massive hits from my own IP address

investigating awstats

         

dougwilson

4:07 pm on Nov 14, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



pages > hits > bandwidth > date & time
35,078 > 72,960 > 3.28 GB > 13 Nov 2016 - 22:16

WordPress tube site, embedded videos, stored images... wp-supercache

The hits are from my home IP address, but I wasn't connected to the site at this time. I was likely, probably, online.
This has happened once before (that I know of) and logs for that day also showed a horde of 202. . . IPs from some Baidu server.
I blocked all those CIDRs after that.

Even the server's IP only hits a thousand or so times a day. I really don't know where to begin investigating.

engine

5:46 pm on Nov 14, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



It may be worth running an in-depth anti-virus, anti-spyware, and malware scan on all your home computers.

ergophobe

6:21 pm on Nov 14, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It could be a DOS attack with spoofed packets as well. But that would still mean something is compromised because whoever it is figured out your home IP.

I forget the name of it... but I installed an app at one point on my machine that tracked bandwidth usage by application and was surprised to find some applications using a lot of bandwidth. You might be able to do the same and see if something running in the background, whether malware or just some bad setting, is hitting your site like crazy.

dougwilson

7:17 pm on Nov 14, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



I didn't want to say hacked PC out loud. It is an up-to-date Debian Linux. I don't even know of any scanners for Linux. I'll look at anything I may have installed, app / package wise. I guess I could reinstall the OS.

But the conclusion so far would be that something is going on with PCs? I was looking for a way that this was not the case, but I'll proceed as if it is the case.

One other thing is that it doesn't happen every day and nothing is going on with sites. Aside from these massive hits, twice in as many months.

Thanks

ergophobe

10:54 pm on Nov 14, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>>looking for a way that this was not the case

As I say, the possible but unlikely option is a spoofed IP being used in a DOS attack. Is this a shared server? Multiple IPs on this box? Multiple sites on this box? If so you might want to ask the host if they see a similar pattern elsewhere.

keyplyr

11:03 pm on Nov 14, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



What's new on your CMS... anything? Did a plugin update? You may have a loop.

dougwilson

11:16 pm on Nov 14, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



The site(s) is on a shared server. What do you mean by box? My computer?

I do use FTP to work with site files.


I reported it to host. I reported it the one other time it happened. The guy I talked with didn't know. We've talked quite a bit so it wasn't like he was ignoring it. Same conclusion: my IP; my computer

But the times and dates confuse me. Why always 12: something and why only two days out of two months? I can also usually feel when there's something buggy on a computer. I feel it on one, but not the one I use to work on sites.

I'm looking for a packet tool for Linux.

dougwilson

2:50 am on Nov 15, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



Keyplyr - Ha, for years I've read Kepler, I get it now... anyway I didn't see your comment as I followed ergo's from mail. I'm thinking about that too. I did test some caching plugins. I also recall I did some downloading via the browser that seemed to go on for hours and actually failed at one point. That'd be my IP...

I also tested SuperCache's preloader, though it didn't seem to cache anything. But that'd be the server IP, wouldn't it?

I've been running top, for hours, and see only me, me for user/group and root is running system. It seems there's nothing going on that shouldn't be. But I don't know a great deal about processes. I did type some in and they all seem to belong there.

keyplyr

4:19 am on Nov 15, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>>The hits are from my home IP address

What is telling you this? Have you looked at your server access logs for these respective requests? That would be the definitive info.

dougwilson

5:27 am on Nov 15, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



Awstats. I'm still looking at raw logs

dougwilson

5:23 pm on Nov 16, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



I think I figured out where all the page loads from my IP come from. I tracked down the high number to this "/wp-admin/admin-ajax.php". So if I leave my admin page(s) open (sometimes for hours), WordPress heartbeat, if I'm reading it right, makes a POST request every 15 seconds or so. Combine that with an auto post grabber...

There is a plugin that will reset the heartbeat schedule. If I can find out where this reset is made I can do it myself. I'm looking right now for some current heartbeat articles. Anyway, good to have some possible explanation.
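
The raw-log check discussed above, as an added example that is not part of the thread: it groups access-log lines by client IP, finds that IP's busiest request, and measures the gap between repeats, which is how a fixed-interval poller such as the heartbeat shows up. The log lines are constructed, 203.0.113.7 is a placeholder for the home IP, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in Apache combined format; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Nov/2016:22:16:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2016:22:16:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
198.51.100.20 - - [13/Nov/2016:22:16:20 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2016:22:16:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2016:22:16:31 +0000] "GET /wp-admin/post.php?post=12&action=edit HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2016:22:16:45 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2016:22:17:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
not a log line
"""
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')

def parse(text):
    """Yield (ip, timestamp, method, path) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, url = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, url.split("?", 1)[0]  # drop query string

def hits_by_ip(text):
    """Raw request count per client IP, the figure a stats page reports."""
    return Counter(src for src, *_ in parse(text))

def top_source(text, ip):
    """For one client IP, return its busiest (method, path) and request cadence."""
    times = defaultdict(list)
    for src, when, method, path in parse(text):
        if src == ip:
            times[(method, path)].append(when)
    if not times:
        return None
    key, stamps = max(times.items(), key=lambda kv: len(kv[1]))
    stamps.sort()
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return {"request": key, "hits": len(stamps),
            "total_from_ip": sum(len(v) for v in times.values()),
            "median_gap_s": median(gaps) if gaps else None}

if __name__ == "__main__":
    print(hits_by_ip(SAMPLE_LOG).most_common(3))
    print(top_source(SAMPLE_LOG, "203.0.113.7"))
```

A steady median gap on a single endpoint points at a timer in an open browser tab or a plugin job rather than at browsing or a flood from many sources.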

keyplyr

7:39 pm on Nov 16, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Good job on finding the source.

dougwilson

10:11 pm on Nov 16, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



Relief. And thanks, all, for making me think

ergophobe

6:25 pm on Nov 17, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks for reporting back, dougwilson.

InMotion Hosting has a nice article about the issue by Jeff Matson, who is also the developer of the Heartbeat Control plugin
- [inmotionhosting.com...]
- [wordpress.org...]

And WP Tavern goes over some of the same ground, but with an account of how this issue got the site banned on Hostgator... which is amusing since WPTavern is actually owned by Matt Mullenweg.
- the ban: [wptavern.com...]
- the owner: [wptavern.com...]

dougwilson

5:21 pm on Nov 18, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



I would like to know where the plugin is making the adjustment. It's not in the wp config or settings that I could find. I try to only use plugins I really need. For now I'll keep it installed because I reckon it's better for the server

ergophobe

7:41 pm on Nov 18, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I did see another article that explained how to make changes with a custom function to tweak this as well.

It looked like with a few lines of code you could dispense with the plugin. Sorry, but it was as I was closing the page that I saw that, so I didn't copy the link in my previous post.

dougwilson

1:58 am on Dec 8, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



In the end it turned out to be a plugin that I use on all sites, EWWW. A site I'd moved had a bad path to the wp upload directory. When I got around to correcting the database and optimizing all the sites' images, WHAMMO...

Every image was recorded as a hit to a page. It was that word, Page, that threw me. Thanks again.