
Mysterious visitors

from 300 to 6000 visitors


ebend

4:08 pm on May 18, 2004 (gmt 0)

10+ Year Member



Just noticed that this post is similar to "Lots of GETs, but no content?" with the same browser profile...

I run web statistics for a number of small public libraries. Starting in the middle of Feb. one of the library sites started getting a steady stream of visits (seemingly) from around the world. All the visits look exactly the same in the log files, except for the address which is almost always different. The Browser is identical and every hit shows 0.0k file size and it is always Default.htm.

This goes on day and night seven days a week anywhere from 1 to ten minutes apart. Any ideas would be greatly appreciated. Thanks.

Address: pl002.nas312.ryugasaki.nttpc.ne.jp
Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Protocol: HTTP/1.0
Date: Tue May 18, 2004
----------------------------------------------------------------------------
00:30:01 GET 0.0K /Default.htm

----------------------------------------------------------------------------
Address: 218-164-XX-27.dynamic.hinet.net
Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Protocol: HTTP/1.0
Date: Tue May 18, 2004
----------------------------------------------------------------------------
00:34:25 GET 0.0K /Default.htm

----------------------------------------------------------------------------
Address: 69.27.XX.126
Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Protocol: HTTP/1.0
Date: Tue May 18, 2004
----------------------------------------------------------------------------
00:49:04 GET 0.0K /Default.htm

[edited by: webdiversity at 5:29 pm (utc) on May 18, 2004]
[edit reason] No specific IP addresses please [/edit]

webdiversity

5:32 pm on May 18, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome to Webmaster World ebend.

Looks very much like robot activity, I'll have a look at my list and see if I can't identify it.

ebend

7:53 pm on May 18, 2004 (gmt 0)

10+ Year Member



Thanks. I've been looking up many of the addresses in APNIC and ARIN but most are just Telecom Companies -- hkcable.com.hk, Dancom Online Services Pakistan, Hanaro Telecom, Inc etc.

The visits just don't look like any of the other spiders or bots that hit my sites - and this site is so small that google doesn't even visit that often. 17,000 visits (out of 18,0000 total) all have the same browser profile: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98) and each time the log says zero bytes transferred. It just seems too uniform to be unrelated spiders. Probably harmless, but it has me baffled.

cfx211

9:24 pm on May 18, 2004 (gmt 0)

10+ Year Member



Are your libraries connected into some sort of consortium? Maybe these people are searching for something in a larger library network, and that network is checking your libraries but getting turned down.

paybacksa

9:40 pm on May 18, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The presence of default.htm suggests a default FrontPage installation, which is hackable. You may be seeing scans...

FineWare

10:05 pm on May 18, 2004 (gmt 0)

10+ Year Member



There was no result code reported above. If the result code was a 304, it usually means that the page was locally cached, possibly at the user's ISP. The requestor is merely checking to see if the cached version is the same as the file on your web server. If it is the same it will show as a 0 byte transfer in the log.

Could be lots of very legal reasons for this to happen, particularly if the ISP employs acceleration software.

Just throwing a slightly less-sinister explanation out there.

Mark.

ebend

5:39 pm on May 19, 2004 (gmt 0)

10+ Year Member



Thanks for the ideas and apologies for long follow-up -- I'm just trying to cover all the bases. Just to reiterate, this is a web site that usually just averages about 10 to 15 visits a day.

We do not use front page and I just checked to make sure that FP Server Extensions are not loaded -- they are not.

Result codes are all 200 - here are some samples from this morning

2004-05-19 11:18:09 61.42.54.62 /Default.htm - 200 0 191 516 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 11:19:00 219.137.21.95 /Default.htm - 200 6924 191 0 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 11:19:36 211.205.244.237 /Default.htm - 200 0 191 546 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 11:46:59 82.130.132.24 /Default.htm - 200 0 191 437 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 11:48:47 24.165.224.170 /Default.htm - 200 0 191 172 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 12:02:33 211.249.145.106 /Default.htm - 200 0 191 282 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 12:12:51 211.142.247.11 /Default.htm - 200 0 214 828 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 12:38:57 209.23.201.199 /Default.htm - 200 0 191 188 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 12:40:13 80.109.31.157 /Default.htm - 200 0 191 187 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 12:41:15 211.162.194.65 /Default.htm - 200 0 191 2922 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -

Of these, only the second one (219.137.21.95 CHINANET) shows data transfer. The others I checked are also coming out of Asia.

We do have multiple domains on our server, but there are no corresponding visits or corresponding 404s on any of our other domains.

I can trace the first occurrence of this type of request to Feb. 9. One thing that shows up across five different domains on our server is a 501 error code (could be related to trying to open up a front page web, or just a syntax error). This exact request occurs in five separate log files at the exact same time. After that I start getting the repeat Default.htm requests (but only on one domain). Also, the log file stops for three hours (but only for the domain in question) followed by some worm attack.

2004-02-09 11:20:35 195.205.253.221 - - 501 236 33 0 - -
2004-02-09 12:22:18 210.180.25.128 /Default.htm - 200 0 191 235 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2004-02-09 15:00:11
#Fields: date time c-ip cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs(User-Agent) cs(Referer)
2004-02-09 15:00:11 61.40.75.15 /Default.htm - 200 0 191 516 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-02-09 15:55:10 204.183.119.20 /Default.htm - 200 281 42 16 - -
2004-02-09 15:55:10 204.183.119.20 /MSADC/root.exe /c+dir+c:\ 404 143 67 0 - -
2004-02-09 15:55:10 204.183.119.20 /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 143 111 15 - -
2004-02-09 15:55:10 204.183.119.20 /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 404 143 105 0 - -

etc.

The requests also originally occurred in relationship to two default.ida requests, one on the 9th and one on the 13th. We are patched for Code Red, but I'm wondering if the problem could be related?

2004-02-13 16:05:07 61.253.129.201 /Default.htm - 200 0 191 532 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-02-13 16:08:02 217.210.77.220 /Default.htm - 200 0 191 187 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-02-13 16:11:33 80.58.36.239 /Default.htm - 200 0 314 2859 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-02-13 16:36:41 61.3.218.68 /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 165 3818 375 - -
2004-02-13 16:39:54 61.234.182.41 /Default.htm - 200 0 191 1266 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-02-13 16:42:29 61.110.135.234 /Default.htm - 200 0 191 2406 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-02-13 17:21:09 81.203.131.38 /Default.htm - 200 0 191 516 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -

Thanks again for taking a look.
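A small parser for the IIS W3C extended log layout quoted above (the #Fields: line), added here as an example and not code from the thread or any poster; it groups 200-status, zero-byte hits by URI and user-agent and reports distinct client addresses and the seconds between hits, which is the uniformity ebend describes. The sample lines are constructed with documentation address ranges, not the thread's real visitors.

```python
# Added example: flag a uniform stream of zero-byte requests in an
# IIS 4.0 W3C extended log; field names come from the #Fields: header.
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same layout as the posted log; addresses are
# documentation ranges (TEST-NET), not real visitors.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs(User-Agent) cs(Referer)
2004-05-19 11:18:09 203.0.113.10 /Default.htm - 200 0 191 516 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 11:19:00 198.51.100.7 /Default.htm - 200 6924 191 0 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 11:19:36 203.0.113.22 /Default.htm - 200 0 191 546 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 11:46:59 203.0.113.31 /Default.htm - 200 0 191 437 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 11:50:12 192.0.2.5 /index.htm - 200 4210 220 31 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1) http://example.org/
2004-05-19 12:02:33 203.0.113.44 /Default.htm - 200 0 191 282 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
2004-05-19 12:05:00 192.0.2.9 /scripts/cmd.exe /c+dir 404 143 67 0 - -
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))

def zero_byte_clusters(records, min_hits=3):
    """Group 200-status, zero-byte hits by (URI, user-agent); for groups of at
    least min_hits report hit count, distinct client IPs and seconds between hits."""
    groups = defaultdict(list)
    for r in records:
        if r["sc-status"] == "200" and r["sc-bytes"] == "0":
            key = (r["cs-uri-stem"], r["cs(User-Agent)"])
            groups[key].append((r["date"] + " " + r["time"], r["c-ip"]))
    out = {}
    for key, hits in groups.items():
        if len(hits) < min_hits:
            continue
        stamps = sorted(datetime.strptime(t, "%Y-%m-%d %H:%M:%S") for t, _ in hits)
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        out[key] = {"hits": len(hits), "unique_ips": len({ip for _, ip in hits}),
                    "gaps_s": gaps}
    return out
```

A real 304 (the cached-copy case raised above) would be excluded by the status filter, so only full 200 responses that sent nothing are counted.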