Forum Moderators: phranque
I just read a post about why requests for GET / HTTP/1.1 have increased in a log file.
I understand this is a call for the index file on my server.
The strange part:
I have a web site with only an index page. Contains no content. For the past 4 years it has attracted maybe 20 visitors a day, almost all robots.
On September 18, 2003 there began a drastic increase in traffic to the site.
200-400 unique visitors a day, each with a different IP. I checked some of the IPs and they lead to credible ISPs. Now it is up to 4000+ a week.
But here is the strangest part:
Each call is for GET / HTTP/1.1 only.
The time recorded for each visit is .1 second, a tenth of a second.
And, each unique visitor records they are using IE 5.5 with Windows 98. Every one of them.
Obviously these are not people purposely coming to my site, each asking only for the / page, each spending a tenth of a second, and all having win98 ie5.5
Anyone have an idea what is happening?
Thanks,
dav
Here is an example:
63.207.15.100 - - [28/Sep/2003:04:26:56 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
24.242.209.209 - - [28/Sep/2003:04:30:24 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
64.216.47.33 - - [28/Sep/2003:04:35:57 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
66.156.113.66 - - [28/Sep/2003:04:38:36 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
66.106.19.51 - - [28/Sep/2003:04:39:32 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
66.57.159.49 - - [28/Sep/2003:04:47:37 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
81.103.189.64 - - [28/Sep/2003:04:56:26 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
66.203.188.73 - - [28/Sep/2003:05:05:28 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
Each of the log lines is exactly like the ones above except for a different IP number on each (and the time).
With an ARIN whois search on the IPs, I came up with:
63.207.15.100 is Pac Bell Internet Services.
24.242.209.209 is ROADRUNNER-SOUTHWEST.
64.216.47.33 is SBC Internet Services – Southwest.
66.156.113.66 is BellSouth.net Inc.
66.106.19.51 is Internet Allegiance, Inc. Texas.
66.57.159.49 is Road Runner-VA.
81.103.189.64 is RIPE Network Coordination Centre Amsterdam.
66.203.188.73 is Execulink Internet Services Corporation NJ.
When I do a find on the log list for any one IP number, it comes up as only one visit in a week.
On average the hits come in consistently at 5-8 minutes apart.
dav
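The pattern dav describes (one bare "GET / HTTP/1.1" per IP, no follow-up requests for the page's images, an identical User-Agent on every hit, hits spaced minutes apart) can be measured directly from the log instead of eyeballed. The script below is an added example and is not code from the thread: it parses Apache/NCSA combined-format lines, groups them by User-Agent and reports those signals per UA. The sample input reuses the eight lines quoted in the post and adds two constructed lines for an ordinary visitor (address 192.0.2.10, an assumed Gecko UA, a follow-up image request) so the contrast is visible; the thresholds in `flag_phone_home` are assumptions, not values from the thread.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Apache/NCSA Combined Log Format, which is what the lines in the post use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the eight lines quoted in the post, plus two assumed lines
# for an ordinary visitor (192.0.2.10 is a documentation address) that fetches
# the page and then an image referenced from it.
SAMPLE_LOG = """\
63.207.15.100 - - [28/Sep/2003:04:26:56 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
24.242.209.209 - - [28/Sep/2003:04:30:24 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
64.216.47.33 - - [28/Sep/2003:04:35:57 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
66.156.113.66 - - [28/Sep/2003:04:38:36 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
66.106.19.51 - - [28/Sep/2003:04:39:32 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
192.0.2.10 - - [28/Sep/2003:04:41:10 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/5.0 (X11; Linux i686) Gecko/20030902"
192.0.2.10 - - [28/Sep/2003:04:41:11 -0400] "GET /logo.gif HTTP/1.1" 200 4021 "http://example.com/" "Mozilla/5.0 (X11; Linux i686) Gecko/20030902"
66.57.159.49 - - [28/Sep/2003:04:47:37 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
81.103.189.64 - - [28/Sep/2003:04:56:26 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
66.203.188.73 - - [28/Sep/2003:05:05:28 -0400] "GET / HTTP/1.1" 200 11774 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def profile_by_ua(log_text):
    """Group requests by User-Agent and compute the signals the thread relies on."""
    by_ua = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ua[rec["ua"]].append(rec)

    profiles = {}
    for ua, recs in by_ua.items():
        recs.sort(key=lambda r: r["ts"])
        per_ip = defaultdict(int)
        for r in recs:
            per_ip[r["ip"]] += 1
        # seconds between consecutive hits from this UA, for the spacing signal
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        profiles[ua] = {
            "requests": len(recs),
            "distinct_ips": len(per_ip),
            # share of IPs that sent exactly one request (no follow-up for images etc.)
            "single_request_share": sum(1 for n in per_ip.values() if n == 1) / len(per_ip),
            # share of requests that are exactly the bare "GET / HTTP/1.1"
            "root_only_share": sum(1 for r in recs if r["req"] == "GET / HTTP/1.1") / len(recs),
            # share of requests carrying no Referer at all
            "no_referer_share": sum(1 for r in recs if r["ref"] == "-") / len(recs),
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
    return profiles


def flag_phone_home(profiles, min_ips=5, share=0.9):
    """Return UAs whose traffic looks like many distinct hosts each fetching only '/'.

    The thresholds are assumed defaults for this example, not values from the thread.
    """
    return sorted(
        ua for ua, p in profiles.items()
        if p["distinct_ips"] >= min_ips
        and p["single_request_share"] >= share
        and p["root_only_share"] >= share
    )


if __name__ == "__main__":
    profiles = profile_by_ua(SAMPLE_LOG)
    for ua in flag_phone_home(profiles):
        p = profiles[ua]
        print(f"{ua!r}: {p['distinct_ips']} IPs, {p['requests']} requests, "
              f"median gap {p['median_gap_s']} s, no Referer on {p['no_referer_share']:.0%}")
```

On the sample the MSIE 5.5 / Windows 98 agent is the only one flagged: eight distinct IPs, every one of them a single bare request for "/" with no Referer, with a median spacing of 333 seconds between hits, which matches the 5-8 minute spacing dav reports. The constructed Gecko visitor is not flagged because it comes back for the image. Run it against a real access log by replacing `SAMPLE_LOG` with the file's contents; grouping by UA rather than by IP is what makes the pattern stand out when every source address is different.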
based on the description, other discussions and a bit of WAG, it sounds like your site may be getting tapped by a lot of trojan infected machines looking for their controller... different IPs may be due to them being on dialup connections... the posted UA strings appear to be valid... is your site new? have you recently acquired that IP number? i'm thinking that it may be possible that you might have been assigned an address that was determined to be used by something like the blaster worm... IIRC, didn't it try to contact certain sites to download some payload on a certain day?
what you have there is really weird... hopefully others are watching this thread and will join in with anything they might have... if you've just recently acquired that IP number, you may want to see about swapping it out for another... talk to your host and explain the situation to them... it shouldn't be that much of a problem to switch the dns and your machine(s)... it definitely looks like something phoning home with a spoofed UA...
I have had my site on the same IP for 4-5 years (the server is Unix). The increase in traffic started Aug 18 (not Sept 18 as I said in my original post). Of interest, Aug 18 was the date for the W32.Blaster worm.
From Jan 2003 to Sept 2003 the site had a couple of pages, but I never got into promoting the URL in search engines, or leaving links anywhere. In late Sept I decided to start using the URL and that is when I checked WebTrends and log files, thereby discovering the activity.
The fact that the GET command for each connection terminates after the index html is sent (11774 bytes, apparently a successful transfer), and that no follow-up call for images for the html page is sent, I find especially weird. I agree with you that it looks like a phoning home. And I guess it is possible that some trojan author included a phony controller IP, and it turned out to be mine. If nothing more than trying to create more bandwidth wasting without the visitors knowing their computer is spinning.
I hate to think about it, but I guess switching my host IP is probably what I should do.
dav
Just thought I'd let you know that you're not alone. Starting at 02:29 AM GMT on August 18 the visits began for me, and haven't stopped...
Only one of my sites has been affected, and funnily enough, it's a very similar setup to yours; a single page with only 4 graphics - no text - not advertised or submitted anywhere. My only visitors are the occasional spammer or script kiddie...
What's interesting in my case is that I got the IP for this site at the start of August. I too wonder if there's a connection to Blaster.
I did a sort of "IP versus time" analysis of the visits and saw that the visits started from China, South Korea & the States, spread to North America & the south Pacific and were global in nature within a week.
The IPs themselves have been traced from dial-up ISPs to government machines, with everything imaginable in between (although I haven't noticed any military IPs in the collection.)
Given those facts, I decided that it was just more stupid carp going 'round and took the drastic step of banning the UA. (My 403 page is much smaller than my homepage, so I save some bandwidth...)