[lug] Odd web robot behavior

Chip Atkinson chip at rmpg.org
Tue Oct 15 11:45:42 MDT 2002


Check out www.arin.net and put the IPs in the whois search.  It shows a
USWest IP and some place called Web Content International.

Chip

On Tue, 15 Oct 2002, Warren Sanders wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Forgot to add this tidbit:
>
>   nmap -O 65.102.23.153
>
> Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
> Interesting ports on  (65.102.23.153):
> (The 1551 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh
> 199/tcp    open        smux
> 3128/tcp   open        squid-http
>
> Remote operating system guess: Linux Kernel 2.4.0 - 2.4.17 (X86)
> Uptime 85.020 days (since Mon Jul 22 10:42:41 2002)
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 59 seconds
>
> Warren Sanders wrote:
> > I have a family photo gallery with tons of photos.  Just noticed (live)
> > strange robotic behaviors.  I'm getting requests for images that look
> > normal but then I notice different IP addresses in the same network and
> > different OS/browsers for each IP.  My PostNuke is only reporting 1
> > guest online proving that it's just one person.  The traffic is
> > requesting one image after the other and in order... just four different
> > IPs and four different OS/Browsers:
> >
> > 65.102.23.169 - - "Mozilla/5.0 (compatible; Konqueror/2.1.2; X11)"
> > 65.102.12.225 - - "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
> > 65.102.23.161 - - "Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC)"
> > 65.102.23.153 - - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
> >
> > I can stop the web server for about 5 minutes and restart... this guy
> > continues where it left off within a few seconds!
> >
> > Anyone know about this kind of behavior?
> >
> > Cheers!
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>
> - --
> Warren Sanders
> http://MontanaLinux.Org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.0 (GNU/Linux)
>
> iD8DBQE9rFL22/99byU+bbQRAg1zAJ0e5VpwPHPh86HAGeUM/DSl+5u3SACgib2M
> pe1tID6+98+hf54tEnPU+6M=
> =Qkpi
> -----END PGP SIGNATURE-----
>
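
The pattern described in the quoted report (several addresses in one network, a different User-Agent on each, images requested one after the other in order) can be checked for in an access log. This is an added example, not part of the original thread; the Combined Log Format, the numbered image names, the /16 grouping, the thresholds and the 10.20.x.x addresses are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Combined Log Format; only the client IP, request path and User-Agent are kept.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+)[^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$')
NUM_RE = re.compile(r'(\d+)\.(?:jpe?g|png|gif)$', re.IGNORECASE)

def find_rotating_crawlers(lines, prefix_len=16, min_ips=3, min_hits=4, in_order=0.8):
    """Return networks where at least min_ips addresses with distinct
    User-Agents jointly request numbered images in ascending order."""
    by_net = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        num = NUM_RE.search(m["path"]) if m else None
        if not num:
            continue  # not a parsable request for a numbered image
        try:
            net = ipaddress.ip_network(f'{m["ip"]}/{prefix_len}', strict=False)
        except ValueError:
            continue  # client field is a hostname or malformed
        by_net[net].append((m["ip"], m["agent"], int(num.group(1))))
    findings = []
    for net, hits in by_net.items():
        ips = {ip for ip, _, _ in hits}
        agents = {ua for _, ua, _ in hits}
        seq = [n for _, _, n in hits]  # log order is arrival order
        if len(hits) < min_hits or len(ips) < min_ips or len(agents) < min_ips:
            continue
        steps = sum(1 for a, b in zip(seq, seq[1:]) if b == a + 1)
        if steps >= in_order * (len(seq) - 1):  # mostly consecutive image numbers
            findings.append({"network": str(net), "ips": sorted(ips),
                             "agents": len(agents), "requests": len(hits)})
    return findings

# Constructed sample (made-up addresses and paths): four clients in one /16
# take turns walking a gallery, plus one unrelated visitor.
CLIENTS = [("10.20.23.169", "Mozilla/5.0 (compatible; Konqueror/2.1.2; X11)"),
           ("10.20.12.225", "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"),
           ("10.20.23.161", "Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC)"),
           ("10.20.23.153", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)")]
SAMPLE_LOG = [f'{ip} - - [15/Oct/2002:11:00:{i:02d} -0600] "GET /gallery/img_{101 + i:04d}.jpg '
              f'HTTP/1.0" 200 4821 "-" "{ua}"' for i, (ip, ua) in enumerate(CLIENTS * 2)]
SAMPLE_LOG.append('192.0.2.44 - - [15/Oct/2002:11:00:09 -0600] "GET /gallery/img_0007.jpg '
                  'HTTP/1.1" 200 4821 "http://example.org/gallery/" "Mozilla/5.0 (X11; Linux i686)"')

if __name__ == "__main__":
    print(*find_rotating_crawlers(SAMPLE_LOG), sep="\n")
```

Grouping by /24 instead would split this cluster and hide the in-order walk, which matters for the addresses in the report: one of the four sits in 65.102.12.x while the others are in 65.102.23.x.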



