Author Topic: Heads Up - Page Squatter  (Read 2059 times)


Offline Maumelle Weather

  • Forecaster
  • *****
  • Posts: 1825
    • Maumelle Weather
Heads Up - Page Squatter
« on: May 10, 2017, 12:46:14 PM »
Hi Folks,

Came across the following IP in my logs that has been squatting on various pages of my site:  73.78.184.105 in Lafayette, CO.

On May 8th, I had 220 hits. On May 9th, I had 3069 hits. So far today, the 10th, I have had 1862 hits.


NetRange:       73.78.0.0 - 73.78.255.255
CIDR:           73.78.0.0/16
NetName:        DENVER-8
NetHandle:      NET-73-78-0-0-1
Parent:         CABLE-1 (NET-73-0-0-0-1)
NetType:        Reassigned
OriginAS:       
Customer:       Comcast IP Services, L.L.C. (C05967120)
RegDate:        2015-11-17
Updated:        2015-11-17
Ref:            https://whois.arin.net/rest/net/NET-73-78-0-0-1


CustName:       Comcast IP Services, L.L.C.
Address:        1800 Bishops Gate Blvd
City:           Mount Laurel
StateProv:      NJ
PostalCode:     08054
Country:        US
RegDate:        2015-11-17
Updated:        2016-08-31
Ref:            https://whois.arin.net/rest/customer/C05967120

I have blocked this entire IP range of Comcast Cable.

Has anyone else seen this IP?


John
GR2AE, GR3, Cumulus

Offline Jáchym

  • Meteotemplate Developer
  • Forecaster
  • *****
  • Posts: 8605
    • Meteotemplate
Re: Heads Up - Page Squatter
« Reply #1 on: May 10, 2017, 12:56:04 PM »
Hi John,

OT: can you recommend any usable SW for analyzing the logs? I was recently trying to look at mine, but I gave up because after 5 minutes I had hundreds of entries, since each load of the page loads hundreds of files (images, JS etc.), so it is impossible to make any sense of it if you just see the raw log file in a code editor.

Offline Maumelle Weather

  • Forecaster
  • *****
  • Posts: 1825
    • Maumelle Weather
Re: Heads Up - Page Squatter
« Reply #2 on: May 10, 2017, 01:22:06 PM »
Hi Jachym,

I use Notepad++ to look at my logs. I use the Find and Replace All part of it constantly. When I open up a log, I will use find/replace to find entries like my IP here at home or work and replace those IP's with (i.e. - replace my home IP with EchoValleyWeather, or for work AHTDWork, etc.). Granted it takes a little while to go through that way, but it helps me spot any oddball entries. Putting letters where there were IP numbers is a lot easier on the eyes. Plus, once I started doing it that way, I was able to start spotting the oddball entries, Bots, wp-login.php, etc. I would then use find/replace on those and list them as IPBlock, after I had the Bots to both my robot.txt and .htaccess files.

Hope that makes,

John
GR2AE, GR3, Cumulus

Offline SoMDWx

  • Forecaster
  • *****
  • Posts: 1019
    • Southern Maryland Weather
Re: Heads Up - Page Squatter
« Reply #3 on: May 10, 2017, 03:18:41 PM »
John,
  Can you see in the logs what page they are hitting? Could be grabbing your images/code......

Jim

Offline Jáchym

  • Meteotemplate Developer
  • Forecaster
  • *****
  • Posts: 8605
    • Meteotemplate
Re: Heads Up - Page Squatter
« Reply #4 on: May 10, 2017, 03:28:30 PM »
Hi Jachym,

I use Notepad++ to look at my logs. I use the Find and Replace All part of it constantly. When I open up a log, I will use find/replace to find entries like my IP here at home or work and replace those IP's with (i.e. - replace my home IP with EchoValleyWeather, or for work AHTDWork, etc.). Granted it takes a little while to go through that way, but it helps me spot any oddball entries. Putting letters where there were IP numbers is a lot easier on the eyes. Plus, once I started doing it that way, I was able to start spotting the oddball entries, Bots, wp-login.php, etc. I would then use find/replace on those and list them as IPBlock, after I had the Bots to both my robot.txt and .htaccess files.

Hope that makes,

John

Do you have limited bandwidth? Because I think that after time you sort of realize this is a never ending thing, that htaccess is of course ok, but trying to block particular IPs... I was trying at the beginning, but right now unless it is one particular page being called periodically or unless the page gets suspiciously slow I just ignore it.

Offline smokie

  • Senior Member
  • **
  • Posts: 51
    • Newquay Cornwall. UK
Re: Heads Up - Page Squatter
« Reply #5 on: May 10, 2017, 04:01:34 PM »
I get this too, I block the IP, last week it was my solar PV page every 2 mins, even night time, IP look up put it from USA, I find them from my statcounter account, page count rockets, no need to check logs
Newquay, Cornwall.UK  > WS2300 Operational since May 2007. New home from 6/4/08 www.newquayweather.com

Offline Maumelle Weather

  • Forecaster
  • *****
  • Posts: 1825
    • Maumelle Weather
Re: Heads Up - Page Squatter
« Reply #6 on: May 10, 2017, 05:48:16 PM »
John,
  Can you see in the logs what page they are hitting? Could be grabbing your images/code......

Jim

Hi Jim,

On Monday, May 8th, all of the hits were on my wxaqirss.php page. 220 hits over 1.5 hours time

Yesterday, May 9th, it originated from this topic. One hit at 12:13 am EDT, then a 7 hour skip, on the same page, wxaqirss.php. Then went to my wx111111.php page, with a 1 second interval between change pages, of which they stayed on this page about 90 seconds, then back to the wxmetars.php page. From 7:17am to 11:59pm, they were on my wxmetars.php page this entire time.

Today, May 10th, they continued on my wxmetars.php page from 12:00 am to 10:19 am.

From what I can see, they opened the page and walked away from it. Didn't download any images, just sat on it. I mean, seriously, the METARS update every 30-60 minutes, the wx111111.php is a static page with historical data/information on it. The wxaqirss.php page updates once a day, I believe.

The funny part is they started getting a 403 about 7:50 am yesterday and they didn't notice it until this morning.  I had someone do this last year after I had gotten my Bloomsky camera up and running. They sat on that page for several days, both day and night. I think that was from the University of Missouri in Kansas City.

John
GR2AE, GR3, Cumulus
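
An added example, not code from any poster in this thread: a small Python summary of an access log that skips static assets (the noise described in Reply #1) and reports per-client, per-day hits on each page with the number answered 403 (the view described in Reply #6). It assumes the Apache "combined" log format; the sample lines are constructed and use documentation addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [day:time zone] "METHOD url proto" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^:\]]+):[^\]]*\] "[A-Z]+ (\S+)[^"]*" (\d{3}) ')
# Requests for these extensions are page furniture, not page views.
STATIC_RE = re.compile(r"\.(?:png|jpe?g|gif|ico|svg|css|js|woff2?)$", re.I)

def build_sample():
    """Constructed log lines (not real traffic); addresses are documentation ranges."""
    fmt = '{ip} - - [09/May/2017:{t} -0500] "GET {path} HTTP/1.1" {st} 512 "-" "Mozilla/5.0"'
    lines = []
    for minute in range(30):  # one client reloading one page every minute
        status = 200 if minute < 20 else 403  # block takes effect part-way through
        lines.append(fmt.format(ip="203.0.113.7", t=f"07:{minute:02d}:01",
                                path="/wxmetars.php", st=status))
    # An ordinary visitor: two pages plus the assets they pull in.
    for path in ("/index.php", "/style.css", "/img/radar.png", "/js/gauges.js",
                 "/wxmetars.php?x=1"):
        lines.append(fmt.format(ip="198.51.100.20", t="08:15:02", path=path, st=200))
    return "\n".join(lines)

def page_hits(log_text):
    """Map (ip, day, page) -> [total hits, hits answered 403], skipping static assets."""
    hits = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line or a different log format
        ip, day, url, status = m.groups()
        page = url.split("?", 1)[0]  # ignore the query string when grouping
        if STATIC_RE.search(page):
            continue
        entry = hits[(ip, day, page)]
        entry[0] += 1
        entry[1] += status == "403"
    return hits

def repeat_visitors(hits, threshold):
    """Rows (ip, day, page, total, denied) with total >= threshold, busiest first."""
    rows = [(ip, day, page, total, denied)
            for (ip, day, page), (total, denied) in hits.items() if total >= threshold]
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for row in repeat_visitors(page_hits(build_sample()), threshold=20):
        print(*row, sep="\t")
```

A non-zero "denied" count next to a still-growing total shows a client that keeps requesting the page after the block is in place.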

Offline Maumelle Weather

  • Forecaster
  • *****
  • Posts: 1825
    • Maumelle Weather
Re: Heads Up - Page Squatter
« Reply #7 on: May 10, 2017, 05:57:41 PM »
Hi Jachym,

I use Notepad++ to look at my logs. I use the Find and Replace All part of it constantly. When I open up a log, I will use find/replace to find entries like my IP here at home or work and replace those IP's with (i.e. - replace my home IP with EchoValleyWeather, or for work AHTDWork, etc.). Granted it takes a little while to go through that way, but it helps me spot any oddball entries. Putting letters where there were IP numbers is a lot easier on the eyes. Plus, once I started doing it that way, I was able to start spotting the oddball entries, Bots, wp-login.php, etc. I would then use find/replace on those and list them as IPBlock, after I had the Bots to both my robot.txt and .htaccess files.

Hope that makes,

John

Do you have limited bandwidth? Because I think that after time you sort of realize this is a never ending thing, that htaccess is of course ok, but trying to block particular IPs... I was trying at the beginning, but right now unless it is one particular page being called periodically or unless the page gets suspiciously slow I just ignore it.

Bandwidth isn't a problem with my hosting company. I have 1 TB limit per month. On average, I probably use 10-20 GB per month, depending on what I'm uploading, etc. I guess, for me, it's the principle of it. I haven't ever camped on anyone's page for that amount of time, tying up their resources, etc., therefore I am not going to let someone do that to me, but that's me.
GR2AE, GR3, Cumulus

Offline Jáchym

  • Meteotemplate Developer
  • Forecaster
  • *****
  • Posts: 8605
    • Meteotemplate
Re: Heads Up - Page Squatter
« Reply #8 on: May 10, 2017, 07:36:11 PM »
Makes sense

In my case it would probably not be worth the time because I would have to spend a lot of time going through the logs, which are not even available to me. I can activate it once per month for 24h for free when needed, but if I wanted them all the time it would be extra cost, so I don't have that feature in my hosting plan. Extra cost, extra time and as long as my page is running smoothly it would not be worth it for me - but I get your point.

Offline BCJKiwi

  • Forecaster
  • *****
  • Posts: 302
    • Silver Acorn Weather - N.Z.
Re: Heads Up - Page Squatter
« Reply #9 on: May 11, 2017, 04:36:42 PM »
If these users are not moving to other pages nor refreshing the page they are sitting on, then you could use a
   <meta http-equiv="refresh" content="1500; url=http://get_lost_idiot.com/?timeout"/>
line in the <head> section of top.php (Saratoga) or other suitable page that is loaded by each visited page.

This redirects the squatter somewhere else after 1500 secs or whatever number you choose.

I have this set up to redirect to a static page which includes buttons to allow a legit user to re-open the weather website.
