New website up - who are all these hits from?

         

palmpal

1:28 am on Nov 28, 2002 (gmt 0)

10+ Year Member



Hello,

My new website has been up for about 60 days now. I'm using the FastStats analyzer and have had "visitors" from about 400 unique IP addresses. Some of these I can trace back to good old-fashioned public relations and passing out my business cards. Others I can't explain. For instance, my logs show hits from at least 20 different countries! Can someone tell me what these hits could be from and how they found me? I am not listed on the search engines yet and have not submitted to any as of yet. I still need to work on my meta tags and content first.

Thanks,

Mona

Slade

1:31 am on Nov 28, 2002 (gmt 0)

10+ Year Member



Does your site have a static IP? It's possible some old site had your IP and are spidering looking for it.

Has your domain name ever existed before now? There could be existing links that are now resolving to your site. (This could be a good thing, unless the site was banned by some SEs.)

DiAMOndDavE

2:24 am on Nov 28, 2002 (gmt 0)

10+ Year Member



We have a .com domain name that gets hundreds of hits a day. The thing is, we have only ever had a temporary page up and have never submitted to search engines (yet). We notice that the majority of 'hits' are from those sad people trying to crack into our server. We seem to get bombed by these low-lifes trying to drop .exe files. They are wasting their time but it's still annoying. As soon as a new server or domain name comes online these script kiddies seem to know about it.

musashi

6:57 pm on Nov 30, 2002 (gmt 0)



Some of the visits are probably spiders. You also might have a domain name that is "type-in".

martinibuster

7:06 pm on Nov 30, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



If you are using FastStats, try checking the search engine referrers, and the keywords that they are using. Also check the 404 files/errors log. You might see that they're visiting your cgi-bin looking for an unsecure formmail script.

Jon_King

10:06 pm on Nov 30, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



martinibuster - please explain the unsecured mail cgi intrusion that you mention above...

martinibuster

11:53 pm on Nov 30, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I've noticed people/bots digging around the cgi-bin, trying to access formmail.pl

Apparently these are spammers who, once they find a poorly configured script, will use it to launch spam.

I warned a client about it way back in April, they didn't fix their code, and a couple months later were red-faced after they received a bombardment of angry e-mails asking them to stop sending spam.

As I recall, the script has to be configured to launch email only from your domain, and even better, only from a specific page on your domain. Otherwise, anyone will be able to access your script and launch email from it. To further secure your formmail, you can also rename it to random-name-or-words.pl.

Because these people/bots are looking for a specifically named file (formmail.pl), your renamed file will have the added benefit of being hidden altogether.

People post here about it once a month. I became aware of this flaw while researching mail scripts for my own site.

palmpal

1:13 am on Dec 1, 2002 (gmt 0)

10+ Year Member



Hello,

Thanks for writing. I looked at my FastStats log and discovered some 404 errors that say "/scripts/yadayadayada/cmd.exe". The yadayada is mostly %255 . . . and other odd text. One entry says "/sumpthin/".

Do these entries mean someone entered this text on the address line after my website url?

I have a button for people to email me and have set the email up through my host. I'm not sure if I have the scenario you are talking about. Can you explain when I would have this type of script set up?

So much to learn!

Mona

Slade

1:52 am on Dec 1, 2002 (gmt 0)

10+ Year Member



99.99999% of the requests that have cmd.exe in them are scripts hunting for a WinNT server they can crack. They were not typed in by hand.

palmpal: If you're referring to the site in your profile, you're not using a script. What I see is a simple mailto link. This opens the user's default email client; it doesn't interact with your webserver at all.
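
The log check discussed in the posts above, as an added example that is not part of the original thread: it reads access-log lines, undoes layered percent-encoding such as `%255c`, and groups cmd.exe and formmail probes by client IP, listing separately any probe that did not get a 404. The Common Log Format layout, the sample lines (constructed, documentation IP ranges) and all function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Nov/2002:18:57:01 +0000] "GET /scripts/..%255c../cmd.exe?/c+dir HTTP/1.0" 404 284
192.0.2.10 - - [30/Nov/2002:18:57:02 +0000] "GET /scripts/..%5c../cmd.exe HTTP/1.0" 404 284
198.51.100.7 - - [30/Nov/2002:19:06:44 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 290
198.51.100.7 - - [30/Nov/2002:19:06:45 +0000] "GET /cgi-bin/FormMail.cgi HTTP/1.0" 200 512
203.0.113.5 - - [30/Nov/2002:22:06:12 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [30/Nov/2002:22:06:30 +0000] "GET /sumpthin/ HTTP/1.1" 404 280
"""

# client IP, requested path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable, so %255c -> %5c -> a backslash."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(path):
    """Label a request path as a known automated probe, or return None."""
    clean = fully_decode(path.split("?", 1)[0]).lower().replace("\\", "/")
    name = clean.rsplit("/", 1)[-1]
    if name == "cmd.exe":
        return "cmd.exe probe"
    if name.startswith("formmail"):
        return "formmail probe"
    return None

def scan(log_text):
    """Return (probe counts per IP, probes answered with a non-404 status)."""
    counts = defaultdict(lambda: defaultdict(int))
    answered = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        label = classify(m.group(2)) if m else None
        if label:
            ip, path, status = m.group(1), m.group(2), int(m.group(3))
            counts[ip][label] += 1
            if status != 404:  # the server had something at that path
                answered.append((ip, path, status))
    return {ip: dict(c) for ip, c in counts.items()}, answered
```

Probes that end in 404 are background noise; an entry in the second list means a file really exists at the probed path and its configuration deserves a look.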

martinibuster

2:03 am on Dec 1, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I looked at the site in your profile, and it's a simple mailto link. I'm not exactly sure what that other stuff is. Whoops, Slade got it!

Also, a friendly heads-up: There's something funky with your code. This looks weird but it doesn't seem to harm anything:
"// End -->"

However, you have two </head> tags and two <body> tags. And despite your little W3C validation tags... You don't validate. (tut-tut)

palmpal

3:29 am on Dec 1, 2002 (gmt 0)

10+ Year Member



Thanks so much for catching that! I had worked so hard validating my site after learning about HTML - what an experience! It seems the Javascript code I used from another site had the extra head and body tags. Also I was missing an ALT tag from a recent update. I'm still getting an error for this section about the TYPE attribute not being specified for:

<SCRIPT LANGUAGE="JavaScript">

Can you point me in the right direction? (Found out it needs to say <SCRIPT type="text/JavaScript">)

My site still needs much work - I've been spending a lot of time researching the topic of Content. I can't tell you how beneficial webmasterworld has been to me over the last few months.

Thanks,

Mona

martinibuster

6:32 am on Dec 1, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



<script type="text/javascript" language="JavaScript">

That's it. Good going on trying to validate! It's a good practice because it makes your site forward compatible.