On Thursday 1st May, odd log entries were noted on the TurboTas web site. Most strange: with only 10 registered users and 20 posted articles, mirroring the website every 15 minutes seems a bit overboard. Nevertheless, some plum is WGET’ing the whole site every few minutes and has been doing so for 5 days now.
As the traffic is small, I’ve been bemused to see what would happen. Alas, no phone calls or emails from people loving the site and wanting to buy it for squillions. Today therefore I decided to dig a bit further.
Stats have been on the list of things to do, so I did this first using awstats (see Links). Next I used half a day’s stats to get a feel for the bandwidth this mirror was causing. It works out to quite a few megs: around 14 megs per day.
I figure that it’s one of you guys rather than something deliberately intended to leech the bandwidth: 14 megs is pretty hopeless as an attack profile.
Next job was to identify the source.
Okay. The source address is 18.104.22.168. A quick squint at the other stuff on the subnet shows us someone who doesn’t work in IT (HP switch, hah!).
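The two steps above (sizing the traffic, then finding its source) can also be done straight from the access log. This is an added example, not part of the original post: it groups requests by client, picks out passes that recur on a fixed schedule and estimates their daily bandwidth. The combined log format, the thresholds and the constructed sample lines (documentation-range addresses) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Assumes combined log format, with lines in time order.
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (\d+|-) "[^"]*" "([^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def summarise(lines, burst_gap=60):
    """Per (ip, user agent): bytes served and the start time of each burst."""
    clients = defaultdict(lambda: {"bytes": 0, "bursts": [], "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at them
        ip, ts, size, ua = m.groups()
        ts = datetime.strptime(ts, TS_FMT)
        c = clients[(ip, ua)]
        c["bytes"] += 0 if size == "-" else int(size)
        # A pause longer than burst_gap seconds means a new pass over the site.
        if c["last"] is None or (ts - c["last"]).total_seconds() > burst_gap:
            c["bursts"].append(ts)
        c["last"] = ts
    return clients

def periodic_mirrors(clients, min_bursts=3, tolerance=0.2):
    """Clients whose passes recur at a steady interval, with a MB/day estimate."""
    found = []
    for (ip, ua), c in clients.items():
        starts = c["bursts"]
        if len(starts) < min_bursts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        mid = median(gaps)
        if all(abs(g - mid) <= tolerance * mid for g in gaps):
            mb = c["bytes"] / len(starts) * 86400 / mid / 1e6  # bytes/pass x passes/day
            found.append({"ip": ip, "ua": ua, "every_min": mid / 60, "mb_per_day": round(mb, 1)})
    return found

def sample_log():
    """Constructed sample: a Wget pass every 15 minutes plus one ordinary visitor."""
    row = '{} - - [{}] "GET {} HTTP/1.0" 200 {} "-" "{}"'
    t0 = datetime(2000, 1, 1, 9, 0, tzinfo=timezone.utc)
    at = lambda **kw: (t0 + timedelta(**kw)).strftime(TS_FMT)
    lines = [row.format("192.0.2.10", at(minutes=15 * n, seconds=i), path, 50000, "Wget/1.10")
             for n in range(4) for i, path in enumerate(("/", "/a.html", "/b.html"))]
    return lines + [row.format("198.51.100.7", at(minutes=m), "/", 8000, "Mozilla/5.0")
                    for m in (3, 10, 47)]
```

Calling `periodic_mirrors(summarise(sample_log()))` reports only the Wget client; the ordinary visitor also makes three visits but at irregular intervals, so it is not flagged.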
I’ve left the IP address unfiltered as analysing these problems is really interesting.
Stay tuned for the next installment!