Geek Culture / Advice from fellow webmasters/developers about possible malicious user

Nicholas Thompson
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 10th Sep 2006 20:19
On one of the websites I work with (www.sportbusiness.com), I've noticed that the stats are showing 1 particular user regularly hitting the site. In fact, in the last week (the first week the site's been tracking stats on its nice new server), they've hit the site over 150,000 times (about 20,000 times a day)... Their domain name is:
u15186985.onlinehome-server.com

Does anyone else recognise that? onlinehome-server.com seems to be part of 1and1.com - but might be a single user trying to rip our site's content?!

Blocking will be easy via .htaccess (maybe redirect him to barbie.com) but I don't want to do that if it's a legit user maybe doing something for search engines (google in disguise?!). Has anyone else seen that user in their logs? They appear quite a lot in logs found by a google search... but they aren't picked up as a robot.

Any advice or thoughts? I've emailed 1and1.com but they haven't bothered to reply.

dab
Joined: 22nd Sep 2004
Location: Your Temp Folder!
Posted: 11th Sep 2006 09:22
I don't know. Probably just re-direct, and if you get complaints, then ask questions, then allow. But, I think barbie.com would be funny.
Nicholas Thompson
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 11th Sep 2006 11:10
The barbie.com thing is actually what Rich does to banned users on this forum.

Ideally I'd rather know exactly what I'm blocking before I block it.

Cash Curtis II
Joined: 8th Apr 2005
Location: Corpus Christi Texas
Posted: 11th Sep 2006 11:37
Google looks like this for me...

Quote: "http://64.233.183.104/search
http://66.249.93.104/translate_c"


I have a few of these though...
Quote: "http://www.singingfish.com/"

and it looks like they're trying to rip content. That's fine for me though, they can rip all they want. Although... I should probably put my name and website in the videos.

I'd say just block those guys. 20,000 hits a day is just absurd.


Come see the WIP!
Nicholas Thompson
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 11th Sep 2006 11:55
Quote: "and it looks like they're trying to rip content. That's fine for me though, they can rip all they want."


You'd better hope that google is certain you had the content first, otherwise you'll end up in the sandbox and you'll disappear off their listings altogether.

I've also noticed google appearing as an IP rather than a resolved address. That's fine - I've got to know them. Plus a quick IPWHOIS will tell me who owns the IP!

20,000 hits a day is a lot - however if they're providing some kind of indexing service on the site - or maybe they're some kind of news aggregator, then I really don't want to block them. However, if they are scraping content then I need to block them asap!

adr
Joined: 21st May 2003
Location: Job Centre
Posted: 11th Sep 2006 14:56
If you sent an email to abuse~1and1.com (intentionally not putting an @ sign there - damn you email harvesters!) then aren't they obliged to deal with it? If they don't reply, give 'em a call on 0870 24 11 247. Someone from their network is costing your business money. Plain and simple. They need to sort it out....

But you see, I have the will of the warrior. Therefore, the battle is already over. The winner? Me!
Nicholas Thompson
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 11th Sep 2006 22:04
Quote: "Someone from their network is costing your business money. Plain and simple. They need to sort it out...."

That's true...

I did actually email their info one last week - but haven't had a reply. I didn't want to email abuse in case it was legit.

Tinkergirl
Joined: 1st Jul 2003
Location: United Kingdom
Posted: 11th Sep 2006 22:09
Maybe I'm being a bit thick, but what legitimate purpose requires 20,000 hits a day? I mean, even if it were a search engine, surely they'd hit once or twice and be done with it - and not need to keep coming back and back and back?
I'd be tempted to ban it until you find out, or are contacted. (You know, guilty until proven innocent)

Peter H
Joined: 20th Feb 2004
Location: Witness Protection Program
Posted: 11th Sep 2006 22:17
Quote: "The barbie.com thing is actually what Rich does to banned users on this forum."



So I guess I'll know if I get banned

"We make the worst games in the universe..."
Jeku
Moderator
Joined: 4th Jul 2003
Location: Vancouver, British Columbia, Canada
Posted: 11th Sep 2006 22:26
Quote: "The barbie.com thing is actually what Rich does to banned users on this forum."


Actually that was only used once or twice in extreme cases.

Nicholas Thompson
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 11th Sep 2006 23:10
I think 20,000 hits a day is an extreme case!

Currently I don't mind - it's not putting a huge load on the server and it's not pushing us past our bandwidth limits, however I find it interesting that such a diverse community like this has never heard of it (along with google having relatively little info).

I might take the advice and phone 1and1 tomorrow and ask them to look into it.

Matt Rock
Joined: 5th Mar 2005
Location: Binghamton NY USA
Posted: 13th Sep 2006 09:30
Maybe it's just someone who REALLY likes your website


"In an interstellar burst, I'm back to save the universe"
indi
Joined: 26th Aug 2002
Location: Earth, Brisbane, Australia
Posted: 13th Sep 2006 12:06 Edited at: 13th Sep 2006 12:06
whois.net returns this result



Give andreas a call at 3AM when you're stinkin' mad with a bottle of vodka, some redbull and a fist full of jellybabies or Starbursts.
Ok change that, make it 449AM.


I tried to nmap stealth scan but it was not up at the time I gave it a go.

Nicholas Thompson
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 13th Sep 2006 16:47
The last time it visited was at 3:47am BST... but I've seen it come at midday, 7pm and many other times... Seems random!

What is nmap?

adr
Joined: 21st May 2003
Location: Job Centre
Posted: 13th Sep 2006 19:54
nmap (as used by Trinity in one of the Matrix films) scans an IP for open ports

But you see, I have the will of the warrior. Therefore, the battle is already over. The winner? Me!
Alquerian
Joined: 29th Mar 2006
Location: Reno Nevada
Posted: 13th Sep 2006 20:22 Edited at: 13th Sep 2006 20:28
nmap is a network map utility brought to the fore by Fyodor (German, I think? His accent was hard to distinguish), who was nice enough to grace me with his presence at the Defcon before last. It is a useful tool for finding open ports and their associated uses by allowing users to adjust the types of scans involved. You can not only check open ports, you can check remote software types in some instances, and operating systems which are being utilized at said ip/port. It is handy for pro-active security measures and others like to use it to scope out information about other people's machines (A word of advice, don't go nmapping random sites on the internet like NASA or the FAA)

@NT, I am a hosting provider and I host 40 or 50 domains. I have had bots from all sorts of search engines and sites for 5 years now and I have NEVER encountered hits like that from a legitimate source. It really sounds like someone is looking for an exploit somewhere in the server or they wrote some software which went haywire. I wouldn't suggest allowing them access. People don't accidentally hit a site 20,000 times in a day, nor could they do it intentionally without software. If they are using software, chances are they know they are doing it, and if they know they are doing it, they must have a reason and the reason is NOT harvesting information. A single pass is all a bot or info-harvester needs. Just my 2 denari

"We are what we repeatedly do. Excellence, therefore, is not an act, but a habit." - Aristotle
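
Added example (not part of any post in this thread): one way to check from the access log whether a heavy client behaves like a single-pass crawler or keeps re-fetching the same pages, the distinction raised in the replies above. It assumes Apache's combined log format; the host names, log lines and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" \d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

def profile_clients(lines):
    """Aggregate hits per (host, day); malformed lines are skipped."""
    stats = defaultdict(lambda: {"hits": 0, "paths": Counter(), "agents": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[(m["host"], m["day"])]
        s["hits"] += 1
        s["paths"][m["path"]] += 1
        s["agents"].add(m["agent"])
    return stats

def flag_heavy_hitters(stats, min_hits, max_refetch=3.0):
    """List clients at or above min_hits, busiest first, with a behaviour verdict."""
    report = []
    for (host, day), s in stats.items():
        if s["hits"] < min_hits:
            continue
        refetch = s["hits"] / len(s["paths"])  # average requests per distinct URL
        report.append({
            "host": host, "day": day, "hits": s["hits"],
            "distinct_paths": len(s["paths"]),
            "read_robots_txt": "/robots.txt" in s["paths"],
            "verdict": "repeat-fetching" if refetch > max_refetch else "single-pass",
        })
    return sorted(report, key=lambda r: r["hits"], reverse=True)

def build_sample():
    """Constructed log lines for two hypothetical clients plus one malformed line."""
    fmt = '{h} - - [10/Sep/2006:{t} +0100] "GET {p} HTTP/1.1" 200 512 "-" "{a}"'
    crawl = ["/robots.txt", "/", "/news/1", "/news/2", "/news/3", "/about"]
    lines = [fmt.format(h="crawler.example.org", t=f"03:00:{i:02d}", p=p, a="ExampleBot/1.0")
             for i, p in enumerate(crawl)]
    lines += [fmt.format(h="heavy.example.net", t=f"04:00:{i:02d}", p=f"/news/{i % 2}",
                         a="Mozilla/4.0") for i in range(12)]
    return lines + ["not a log line"]

if __name__ == "__main__":
    for row in flag_heavy_hitters(profile_clients(build_sample()), min_hits=5):
        print(row)
```

The verdict only describes request behaviour; who operates the host still has to come from WHOIS or the hosting provider, as discussed in the thread.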
Nicholas Thompson
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 14th Sep 2006 00:06 Edited at: 14th Sep 2006 00:07
Well the server is online now and I've learned that it also has Windows Remote Desktop fully "public" (albeit password protected).

That nmap is pretty useful!

I know people don't accidentally hit the site 20,000 times a day, however that only leaves intentional hitting which is either some kind of DoS, or possibly genuine (possibly crawling the site to index it).

The site recently was completely relaunched, hence me wondering if something decided to do a complete crawl... Thing is, this address alone has done over 2 times more than every search engine bot known...

I wonder how easy the remote desktop password is to guess...

EDIT: I am not endorsing hacking! It's meant as a light-hearted joke at the onlinehome-server.com person...

dab
Joined: 22nd Sep 2004
Location: Your Temp Folder!
Posted: 14th Sep 2006 17:45
onlinehome-server.com
Comes up as 1&1.com?!!
Nicholas Thompson
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 14th Sep 2006 18:17
Yup - but I can do that with any domain. Simply set the A Record to point at a server (or maybe set it as a CNAME... Not sure).

The address I'm interested in is the u151...blah... one I mentioned above (check the first post).
