homepage Welcome to WebmasterWorld Guest from 54.196.195.158
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL

Search Engine Spider and User Agent Identification Forum

    
Selenium Server Question
What is the purpose of this type of activity...
grandma genie




msg:4487052
 11:43 pm on Aug 21, 2012 (gmt 0)

Hello,
I'm not sure what forum to post this in, so if this is the wrong one, please redirect me.

I am finding this type of activity in my server logs and I'm not sure what the purpose of the visit is. Can anyone explain this behavior?

Thank you in advance.

-- gg

37.59.4.nnn "GET / HTTP/1.1" 403 - "http://localhost:4444/selenium-server/core/Blank.html" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
37.59.4.nnn "GET /favicon.ico HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
37.59.4.nnn "GET /favicon.ico HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"

 

phranque




msg:4487093
 2:08 am on Aug 22, 2012 (gmt 0)

selenium is a test tool for web applications.

http://seleniumhq.org/docs/07_selenium_grid.html#installation
The default port the hub uses to listen for new requests is port 4444. This is why port 4444 was used in the URL for locating the hub. Also the use of ‘localhost’ assumes your node is running on the same machine as your hub.


does the IP address look familiar?
any idea what is throwing the 403 status code?

grandma genie




msg:4487098
 3:30 am on Aug 22, 2012 (gmt 0)

There are several different IPs that have come onto the server with that referer. Two are from France. One is Chicago. This has been happening for a few months, so I blocked the IPs. That is why they are getting the 403s.

188.165.221.nnn - OVH SAS
173.208.87.nn - Ubiquity Server Solutions Chicago
37.59.4.nnn - OVH SAS

My site is in the USA. I'm assuming that whatever they are attempting isn't working. But they keep doing it, nevertheless.

It appeared to be some type of test. Is this something other webmasters are seeing in their logs? What does it mean? Should I be concerned?

wilderness




msg:4487243
 2:32 pm on Aug 22, 2012 (gmt 0)

gg,
Are you getting sales from RIPE ranges?

Seem to recall that at one time I provided a bunch of Class A IP's for you to use?

Don

grandma genie




msg:4487272
 3:51 pm on Aug 22, 2012 (gmt 0)

On rare occasions I will get an order from the UK, France, Norway, Denmark, Italy, but postage is so high most don't order from overseas. This is the info you sent, Don:

RewriteCond %{REMOTE_ADDR} ^11[0-9]\. [OR]
RewriteCond %{REMOTE_ADDR} ^12[1-6]\. [OR]
RewriteCond %{REMOTE_ADDR} ^8[0-9]\. [OR]
RewriteCond %{REMOTE_ADDR} ^9[0-5]\. [OR]
RewriteCond %{REMOTE_ADDR} ^17[5-9]\. [OR]
RewriteCond %{REMOTE_ADDR} ^18[0-35-9]\. [OR]
RewriteCond %{REMOTE_ADDR} ^19[01]\. [OR]
RewriteCond %{REMOTE_ADDR} ^20[01]\. [OR]

Got more?

By the way, when the Selenium-Server stuff started showing up, before it was blocked, it was grabbing css files. Home page, css files and the favicon.ico.

Would blocking selenium as a referer be a solution? Was this some type of remote control activity?

-- gg

Leosghost




msg:4487274
 4:01 pm on Aug 22, 2012 (gmt 0)

By the way, when the Selenium-Server stuff started showing up, before it was blocked, it was grabbing css files. Home page, css files and the favicon.ico.

If that is all it( they ) took each time ?
Sounds to me like someone running a bot ( from various places ) to get an image of your home page to put on a whois or some such..

France has some big server farms run by OVH, and 1&1 and others..the country spread you report matches 1&1 in Europe..

<OT>btw ..you think postage to Europe is bad :) try it the other way..costs me 3 or 4 times more, to send a a given weight package to you in to the USA via UPS / DLH/ parcel post, than it does for you to send it to me ...ouch!</OT>

wilderness




msg:4487278
 4:12 pm on Aug 22, 2012 (gmt 0)

Got more?

RewriteCond %{REMOTE_ADDR} ^14\. [OR]
RewriteCond %{REMOTE_ADDR} ^141\. [OR]
RewriteCond %{REMOTE_ADDR} ^150\. [OR]
RewriteCond %{REMOTE_ADDR} ^19[3-6]\. [OR]
RewriteCond %{REMOTE_ADDR} ^27\. [OR]
RewriteCond %{REMOTE_ADDR} ^22[012]\. [OR]
RewriteCond %{REMOTE_ADDR} ^31\. [OR]
RewriteCond %{REMOTE_ADDR} ^3[789]\. [OR]
RewriteCond %{REMOTE_ADDR} ^4[1369]\. [OR]

Would blocking selenium as a referer be a solution? Was this some type of remote control activity?


gg,
I'd never seen that prior to your posting, however there is certainly NOT any reason to allow the refers:

SetEnvIfNoCase Referer selenium

however I would suggest adding both "selenium" and "server" (the later may catch some other strays)
into mod-rewrite refer lines similar in format to what I used to combine your UA's.
Ex:

#if refer contains deny
RewriteCond %{HTTP_REFERER} (selenium|server) [NC]
RewriteRule .* - [F]

grandma genie




msg:4487281
 4:27 pm on Aug 22, 2012 (gmt 0)

Yes, they only grabbed home page, 4 css files (including the stylesheet) and the favicon.ico. The IPs that came in (four different ones) included 173.234.62.nnn. Agreed it is some type of bot activity.

Is this something a webmaster would want to see in their logs. Or should the red flags be going up?

By the way, postage is bad enough here at home. I'm surprised anyone buys anything online these days.

grandma genie




msg:4487282
 4:28 pm on Aug 22, 2012 (gmt 0)

OK, thanks Don.

grandma genie




msg:4487285
 4:45 pm on Aug 22, 2012 (gmt 0)

One more question. Does blocking an IP in two different ways in htaccess cause a problem or does it matter? Like with deny,allow and RewriteCond.

wilderness




msg:4487292
 5:05 pm on Aug 22, 2012 (gmt 0)

One more question. Does blocking an IP in two different ways in htaccess cause a problem or does it matter? Like with deny,allow and RewriteCond.


Yes.
In fact, I get some 500 errors (loops) when a page request is caught from some UA and IP duplications requests.

I've no idea of the cause on my end, possibly some inconsistency on my part.
I don't explore resolution because the frequencies are few and the 500 serves the same end result as the 403.

FWIW, I use deny from and SetEnIf in conjunction with similar rules in mod_rewrite, which is generally a no-no.

grandma genie




msg:4487295
 5:17 pm on Aug 22, 2012 (gmt 0)

OK, thanks. I'm going to adjust the deny, allow list so it does not conflict with the IPs in the RewriteCond list.

I appreciate the additional IP range info.

Leosghost




msg:4487297
 5:36 pm on Aug 22, 2012 (gmt 0)

BTW..a bit of research shows that selenium is a downloadable server, can be run as a standalone or a service..with amongst other uses a "browser automation framework" for various browsers..
[code.google.com...]

lucy24




msg:4487359
 9:14 pm on Aug 22, 2012 (gmt 0)

Does blocking an IP in two different ways in htaccess cause a problem or does it matter? Like with deny,allow and RewriteCond.

Only if one of your blocks also prevents the server from displaying your ErrorDocument. (Been there. Done that.) This results in an infinite loop winding up in a 500 error.

If you think about it, low-budget robots are almost bound to be blocked in more than one way. For example, someone claiming to be MSIE 3 referred by a bogus Russian site coming from an IP in the Ukraine is going to run into the full belt-plus-suspenders-plus-trouserbutton combo :)

So each category of blocks needs to come with a separate exemption for the error document. Core-level "Deny from..." directives go with a <Files> or <FilesMatch> to let them see your custom 403. Denials via mod_rewrite similarly need some type of escape clause. You generally don't need to do anything in SetEnvIf, because the module itself isn't issuing the lockout; it's just passing information to the core.

Incidentally, your OP looked familiar to me. It's the same configuration I see in my logs when I'm testing something offline that includes an absolute link to material on my site. So "localhost" as referer isn't intrinsically evil. But the harmless ones will come from a familiar IP.

MxAngel




msg:4487876
 4:48 am on Aug 24, 2012 (gmt 0)

3. The RC server then opens a URL connection specified by the client API with a /selenium-server/core/Blank.html?start=true. (Note that when creating a Selenium instance, a specific URL must also be provided.) If this connection was successful, it also helps to verify that the proxy configuration was setup properly.


[hustoknow.blogspot.com...]


Selenium appending "selenium-server/core/Blank.html?start=true" while opening a URL
https://groups.google.com/forum/#!topic/selenium-users/m__EUnm8BZY

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved