Welcome to WebmasterWorld Guest from 54.145.173.36

Forum Moderators: DixonJones & mademetop

Message Too Old, No Replies

IP address misbehaving on my site

Member running scripts on my site?

   
7:58 am on Mar 1, 2003 (gmt 0)

10+ Year Member



I've come across an IP address doing some wierd stuff on my site. 62.253.96.4 has been requesting a couple of pictures from my photogallery thousands of times and to a much more limited extent items from other areas.

When I first saw this I thought a member of my forums was running a script to make those pictures display in the "most popular" section of my photo gallery, but now I'm not so sure.

I've dug around in my phpBB and photo gallery database and haven't seen anything conclusive to connect a username and the IP address. Well, I've seen one of my moderators post on this IP address twice only and six months ago, and I think it's very unlikely to be him for a number of reasons. Going by the accesses, it seems to be only one user currently. I'm guessing it's cable, and the IP address stayed the same over several days.

Should I ban this IP address and redirect all accesses by it to a friendly error page saying there's a problem with this IP address and asking any users who see it to contact me?

8:53 am on Mar 1, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



hi KakenBetaal,

i first would trace the ip immediatly if this occurs. this could be a dial-up account only. if it's a dial-up account than this is no static ip and it would make no sense to block it because it can expire soon.

i think the only thing you can do is to limit the connections of an ip-adress to a specific number to block traffic misuse on your site.

10:26 am on Mar 1, 2003 (gmt 0)

10+ Year Member



Cool, but how do you find out whether it's dial-up or permanent?

I suspect it's a static IP as it sometimes resolves via dns to cache1-winn.server.ntli.net [62.253.96.4]

It was down for a few hours last night/this morning, and wouldn't resolve then. Strange that they've left the server pingable.

I'm fairly convinced that this is a unique user either on this address or via a proxy, and that he/she is the only one on this IP since the behaviour is consistent over a whole week. So far my theories have been:

* Dodgy proxy server re-requesting pages it shouldn't be?
* User on this ip/via this proxy doing this.
* User spoofing the IP address.

10:46 am on Mar 3, 2003 (gmt 0)

10+ Year Member



cache1-winn.server.ntli.net is an NTL proxy, and I *think* can only be used by NTL customers.

They are currently changing their proxy names as shown at this location h**p://homepage.ntlworld.com/robin.d.h.walker/cmtips/trancache.html#ntl

The NTL proxies are on and off all the time. I'm on NTL btw :(