Flutterby™! : weirdness


weirdness

2006-09-08 19:26:19.054231+00 by Dan Lyke 5 comments

Anyone have a clue why 208.53.147.137 would be trying to load the various highest database resource and bandwidth using pages from my server with assorted different client specs (i.e., quite a few claims of different versions of Mozilla with various different plug-ins, although always "Windows NT 5.1", and several claims of Opera), and no referrer?

[ related topics: Microsoft Open Source Databases ]

comments in ascending chronological order:

#Comment Re: made: 2006-09-08 19:52:54.235647+00 by: meuon

It's apparently a misconfigured, hacked or evil boxen at FDC Servers.

It could be a proxy, bloggerspam or other funky server stealing all your wonderful content to go on its advert driven search index manipulating clone site, or to be included into e-mails linking to viagra/porn sites.

#Comment Re: made: 2006-09-08 20:26:37.992479+00 by: flushy

It looks like a company's firewall. Maybe their own spider? Or an intelligent web cache solution that's gone not-so-intelligent?

%rwhois V-1.5:003eff:00 rwhois.fdcservers.net (by Network Solutions, Inc. V-1.5.9.4)
network:Auth-Area:208.53.128.0/18
network:Class-Name:network
network:OrgName:PIXELFXSOLUTION
network:OrgID;I:PIXELFXSOLUTION
network:Address:96 Blandford Road
network:City:Beckenham
network:NetRange:208.53.147.0 - 208.53.147.255
network:CIDR:208.53.147.0/24
network:NetName:PIXELFXSOLUTION-208.53.147.0
network:OrgAbuseHandle:ABUSE-PIXELFXSOLUTION
network:OrgAbuseName:ABUSE department
network:OrgAbuseEmail:sales@pixelfxsolution.com
network:OrgNOCHandle:NOC1402-ARIN
network:OrgNOCName:Network Operations Center
network:OrgNOCPhone:+1-312-913-9304
network:OrgNOCEmail:support@fdcservers.net
network:OrgTechHandle:PKR5-ARIN
network:OrgTechName:Petr Kral
network:OrgTechPhone:+1-312-933-1046
network:OrgTechEmail:petr@fdcservers.net
network:RegDate:20060727
network:Updated:20060727

#Comment Re: made: 2006-09-08 23:53:10.795546+00 by: Dan Lyke

I've run a tail -f on my logs and left it running in a side window, and seen some interesting stuff. Like...

209.85.54.131 - - [08/Sep/2006:16:50:44 -0700] "GET /archives/comments/8208.html HTTP/1.1" 200 4010 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
209.85.54.145 - - [08/Sep/2006:16:50:44 -0700] "GET /archives/comments/8208.html HTTP/1.1" 200 4010 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
209.85.54.143 - - [08/Sep/2006:16:50:44 -0700] "GET /archives/comments/8208.html HTTP/1.1" 200 4010 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
209.85.54.130 - - [08/Sep/2006:16:50:44 -0700] "GET /archives/comments/8208.html HTTP/1.1" 200 4010 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
209.85.54.134 - - [08/Sep/2006:16:50:44 -0700] "GET /archives/comments/8208.html HTTP/1.1" 200 4010 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
209.85.54.136 - - [08/Sep/2006:16:50:44 -0700] "GET /archives/comments/8208.html HTTP/1.1" 200 4010 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
209.85.54.144 - - [08/Sep/2006:16:50:44 -0700] "GET /archives/comments/8208.html HTTP/1.1" 200 4010 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
209.85.54.143 - - [08/Sep/2006:16:50:46 -0700] "GET /archives/comments/8208.html HTTP/1.1" 200 4010 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
209.85.54.137 - - [08/Sep/2006:16:50:46 -0700] "GET /archives/comments/8208.html HTTP/1.1" 200 4010 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

9 simultaneous requests for the same document from separate IPs. WTF, hey?
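An added example, not part of the original thread: the two patterns described here (one address claiming many different user agents with no referrer, and several addresses in one /24 requesting the same document at the same moment) can be flagged from a combined-format access log as follows. The function names, thresholds and sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Apache "combined" format, as in the log lines quoted above (IPv4 clients assumed).
LINE_RE = re.compile(
    r'(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines in any other format are skipped
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield e

def rotating_agents(entries, min_agents=3):
    """IPs sending no referrer while claiming >= min_agents distinct user agents."""
    agents = defaultdict(set)
    for e in entries:
        if e["referer"] in ("", "-"):
            agents[e["ip"]].add(e["agent"])
    return {ip: len(a) for ip, a in agents.items() if len(a) >= min_agents}

def subnet_bursts(entries, window=timedelta(seconds=5), min_ips=5):
    """(/24, path) pairs fetched by >= min_ips distinct addresses inside one window."""
    groups = defaultdict(list)
    for e in entries:
        net = str(ip_network(e["ip"] + "/24", strict=False))
        groups[(net, e["path"])].append((e["ts"], e["ip"]))
    hits = {}
    for key, reqs in groups.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # slide the window over sorted requests
            ips = {ip for ts, ip in reqs[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                hits[key] = max(hits.get(key, 0), len(ips))
    return hits

# Constructed sample using documentation address ranges, not lines from the page.
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.0.%d)"
SAMPLE = [f'192.0.2.7 - - [08/Sep/2006:12:00:{i:02d} -0700] "GET /search?q={i} HTTP/1.1" '
          f'200 512 "-" "{UA % i}"' for i in range(4)]
SAMPLE += [f'198.51.100.{n} - - [08/Sep/2006:16:50:44 -0700] "GET /archives/x.html HTTP/1.1" '
           f'200 4010 "-" "Mozilla/4.0 (compatible; MSIE 5.01)"' for n in range(130, 137)]
SAMPLE += ['203.0.113.9 - - [08/Sep/2006:16:51:00 -0700] "GET / HTTP/1.1" 200 900 '
           '"http://example.org/" "Opera/9.0"']
ENTRIES = list(parse(SAMPLE))
```

On the constructed sample, `rotating_agents(ENTRIES)` flags 192.0.2.7 and `subnet_bursts(ENTRIES)` flags the 198.51.100.0/24 burst; the single request that carries a referrer is ignored by both checks.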

#Comment Re: made: 2006-09-09 02:18:46.044644+00 by: meuon

Something called 'Assista' has a website at several of the IPs above. They don't seem to be hitting my server from that block of addresses. Want some of their codebase? /scripts and other dirs are wide open for playing with..

And for more of a clue as to what they are up to, http://search.assista.com is a glimpse. Seems they are trying to come up with a better search interface. I've broken it a few times already, the sentence/word completion code is basic AJAX. They don't know what a 'meuon' is, yet. :)

They call it a 'subject search engine'.

#Comment Time to add some redirects... made: 2006-09-12 00:26:39.560693+00 by: nkane

Redirect any request from that IP range to goatse or something similar.