
This topic is 7743 days old. Please don't post here. Open a new topic instead.


Posted

I was getting ready for FM Unlimited anyway, but there have now been two episodes of strange flurries of activity that maxed out my 10-user limit. I'm wondering if it's an attack of some kind, or if anyone has seen anything like this:

205.188.208.76 - - [24/Aug/2003:16:42:44 -0600]

205.188.209.70 - - [24/Aug/2003:16:42:46 -0600]

205.188.209.141 - - [24/Aug/2003:16:42:46 -0600]

205.188.209.20 - - [24/Aug/2003:16:42:46 -0600]

205.188.208.8 - - [24/Aug/2003:16:42:47 -0600]

205.188.209.109 - - [24/Aug/2003:16:43:09 -0600]

205.188.209.20 - - [24/Aug/2003:16:43:11 -0600]

205.188.208.101 - - [24/Aug/2003:16:43:21 -0600]

205.188.209.109 - - [24/Aug/2003:16:43:38 -0600]

205.188.209.109 - - [24/Aug/2003:16:43:44 -0600]

205.188.209.109 - - [24/Aug/2003:16:43:52 -0600]

I removed the other code, which indicated they didn't have passwords to open any databases, but here we have, for example, two simultaneous log-ons at 16:42:46, from two different IP addresses!

The same thing happened 8 days later (today), one hour later in the day, from the same 205.188 IP addresses.

I'm very curious about what could be happening, so if anyone has any ideas, I'd be very grateful.

Ernie

Posted

Ideas. Hey, I got ideas you wouldn't believe.

1) A search engine worm trying to gather site data?

2) Someone playing games with you who knows the limitations with which you are working?

3) The Great Pumpkin giving an early sign of Halloween?

Posted

Thanks, Unable. You're certainly entertaining.

It's still the THREE hits (I was wrong about "two") in the exact same second, all from different versions of the IP, that has me perplexed.

I'll go check the pumpkin patch.

Ernie

Posted

You can look up IP addresses to see if they are registered and (sort of) who they are. I used Mac OS X's Network Utility for you on some of your mysterious IPs....

Name: cache-dc08.proxy.aol.com

Address: 205.188.208.76

Name: cache-dq09.proxy.aol.com

Address: 205.188.209.141

Name: cache-dp09.proxy.aol.com

Address: 205.188.209.109

Looks like AOL is involved... probably a search engine bot or something unless AOL users use proxies, too.

INTERESTING SEARCH ENGINE TIDBIT RELATED TO THIS:

We get hit by googlebots and other search engine bots periodically and suspect them of causing some of our past crashes. We do not have trouble now, but from an analysis of the logs then, it was kind of interesting to note that there was a maximum number of characters the bots/crawlers could take in their URLs. Our CDML links were sometimes too long for the bots to use in their entirety and they would get errors because they would be missing the -find (or whatever action) and other info at the end. They would apparently try again later and fail again repeatedly. I think they got truncated at the first 256 characters, but I can't remember exactly.

--ST
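An added example, not part of the original thread: Python that runs over the log lines quoted in the first post and reports the seconds in which several distinct client IPs appear, the peak number of distinct IPs in a time window, and the smallest network covering all of them. The function names and the 60-second window are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines as quoted in the first post (the poster had removed the request fields).
LOG = """\
205.188.208.76 - - [24/Aug/2003:16:42:44 -0600]
205.188.209.70 - - [24/Aug/2003:16:42:46 -0600]
205.188.209.141 - - [24/Aug/2003:16:42:46 -0600]
205.188.209.20 - - [24/Aug/2003:16:42:46 -0600]
205.188.208.8 - - [24/Aug/2003:16:42:47 -0600]
205.188.209.109 - - [24/Aug/2003:16:43:09 -0600]
205.188.209.20 - - [24/Aug/2003:16:43:11 -0600]
205.188.208.101 - - [24/Aug/2003:16:43:21 -0600]
205.188.209.109 - - [24/Aug/2003:16:43:38 -0600]
205.188.209.109 - - [24/Aug/2003:16:43:44 -0600]
205.188.209.109 - - [24/Aug/2003:16:43:52 -0600]
"""
LINE = re.compile(r"^(\S+) \S+ \S+ \[([^\]\n]+)\]", re.M)

def parse(text):
    """Return sorted (timestamp, ip) pairs; malformed lines are skipped."""
    events = []
    for ip, stamp in LINE.findall(text):
        try:
            events.append((datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"),
                           ipaddress.ip_address(ip)))
        except ValueError:
            continue
    return sorted(events)

def same_second_bursts(events, min_ips=2):
    """Map each second to its distinct client IPs, keeping seconds with >= min_ips."""
    by_second = defaultdict(set)
    for ts, ip in events:
        by_second[ts].add(ip)
    return {ts: ips for ts, ips in by_second.items() if len(ips) >= min_ips}

def peak_distinct_clients(events, window=timedelta(seconds=60)):
    """Largest number of distinct IPs seen in any window starting at an event."""
    return max((len({ip for ts, ip in events[i:] if ts - start <= window})
                for i, (start, _) in enumerate(events)), default=0)

def covering_network(ips):
    """Smallest single network containing every IP in the list (assumes all IPv4)."""
    net = ipaddress.ip_network(str(ips[0]))
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return net
```

On this sample it finds one burst (three distinct addresses at 16:42:46), seven distinct addresses within 60 seconds, and a single covering block of 205.188.208.0/23, which is why counting per-IP sessions against a 10-user limit overstates the number of real visitors behind a proxy pool.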

Posted

Thanks Gary and Steve,

No on VPN, so the "bots" idea is most likely. Very interesting information, and I appreciate the tip on looking up IP addresses. Have to admit it didn't occur to me to try that.

Ernie

Posted

Hey, sorry Ernie. I said worm and I probably meant spider or bot. But I got the search engine part right. My techie language suffers.

I'm glad you enjoyed the entertaining ideas.
