Anyone know why random requests for hypersphere-2010.png are in my logs?
I'm not sure how long it's been going on, but we are getting somewhat random requests for /images/hypersphere-2010.png showing up in our error logs. We've never had such a file on our site. Googling it hasn't revealed much except that it appears in a small number of other website log files also. We cannot duplicate the requests when we test things ourselves. The logs show a rate of about 10 requests per hour (average) from a wide number of IP addresses and various user agents. Here's a sample from the past couple of days (in order of popularity):
| # | User agent | Requests | % of total |
|---|---|---|---|
| 1 | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 | 50 | 22.831050 |
| 2 | Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 | 43 | 19.634703 |
| 3 | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 | 26 | 11.872146 |
| 4 | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 | 18 | 8.219178 |
| 5 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.32 (KHTML, like Gecko) Chrome/13.0.748.0 Safari/534.32 | 18 | 8.219178 |
| 6 | Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 | 15 | 6.849315 |
| 7 | Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/13.0.761.0 Safari/534.35 | 15 | 6.849315 |
| 8 | Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 | 10 | 4.566210 |
| 9 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.50 Safari/534.24 | 6 | 2.739726 |
| 10 | Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 | 5 | 2.283105 |
| 11 | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 | 5 | 2.283105 |
| 12 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.57 Safari/534.24 | 5 | 2.283105 |
| 13 | Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1 | 2 | 0.913242 |
| 14 | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 | 1 | 0.456621 |
Clearly Chrome seems to be a common thread. (There is one non-Chrome Safari in there however, #13). Unclear why that would matter though.
When there is a referrer entry in the logs, it shows that the request is coming from one of our own webpages, but there is no discernible pattern to those pages. We've looked into the possibility that it was coming from an advertising script, but many of the referring pages don't have ads on them, which shoots a hole in that theory.
Anyone know anything about this file? Anyone else seeing similar log entries?
Thanks in advance!
I am having the exact same issue, exact same symptoms, and haven't been able to discern any reason behind it, either :-/
Are they coming from iPads? Could they be looking for some kind of favicon?
|Are they coming from iPads? |
The user-agents listed above are Windows XP, Vista and 7, plus Mac Snow Leopard.
|Chrome seems to be a common thread |
As you almost pointed out, the common factor appears to be the WebKit engine.
I haven't seen this garbage myself, but found the following SERPs amusing:
* Shop for Hypersphere 2010.png online - Read Reviews, Compare
* pictures of hypersphere-2010.png
* Buy hypersphere 2010 png items and find other similar products
Search engines should ban sites like those IMHO.
When researching something like this, always remember that anyone or any botnet can send requests to your server for any filename they can think of or invent and using any referer and any user-agent string they want you to see or that they want to experiment with. None of the web page names, referers, or UAs necessarily have any basis in reality.
When any robot sends a referer string, it's probably fake anyway - robots do direct requests. And when robots send user-agent strings that look like browsers, those are fake, too.
Looking up some of the IP addresses might help throw some light on it. Are they webhosting companies, for example, which would suggest a network of possibly hacked websites. Or if they are consumer broadband companies, it could be a network of zombie (hacked) PCs.
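An added example, not part of the thread: one way to rebuild the kind of tally shown in the first post from raw logs, counting 404s for the missing file by user agent, referer origin and client IP. It assumes Apache/nginx "combined" log format; the sample lines, the IPs and `www.example.com` are constructed, and the referer and user-agent fields are client-supplied strings, so the tally shows patterns rather than verified origins.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Apache/nginx "combined" format; IPs are documentation
# ranges and www.example.com is a placeholder for the site's own host.
SAMPLE_LOG = '''\
203.0.113.5 - - [10/May/2011:10:01:02 +0000] "GET /images/hypersphere-2010.png HTTP/1.1" 404 512 "http://www.example.com/articles/a.html" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24"
198.51.100.7 - - [10/May/2011:10:07:41 +0000] "GET /images/hypersphere-2010.png HTTP/1.1" 404 512 "http://www.example.com/about.html" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24"
192.0.2.44 - - [10/May/2011:10:15:09 +0000] "GET /images/hypersphere-2010.png HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
203.0.113.5 - - [10/May/2011:10:20:30 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24"
198.51.100.99 - - [10/May/2011:10:31:00 +0000] "GET /images/hypersphere-2010.png HTTP/1.1" 404 512 "http://other.example.net/x" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.32 (KHTML, like Gecko) Chrome/13.0.748.0 Safari/534.32"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def summarize(log_text, path, own_host):
    """Tally 404s for `path` by user agent, referer origin and client IP."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Compare the path without its query string; skip unparsable lines.
        if m and m["status"] == "404" and urlsplit(m["path"]).path == path:
            hits.append(m)
    total = len(hits)
    # Most frequent user agents first, with each one's share of the total.
    by_ua = [(ua, n, round(100 * n / total, 6))
             for ua, n in Counter(m["ua"] for m in hits).most_common()]
    referers = Counter()
    for m in hits:
        ref = m["referer"]
        host = urlsplit(ref).hostname if ref not in ("", "-") else None
        # "none" covers both a missing and an unparsable Referer header.
        referers["none" if host is None else
                 "own-site" if host == own_host else "external"] += 1
    return {"total": total, "distinct_ips": len({m["ip"] for m in hits}),
            "by_ua": by_ua, "referers": dict(referers)}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, "/images/hypersphere-2010.png", "www.example.com")
    for ua, count, pct in report["by_ua"]:
        print(f"{count:4d} {pct:6.2f}%  {ua}")
    print(report["distinct_ips"], "distinct IPs;", report["referers"])
```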
It's caused by the plugin/extension/whateveryouwannacallit Hyperwords, which is available for Safari, Chrome and Firefox. That's why it doesn't appear to correlate to a particular browser. This has taken me a few weeks to find (and I just did) and I put in a trouble ticket with them and they've gotten back to me already for more info.
Thanks for tracking that down!
Welcome to WebmasterWorld, michvhf!
And thanks for that information.
And a belated round of welcomes goes to both of our recently recovered lurkers, chipa and bj61251.