Forum Moderators: DixonJones

Receiving a lot of blank requests?

No referer listed

         

RoseMarie

1:17 pm on Feb 20, 2004 (gmt 0)

10+ Year Member



Recently I have been seeing requests (50+ in the last 2 days) in my log files that seem odd. Can someone tell me what exactly is being requested?

They all have different IPs listed and sometimes the Http Version is: HTTP/1.0". The Agent is always the same.

Host: 221.X91.53.39
Url: /
Http Code : 302
Date: Feb 18 22:37:19
Http Version: HTTP/1.1"
Size in Bytes: 320
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

Thanks for any insight.
RoseMarie

[edited by: DaveAtIFG at 3:52 pm (utc) on Feb. 20, 2004]
[edit reason] Obscured IP [/edit]

mpfog

6:26 pm on Feb 25, 2004 (gmt 0)

10+ Year Member



hi. the same kind of requests are showing up on one of my sites. they started appearing on 2/15. since then there are between 2 & 10 every hour. they all have the same user agent, request the default document at the ip address, and don't request anything else. i haven't found them to repeat, but i haven't searched every logfile for every address. most interesting to me is that i don't see anything like it on other sites, even with consecutive ip addresses. it almost looks like newly created zombies checking in, but there's nobody here for them to talk to. i'm including an excerpt from an iis logfile.
mf

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-02-15 00:42:35
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes cs(User-Agent) cs(Referer)
2004-02-15 00:42:35 218.X45.25.11 - 172.30.X23.115 80 GET /Default.asp - 200 236 194 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-02-15 00:47:59 219.X45.68.166 - 172.30.X23.115 80 GET /Default.asp - 200 212 190 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-02-15 00:50:56 203.X22.25.30 - 172.30.X23.115 80 GET /Default.asp - 200 212 190 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -

[edited by: DaveAtIFG at 6:51 pm (utc) on Feb. 25, 2004]
[edit reason] Abbreviated log sample and obscured IPs [/edit]
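
The pattern described in the posts above (each IP sends a single referer-less GET for the default document, always with the same user-agent) can be pulled out of an IIS W3C extended log mechanically. This is an added example, not part of any post in the thread; the sample log lines are constructed with documentation-range IPs, and the function names and the default-document list are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended format (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) cs(Referer)
2004-02-15 00:42:35 192.0.2.11 GET /Default.asp 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-02-15 00:47:59 198.51.100.66 GET /Default.asp 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-02-15 00:50:56 203.0.113.30 GET / 302 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-02-15 01:02:10 192.0.2.77 GET /Default.asp 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) -
2004-02-15 01:02:11 192.0.2.77 GET /images/logo.gif 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) http://www.example.com/Default.asp
"""

DEFAULT_DOCS = {"/", "/default.asp"}  # assumed default-document paths for this site

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def single_probe_clients(text):
    """Map c-ip -> user-agent for clients whose only request is a referer-less GET of the default document."""
    by_ip = defaultdict(list)
    for row in parse_w3c(text):
        by_ip[row["c-ip"]].append(row)
    probes = {}
    for ip, rows in by_ip.items():
        r = rows[0]
        if (len(rows) == 1 and r["cs-method"] == "GET"
                and r["cs-uri-stem"].lower() in DEFAULT_DOCS
                and r["cs(Referer)"] == "-"):
            probes[ip] = r["cs(User-Agent)"].replace("+", " ")  # IIS logs spaces as '+'
    return probes

def shared_agents(probes, min_ips=2):
    """User-agent strings shared by at least min_ips single-probe clients."""
    counts = Counter(probes.values())
    return {ua: n for ua, n in counts.items() if n >= min_ips}

if __name__ == "__main__":
    for ua, n in shared_agents(single_probe_clients(SAMPLE_LOG)).items():
        print(f"{n} one-shot clients share UA: {ua}")
```

Run over several days of logs concatenated together, the one-request-per-IP condition only holds if the whole period is loaded at once, since an address that returns on a later day would otherwise be counted as new.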

jdMorgan

2:33 am on Feb 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



RoseMarie,

The user-agent is requesting your default (home) page from www.yourdomain.com/
It appears that your server is misconfigured, because its response is a 302-Moved Temporarily redirect.

It is usual to serve your "home page" in response to a request for "/" without requiring a redirect. You can, of course, do anything you like, but this is the usual method.

Blank referrers occur with typed-in URLs, right-click-Saves, download assistants, and robots good and bad. There's not enough information to determine if this is a problem in this case. However, if you don't do much business with Japan, it is probably some kind of 'bot.

mpfog,
Welcome to WebmasterWorld [webmasterworld.com]!
Your visitors are from Korea, China, and either India or Taiwan, and that's all I can tell.

In both of your cases, these could be proxied requests, in which case these IP addresses would belong to the proxies, and there would be no way to tell where the actual "users" are from the info posted here.

Jim

mpfog

2:58 am on Feb 26, 2004 (gmt 0)

10+ Year Member



hi jim. thanks for the input. those 3 in my post are from asia but there are plenty from the us too, from assorted broadband and dialup isps. they started 2/15 and each ip address sends just the one GET request and then never returns as far as i have seen. this particular site is languishing right now with no real traffic so these hits are just about the only thing in the logs. i'd be glad to send a few days worth of them if anyone would like to see them.
thanks,
mf

webreader

3:42 pm on Feb 28, 2004 (gmt 0)

10+ Year Member



I've been reading this forum for quite some time, but finally decided to register. It is a great source of information. Many thanks.

I am seeing the same exact thing as RoseMarie and mpfog. It started on 2/11 against a domain without any root pages so they are getting served 403s. It's not happening to the other domain I handle here. It's always the same UA string - Mozilla/4.0 (compatible; MSIE 5.5; Windows 98) but the IP changes every time from all over the globe. It happens about 5 to 20 times a day. They are the only entries hitting this empty domain except for the occasional options request with a webdav UA string etc.

It does not appear to be what the UA claims.

ClickMagazine

7:54 pm on Mar 1, 2004 (gmt 0)

10+ Year Member



I was just about to post asking this very question. All of the IPs I've checked are from China. It's interesting that they seem to be requesting the IP of my site and not a www address.

I host multiple sites on this ip so I depend on the typed in address to know where to send them. Since all I'm getting is the IP, that's as far as they go.

Why would so many people suddenly be requesting sites via IP and not addresses?

bcolflesh

7:58 pm on Mar 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Why would so many people suddenly be requesting sites via IP and not addresses?

One possibility is a program designed to scan blocks of IP ranges - almost every vulnerability scanner works this way.

ClickMagazine

8:52 pm on Mar 1, 2004 (gmt 0)

10+ Year Member



Well, then I guess it's a good thing I'm giving it a 301 and then leaving it hanging...

Even if it is a computer, it's probably scratching its head wondering what that's all about, LOL.