Selenium Server Question

What is the purpose of this type of activity...

     
11:43 pm on Aug 21, 2012 (gmt 0)



Hello,
I'm not sure what forum to post this in, so if this is the wrong one, please redirect me.

I am finding this type of activity in my server logs and I'm not sure what the purpose of the visit is. Can anyone explain this behavior?

Thank you in advance.

-- gg

37.59.4.nnn "GET / HTTP/1.1" 403 - "http://localhost:4444/selenium-server/core/Blank.html" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
37.59.4.nnn "GET /favicon.ico HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
37.59.4.nnn "GET /favicon.ico HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
2:08 am on Aug 22, 2012 (gmt 0)

phranque (WebmasterWorld Administrator)



selenium is a test tool for web applications.

http://seleniumhq.org/docs/07_selenium_grid.html#installation
The default port the hub uses to listen for new requests is port 4444. This is why port 4444 was used in the URL for locating the hub. Also the use of ‘localhost’ assumes your node is running on the same machine as your hub.


does the IP address look familiar?
any idea what is throwing the 403 status code?
3:30 am on Aug 22, 2012 (gmt 0)



There are several different IPs that have come onto the server with that referer. Two are from France. One is Chicago. This has been happening for a few months, so I blocked the IPs. That is why they are getting the 403s.

188.165.221.nnn - OVH SAS
173.208.87.nn - Ubiquity Server Solutions Chicago
37.59.4.nnn - OVH SAS

My site is in the USA. I'm assuming that whatever they are attempting isn't working. But they keep doing it, nevertheless.

It appeared to be some type of test. Is this something other webmasters are seeing in their logs? What does it mean? Should I be concerned?
2:32 pm on Aug 22, 2012 (gmt 0)

wilderness (WebmasterWorld Senior Member)



gg,
Are you getting sales from RIPE ranges?

Seem to recall that at one time I provided a bunch of Class A IP's for you to use?

Don
3:51 pm on Aug 22, 2012 (gmt 0)



On rare occasions I will get an order from the UK, France, Norway, Denmark, Italy, but postage is so high most don't order from overseas. This is the info you sent, Don:

RewriteCond %{REMOTE_ADDR} ^11[0-9]\. [OR]
RewriteCond %{REMOTE_ADDR} ^12[1-6]\. [OR]
RewriteCond %{REMOTE_ADDR} ^8[0-9]\. [OR]
RewriteCond %{REMOTE_ADDR} ^9[0-5]\. [OR]
RewriteCond %{REMOTE_ADDR} ^17[5-9]\. [OR]
RewriteCond %{REMOTE_ADDR} ^18[0-35-9]\. [OR]
RewriteCond %{REMOTE_ADDR} ^19[01]\. [OR]
RewriteCond %{REMOTE_ADDR} ^20[01]\. [OR]

Got more?

By the way, when the Selenium-Server stuff started showing up, before it was blocked, it was grabbing css files. Home page, css files and the favicon.ico.

Would blocking selenium as a referer be a solution? Was this some type of remote control activity?

-- gg
4:01 pm on Aug 22, 2012 (gmt 0)

leosghost (WebmasterWorld Senior Member)



By the way, when the Selenium-Server stuff started showing up, before it was blocked, it was grabbing css files. Home page, css files and the favicon.ico.

If that is all it( they ) took each time ?
Sounds to me like someone running a bot ( from various places ) to get an image of your home page to put on a whois or some such..

France has some big server farms run by OVH, and 1&1 and others..the country spread you report matches 1&1 in Europe..

<OT>btw ..you think postage to Europe is bad :) try it the other way..costs me 3 or 4 times more, to send a given weight package to you in the USA via UPS / DLH/ parcel post, than it does for you to send it to me ...ouch!</OT>
4:12 pm on Aug 22, 2012 (gmt 0)

wilderness (WebmasterWorld Senior Member)



Got more?

RewriteCond %{REMOTE_ADDR} ^14\. [OR]
RewriteCond %{REMOTE_ADDR} ^141\. [OR]
RewriteCond %{REMOTE_ADDR} ^150\. [OR]
RewriteCond %{REMOTE_ADDR} ^19[3-6]\. [OR]
RewriteCond %{REMOTE_ADDR} ^27\. [OR]
RewriteCond %{REMOTE_ADDR} ^22[012]\. [OR]
RewriteCond %{REMOTE_ADDR} ^31\. [OR]
RewriteCond %{REMOTE_ADDR} ^3[789]\. [OR]
RewriteCond %{REMOTE_ADDR} ^4[1369]\. [OR]

Would blocking selenium as a referer be a solution? Was this some type of remote control activity?


gg,
I'd never seen that prior to your posting, however there is certainly NOT any reason to allow the refers:

SetEnvIfNoCase Referer selenium

however I would suggest adding both "selenium" and "server" (the latter may catch some other strays)
into mod-rewrite refer lines similar in format to what I used to combine your UA's.
Ex:

#if refer contains deny
RewriteCond %{HTTP_REFERER} (selenium|server) [NC]
RewriteRule .* - [F]
4:27 pm on Aug 22, 2012 (gmt 0)



Yes, they only grabbed home page, 4 css files (including the stylesheet) and the favicon.ico. The IPs that came in (four different ones) included 173.234.62.nnn. Agreed it is some type of bot activity.

Is this something a webmaster would want to see in their logs? Or should the red flags be going up?

By the way, postage is bad enough here at home. I'm surprised anyone buys anything online these days.
4:28 pm on Aug 22, 2012 (gmt 0)



OK, thanks Don.
4:45 pm on Aug 22, 2012 (gmt 0)



One more question. Does blocking an IP in two different ways in htaccess cause a problem or does it matter? Like with deny,allow and RewriteCond.
5:05 pm on Aug 22, 2012 (gmt 0)

wilderness (WebmasterWorld Senior Member)



One more question. Does blocking an IP in two different ways in htaccess cause a problem or does it matter? Like with deny,allow and RewriteCond.


Yes.
In fact, I get some 500 errors (loops) when a page request is caught from some UA and IP duplications requests.

I've no idea of the cause on my end, possibly some inconsistency on my part.
I don't explore resolution because the frequencies are few and the 500 serves the same end result as the 403.

FWIW, I use deny from and SetEnvIf in conjunction with similar rules in mod_rewrite, which is generally a no-no.
5:17 pm on Aug 22, 2012 (gmt 0)



OK, thanks. I'm going to adjust the deny, allow list so it does not conflict with the IPs in the RewriteCond list.

I appreciate the additional IP range info.
5:36 pm on Aug 22, 2012 (gmt 0)

leosghost (WebmasterWorld Senior Member)



BTW..a bit of research shows that selenium is a downloadable server, can be run as a standalone or a service..with amongst other uses a "browser automation framework" for various browsers..
[code.google.com...]
9:14 pm on Aug 22, 2012 (gmt 0)

lucy24 (WebmasterWorld Senior Member)



Does blocking an IP in two different ways in htaccess cause a problem or does it matter? Like with deny,allow and RewriteCond.

Only if one of your blocks also prevents the server from displaying your ErrorDocument. (Been there. Done that.) This results in an infinite loop winding up in a 500 error.

If you think about it, low-budget robots are almost bound to be blocked in more than one way. For example, someone claiming to be MSIE 3 referred by a bogus Russian site coming from an IP in the Ukraine is going to run into the full belt-plus-suspenders-plus-trouserbutton combo :)

So each category of blocks needs to come with a separate exemption for the error document. Core-level "Deny from..." directives go with a <Files> or <FilesMatch> to let them see your custom 403. Denials via mod_rewrite similarly need some type of escape clause. You generally don't need to do anything in SetEnvIf, because the module itself isn't issuing the lockout; it's just passing information to the core.

Incidentally, your OP looked familiar to me. It's the same configuration I see in my logs when I'm testing something offline that includes an absolute link to material on my site. So "localhost" as referer isn't intrinsically evil. But the harmless ones will come from a familiar IP.
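
Added example (editor's illustration, not code from any poster in this thread): an Apache 2.2-style .htaccess fragment that blocks the Selenium RC referer both through the core Deny mechanism and through mod_rewrite, with the error-document exemption each mechanism needs so the double block ends in a clean 403 instead of a 500 loop. The variable name bad_ref and the file /403.html are assumed placeholders, and the pattern is narrowed to "selenium-server" (the string seen in the logged referer) rather than the broader (selenium|server) suggested above.

```apache
# Assumed placeholders: bad_ref (environment variable), /403.html (custom error page).
# Apache 2.2 syntax (Order/Allow/Deny), matching the directives used in this thread.

ErrorDocument 403 /403.html

# --- Block 1: core access control, fed by SetEnvIf ---------------------
# SetEnvIfNoCase takes: attribute, regex, then at least one variable to set.
# It only tags the request; the Deny line below performs the lockout.
SetEnvIfNoCase Referer "selenium-server" bad_ref

Order Allow,Deny
Allow from all
Deny from env=bad_ref

# Exemption for the core block: a denied client must still be able to
# receive the custom 403 page, otherwise serving the error is itself denied.
<Files "403.html">
    Order Allow,Deny
    Allow from all
</Files>

# --- Block 2: mod_rewrite, with its own escape clause ------------------
RewriteEngine On

# Escape clause: never apply the rule to the error document itself.
RewriteCond %{REQUEST_URI} !^/403\.html$
# Same referer test as Block 1, case-insensitive.
RewriteCond %{HTTP_REFERER} selenium-server [NC]
RewriteRule .* - [F]
```

A request carrying the logged referer http://localhost:4444/selenium-server/core/Blank.html matches both blocks and still receives the custom 403 page, because each block exempts /403.html separately.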
4:48 am on Aug 24, 2012 (gmt 0)



3. The RC server then opens a URL connection specified by the client API with a /selenium-server/core/Blank.html?start=true. (Note that when creating a Selenium instance, a specific URL must also be provided.) If this connection was successful, it also helps to verify that the proxy configuration was setup properly.


[hustoknow.blogspot.com...]


Selenium appending "selenium-server/core/Blank.html?start=true" while opening a URL
[groups.google.com...]
 
