Page 1 of 1

What would you guess is going on here?

Posted: Thu May 25, 2006 12:19 am
by s.dot
My statistics counter that I made is showing about 260 guests online ALL the time. Quite a bit unusual

so I looked it up an phpmyadmin and got the following results

Code: Select all

1291 24.211.10.238 1148534191 /index.php 
      1289 71.140.91.74 1148534191 /index.php 
      1288 70.31.229.12 1148534191 /index.php 
      1285 65.29.93.164 1148534191 /index.php 
      1282 24.117.81.17 1148534191 /index.php 
      1275 74.128.202.184 1148534191 /index.php 
      1272 24.166.92.62 1148534191 /index.php 
      1271 200.113.181.156 1148534191 /index.php 
      1269 72.30.110.137 1148534191 /index.php 
      1268 72.30.107.92 1148534191 /index.php 
      1266 71.109.35.211 1148534191 /index.php 
      1265 207.195.55.144 1148534191 /index.php 
      1250 64.233.166.136 1148534191 /index.php 
      1246 69.181.83.57 1148534191 /index.php 
      1236 67.139.119.79 1148534191 /index.php 
      1228 74.225.105.104 1148534191 /index.php 
      1222 64.229.225.123 1148534191 /index.php 
      1216 24.166.19.103 1148534191 /index.php 
      1212 24.22.80.98 1148534191 /index.php 
      1210 66.194.6.72 1148534191 /index.php 
      1208 205.208.227.46 1148534191 /index.php 
      1207 69.211.84.164 1148534191 /index.php 
      1199 72.30.128.13 1148534191 /index.php 
      1191 70.249.66.57 1148534191 /index.php 
      1189 65.95.51.86 1148534191 /index.php 
      1185 72.30.98.84 1148534191 /index.php 
      1184 207.118.91.200 1148534191 /index.php 
      1182 71.247.10.110 1148534191 /index.php 
      1173 65.3.76.239 1148534191 /index.php 
      1166 72.30.98.30 1148534191 /index.php
That's ID - IP - TIME- PAGE

5 minutes later the page will change, they will all be /login.php, then 5 minutes later /showthread.php

What's going on?

[edit] I meant to put this in security. Sorry guys.

Posted: Thu May 25, 2006 1:00 am
by s.dot
I don't believe they're trying to brute force a login. Because I log failed login attempts, and after 5 fails, make them wait 15 minutes.

And nobody's showing up as even failing once.

Could they be attempting to sniff the posted passwords?

Posted: Thu May 25, 2006 3:26 am
by AGISB
It might be a buggy spider of a search engine or some hacker who looks for exploits.

Posted: Thu May 25, 2006 3:40 am
by s.dot
It's up to 325 unique ips crawling the site right now =/

Now they're on index.php

Posted: Thu May 25, 2006 4:28 am
by Maugrim_The_Reaper
Likely what AGISB suggested - either some buggy bot (what's the client profile? user agent?) or someone scanning your site for potential vulnerabilities.

Posted: Thu May 25, 2006 5:50 am
by Weirdan
It could be someone experimenting with ddos bots... not to their full potential (~300 bots is something to sneeze on, generally).

Posted: Thu May 25, 2006 8:22 am
by feyd
accidental overwrite of other records when updating?

Posted: Fri May 26, 2006 10:38 am
by GM
feyd wrote:accidental overwrite of other records when updating?
Exactly what I was thinking... I reckon something's overwriting the time and location fields of all the records instead of just the one. Could also be combined with a lack of garbage collection on old records?