Forum Moderators: DixonJones
I have question that was not answered yet (if that's possible at all) Well, I have about 150 to 180 requests from IP address in Luxemburg. This IP is: 158.64.87.113 and request is always:
GET /?XGW_url=http://www.mydomain.com HTTP/1.1" 200 12294 "-" "Mozilla/4.0 (compatible; MSIE 4.01 compatible; Plumtree 4.0; Windows NT)
So, my question is: what the /?XGW_url is for?
What is this for? I only found some info about plumtree portal software but no any references to request like this.
I can possibly live with this but, I am sure that You understand that I want to know ...
Thanks for all Your help.
Krzys
the / is the url
the? is to signify that the rest of the request are parameters to pass to the url...
XGW is the parameter
what they are attempting to do is totally unknown... likely nothing... but one can never tell... since your initial page doesn't appear to be a script that can process parameters, it shouldn't be hurting anything...
the only other thing i can think of is a tracking method for logfile parsers...
So, your site is most likely being ripped and included in a portal somewhere. Or perhaps it's just being spidered, but since the URLs are being modified, i'd vote for the rip.
/claus
I'm a bit curious given that: "List price: For 250 users, $100,000 and up; volume pricing available." doesn't seem to be for single-users.
Pendanticist.
I don't know, it's the "Ministry of Education Grand-Duchy of Luxembourg" that uses it. There's no specific indication that it is individual users as far as i can see - it's just a piece of software generating 150 requests+ on krzys' site. The contents of his site could be all over their intranet or the site could just be spidered by the Ministry, i have no chance of telling that.
>> In what manner
I'm assuming that the URL query string of:
?XGW_url=http://www.mydomain.com...is something that is added to all urls on this intranet, and that there's something wrong with the procedure that's supposed to clean his original urls from his pages and insert these local relative urls in stead (the relative URLs get appended in stead of replacing the original ones).
I might be wrong about this, but it seems logical to me - perhaps it's just a little late in the evening and perhaps i'm just a bit tired.
One other thing - it could also be a badly configured link-checker that's built into the portal software. In that case it often pays to write to the offending site and ask them to lower the frequency, i've had good results with this (when IP's are from well-known firms, i think a ministry qualifies ; ).
/claus
Pendanticist.
...is something that is added to all urls on this intranet, and that there's something wrong with the procedure that's supposed to clean his original urls from his pages and insert these local relative urls in stead (the relative URLs get appended in stead of replacing the original ones).
I just wasn't sure but traffic to my site was little slower during last week and these request started about week ago. I just checked today's log file and this thing was asking for my site 221 times during last 21 hours. There is no any, absolutely any time rule. There is no any regular sequence. Sometimes it is just few times in one minute, sometimes one time an hour.
I don't know what this portal system does but I was afraid that they are redirecting traffic from my site to a copy of my site made on their system. Sort of a fake DNS, at least for users of their system.
It does not matter for me that it is "Ministry of Education Grand-Duchy.. " or whatever sort of Institution. Part of my site was already stolen by few sites that belongs to institutions which can afford making their own sites. I have enough experience with this. My everyday problem is tons of hotlinked images from my site and site rippers. I have very large gallery online and put a lot of work in it. It is horrible a lot of work to make over 2300 high quality photographs for the web. And I am really upset when I see something strange like these request from Luxemburg.
It is strange that after I blocked this IP, it still repeat the same request as before. It is logged as denied. I will look at my logs to see what happens.
Thanks again for Your answers.
Have a good day, or night if You are at other part of the globe.
Krzys.
That's far too many in any respect. If you do a whois-lookup like this one:
http://www.dnsstuff.com/tools/whois.ch?ip=158.64.87.113... you will find the email address of a Technical contact for the domain (TechEmail). As it's a ministry, try sending him an email and explain what has happened, and that you don't like this behavior, and have banned their IP. Being a ministry, this ought to have some effects so as to make them investigate and correct the problem - it's bad PR after all.
/claus
Try the "site search" on top of this page and search for "image hotlinking" - there's a lot of threads giving advice on how to prevent it.
