTP/1.1" 200 13931 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:220.127.116.11) Gecko/2009070611 Firefox/3.0.12 (.NET CLR 3.5.30729)"
18.104.22.168 - - [01/Aug/2009:19:05:49 +0200] "GET /croatia_ro/septembrie.php HTTP/1.1" 200 13952 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:22.214.171.124) Gecko/2009070611 Firefox/3.0.12 (.NET CLR 3.5.30729)"
126.96.36.199 - - [01/Aug/2009:19:05:50 +0200] "GET /croatia_ro/septembrie.php HTTP/1.1" 200 13958 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52) Gecko/2009070611 Firefox/3.0.12 (.NET CLR 3.5.30729)"
That's it for now.
08-13-2009, 06:13 PM #2 Retired Moderator
- Join Date: Feb 2005
"Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter
08-14-2009, 06:07 AM #3 New Member
- Join Date: Aug 2009
I tested the site locally. I did not encounter any problems regarding this situation inside the access logs. We tested the site on Firefox, IE, random versions. Logically, I think there is a low probability that it is a JS error, since these requests last all night (at least 8 to 10 hours).
The latest number of requests on a single IP was at least 70000 requests on (home page + subpage).
Seems to come from CZ.
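The pattern described in posts #1 and #3 (one IP, one page, no referrer, a hit every 1 to 2 seconds for hours) can be pulled out of a combined-format access log automatically instead of by scrolling per IP. The following is an added example, not code from the thread; the function name, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the format of the lines quoted in the thread.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def find_refresh_loops(lines, max_gap=2, min_hits=5):
    """Return (ip, path, hits, seconds) for each run of direct (no-referrer)
    GETs by one IP to one path whose consecutive hits are <= max_gap s apart."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or m["referer"] not in ("-", ""):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[(m["ip"], m["path"])].append(ts)
    flagged = []
    for (ip, path), stamps in seen.items():
        stamps.sort()
        start = 0
        for i in range(1, len(stamps) + 1):
            # A run ends at the end of the list or when the gap is too large.
            if i == len(stamps) or (stamps[i] - stamps[i - 1]).total_seconds() > max_gap:
                hits = i - start
                if hits >= min_hits:
                    span = int((stamps[i - 1] - stamps[start]).total_seconds())
                    flagged.append((ip, path, hits, span))
                start = i
    return sorted(flagged, key=lambda f: -f[2])

# Constructed sample: documentation-range IPs, not addresses from the thread.
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko/2009070611 Firefox/3.0.12"
def _line(ip, sec, path, ref="-"):
    return (f'{ip} - - [01/Aug/2009:19:{sec // 60:02d}:{sec % 60:02d} +0200] '
            f'"GET {path} HTTP/1.1" 200 13931 "{ref}" "{UA}"')

SAMPLE = [_line("192.0.2.10", s, "/croatia_ro/septembrie.php") for s in range(0, 20, 2)]
SAMPLE += [_line("198.51.100.7", s, "/index.php", "http://example.com/") for s in (0, 40, 95)]
SAMPLE += [_line("198.51.100.9", s, "/index.php") for s in (5, 300, 900)]

if __name__ == "__main__":
    for ip, path, hits, span in find_refresh_loops(SAMPLE):
        print(f"{ip} {path}: {hits} direct hits in {span}s")
```

On a real log, raise `min_hits` well above normal browsing (a reader reloading a page a few times) so that only sustained loops like the overnight ones are reported.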