nuxx.net
Making, baking, and (un-)breaking things in Southeast Michigan.

Weird Referrers…

Any of you out there who run webservers… Have you ever seen anything like this? It appears to be grabbing lots and lots and lots of images. In tailing the nuxx.net log I haven’t seen it grabbing anything else yet.

207.155.199.163 - - [08/Feb/2005:23:28:38 -0500] "GET /albums/wallpaper/collectiveextension_1024.sized.jpg HTTP/1.0" 200 32768 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ……/1.0 )"

It’s a really weird referrer, and I’m getting it from a bunch of IPs all at once. I’d normally say it’s someone indexing my site, but some of the IPs it’s coming from are:

207.155.199.163 (UUNET)
12.17.130.27 (AT&T)
65.164.129.91 (Microsoft Sprintlink)
208.252.91.3 (UUNET)

None of those reverse, and the addresses aren’t allocated to any customers; they are just held by the big ISPs.

Seems kinda weird to me…

UPDATE: Upon more digging, I’ve found this:

207.155.199.163 – Concentric Dialup, run by XO.
12.17.130.27 – Traceroute seems to just stop, like it’s part of some absolutely massive netblock.
65.164.129.91 – Similarly weird traceroute result. Weirdness after Seattle.
208.252.91.3 – Another oddly terminating traceroute. Weird stuff starts happening after Seattle.

Sounds like someone is trolling through my site looking for addresses. Possibly from stolen netblocks? I haven’t bothered to look up weird routes because it’s bedtime.

UPDATE2: It almost seems to be coordinated… Check this out:

65.164.129.91 - - [08/Feb/2005:23:46:34 -0500] "GET /gallery/livingroom_speakers HTTP/1.0" 200 15551 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ……/1.0 )"
207.155.199.163 - - [08/Feb/2005:23:46:42 -0500] "GET /albums/livingroom_speakers/speakers_hung.highlight.jpg HTTP/1.0" 200 6193 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ……/1.0 )"
12.17.130.27 - - [08/Feb/2005:23:46:50 -0500] "GET /gallery/livingroom_moulding HTTP/1.0" 200 15701 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ……/1.0 )"
65.164.129.91 - - [08/Feb/2005:23:46:56 -0500] "GET /albums/livingroom_moulding/DCP_0920.highlight.jpg HTTP/1.0" 200 6225 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ……/1.0 )"
65.164.129.91 - - [08/Feb/2005:23:47:05 -0500] "GET /gallery/livingroom_painting HTTP/1.0" 200 52236 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ……/1.0 )"

It’s like a distinct set of addresses are rummaging through my site, one request per second.
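
One way to check an access log for the pattern described above, as an added example that is not part of the original post: this Python script groups combined-format log entries by user-agent string, keeps only agents seen from several client addresses, and reports the spacing between their requests. The five log lines are the ones quoted under UPDATE2 with typographic quotes and dashes normalised to ASCII; the `192.0.2.10` line, the function name `shared_agents` and the `min_ips` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent string exactly as it appears in the post.
UA = "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ……/1.0 )"
# Five entries from the post, plus one constructed entry (192.0.2.10) from an ordinary client.
SAMPLE_LOG = f'''\
65.164.129.91 - - [08/Feb/2005:23:46:34 -0500] "GET /gallery/livingroom_speakers HTTP/1.0" 200 15551 "-" "{UA}"
207.155.199.163 - - [08/Feb/2005:23:46:42 -0500] "GET /albums/livingroom_speakers/speakers_hung.highlight.jpg HTTP/1.0" 200 6193 "-" "{UA}"
12.17.130.27 - - [08/Feb/2005:23:46:50 -0500] "GET /gallery/livingroom_moulding HTTP/1.0" 200 15701 "-" "{UA}"
65.164.129.91 - - [08/Feb/2005:23:46:56 -0500] "GET /albums/livingroom_moulding/DCP_0920.highlight.jpg HTTP/1.0" 200 6225 "-" "{UA}"
65.164.129.91 - - [08/Feb/2005:23:47:05 -0500] "GET /gallery/livingroom_painting HTTP/1.0" 200 52236 "-" "{UA}"
192.0.2.10 - - [08/Feb/2005:23:46:40 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (constructed sample)"
'''

def shared_agents(log_text, min_ips=2):
    """Return {user_agent: stats} for agents seen from at least min_ips addresses."""
    by_ua = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a combined-format entry
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        by_ua[m["ua"]].append((ts, m["ip"]))
    report = {}
    for ua, hits in by_ua.items():
        ips = {ip for _, ip in hits}
        if len(ips) < min_ips:
            continue  # one address with its own agent string is ordinary traffic
        times = sorted(ts for ts, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[ua] = {"hits": len(hits), "ips": sorted(ips),
                      "median_gap_s": median(gaps) if gaps else None}
    return report

if __name__ == "__main__":
    for ua, stats in shared_agents(SAMPLE_LOG).items():
        print(ua, stats)
```

A steady gap across requests that come from different addresses but carry one agent string is the signal here; on a full log, raise `min_ips` to filter out common browser strings that many unrelated visitors share.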

3 Responses

  1. pathwalker February 9, 2005

    Someone browsing your page using an onion-routing based anonymous proxy network?

    1. c0nsumer February 9, 2005

      Oh, you know, I didn’t think of that… Hmm. That’s very possible, too. Except they went to the #13 useragent for February in one day… 1696 hits. Maybe they were just really looking hard?

      1. I want to be as smart as you guys. :P
