Hello, I am experiencing the strangest thing on my vbulletin board. I just don't have a clue what to make of this, why it's happening, if it will somehow hurt my board or how to make it stop.
The following is a detailed description of what is going on. If any of you have seen this before or if you have any idea what could be happening I would sincerely appreciate any insight that you could give to me.
Late in the evening of October 15th 2007 I noticed what I can only describe as a "mystery" of web usage behavior. A pattern of activity showed up with almost no conceivable explanation. Below is a description of this web activity.

Every 1-2 minutes somebody requests a page from our forum. In total almost 200 different requests have come in for this page. This is strange enough, since that URL simply points to an obscure thread which has been deleted.

They come from a variety of IP addresses located literally all over the world. Some of the hostnames seen include btc-net.bg, tpnet.pl, tttmaxnet.com, netvision.net.il, nbnet.nb.ca, denver.comcast.net, and so forth.

One thought was that this URL was posted in a chatroom and then clicked on by a number of people from around the globe. But if that's true, it's inconceivable that they would all have EXACTLY the same browser type. The browser is always:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

They all have blank referring URLs that show up as "-". None of these IP addresses has made more than one request; they all request the thread, they do not request graphics, then no more requests come from that IP. A small piece of my logfile is below:

217.132.132.2 - - [16/Oct/2007:02:30:13 -0400] "GET /freebies/showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
61.178.77.119 - - [16/Oct/2007:02:35:36 -0400] "GET /freebies/showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
81.181.94.182 - - [16/Oct/2007:02:41:02 -0400] "GET /freebies/showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.204.100.120 - - [16/Oct/2007:02:44:46 -0400] "GET /freebies/showthread.php?t=24155 HTTP/1.1" 200 18320 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
89.102.96.158 - - [16/Oct/2007:02:47:53 -0400] "GET /freebies/showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
156.34.60.89 - - [16/Oct/2007:02:48:12 -0400] "GET /freebies/showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

My only conclusion is that the IP addresses which have requested this page represent machines which are compromised and have been instructed, en masse, to request this obscure page from our server. This sounds rather farfetched, and I would gladly entertain any other ideas from professionals in this field.
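One way to check the poster's reading of the log mechanically rather than by eye, added here as an example and not something the poster or vBulletin provides: a small Python script that parses Apache combined-format lines (the layout of the entries quoted above), builds a per-path profile, and flags exactly the traits the post lists, namely many distinct IPs with one hit each, a single identical User-Agent, blank referers and no follow-up requests for graphics. The six showthread.php lines are the ones quoted in the post; the index.php and logo.gif lines, the addresses 198.51.100.7 and 203.0.113.40 and the hostname forum.example are constructed so there is ordinary browsing traffic to contrast against, and the min_ips threshold is an assumption to tune for the site's own volume.

```python
import re
from collections import Counter

# Apache "combined" log format: ip ident user [ts] "req" status size "referer" "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Extensions a real browser fetches after rendering a page.
STATIC_EXT = (".gif", ".jpg", ".jpeg", ".png", ".css", ".js", ".ico")

# Constructed sample: the six entries from the post, plus made-up ordinary browsing
# traffic (198.51.100.7, 203.0.113.40 and forum.example are invented for contrast).
SAMPLE_LOG = """\
217.132.132.2 - - [16/Oct/2007:02:30:13 -0400] "GET /freebies/showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
61.178.77.119 - - [16/Oct/2007:02:35:36 -0400] "GET /freebies/showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
81.181.94.182 - - [16/Oct/2007:02:41:02 -0400] "GET /freebies/showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.204.100.120 - - [16/Oct/2007:02:44:46 -0400] "GET /freebies/showthread.php?t=24155 HTTP/1.1" 200 18320 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
89.102.96.158 - - [16/Oct/2007:02:47:53 -0400] "GET /freebies/showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
156.34.60.89 - - [16/Oct/2007:02:48:12 -0400] "GET /freebies/showthread.php?t=24155 HTTP/1.1" 200 107120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
198.51.100.7 - - [16/Oct/2007:02:50:00 -0400] "GET /freebies/index.php HTTP/1.1" 200 25300 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8"
198.51.100.7 - - [16/Oct/2007:02:50:01 -0400] "GET /freebies/images/logo.gif HTTP/1.1" 200 4521 "http://forum.example/freebies/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8"
203.0.113.40 - - [16/Oct/2007:02:51:10 -0400] "GET /freebies/index.php HTTP/1.1" 200 25300 "http://forum.example/freebies/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
203.0.113.40 - - [16/Oct/2007:02:51:11 -0400] "GET /freebies/images/logo.gif HTTP/1.1" 304 - "http://forum.example/freebies/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
203.0.113.40 - - [16/Oct/2007:02:53:30 -0400] "GET /freebies/index.php HTTP/1.1" 200 25300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def is_asset(path):
    return path.split("?", 1)[0].lower().endswith(STATIC_EXT)


def profile_path(records, path):
    """Summarise who requested `path` and what those clients did site-wide."""
    hits = [r for r in records if r["path"] == path]
    per_ip = Counter(r["ip"] for r in hits)
    # Site-wide request count for each client that hit this path.
    site_hits = Counter(r["ip"] for r in records if r["ip"] in per_ip)
    asset_ips = {r["ip"] for r in records if is_asset(r["path"])}
    return {
        "requests": len(hits),
        "distinct_ips": len(per_ip),
        "single_hit_ips": sum(1 for ip in per_ip if site_hits[ip] == 1),
        "distinct_uas": len({r["ua"] for r in hits}),
        "blank_referer_share": (sum(1 for r in hits if r["referer"] == "-") / len(hits)) if hits else 0.0,
        "ips_loading_assets": len(set(per_ip) & asset_ips),
    }


def looks_distributed_bot(p, min_ips=5):
    """The pattern from the post: many IPs, one hit each, one UA, no referer, no graphics."""
    return (
        p["distinct_ips"] >= min_ips
        and p["single_hit_ips"] == p["distinct_ips"]
        and p["distinct_uas"] == 1
        and p["blank_referer_share"] == 1.0
        and p["ips_loading_assets"] == 0
    )


def flag_paths(records, min_ips=5):
    """Return the page paths whose request profile matches the pattern."""
    paths = sorted({r["path"] for r in records if not is_asset(r["path"])})
    return [p for p in paths if looks_distributed_bot(profile_path(records, p), min_ips)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for path in sorted({r["path"] for r in recs if not is_asset(r["path"])}):
        print(path, profile_path(recs, path))
    print("flagged:", flag_paths(recs))
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; the showthread.php?t=24155 profile comes out with six IPs, six single-hit clients, one User-Agent, every referer blank and no image fetches, while the constructed index.php traffic has repeat visitors, two browsers and image loads and is left alone. None of the traits is conclusive on its own (MSIE 6 on XP was a very common string in 2007), so the detector requires all of them together; a scripted client could of course vary its headers, which is why the decisive signals are the one-hit-per-IP behaviour and the absence of asset requests rather than the header values.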