Welcome to WebmasterWorld Guest from 54.167.157.247

Forum Moderators: DixonJones & mademetop

Message Too Old, No Replies

curious about continuously timed downloads

   
4:05 pm on May 24, 2013 (gmt 0)



Hello board,

In my server logs, some suspicious hits caught my attention:

123.125.67.181 - - [23/May/2013:04:04:10 +0200] "GET /xxxx/video1.avi HTTP/1.0" 200 34500 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
220.181.51.218 - - [23/May/2013:04:17:59 +0200] "GET /xxxx/video2.avi HTTP/1.0" 200 34500 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.125.67.181 - - [23/May/2013:04:34:28 +0200] "GET /xxxx/video1.avi HTTP/1.0" 200 16653 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
220.181.51.217 - - [23/May/2013:04:48:19 +0200] "GET /xxxx/video2.avi HTTP/1.0" 200 15180 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.125.67.181 - - [23/May/2013:05:04:48 +0200] "GET /xxxx/video1.avi HTTP/1.0" 200 40020 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
220.181.51.156 - - [23/May/2013:05:18:36 +0200] "GET /xxxx/video2.avi HTTP/1.0" 200 49680 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


This has been going on for months. As you can see, these IPs hit quite regularly every 1/2 hour. They only download small parts of some media files (video/audio), never do they request the webpage associated with those files - which does not really make sense in this case, and also no other files from this server. The traffic they produce still moves these files to the front in the stats.
All the requests come from a narrow range of IPs located in Beijing, China. ISP: Data Communication Division

First, I suspected some kind of proxy but seeing that they seem to never get the whole file, yet request these files with timed regularity, I guess it's some bot... but for what purpose?

I decided to block the IP ranges:

Deny from 123.125.67.180/31 123.125.67.242/31 220.181.51.155/32 220.181.51.156/31
Deny from 220.181.51.158/32 220.181.51.217/32 220.181.51.218/31 220.181.51.220/32


Does anybody here know of such a thing?

Edit: Beijing, not Hong Kong.
5:30 pm on Jun 6, 2013 (gmt 0)



UPDATE

Blocking stopped the spook after two days.
 

Featured Threads

Hot Threads This Week

Hot Threads This Month