Q: Unusual records in web server logs ( No Answer,   2 Comments )
Question  
Subject: Unusual records in web server logs
Category: Computers > Internet
Asked by: londonplayer-ga
List Price: $10.00
Posted: 22 Aug 2006 15:35 PDT
Expires: 13 Sep 2006 20:32 PDT
Question ID: 758554
The following are the top 50 entries for IP addresses visiting my
website for July. As you can see the IPs are from several different
countries. I am surprised to see that the visits and hits from each IP
are virtually identical, suggesting that there is some software at the
machines at these IPs instead of people performing the access to my
site. As far as I can tell these IPs do not originate from spiders,
but I may be wrong. Can anyone explain what may be causing these
entries in my server logs? The same scenario is repeating itself thus
far in August.

	Host	Country	Hits	Visitors	Bandwidth (KB)
1	66.73.21.196	United States 	18,600	742	66,498
2	62.161.199.13	France 	        18,575	741	66,407
3	206.16.199.206	United States 	18,575	740	66,407
4	209.225.1.31	United States 	18,550	739	66,320
5	63.111.10.27	United States 	18,575	739	66,409
6	211.234.98.243	Korea, Republic 18,575	739	66,408
7	63.241.11.45	United States 	18,525	739	66,230
8	213.121.212.226	United Kingdom 	18,550	739	66,320
9	208.45.169.26	United States 	18,549	738	66,284
10	206.55.116.70	United States 	18,526	738	66,231
11	216.250.186.198	United States 	18,575	738	66,398
12	12.129.197.141	United States 	18,550	738	66,320
13	63.146.123.50	United States 	18,387	738	65,737
14	198.173.181.76	United States 	18,550	738	66,320
15	66.150.40.130	United States 	18,524	738	66,197
16	63.236.106.98	United States 	18,382	737	65,696
17	63.123.132.207	United States 	18,552	737	66,327
18	209.83.184.120	United States 	18,550	737	66,320
19	195.27.248.35	United States 	18,475	737	66,050
20	63.240.118.74	United States 	18,600	737	66,498
21	207.61.242.130	Canada 	        18,501	737	66,141
22	38.119.239.86	United States 	18,239	736	65,152
23	207.90.78.22	United States 	18,575	736	66,409
24	63.208.48.152	United States 	18,551	736	66,320
25	209.67.40.109	United States 	18,575	736	66,407
26	12.129.95.154	United States 	18,237	736	65,135
27	195.145.133.83	United States 	18,550	736	66,318
28	63.123.37.115	United States 	18,551	736	66,320
29	65.216.76.185	United States 	18,550	736	66,320
30	208.254.51.202	United States 	18,550	736	66,318
31	63.146.186.181	United States 	18,330	735	65,517
32	63.168.1.147	United States 	18,285	735	65,339
33	202.221.226.208	Japan 	        18,525	735	66,230
34	212.155.201.42	France 	        18,550	735	66,320
35	61.120.152.236	Japan 	        18,500	735	66,140
36	63.240.180.163	United States 	18,550	735	66,318
37	63.215.250.216	United States 	18,452	735	65,961
38	208.36.120.75	United States 	18,574	735	66,403
39	67.114.49.67	United States 	18,308	735	65,428
40	64.221.239.216	United States 	18,475	734	66,052
41	66.10.215.35	United States 	18,500	734	66,139
42	204.2.18.10	United States 	18,551	734	66,317
43	63.150.168.73	United States 	18,306	734	65,426
44	207.189.100.54	United States 	18,500	733	66,141
45	65.194.51.24	United States 	18,237	733	65,160
46	63.67.132.69	United States 	18,406	733	65,784
47	208.27.160.12	United States 	18,273	733	65,294
48	12.41.62.61	United States 	18,525	733	66,230
49	63.241.138.26	United States 	18,551	733	66,322
50	205.163.212.102	United States 	18,525	733	66,230
	Subtotal		924,547	36,812	3,304,996
	Total		3,597,956	116,902	20,682,331

Request for Question Clarification by keystroke-ga on 22 Aug 2006 15:51 PDT
Can you give a log containing any other information?

When I ran an Apache server during the Code Red days, I suddenly
started getting a lot of HTTP traffic; however, after performing
in-depth log analysis, I was able to work out that my website had not
gained overnight popularity but was in fact being hit by a string of
different viruses.

Can you provide more log information?

--Keystroke-ga

Clarification of Question by londonplayer-ga on 22 Aug 2006 20:47 PDT
Which specific additional log information would be helpful? Please let
me know and I will try to provide it asap.

Request for Question Clarification by keystroke-ga on 23 Aug 2006 04:59 PDT
I am mainly looking for what exactly each of the IP addresses went to
on your website.

Was it just index.html,

or are you getting logs like this:

    /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
    u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
    b%u53ff%u0078%u0000%u00=a 

The "Code Red" worm activity can be identified on a machine by the
presence of that string in the web server log files. The presence of
this string in your log file does not necessarily indicate
compromise. Rather it only implies that a "Code Red" worm attempted to
infect the machine. It could be that someone infected with the worm is
attempting to compromise your machine which is why you keep getting
the same logs in your IP access list.

If you can give a brief list of the pages that these IP addresses have
visited while being at your website this could give us a better clue
as to what is causing the problem.

--Keystroke-ga
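
The check described above, together with the per-IP page list being requested, as an added example that is not part of the original thread. It assumes W3C extended logs with a `#Fields` directive (the format IIS writes); the sample lines and addresses are constructed, the function names are hypothetical, and the padding match is generalized to any repeated filler character rather than only `N`.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (not the asker's log); the .ida query is a shortened stand-in.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-07-01 00:00:05 192.0.2.10 GET /default.asp - 200
2006-07-01 00:00:06 192.0.2.10 GET /images/logo.gif - 200
2006-07-01 00:05:05 198.51.100.7 GET /default.asp - 200
2006-07-01 00:05:06 198.51.100.7 GET /images/logo.gif - 200
2006-07-01 00:07:41 203.0.113.99 GET /default.ida {pad}%u9090%u6858%ucbd3%u7801 404
""".format(pad="N" * 60)

# Long run of one filler character followed by %uXXXX escapes.
PROBE_QUERY = re.compile(r"^(.)\1{31,}(%u[0-9a-fA-F]{4})+")

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or corrupt lines
                yield dict(zip(fields, values))

def summarize(text):
    """Return (hits per IP, set of paths per IP, IPs that sent an .ida probe)."""
    hits, paths, probes = Counter(), defaultdict(set), set()
    for r in parse_w3c(text):
        ip, stem = r["c-ip"], r["cs-uri-stem"].lower()
        hits[ip] += 1
        paths[ip].add(stem)
        if stem.endswith(".ida") and PROBE_QUERY.match(r["cs-uri-query"]):
            probes.add(ip)
    return hits, paths, probes

def lookalike_groups(hits, paths):
    """Group IPs that requested exactly the same set of paths (monitor-like)."""
    groups = defaultdict(list)
    for ip in hits:
        groups[frozenset(paths[ip])].append(ip)
    return [sorted(ips) for ips in groups.values() if len(ips) > 1]

if __name__ == "__main__":
    h, p, probes = summarize(SAMPLE_LOG)
    print(dict(h), sorted(probes), lookalike_groups(h, p))
```

Clients that land in one same-path group with matching hit counts behave like scripted agents; a client in the probe set sent the worm-style request, which by itself shows an attempt and not a compromise.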

Clarification of Question by londonplayer-ga on 23 Aug 2006 20:21 PDT
The IPs visited index.html (default.asp in my particular case).

Answer  
There is no answer at this time.

Comments  
Subject: Re: Unusual records in web server logs
From: siviki-ga on 22 Aug 2006 15:53 PDT
 
Most of the requests seem to originate from IP addresses owned by
Keynote Systems, a web site measurement and monitoring service
provider. You can find the owner of the IP address by doing a whois
database search in one of the following web sites...

Americas: www.arin.net
Europe: www.ripe.net
Asia Pacific: www.apnic.net

Subject: Re: Unusual records in web server logs
From: londonplayer-ga on 23 Aug 2006 20:22 PDT
 
Ok, that's interesting. Wonder if some third party is monitoring my
site! I'll contact Keynote and see if they can shed some light.
