|Guest w/Same IP in 10 Forums At Once|
I Don't Understand
My forum was getting sluggish. I checked who was logged on. It's a new forum, not so much traffic. I noticed (screen captured) a guest with the same IP address in 10 forums all at once and showing three entries of posting a message. I've worked large and small forums and I've never seen that.
A search of the IP address came up a complete blank. My most reliable IP search site came up a complete and total blank.
A Google search of that IP address showed it associated with some sort of uasge stats.
So is there a company that has a completely untraceable IP address that can do what I described above for the purpose of gathering usage stats?
As there haven't been any replies, should I asume that nobody has a clue as to what could have happened here? Or nobody has a clue as to what I'm talking about?
Would it help if I put the IP address here. I didn't out of consideration for whatever privacy rights still can be observed on our fine Net, but if it'll help in any way I suppose I could do so. I have noticed suspicious IP addresses posted in other threads.
jimji this may not be of much help, but then it might.
I often open several browser windows in a forum, **especially** if it's running slow. If the authentication holds for each window, you could see how this would show several entries in your logs and may not be any real suspicious activitity. It may also indicate that this user has nothing to do with your problem.
I wouldn't post the IP (see TOS.)
rocknbil, thanks for getting this going. Let me give you the specifics on my forum:
Powered by phpBB 2.0.8 © 2001 phpBB Group
phpBB port v2.1 based on Tom Nitzschner's phpbb2.0.6 upgraded to phpBB 2.0.4 standalone was developed and tested by:
ArtificialIntel, ChatServ, mikem, sixonetonoffun and Paul Laudanski (aka Zhen-Xjell).
Version 2.1 by Nuke Cops © 2003 [nukecops.com...]
I'm doing this because I don't think a guest, or even a member can open multiple windows. But check that info up there and if I'm wrong, well, it wouldn't be the first time. More like the zillionth time.
Now, I see you're a senior member, which I gather to mean very wize in all things of this fine site and the Net in general, so would you reckon it's okay to post the suspect IP address here.
By the way, the sluggishness isn't what I'm concerned about. That was just to explain one aspect of this mystery. In fact, the site gets sluggish off and on and at preent I'm not too concerned about that. I just don't feel comfortable with the fact that one IP address was able to be in all places at once. I'm going to see if I can copy/paste the info from that screen capture image.
[edited by: jimji at 6:26 pm (utc) on Nov. 11, 2005]
we don't allow posting of specific ip addresses
have you done an ip whois to see if the ip might belong to a bot?
Oh yes. I checked that IP address with about four or five different sites and all came up blank. Zip, zero, nothing, except the general Google search which showed it listed in some kind of usage stats.
have you picked through your logs to see if the user agent gives any more info?
I have to go to the bossman to get at the logs. I say "my forum", but I don't own the site. Right now I don't want to cry wolf until I check it out as much as I can.
Now I transcribed the info from the screen capture image. I was wrong, I copied 14 entries and there was at least one more maybe two.
Dates are all Nov. 11, 2005 Ė Times are 11:23 am X 2, 11:22 am X 4, 11:21 am X 3, 11:20 am X 4, 11:19 am X one that I copied and maybe one or two more.
Locations: (in the same order as times are listed) Forum Index X 2; Viewing Private Message X 1; Forum Index X 1; Benefits X 1; Posting a message X 2; Benefits X 2; Forum Index X 1; Benefits X 1; Posting a message X 2.
And as I wrote there seems to be more, but I didnít do the screen capture correctly to get everything. And per instructions Iím not posting the IP addresss.
So thatís 14 listings that I captured for a guest with the same IP address. How can that be?
Now, I have no members with a User ID "guest". I banned that name. So how could a guest be viewing a private message.
Oh yes, thank you everyone for the help.
You can't post the IP, but since you've got my curiosity up, send me a sticky mail of the IP, but just the IP please, I hate it when people ask me questions in sticky mail, i'd rather keep the discussion on the boards and not private.
As for one IP having many connections being allowed, that seems reasonable. If your software only allowed one connection per IP it would cause problems with schools or business's where hundreds of people run through a proxy.
(how in the world do you spell business's correctly?)
Thank you, twist. It's been sent.
You spell it "business'" but you don't need the possesive in the sentance you are referencing so it would be "businesses".
phpBB counts anyone viewing your pages who is not logged in as "guest". While it is possible for 14 different unregistered and/or logged off users to surf your site from the same IP address at the same time, it is not probable. My guess is it is a bot, probably malicious if the lookup yields no results. If it is accessing your site using multiple connections it very well could be slowing down your server. Take a look at this post on ways to identify and ban bad bots:
I am hoping this is ok to post since it refers to the owner of the IP range and not the specific IP, but here is the information I found for the IP address you gave me.
Here is what ARIN WHOIS says,
|OrgName: Japan Network Information Center |
Address: Kokusai-kougyou-Kanda Bldg 6F
Address: 2-3-4 Uchikanda
NetRange: 220.127.116.11 - 18.104.22.168
NetType: Direct Allocation
Comment: Japan Network Information Center(JPNIC) is an
Comment: National internet registry of Japan. Please search
Comment: whois.nic.ad.jp for more information about this range.
Comment: % whois -h whois.nic.ad.jp ***.***.***.***/e
RTechName: Japan Network Information Center
OrgTechName: Japan Network Information Center
# ARIN WHOIS database, last updated 2005-11-10 19:10
# Enter? for additional hints on searching ARIN's WHOIS database.
It says to search whois.nic.ad.jp which gives this result,
|Network Information: |
a. [Network Number] 22.214.171.124/16
b. [Network Name] WASEDA-NET
g. [Organization] WASEDA University
m. [Administrative Contact] SH4668JP
n. [Technical Contact] AI016JP
n. [Technical Contact] HW1297JP
n. [Technical Contact] KO5486JP
n. [Technical Contact] TY6273JP
p. [Nameserver] ns.cfi.waseda.ac.jp
p. [Nameserver] ns2.cfi.waseda.ac.jp
[Assigned Date] 1989/05/01
[Last Update] 2005/08/22 10:52:26(JST)
Less Specific Info.
More Specific Info.
and Administrative Contact gives this information,
|Contact Information: |
c. [Last, First] Hirasawa, Shigeichi
g. [Organization]WASEDA University
l. [Division] Media Network Center
n. [Title] Dean and Director
I'm seems that your IP is coming from the WASEDA University in Japan - [waseda.jp...]
I've often got many many different pages of a phpBB forum open in Firefox, Mozilla, newer Netscape, or Opera browsers. I could conceivably open multiple reply-to-message pages, compose replies to all of them, and then post them in quick succession. What user-agent is your visitor using?
Well, well, well! I sure do appreciate that assist there, twist. I can't imagine how come I couldn't track that, but I'll go back and work on that. Unfortunately, your info there rings serious alarm bells that an idiot with malicious intent has followed me from a previous gig to the new one. I'll just ban that IP address and have a chat with Mr. Hirasawa. Waseda takes matters like this very seriously.
Again, I sure appreciate the help.
I do have one more question, if ya'll don't mind. I seem to recall on another forum I worked that I also saw guests listed as reading a private message. My recollection may be wrong, but in this latest case I've definitely got the proof.
So my question is how that is possible? What would be the mechanics of that? A guest obviously has no private messages, so why would that be showing?
jdMorgan, you seem to have posted while I was doing my two-finger dance on the keyboard. I'm so slow. The response is appreciated.
But when you ask about "user-agent" are you referring to info in twist's message? I'm not quit sure I understand "user-agent"?