Multiple IP Access

Who, What, How? Bot?

Latigo

6:14 am on Aug 13, 2003 (gmt 0)

10+ Year Member

Take a look at this log file snippet. The site is 99% ASP but does have these HTM pages, areas 1-17. Check out the session IDs and access times. Is this a bot? How is it possible to have these multiple IPs? They're so far apart from each other. Who, what is this?

2003-08-04 01:30:47 66.162.147.1 - xxx 80 GET /area1/Default.htm - 200 9656 158 593 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) - -
2003-08-04 01:30:50 216.248.146.51 - xxx 80 GET /area3/Default.htm - 200 9652 227 563 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=DEICAOBACHKKADDPGOEMDACD -
2003-08-04 01:30:53 216.248.146.51 - xxx 80 GET /area4/Default.htm - 200 9603 227 454 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=DEICAOBACHKKADDPGOEMDACD -
2003-08-04 01:30:55 199.103.193.67 - xxx 80 GET /area5/Default.htm - 200 9599 216 406 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=DEICAOBACHKKADDPGOEMDACD -
2003-08-04 01:30:57 199.103.193.67 - xxx 80 GET /area6/Default.htm - 200 9479 216 375 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=DEICAOBACHKKADDPGOEMDACD -
2003-08-04 01:31:00 199.103.193.67 - xxx 80 GET /area7/Default.htm - 200 9501 216 407 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=DEICAOBACHKKADDPGOEMDACD -
2003-08-04 01:31:01 216.248.146.51 - xxx GET /area8/Default.htm - 200 9498 227 390 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -
2003-08-04 01:31:05 212.217.91.70 - xxx 80 GET /area2/Default.htm - 200 9720 214 11422 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=CEICAOBABHIOGCFHJIKHHINH -
2003-08-04 01:31:05 67.33.55.3 - xxx 80 GET /area9/Default.htm - 200 9556 217 547 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -
2003-08-04 01:31:08 216.248.146.51 - xxx 80 GET /area11/Default.htm - 200 9524 228 406 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -
2003-08-04 01:31:08 68.17.21.30 - xxx 80 GET /area10/Default.htm - 200 9508 210 313 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -
2003-08-04 01:31:11 64.5.130.10 - xxx 80 GET /area12/Default.htm - 200 9625 214 328 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -
2003-08-04 01:31:12 68.17.21.30 - xxx 80 GET /area13/Default.htm - 200 9617 210 234 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -
2003-08-04 01:31:13 68.17.21.30 - xxx 80 GET /area16/Default.htm - 200 9547 210 266 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -
2003-08-04 01:31:16 66.162.147.1 - xxx 80 GET /area15/Default.htm - 200 9522 226 453 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -
2003-08-04 01:31:18 63.73.24.2 - xxx 80 GET /area17/Default.htm - 200 9571 230 485 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -
2003-08-04 01:31:22 66.162.147.1 - xxx 80 GET /Views/Default.htm - 200 11693 225 1578 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -

Thanks,

Latigo

wilderness

12:33 am on Aug 14, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

In 27 seconds (below) it would appear somebody has travelled four continents ;)
Invalid IPs and UAs are growing rapidly.

66.213.126.162 - - [13/Aug/2003:14:23:15 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 403 - "http://www.domain.net/" "-"
200.251.234.144 - - [13/Aug/2003:14:23:27 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 403 - "http://www.domain.net/" "-"
217.110.29.138 - - [13/Aug/2003:14:23:28 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 403 - "http://www.domain.net/" "-"
217.110.29.138 - - [13/Aug/2003:14:23:31 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 403 - "http://www.domain.net/" "-"
161.53.174.3 - - [13/Aug/2003:14:23:42 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 403 - "http://www.domain.net/" "-"

[edited by: littleman at 1:24 pm (utc) on Aug. 14, 2003]

Latigo

6:08 am on Aug 14, 2003 (gmt 0)

10+ Year Member

Thanks Wilderness, gives me something to look forward to :-(

Latigo

cyberkat

3:08 pm on Aug 14, 2003 (gmt 0)

10+ Year Member

We got hits like this also, but a month ago. I know the exact same hits were posted here a day before they hit us. I did notice the IPs and times were exact, only the date was different. I reported all those to the proper ISPs and labelled it as FormMail hacking.
Honestly I think that it is the same damn person. Too much in common lately.

We got this:

207.248.228.154 - - [05/Jul/2003:20:59:43 -0400] "POST /cgi-bin/FormMail2.cgi HTTP/1.0" 403 219 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
200.251.234.144 - - [05/Jul/2003:20:59:43 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 403 218 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
203.15.126.10 - - [05/Jul/2003:20:59:44 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 403 217 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
199.3.20.212 - - [05/Jul/2003:20:59:44 -0400] "POST /cgi-bin/mail.pl HTTP/1.0" 403 213 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
203.38.116.243 - - [05/Jul/2003:20:59:44 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 403 218 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
216.206.18.12 - - [05/Jul/2003:20:59:44 -0400] "POST /cgi-bin/GMFormMail.pl HTTP/1.0" 403 219 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
209.151.129.82 - - [05/Jul/2003:20:59:44 -0400] "POST /cgi-bin/mailform HTTP/1.0" 403 214 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
208.147.1.2 - - [05/Jul/2003:20:59:44 -0400] "POST /cgi-bin/FormMail.cgi HTTP/1.1" 403 230 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
200.42.95.50 - - [05/Jul/2003:20:59:45 -0400] "POST /cgi-bin/form2mail.pl HTTP/1.0" 403 218 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
194.27.49.2 - - [05/Jul/2003:20:59:45 -0400] "POST /cgi-bin/mailto.pl HTTP/1.1" 403 227 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
207.106.227.5 - - [05/Jul/2003:20:59:45 -0400] "POST /cgi-bin/email.cgi HTTP/1.0" 403 215 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
195.141.38.20 - - [05/Jul/2003:20:59:45 -0400] "POST /cgi-bin/mailform.pl HTTP/1.1" 403 229 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
210.187.41.2 - - [05/Jul/2003:20:59:45 -0400] "POST /cgi-bin/mailto HTTP/1.0" 403 212 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
66.207.120.227 - - [05/Jul/2003:20:59:45 -0400] "GET /cgi-bin/gmformmail.pl HTTP/1.0" 403 219 "-" "Mozilla/5.0"
213.249.155.237 - - [05/Jul/2003:20:59:45 -0400] "POST /cgi-bin/gmformmail.pl HTTP/1.0" 403 219 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
211.248.114.2 - - [05/Jul/2003:20:59:45 -0400] "POST /cgi-bin/formmail2.cgi HTTP/1.0" 403 219 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
200.41.4.3 - - [05/Jul/2003:20:59:45 -0400] "POST /cgi-bin/email HTTP/1.1" 403 223 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
203.94.72.219 - - [05/Jul/2003:20:59:46 -0400] "POST /cgi-bin/mail HTTP/1.0" 403 210 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
80.58.4.107 - - [05/Jul/2003:20:59:49 -0400] "POST /cgi-bin/formmail2.pl HTTP/1.0" 403 218 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
200.30.110.246 - - [05/Jul/2003:20:59:49 -0400] "POST /cgi-bin/form2mail.cgi HTTP/1.1" 403 231 "http://mydomain.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"

jpjones

3:35 pm on Aug 14, 2003 (gmt 0)

10+ Year Member

It could be that those IP addresses in your logs are actually open proxies, either static (set up by some ISP, but ill-configured), or desktop machines run by home users (again, probably ill-configured).

It looks like someone has likely made a list of these, and then bounced their "attack", "scan", or whatever you want to call it, through these open proxies, alternating proxy every few hits.

JP
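The two patterns in this thread (one ASP session cookie arriving from several IPs within seconds, and a burst of FormMail-style CGI probes from many IPs in under a minute) are both what a single client rotating through a list of open proxies leaves in a log, and both can be picked out of the raw log with the same sliding-window correlation. The following Python script is an added example written for this page; it is not code from any poster. The sample lines are constructed, modelled on the IIS W3C and Apache combined lines quoted above (one IIS line deliberately lacks the port field, as one line in the first post does); the IIS field order is assumed from the first post, since no `#Fields` header is shown; and the window and IP-count thresholds are arbitrary starting values, not anything the thread specifies.

```python
"""Flag requests that share one pivot value but arrive from many source IPs.

Two pivots from the thread:
  * an ASP session cookie presented from several IPs within seconds (IIS W3C log)
  * a burst of requests for mail/FormMail CGI paths from many IPs (Apache combined log)
Either is the footprint of one client bouncing through open proxies.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input, modelled on the lines quoted in the thread; not real traffic.
# The 4th IIS line is missing the s-port field, like one line in the first post.
IIS_LINES = """\
2003-08-04 01:30:47 66.162.147.1 - xxx 80 GET /area1/Default.htm - 200 9656 158 593 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) - -
2003-08-04 01:30:50 216.248.146.51 - xxx 80 GET /area3/Default.htm - 200 9652 227 563 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=DEICAOBACHKKADDPGOEMDACD -
2003-08-04 01:30:55 199.103.193.67 - xxx 80 GET /area5/Default.htm - 200 9599 216 406 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=DEICAOBACHKKADDPGOEMDACD -
2003-08-04 01:31:01 216.248.146.51 - xxx GET /area8/Default.htm - 200 9498 227 390 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -
2003-08-04 01:31:05 67.33.55.3 - xxx 80 GET /area9/Default.htm - 200 9556 217 547 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -
2003-08-04 01:31:08 68.17.21.30 - xxx 80 GET /area10/Default.htm - 200 9508 210 313 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -
2003-08-04 01:31:11 64.5.130.10 - xxx 80 GET /area12/Default.htm - 200 9625 214 328 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+4.0;+Windows+95) ASPSESSIONIDSATBQRTD=EEICAOBAACPCIFEMLNAPLLAE -
2003-08-04 02:10:00 198.51.100.7 - xxx 80 GET /area1/Default.htm - 200 9656 158 593 HTTP/1.0 www.my.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) ASPSESSIONIDSATBQRTD=ABCDABCDABCDABCDABCDABCD -
"""
APACHE_LINES = """\
66.213.126.162 - - [13/Aug/2003:14:23:15 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 403 - "http://www.domain.net/" "-"
200.251.234.144 - - [13/Aug/2003:14:23:27 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 403 - "http://www.domain.net/" "-"
217.110.29.138 - - [13/Aug/2003:14:23:28 -0700] "POST /cgi-bin/FormMail2.cgi HTTP/1.0" 403 219 "http://www.domain.net/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
161.53.174.3 - - [13/Aug/2003:14:23:42 -0700] "POST /cgi-bin/mailto HTTP/1.0" 403 212 "http://www.domain.net/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
198.51.100.7 - - [13/Aug/2003:15:05:00 -0700] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/5.0"
"""

# Assumed field order for the IIS lines (the thread shows no #Fields header).
IIS_FIELDS = ("date time c-ip cs-username s-sitename s-port cs-method cs-uri-stem "
              "cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-version "
              "cs-host cs(User-Agent) cs(Cookie) cs(Referer)").split()

def parse_iis(line):
    """One IIS W3C line -> dict, or None when the field count is off (a dropped
    field would otherwise shift every later column, e.g. the cookie)."""
    parts = line.split()            # IIS writes '+' for spaces inside the UA, so split is safe
    if len(parts) != len(IIS_FIELDS):
        return None
    rec = dict(zip(IIS_FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                  "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)  # W3C logs are UTC
    return rec

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_apache(line):
    """One Apache combined-format line -> dict, or None if it does not match."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def session_pivot(rec):
    """Pivot on the ASP session cookie; lines without one are ignored."""
    cookie = rec["cs(Cookie)"]
    return cookie if cookie.startswith("ASPSESSIONID") else None

MAIL_CGI = re.compile(r"/cgi-bin/[^/]*(mail|form)[^/]*$", re.IGNORECASE)

def mail_cgi_pivot(rec):
    """Collapse every mail/FormMail-style CGI path onto one pivot value."""
    return "mail-cgi-probe" if MAIL_CGI.search(rec["path"]) else None

def multi_ip_pivots(events, window, min_ips):
    """events: iterable of (ts, ip, pivot); pivot None means 'not interesting'.
    Returns {pivot: sorted IPs} for every pivot whose requests came from at least
    min_ips distinct source IPs inside some sliding time window of length `window`."""
    by_pivot = defaultdict(list)
    for ts, ip, pivot in events:
        if pivot is not None:
            by_pivot[pivot].append((ts, ip))
    flagged = defaultdict(set)
    for pivot, reqs in by_pivot.items():
        reqs.sort()                  # time order; log lines may be interleaved
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1           # drop requests that fell out of the window
            ips = {ip for _, ip in reqs[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[pivot] |= ips
    return {pivot: sorted(ips) for pivot, ips in flagged.items()}

def shared_sessions(iis_text, window_seconds=30, min_ips=2):
    """ASP session IDs used from min_ips different client IPs within window_seconds."""
    recs = [r for r in map(parse_iis, iis_text.splitlines()) if r]
    events = ((r["ts"], r["c-ip"], session_pivot(r)) for r in recs)
    return multi_ip_pivots(events, timedelta(seconds=window_seconds), min_ips)

def mail_cgi_bursts(apache_text, window_seconds=60, min_ips=3):
    """Mail-CGI probes from min_ips different IPs within window_seconds."""
    recs = [r for r in map(parse_apache, apache_text.splitlines()) if r]
    events = ((r["ts"], r["ip"], mail_cgi_pivot(r)) for r in recs)
    return multi_ip_pivots(events, timedelta(seconds=window_seconds), min_ips)

if __name__ == "__main__":
    for session, ips in shared_sessions(IIS_LINES).items():
        print(f"session {session} seen from {len(ips)} IPs: {', '.join(ips)}")
    for what, ips in mail_cgi_bursts(APACHE_LINES).items():
        print(f"{what}: {len(ips)} IPs in one burst: {', '.join(ips)}")
```

On the sample, the first session ID is flagged with two IPs and the second with three (the port-less line is skipped rather than mis-parsed), and the four FormMail probes collapse onto one pivot with four IPs. The pivot is the thing that makes this work: the source address is exactly what a proxy-rotating client changes, so correlate on what it cannot easily change (the session cookie it keeps reusing, the identical UA and referer on every probe, the target path). Tune `window_seconds` and `min_ips` against your own traffic; a legitimate user whose dial-up reconnects can show a session from two IPs minutes apart, but not from five IPs in twenty seconds.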