Today, for the first time ever, I am seeing a lot of 'missed' image hits. Someone hits a page, and that page tries to load an image file that does not exist and, as far as I can tell, is not in the page source at all. All of the misses are for image files with the following location format:
/mydomain.com/3237/9443/16_32_51_9892768.jpg
/mydomain.com/2839/8583/09_30_39_9161977.gif
/mydomain.com/3231/7423/11_42_17_3242772.jpg
They are coming from different IPs and I can't see any common denominator. Any idea what/why this would be happening? Some kind of hack/scan, or some new malware on visitors' PCs?
According to my experience in analyzing hacked web sites' logs, your case is likely this: attackers are trying to probe images output by web log analyzer software, which has a habit of naming files numerically based on date, time and so on. Amazingly, a large number of web sites store the HTML output by that software in web root directories. They make it available for SEO/SEM stuff. Current blackhat tools widely used in the underground use a dozen proxy IPs for periodic scanning so as to avoid detection by web firewalls. I mean, continuous requests for non-existent files will trigger 404s. If 404 requests reach an unacceptable limit per IP, then web firewalls detect the bad guys probing.
Upon further analysis, I've found that one of my advertising networks (Kontera) has gone fluey and is trying to load its images incorrectly - causing the hits in my logs.
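Added example, not part of any post in this thread: one way to look for the "common denominator" when 404s come from many IPs is to group them by path shape and Referer instead of by client, which also shows whether a per-IP 404 limit like the one described in the reply would have fired. It assumes "combined" log format; the log lines, the `/reports/img_...` path and the `per_ip_limit` threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines in "combined" log format; IPs, dates and pages are made up.
SAMPLE_LOG = '''\
198.51.100.7 - - [01/Jan/2010:16:32:51 +0000] "GET /mydomain.com/3237/9443/16_32_51_9892768.jpg HTTP/1.1" 404 209 "http://mydomain.com/news/a.html" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2010:09:30:39 +0000] "GET /mydomain.com/2839/8583/09_30_39_9161977.gif HTTP/1.1" 404 209 "http://mydomain.com/news/b.html" "Mozilla/4.0"
192.0.2.44 - - [01/Jan/2010:11:42:17 +0000] "GET /mydomain.com/3231/7423/11_42_17_3242772.jpg HTTP/1.1" 404 209 "http://mydomain.com/news/a.html" "Opera/9.6"
192.0.2.80 - - [01/Jan/2010:11:50:02 +0000] "GET /reports/img_20100101.png HTTP/1.1" 404 209 "-" "-"
192.0.2.80 - - [01/Jan/2010:11:50:03 +0000] "GET /reports/img_20091231.png HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [01/Jan/2010:16:32:50 +0000] "GET /news/a.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def path_shape(path):
    """Collapse digit runs and image extensions so numerically named files share a bucket."""
    shape = re.sub(r'\d+', 'N', path.split('?', 1)[0])
    return re.sub(r'\.(jpe?g|gif|png)$', '.IMG', shape, flags=re.I)

def triage_404s(log_text, site_host, per_ip_limit=2):
    """Group 404s by path shape rather than client IP (per_ip_limit is a hypothetical threshold)."""
    groups = defaultdict(lambda: {'ips': Counter(), 'referers': Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m['status'] == '404':
            g = groups[path_shape(m['path'])]
            g['ips'][m['ip']] += 1
            g['referers'][m['referer']] += 1
    onsite_re = re.compile(r'https?://(www\.)?' + re.escape(site_host) + r'(/|$)')
    report = {}
    for shape, g in groups.items():
        total = sum(g['ips'].values())
        onsite = sum(n for ref, n in g['referers'].items() if onsite_re.match(ref))
        report[shape] = {
            'hits': total,
            'distinct_ips': len(g['ips']),
            # Would a per-IP 404 counter have noticed this group at all?
            'per_ip_rule_fires': max(g['ips'].values()) >= per_ip_limit,
            # Referer is client-supplied (a hint, not proof); on-site values name the pages to inspect.
            'onsite_referer_share': onsite / total,
            'top_referers': g['referers'].most_common(3),
        }
    return report

if __name__ == '__main__':
    for shape, info in triage_404s(SAMPLE_LOG, 'mydomain.com').items():
        print(shape, info)
```

A group spread over many IPs with a high on-site Referer share points at something the listed pages load in visitors' browsers, so those pages and their third-party scripts are the place to look first.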