Someone keeps accessing only index, i don't understand why

Discussion in 'Traffic Analysis' started by flamey, Jan 13, 2010.

  1. #1
    A month ago I noticed a hike in hits on my forum, from 1500-2000 a day to 8000-10000+. Without any visible change in hosts, registrations or activity on the forum. After looking through the counter stats, and raw access logs, it looks like one single IP keeps knocking into the forum's root - http://forum.xxxxxxx.org

    here's a typical raw access log line:
    85.xxx.xxx.xxx - - [12/Jan/2010:16:23:30 -0500] "GET /?sid=580eccd99d3830f0b109d1d797b4742d HTTP/1.1" 200 26067 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
    I pulled all lines for this IP from raw access log to see what resources are being accessed (this is for half day log):
    
    4332    /
    4       /viewforum.php
    4       /favicon.ico
    4       /images/rss-feed-10x10.png
    4       /viewtopic.php
    3       /templates/NoseBleed/NoseBleed.css
    3       /templates/NoseBleed/NoseBleed.js
    2       /templates/NoseBleed/translit2.js
    2       /templates/NoseBleed/sel2reply.js
    2       /templates/NoseBleed/show_layer.js
    1       /viewonline.php
    1       /login.php
    1       /index.php
    
    Thus, a single "user" (a script, I assume) just keeps accessing the root, where there is just a list of forum sections, no other content.

    As I understand it, it's too few hits for a typical DDoS attack, even though at some point phpBB2 (updated to the latest version) was giving up with an error about too many DB connections - I saw it once myself, even though no one has complained yet. They're not accessing login.php, so it's not brute-force password tries. And viewtopic.php isn't accessed, so it's not content stealing.

    So what's going on? What could they possibly want, and how would I fight it?


    I did block the IP once, but the next day it resumed with a different IP from a different country. Though, I blocked it again last night, and it seems to have stopped for now.
     
    flamey, Jan 13, 2010
  2. khirad

    #2
    they will change IP n attack again
     
    khirad, Jan 16, 2010
  3. wilderness

    #3
    Hopefully your visitor doesn't read this forum or locate this thread through some form of ESP ;)

    # deny blank referrer only IF UA contains Opera or Presto
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} ^$
    RewriteCond %{HTTP_USER_AGENT} (Opera|Presto)
    RewriteRule .* - [F]

    (please note; a denial of access will not prevent the requests from appearing in your raw logs, however the 403 will show).
     
    wilderness, Jan 19, 2010
  4. wgcom

    #4
    would you mind explaining why those two only?
    browser bug?
     
    wgcom, Jan 21, 2010
  5. wilderness

    #5
    Those terms were included in flamey's UA line.

    "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"

    You may add/include as many different terms within the parentheses and separated by the or pipe-character (|) as you desire, however you may want to add the no-case flag [NC] at the end of the line.

    This is simply an example of multi-condition rewrites. There are endless possibilities configurable for individual needs.

    In addition it should be clarified that the example I provided ONLY denies UAs with either of those terms included and REQUIRES the Referer to be blank.
     
    wilderness, Jan 21, 2010
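
The per-IP tally from post #1 and the two-condition rule from post #3, reproduced offline as an added example (not code from the thread or its posters). It flags clients whose requests are almost all for `/` and lists which clients the rule would answer with 403; the thresholds, function names and sample log lines are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit
# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                     r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
UA_RE = re.compile(r"(Opera|Presto)")  # same pattern as the RewriteCond in post #3

def parse(line):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # skip lines that are not in combined format
    # Drop the query string (?sid=...) so hits group by resource.
    return {**m.groupdict(), "path": urlsplit(m["target"]).path or "/"}

def tally_by_ip(lines):
    """Per-IP Counter of requested paths, the breakdown shown in post #1."""
    out = defaultdict(Counter)
    for rec in filter(None, map(parse, lines)):
        out[rec["ip"]][rec["path"]] += 1
    return out

def root_hammerers(lines, min_hits=5, min_share=0.9):
    """IPs with >= min_hits requests, >= min_share of them for '/' (assumed thresholds)."""
    flagged = {}
    for ip, paths in tally_by_ip(lines).items():
        total = sum(paths.values())
        if total >= min_hits and paths["/"] / total >= min_share:
            flagged[ip] = (paths["/"], total)
    return flagged

def rule_would_deny(rec):
    """Post #3 rule: blank Referer (logged as "-") AND UA matching Opera|Presto."""
    return rec["referer"] in ("", "-") and UA_RE.search(rec["ua"]) is not None

def denied_ips(lines):
    return {r["ip"] for r in filter(None, map(parse, lines)) if rule_would_deny(r)}

# Constructed sample data (documentation IP ranges, made-up host and session ids).
OPERA = "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
def _line(ip, target, referer, ua):
    return (f'{ip} - - [12/Jan/2010:16:23:30 -0500] "GET {target} HTTP/1.1" '
            f'200 26067 "{referer}" "{ua}"')
SAMPLE = [_line("192.0.2.10", f"/?sid={i:032x}", "-", OPERA) for i in range(9)] + [
    _line("192.0.2.10", "/favicon.ico", "-", OPERA),
    _line("198.51.100.7", "/", "-", OPERA),  # ordinary Opera user opening a bookmark
    _line("198.51.100.7", "/viewtopic.php?t=5", "http://forum.example.org/", OPERA),
    _line("203.0.113.4", "/", "-", "Mozilla/5.0 (Windows NT 5.1) Gecko Firefox/3.5"),
]
```

On the sample, `root_hammerers` flags only 192.0.2.10, while `denied_ips` also includes 198.51.100.7: an Opera visitor arriving without a referrer matches the same two conditions, so the 403 count in the logs will include such visitors.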