I'm a webmaster of a site that has been having some weird behavior the last two months, noticed when checking stats on awstats. I'm not a newbie when it comes to analyzing log files, but I'm not an expert either. Need a little assistance with this one:

I have a single IP that makes requests for the same three pages on my client's site (a museum), once an hour and always in the same order. Log file entry as follows:

207.250.30.3 - - [12/Jan/2006:05:21:54 -0600] "GET /zoo_info/ HTTP/1.1" 200 7465 "-" "Mozilla/4.0 (compatible;)" 
207.250.30.3 - - [12/Jan/2006:05:23:07 -0600] "GET /store.php HTTP/1.1" 200 3946 "-" "Mozilla/4.0 (compatible;)" 
207.250.30.3 - - [12/Jan/2006:05:23:15 -0600] "GET /attractions/ HTTP/1.1" 200 6271 "-" "Mozilla/4.0 (compatible;)"

As you can see, no referrer and no system information. IP resolves to "207-250-30-3.gen.twtelecom.net" (looks like a Time Warner cable connection) and comes from within the United States. No other suspicious behavior that I can see in my log files, and it makes no request for any other graphics/css on these pages.

My best guesses:

1. Someone could have the page loading as their start page, but that wouldn't explain the other follow-up requests. And I am guessing that no graphics/css are made as these have already been cached on the terminal in question.

2. Some kind of attack/spam issue, but the hits aren't even close to crippling the server. But it is hurting my efforts to track the success of my client's site.

I'm out of ideas on this one... any ideas, or any way to track down the machine(s) in question? Thanks in advance.

[edited by: tedster at 4:45 am (utc) on Jan. 13, 2006]
[edit reason] disable graphic smile faces [/edit]