Posted on: 08/04/09 05:18pm
By: Laugh
Is anyone else's Geeklog site (especially the forum) getting to many pageviews yesterday and today? On average for every unqiue user I get 4 page views. Today the average is 8 and according to GUS it is happening from a large number of IPs that are located in China, Russia, and the United States. I am use to having 25 or so IPs doing this everyday but today it is about 200 and none of the IP's have a Referrer.
Here are the first 2 pages of my GUS stats for today with page views as the sort order (I took out Yahoo and Googlebot):
Page Views HOST
313 ----- 211.239.124.90 00:16
143 ----- 41.214.66.203 08:04
132 ----- 66-169-164-211.dhcp.ftwo.tx.charter.com 12:55
114 ----- 116.228.234.151 00:02
112 ----- 84.22.140.88 00:00
97 ----- n11923634116.netvigator.com 00:05
96 ----- 71-81-209-108.dhcp.stls.mo.charter.com 00:55
96 ----- 24-107-159-205.dhcp.stls.mo.charter.com 00:22
91 ----- c-24-21-196-136.hsd1.or.comcast.net 00:24
91 ----- 222.134.69.181 00:21
91 ----- c-68-35-210-84.hsd1.al.comcast.net 00:10
85 ----- 75.63.14.63 05:33
84 ----- 173-22-106-92.client.mchsi.com 00:44
80 ----- adsl-71-136-244-107.dsl.sndg02.pacbell.net 00:01
79 ----- 218.25.99.135 00:22
75 ----- adsl-76-214-117-66.dsl.ipltin.sbcglobal.net 00:19
74 ----- c-67-174-111-74.hsd1.co.comcast.net 00:20
73 ----- ool-43561c0a.dyn.optonline.net 03:53
72 ----- 194.8.75.50 07:17
72 ----- 8.9.209.2 00:36
71 ----- 116.71.89.189.cliente.interjato.com.br 08:51
71 ----- cpe-65-29-110-184.mi.res.rr.com 02:50
68 ----- c-24-126-50-249.hsd1.md.comcast.net 00:58
67 ----- 62.38.34.218 00:05
66 ----- 193.239.178.194 05:31
66 ----- 219.150.227.101 00:25
65 ----- 60.18.168.172 02:26
65 ----- 75-135-132-235.dhcp.trcy.mi.charter.com 00:55
65 ----- c-67-170-170-67.hsd1.or.comcast.net 00:35
65 ----- ool-45706318.dyn.optonline.net 00:34
65 ----- 201.45.142.178 00:12
65 ----- 93.174.93.58 00:06
64 ----- c-24-30-83-34.hsd1.ga.comcast.net 00:27
64 ----- c-68-49-14-71.hsd1.md.comcast.net 00:22
64 ----- e106.dunet.com.br 00:19
63 ----- bakuganbestprice.com 00:39
62 ----- 68-117-11-98.dhcp.fdul.wi.charter.com 06:23
62 ----- 59.77.6.183 01:58
61 ----- ool-18be4e65.dyn.optonline.net 00:12
61 ----- wall.zjnb.cnuninet.net 00:06
60 ----- c-24-125-126-143.hsd1.va.comcast.net 06:37
60 ----- cpe-68-173-126-40.nyc.res.rr.com 05:30
60 ----- 66.96.251.178.volumedrive.com 02:09
59 ----- 39.65.153.219.broad.cq.cq.dynamic.163data.com.cn 00:26
58 ----- 41.214.119.84 08:20
58 ----- 218.248.31.211 02:45
58 ----- aworklan020043.netvigator.com 00:16
53 ----- 66-168-50-250.dhcp.mdsn.wi.charter.com 14:23
Re: Site getting hit.
Posted on: 08/05/09 06:52am
By: Dirk
Did you check your webserver logs to see the actual URLs requested? We're still getting a lot of those inclusion attempts (where the "attacker" simply puts a URL for some URL parameter and hopes that the script at the other end gets executed). On a bad day, those can make up to 30% of our hits ...
Another case of spikes comes when a vulnerability is found in some other webapp. I stopped counting the attempts to exploit some Joomla issue here on geeklog.net.
bye, Dirk
Re: Site getting hit.
Posted on: 08/05/09 11:25am
By: Laugh
I guess today and the last few days have been bad days then as a third of my traffic at the moment is this type of traffic. I am use to this figure being around 10 percent.
I'll have to look at the web logs as you suggest to get more details. From what I can tell with GUS most of the IPs are spidering my site by grabing a couple of pages every 10 minutes.
One interesting thing to note is Google Analytics seems to recognize the traffic as garbage and does not track it.
Re: Site getting hit.
Posted on: 08/06/09 06:42pm
By: 1000ideen
Re: Site getting hit.
Posted on: 08/22/09 02:18pm
By: scarecrow
Here in the last week my MFU (Most Frequent User) seems to be our friend from China, SosoSpider. The site has been getting 200-300 hits per day from various IP's in the 124.115.*.* range. Every visit is the same, 2 GET's and 2 HEAD's on index.php. They all made it under the BB/Spam-x radar, but good ol' .htaccess stop's 'em cold.
(btw: 'MFU' _may_ have a differrent meaning here in the shop. ) :wink: