I've been paying more attention to the stats on my various sites lately, and noticed a few things that concern me. Here's a screenshot. What I'm referring to specifically is a) the cursors-4u.com which is hitting the site sometimes 50 times a day, single page. I'm assuming this is an attempt at referral spam? b) the 208.66.195.* IP from Russia that is hitting ~40 pages a few times a day. This one bothers me more. Would it be a good idea to block these IPs?
These stats actually do in NO way say clearly whether these hits are from ONE PC or from several using the same IP, like using ONE ISP. Such extremely LOW numbers I never would worry about; look at your numbers again when you get many hundreds or better thousands of hits per day from a single IP. Best is to have a "who is online" tool installed that allows you to live monitor what is going on on your web site. Your host surely offers much larger bandwidth, to leave your mind free for productivity rather than for worries. Be happy to have any traffic at all; later, when you get 100+k hits per day, you may filter the thousands of obsolete hits. Before taking any action against an IP, look who that IP is, associated with an ISP, host or what, then make a decision based on facts rather than on panic and fear.
IP range 208.66.195.* belongs to a U.S. company called McColo Corporation, and you can find an interesting WMW thread by doing a Google search. From what I have read, it's a spambot.
Hmm, yes, that was definitely interesting. I found a few other good pages referring to that, including a thread on DP from a month ago. Definitely an email harvester. That one's getting blocked for sure.
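The advice in the thread is to count hits per address and per referrer and to look at the range before deciding to block. The following script is an added example (not from any poster, and not a real log from these sites): it parses a constructed sample of combined-format access log lines, tallies hits and distinct pages per IP and hits per referrer host, and flags anything inside the 208.66.195.0/24 range named above or carrying the cursors-4u.com referrer. The sample addresses, timestamps and paths are made up; the listed range and referrer come from the thread. Ownership of the range (the whois lookup the second reply recommends) still has to be checked separately.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log lines (combined log format); not real traffic from the thread.
SAMPLE_LOG = """\
208.66.195.10 - - [05/Dec/2006:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
208.66.195.10 - - [05/Dec/2006:10:01:03 +0000] "GET /contact.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
208.66.195.10 - - [05/Dec/2006:10:01:04 +0000] "GET /about.html HTTP/1.1" 200 3000 "-" "Mozilla/4.0"
66.249.66.1 - - [05/Dec/2006:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
10.0.0.7 - - [05/Dec/2006:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://www.cursors-4u.com/" "Mozilla/5.0"
10.0.0.7 - - [05/Dec/2006:11:00:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://www.cursors-4u.com/" "Mozilla/5.0"
192.168.1.20 - - [05/Dec/2006:12:00:00 +0000] "GET /blog/post1.html HTTP/1.1" 200 7000 "http://www.google.com/search?q=x" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Values taken from the thread; extend these lists with whatever your own stats show.
SUSPECT_NETWORKS = [ipaddress.ip_network("208.66.195.0/24")]
SUSPECT_REFERRERS = {"cursors-4u.com"}


def parse_log(text):
    """Return one dict per parseable log line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def referrer_host(ref):
    """Reduce a referrer URL to its host, dropping a leading 'www.'; None if empty."""
    if not ref or ref == "-":
        return None
    host = ref.split("//", 1)[-1].split("/", 1)[0].lower()
    return host[4:] if host.startswith("www.") else host


def summarize(entries):
    """Hits per IP, distinct pages per IP, and hits per referrer host."""
    hits = Counter(e["ip"] for e in entries)
    pages = defaultdict(set)
    for e in entries:
        pages[e["ip"]].add(e["path"])
    refs = Counter(h for h in (referrer_host(e["referrer"]) for e in entries) if h)
    return hits, {ip: len(p) for ip, p in pages.items()}, refs


def flag(entries):
    """Return (flagged_ips, flagged_referrers) based on the suspect lists above."""
    hits, distinct_pages, refs = summarize(entries)
    flagged_ips = {}
    for ip, n in hits.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in SUSPECT_NETWORKS):
            flagged_ips[ip] = {"hits": n, "distinct_pages": distinct_pages[ip]}
    flagged_refs = {h: n for h, n in refs.items() if h in SUSPECT_REFERRERS}
    return flagged_ips, flagged_refs


if __name__ == "__main__":
    ips, refs = flag(parse_log(SAMPLE_LOG))
    for ip, info in ips.items():
        print(f"{ip}: {info['hits']} hits over {info['distinct_pages']} distinct pages (listed range)")
    for host, n in refs.items():
        print(f"referrer {host}: {n} hits (listed referrer)")
```

Reading a real log is a matter of replacing `SAMPLE_LOG` with the file contents. A high hit count spread over many distinct pages, as with the 208.66.195.* crawl described in the thread, looks like a crawler; a high count of the same single page with one referrer looks like referrer spam.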
I am running a piece of software called TCPView on my Windows XP machine which shows tons of connections to the IP mentioned. I am very concerned that this reflects inimical software that may be transmitting information from my PC: passwords, hole cards in poker, etc. I just wrote to McColo; in the meantime, on Windows how would one disable these connections? TIA, Abe
From the sounds of it, your PC is being used as a zombie machine, probably to collect or spit out spam. I highly doubt that company will respond or admit it's their doing, if it is them. I would suggest downloading anti-spyware software and running some scans; do this in Safe Mode. Also use the command prompt and run 'netstat', which will show your current connections to the net.
Yes, apparently this is some well-known virus. The details of removal seem to involve removing a key from the registry, pe386, which I cannot find. I think the virus is Rustock; here is a link: http://www.offensivecomputing.net/?q=node/238 Yes, McColo has not bothered to respond and may thus be in on it. I will, however, not forget them. Finally, I note that by stopping the services.exe process which had the connection to the McColo IP, I eliminate the other periodic connections.
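The second half of the thread turns on reading `netstat` output to see which process holds the connections to the listed range. As an added example (not posted by anyone in the thread), the script below parses a constructed sample of Windows `netstat -ano` output, groups the connections by owning PID, and reports every connection whose foreign address falls inside 208.66.195.0/24, plus any outbound connection to TCP port 25, since a desktop machine talking SMTP directly to arbitrary hosts is the usual sign of the spam relay the thread describes. The sample addresses, ports and PIDs are made up; the range is the one named in the thread.

```python
import ipaddress

# Constructed sample of `netstat -ano` output on Windows; not captured from a real machine.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1042       208.66.195.10:25       ESTABLISHED     1120
  TCP    192.168.1.5:1043       208.66.195.11:25       SYN_SENT        1120
  TCP    192.168.1.5:1044       64.233.167.99:25       ESTABLISHED     1120
  TCP    192.168.1.5:1050       64.233.167.99:80       ESTABLISHED     2204
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:500            *:*                                    700
"""

# Range named in the thread; add others as they turn up in whois or logs.
SUSPECT_NETWORKS = [ipaddress.ip_network("208.66.195.0/24")]
SMTP_PORT = 25


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4, or '[v6]:port') into (ip_address, port); None for '*:*'."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or host in ("*", "") or port == "*":
        return None
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host), int(port)
    except ValueError:
        return None


def parse_netstat(text):
    """Return a list of connection dicts for the TCP/UDP rows of netstat -ano output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so the PID is always the last field.
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": parts[-1]})
    return rows


def suspicious_connections(rows):
    """Map PID -> list of (foreign endpoint, state, reason) for connections worth a look."""
    findings = {}
    for r in rows:
        parsed = split_endpoint(r["foreign"])
        if parsed is None:
            continue
        addr, port = parsed
        reasons = []
        if any(addr in net for net in SUSPECT_NETWORKS):
            reasons.append("foreign address in listed range")
        if r["proto"] == "TCP" and port == SMTP_PORT and not addr.is_unspecified:
            reasons.append("outbound SMTP from a workstation")
        if reasons:
            findings.setdefault(r["pid"], []).append((r["foreign"], r["state"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for pid, conns in suspicious_connections(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"PID {pid}:")
        for foreign, state, reason in conns:
            print(f"  {foreign:24} {state:12} {reason}")
```

On a live machine, pipe the real output in (`netstat -ano > conns.txt` and read the file), then look up each reported PID with `tasklist` to see which executable owns it. A system process such as services.exe holding SMTP connections to a range you have never heard of, as in the last post, is exactly the pattern this check is meant to surface; the process name alone proves nothing, since malware commonly runs inside a legitimate host process.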