Announcement

Collapse
No announcement yet.

Strange Client Behavior when accessing pages

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Strange Client Behavior when accessing pages

    Strange behavior of some random clients accessing website
    Hello,

    Since this is my first topic. It's beginning with I have a problem. We'll is not that big.

    I encountered strange behavior on some clients watching apache access logs.
    Client finds a link(page) and that page is ran all night and at least half a day more. Watching at the log files looks like it is refreshed every 1 second or 2 as the maximum.
    Now since my logs are rotated using cronolog on win32 I do not suspect that
    access logging is not working very well or its out of sync or late.
    Links that are ran from different IPs are random.
    I found this using WebDruid on Ubuntu, parsing IP with grep and literally scrolling log by specific IP.
    The best part of all this that the USER-AGENT is presented itself legally.
    Standard description for IE,Firefox.
    Pages that are "refreshed" do not contain meta-reresh tags. Its unlikely that someone has some kind of AutoRefresh function installed on a browser.
    This bothers me a little because these IPs are really easy to identify by watching REQUEST # from ip in webdruid.

    -mod_evasive and mod_security is not used because its ran on a Windows Server Machine
    -requests are ok inside log (200 OK)

    These requests could make high server load in peak times if client does not cache images etc... to reduce number of requests.

    And I forgot to say that links are ran with no referrer : DIRECT link access.

    SAMPLE log:

    79.116.227.252 - - [01/Aug/2009:19:05:48 +0200] "GET /croatia_ro/septembrie.php HTTP/1.1" 200 13931 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12 (.NET CLR 3.5.30729)"
    79.116.227.252 - - [01/Aug/2009:19:05:49 +0200] "GET /croatia_ro/septembrie.php HTTP/1.1" 200 13952 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12 (.NET CLR 3.5.30729)"
    79.116.227.252 - - [01/Aug/2009:19:05:50 +0200] "GET /croatia_ro/septembrie.php HTTP/1.1" 200 13958 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12 (.NET CLR 3.5.30729)"

    Thats for now.
Working...
X