Welcome to WebmasterWorld Guest from 54.146.201.80

Forum Moderators: phranque

Message Too Old, No Replies

hypersphere-2010.png requests?

Anyone know why random requests for hypersphere-2010.png are in my logs?

     
4:58 am on May 16, 2011 (gmt 0)

New User

10+ Year Member

joined:June 24, 2003
posts: 2
votes: 0


I'm not sure how long it's been going on but we are getting somewhat random requests for /images/hypersphere-2010.png showing up in our error logs. We've never had such a file on our site. Google-ing it hasn't revealed much except that it appears in a small number of other website log files also. We cannot duplicate the requests when we test things ourselves. The logs show a rate of about 10 requests per hour (average) from a wide number of IP addresses and various user agents. Here's a sample from the past couple of days (in order of popularity):

1Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.165022.831050
2Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.244319.634703
3Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.162611.872146
4Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16188.219178
5Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.32 (KHTML, like Gecko) Chrome/13.0.748.0 Safari/534.32188.219178
6Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16156.849315
7Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/13.0.761.0 Safari/534.35156.849315
8Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16104.566210
9Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.50 Safari/534.2462.739726
10Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.1652.283105
11Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.1652.283105
12Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.57 Safari/534.2452.283105
13Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.120.913242
14Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.2410.456621

Clearly Chrome seems to be a common thread. (There is one non-Chrome Safari in there however, #13). Unclear why that would matter though.

When there is a referrer entry in the logs, it shows that the request is coming from one of our own webpages but there is no discernible pattern to those pages. We've looked into the possibility that it was coming from an advertising script, but many of the referring pages don't have ads on them which shoots a hole in that theory.

Anyone know anything about this file? Anyone else seeing similar log entries?

Thanks in advance!
- Chip
12:22 pm on June 1, 2011 (gmt 0)

New User

5+ Year Member

joined:Nov 30, 2010
posts:3
votes: 0


I am having the exact same issue, exact same symptoms, and haven't been able to discern and reason behind it, either :-/
1:13 am on June 6, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:2686
votes: 97


Are they coming from iPads? Could they be looking for some kind of favicon?
1:58 am on June 6, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 29, 2006
posts:1312
votes: 0


Are they coming from iPads?

The user-agents listed above are Windows XP, Vista and 7, plus Mac Snow Leopard.

Chrome seems to be a common thread

As you almost pointed out, the common factor appears to be the WebKit engine.

I haven't seen this garbage myself, but found the following SERPs amusing:

* Shop for Hypersphere 2010.png online - Read Reviews, Compare
* pictures of hypersphere-2010.png
* Buy hypersphere 2010 png items and find other similar products

Search engines should ban sites like those IMHO.

...
11:17 am on June 6, 2011 (gmt 0)

Preferred Member

5+ Year Member

joined:July 25, 2006
posts: 460
votes: 0


When researching something like this, always remember that anyone or any botnet can send requests to your server for any filename they can think of or invent and using any referer and any user-agent string they want you to see or that they want to experiment with. None of the web page names, referers, or UA's necessarily have any basis in reality.

When any robot sends a referer string, it's probably fake anyway - robots do direct requests. And when robots send user-agent strings that look like browsers, those are fake, too.

Looking up some of the IP addresses might help throw some light on it. Are they webhosting companies, for example, which would suggest a network of possibly hacked websites. Or if they are consumer broadband companies, it could be a network of zombie (hacked) PCs.
5:27 pm on June 21, 2011 (gmt 0)

New User

joined:June 21, 2011
posts: 6
votes: 0


It's caused by the plugin/extension/whateveryouwannacallit Hyperwords which is available for Safari, Chrome and Firefox. That's why there doesn't appear to correlate to a particular browser. This has taken me a few weeks to find (and I just did) and I put in a trouble ticket with them and they've gotten back to me already for more info.
8:01 pm on June 21, 2011 (gmt 0)

New User

10+ Year Member

joined:June 24, 2003
posts: 2
votes: 0


Thanks for tracking that down!
10:38 pm on June 21, 2011 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10544
votes: 8


welcome to WebmasterWorld, michvhf!
and thanks for that information.

and a belated round of welcomes go to both of our recently recovered lurkers, chipa and bj61251.
=8)