I have seen things like this in my log (a lot!), and I just want to get a feel for what is actually going on.
Here is a sample from my log file. All the times are real, but the URLs are changed to keep me a member of this forum!
First (Usually) I get a link in from a SE:
209.214.61.197 - - [29/Sep/2002:18:30:59 -0600] "GET /a/real/page/on/my domain HTTP/1.1" 301 346 "http://ixquick.com/do/metasearch.pl?cat=web&cat=web&cmd=process_search&language=english&query=[TERMS DELETED]&engine0=alltheweb&engine1=teoma&engine2=entireweb&engine3=findwhat&engine4=go&engine5=hotbot&engine6=kanoodle&engine7=looksmart&engine8=msn&engine9=ixdmoz&engine10=goto" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; YComp 5.0.0.0; Hotbar 4.0)"
OK, that is straightforward, as are the next couple of entries, which look like loading a page... like this:
209.214.61.197 - - [29/Sep/2002:18:31:22 -0600] "GET /pages/images/powered.gif HTTP/1.1" 200 2087 "http://page/on/my/site/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; YComp 5.0.0.0; Hotbar 4.0)"
But after that last one, the guy started a mass-d/l (or TRIED to!) from my site. The IP stays the same, but referer and UA disappear...
209.214.61.197 - - [29/Sep/2002:18:31:27 -0600] "GET /cgi/search.cgi HTTP/1.0" 403 3534 "-" "-"
and a couple dozen more...
Note the 403... caught him!
But anyway, obviously (to me at least!), all the d/l's in the blizzard were all linked from the original page he grabbed...
Did he open another program to grab them all, or does some program suddenly lose all the UA data when it starts its attack? (Note the two above were only 5 seconds apart... the big d/l started 4 seconds after the last legit request and 28 seconds after the first request...)
So, what is it, do you think?
dave
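
One way to flag the pattern described in the post above (a browser-like request from an IP, then requests from the same IP seconds later with both referer and user-agent logged as "-"), as an added example that is not part of the original post. The function names, the 60-second window, the threshold and the sample log lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: ip, timestamp, request, status, size, referer, user-agent
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_header_drop(lines, window=timedelta(seconds=60), min_blank=3):
    """Return {ip: count} for clients that sent a real User-Agent and then,
    within `window`, at least `min_blank` requests with "-" referer and UA."""
    last_browser = {}   # ip -> time of latest request carrying a User-Agent
    blank_hits = {}     # ip -> blank-header requests seen inside the window
    for rec in filter(None, map(parse, lines)):
        ip = rec["ip"]
        if rec["ua"] not in ("", "-"):
            last_browser[ip] = rec["ts"]
        elif rec["ref"] in ("", "-") and ip in last_browser:
            if rec["ts"] - last_browser[ip] <= window:
                blank_hits[ip] = blank_hits.get(ip, 0) + 1
    return {ip: n for ip, n in blank_hits.items() if n >= min_blank}

# Constructed sample data (documentation IP ranges, made-up paths).
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
def _line(ip, hms, path, status, ref, ua):
    return f'{ip} - - [29/Sep/2002:{hms} -0600] "GET {path} HTTP/1.0" {status} 512 "{ref}" "{ua}"'

SAMPLE_LOG = [
    _line("203.0.113.7", "18:30:59", "/page/", 200, "http://search.example/?q=x", UA),
    _line("203.0.113.7", "18:31:22", "/images/logo.gif", 200, "http://www.example.org/page/", UA),
    _line("203.0.113.7", "18:31:27", "/cgi/search.cgi", 403, "-", "-"),
    _line("203.0.113.7", "18:31:27", "/files/a.zip", 403, "-", "-"),
    _line("203.0.113.7", "18:31:28", "/files/b.zip", 403, "-", "-"),
    _line("203.0.113.7", "18:31:29", "/files/c.zip", 403, "-", "-"),
    _line("198.51.100.20", "18:32:00", "/page/", 200, "-", UA),      # browser, typed-in URL
    _line("192.0.2.9", "18:33:00", "/robots.txt", 200, "-", "-"),    # never sent a UA at all
]

if __name__ == "__main__":
    print(find_header_drop(SAMPLE_LOG))
```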