Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
Pages: 1
Persistent user/bot in logs?
Trawling through the logs for one of my sites I spotted a page access very regularly. Too regularly for my liking: the same page over and over about once every hour or so. Every time it’s a different IP and Host. I don’t think it’s the usual search bots because it’s not whole chunks of the site at once, just one specific page.
Example entries:
06 Jun 2007 10:46:01 82.226.199.87 pai34-2-82-226-199-87.fbx.proxad.net 06 Jun 2007 09:21:15 220.255.4.135 220.255.4.135 06 Jun 2007 07:54:38 213.252.229.113 213.252.229.113 06 Jun 2007 07:48:52 201.228.68.142 201.228.68.142 06 Jun 2007 06:28:03 69.145.65.138 host-69-145-65-138.bzm-mt.client.bresnan.net 06 Jun 2007 05:03:09 210.87.251.107 tmhaos04b.imsbiz.com 06 Jun 2007 04:37:29 70.50.193.110 bas1-toronto47-1177731438.dsl.bell.ca ...
I Googled a selection of the IPs and a lot of them are listed by ProjectHoneypot as comment spammers. But I’m not receiving comment spam.
That page happens to have a link to an mp3 on it and as far as I can tell, this person/thing is spidering it every page access. My file download count for that one tune is over 1500 accesses and it’s load-balanced across a few servers so the chances are it’s many times that in reality (I’d be truly flattered if it was real people!). My bandwidth usage is over 1Gb since the start of the month… 6 days ago.
Out of morbid curiosity, I tried clicking the mp3 link manually from the page and – though I get a page impression in the log with no referrer – it differs from “his” in only one way as far as I can tell: mine is a GET and his is a POST. So I dug further and looked at my hoster’s awstats. There it says the referer for every one of these page accesses is my contact page on the same site. Ug?
So, the questions:
- What could be causing it? Someone linking to my page from somewhere else via a POST request, hence the changing IPs? One person/bot faking IPs and trying to eat all my bandwidth up? Or could it be legit and I’m famous at last :-)
- Is someone bypassing zem_contact_reborn and pap_contact_cleaner and somehow POSTing a message that my tunes page is receiving? I’m not getting any e-mails through so it’s not spam in the conventional sense, unless someone’s using my site as a spam relay.
- Anything I can do about it, perhaps blocking POST requests to that page somehow with .htaccess while I figure out what’s really going on and check my site security?
I like to think of myself as quite devious but I can’t figure out how (or why) this is being done. Many thanks for any insight/pointers.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: Persistent user/bot in logs?
If you want to block post requests, perhaps you can modify this WP htaccess for blocking POST requests. To prevent the page from displaying to POST requests, you can throw something like this in your template:
<txp:if_article_id id="XX">
<txp:php>
if ($_POST) {
die();
}
</txp:php>
</txp:if_article_id>No idea what’s going on though.
Last edited by jm (2007-06-14 21:37:43)
Offline
Re: Persistent user/bot in logs?
Thanks jm, I’ll add that. Knew there had to be a way somehow.
No idea what’s going on though.
Me neither. My ISP’s best guess is that my tune is truly that popular but someone is hotlinking via a POST request on their site. Can’t see it msyelf, but I tightened the hotlinking protection on that domain even further and I’ll monitor it for a while. Weird.
Last edited by Bloke (2007-06-14 21:58:38)
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Pages: 1