Results 1 to 8 of 8
  1. #1
    Join Date
    Sep 2006
    Location
    Sheffield, UK
    Posts
    119

    apache access log question

    I've seen in my logs thousands of requests from the same IP address, and it looks like it's just cycling through loads of thread and post ID's on my forum

    Code:
    94.23.193.197 - - [18/Aug/2009:22:03:39 +0100] "GET /forum/viewtopic.php?f=39&p=123828 HTTP/1.0" 200 10948 "-" "-"
    94.23.193.197 - - [18/Aug/2009:22:03:40 +0100] "GET /forum/viewtopic.php?f=39&p=123827 HTTP/1.0" 200 32842 "-" "-"
    94.23.193.197 - - [18/Aug/2009:22:03:41 +0100] "GET /forum/viewtopic.php?f=39&p=123826 HTTP/1.0" 200 76362 "-" "-"
    94.23.193.197 - - [18/Aug/2009:22:03:42 +0100] "GET /forum/viewtopic.php?f=39&p=123825 HTTP/1.0" 200 10948 "-" "-"
    94.23.193.197 - - [18/Aug/2009:22:03:43 +0100] "GET /forum/viewtopic.php?f=39&p=123824 HTTP/1.0" 200 40654 "-" "-"
    94.23.193.197 - - [18/Aug/2009:22:03:44 +0100] "GET /forum/viewtopic.php?f=39&p=123823 HTTP/1.0" 200 40654 "-" "-"
    94.23.193.197 - - [18/Aug/2009:22:03:45 +0100] "GET /forum/viewtopic.php?f=39&p=123822 HTTP/1.0" 200 76362 "-" "-"
    94.23.193.197 - - [18/Aug/2009:22:03:46 +0100] "GET /forum/viewtopic.php?f=39&p=123821 HTTP/1.0" 200 76362 "-" "-"
    94.23.193.197 - - [18/Aug/2009:22:03:47 +0100] "GET /forum/viewtopic.php?f=39&p=123820 HTTP/1.0" 200 76362 "-" "-"
    94.23.193.197 - - [18/Aug/2009:22:03:48 +0100] "GET /forum/viewtopic.php?f=39&p=123819 HTTP/1.0" 200 40654 "-" "-"
    94.23.193.197 - - [18/Aug/2009:22:03:49 +0100] "GET /forum/viewtopic.php?f=39&p=123818 HTTP/1.0" 200 40654 "-" "-"
    This is happening from several IP's, all from the same address range

    inetnum: 94.23.192.0 - 94.23.255.255
    netname: OVH
    descr: OVH SAS
    descr: Dedicated Servers
    descr: http://www.ovh.com
    country: FR
    admin-c: OK217-RIPE
    tech-c: OTC2-RIPE
    status: ASSIGNED PA
    mnt-by: OVH-MNT
    source: RIPE # Filtered

    What would they be trying to do?

    I've blocked their IP, so the requests have stopped, but this is the 3rd different IP that has done this.

    Cheers,

    Matt

  2. #2
    Join Date
    Sep 2006
    Location
    Sheffield, UK
    Posts
    119
    Had another one start pretty much straight away, so I've blocked the whole 94.23.0.0/16 range from accessing my server.

  3. #3
    Join Date
    Apr 2005
    Posts
    1,711
    Probably just a guy tunneling from his OVH server to browse your forums.

  4. #4
    Join Date
    Sep 2006
    Location
    Sheffield, UK
    Posts
    119
    I'd agree, if it wasn't hitting a different thread post every second. And also accessing just under 4000 pages in just over an hour!

    Code:
    [email protected] [/etc/apf]# more /home/z22se/access-logs/z22se.co.uk | grep 94.23 | awk '{print $1}' | sort -n | uniq -c | sort -nr
       3926 94.23.193.197
        261 94.23.58.180
    It's looking like a script of some sort, as the next IP address to start getting the post pages, started 5 post counts higher than the last one IP finished on when I blocked it.

  5. #5
    Join Date
    Apr 2005
    Posts
    1,711
    Now that I look closer, this might be a forum scraper. What is forum 39 on your site?

  6. #6
    Join Date
    Aug 2009
    Posts
    38
    Definately looks like a scrapper or crawler.

  7. #7
    Join Date
    Jun 2006
    Location
    NYC
    Posts
    1,446
    Yep something scraping would be my bet. Track it down and report them to OVH abuse.
    FiberPeer.Com | | REAL DDoS Protection | Cloud Hosting | VPS | Dedicated Servers | High Bandwidth Hosting | 1Gbps-10Gbps Unmetered
    FiberPeer DDoS Mitigation | ethProxy Upgraded! | 14-Years Experience | Emergency 24/7 Support
    Visit us @ www.fiberpeer.com

  8. #8
    Join Date
    Sep 2006
    Location
    Sheffield, UK
    Posts
    119
    Quote Originally Posted by zacharooni View Post
    Now that I look closer, this might be a forum scraper. What is forum 39 on your site?
    Forum 39 is car care and detailing.

    I'll report the IP's to OVH. Thanks for all the replies

Similar Threads

  1. Apache access restriction...
    By skolagotla in forum Hosting Security and Technology
    Replies: 5
    Last Post: 03-15-2006, 07:50 PM
  2. apache access logs
    By aqi32 in forum Web Hosting
    Replies: 13
    Last Post: 11-15-2004, 07:43 PM
  3. Apache Login Access
    By FunnyFo in forum Hosting Security and Technology
    Replies: 4
    Last Post: 04-08-2003, 08:30 AM
  4. setting up ftp access with apache
    By mrlugal in forum Hosting Software and Control Panels
    Replies: 3
    Last Post: 01-05-2003, 02:39 AM
  5. Apache Access log Question
    By MGCJerry in forum Hosting Security and Technology
    Replies: 5
    Last Post: 03-07-2002, 08:22 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •