IIS logs, repeated hits to a car picture? [interesting story!]

G

Gil Grissom, CSI

Hi there,

If you can think of a more appropriate newsgroup to post this question, please let me know.

I have a web server (IIS) running on an old Win2000 machine. This web server contains a couple of .aspx pages that display contact info for my company. I also use it to post files and pictures for friends/family to see. About a year ago, I bought a new car and posted a picture (JPG) of it in a temp folder off of my web site. I posted the URL to the picture in a Porsche newsgroup so that I could discuss my car with some of the newsgroup participants there.

In the 5 or 6 days following my post, my IIS log showed a couple dozen hits to that picture -- presumably from people on that newsgroup. After 5-6 days, the hits went to zero since my message had probably expired from most newsservers at that point. No surprise, but here's where it gets weird.

About a week ago, 10 months after my original post, I started receiving a bunch of hits for that picture again. I have no idea why. Certainly, someone could have found my old message via google and clicked on the link... but these hits are coming from many different IP addresses from all over the world (according to WHOIS). Certain IP addresses appear over and over again (for weeks!).

Most of the hits come from real browsers using Internet Explorer, but about 35-40% of the hits aren't from IE. According to my IIS logs, they're coming from something called ActiveWorlds. Here are some excerpts from the log:

2004-04-10 21:02:06 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:02:10 24.45.148.88 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:03:27 69.10.96.182 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:04:16 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:04:20 24.45.148.88 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 304 ActiveWorlds/3.40+(498)
2004-04-10 21:09:18 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:10:02 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:16:35 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 22:41:37 24.45.148.88 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)

What does "ActiveWorlds" mean? Just for kicks, I went to www.ActiveWorlds.com. That appears to be some sort of virtual reality game site, not likely the source of these hits. I'm absolutely baffled as to where these hits are coming from? Not that I mind or anything... but my curiosity is killing me. Any ideas how to investigate?
 
K

Kristofer Gafvert

Hello,

Log the referer, and you will see where everyone is coming. They are
probably hotlinking the image on a webpage, and that is why you get so many
hits.

--
Regards,
Kristofer Gafvert - IIS MVP
Reply to newsgroup only. Remove NEWS if you must reply by email, but please
do not.
http://www.ilopia.com/


Hi there,

If you can think of a more appropriate newsgroup to post this question,
please let me know.

I have a web server (IIS) running on an old Win2000 machine. This web
server contains a couple of .aspx pages that display contact info for my
company. I also use it to post files and pictures for friends/family to see.
About a year ago, I bought a new car and posted a picture (JPG) of it in a
temp folder off of my web site. I posted the URL to the picture in a Porsche
newsgroup so that I could discuss my car with some of the newsgroup
participants there.

In the 5 or 6 days following my post, my IIS log showed a couple dozen
hits to that picture -- presumably from people on that newsgroup. After 5-6
days, the hits went to zero since my message had probably expired from most
newsservers at that point. No surprise, but here's where it gets weird.

About a week ago, 10 months after my original post, I started receiving
a bunch of hits for that picture again. I have no idea why. Certainly,
someone could have found my old message via google and clicked on the
link... but these hits are coming from many different IP addresses from all
over the world (according to WHOIS). Certain IP addresses appear over and
over again (for weeks!).

Most of the hits come from real browsers using Internet Explorer, but
about 35-40% of the hits aren't from IE. According to my IIS logs, they're
coming from something called ActiveWorlds. Here are some excerpts from the
log:

2004-04-10 21:02:06 217.137.95.142 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:02:10 24.45.148.88 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:03:27 69.10.96.182 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:04:16 217.137.95.142 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:04:20 24.45.148.88 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 304 ActiveWorlds/3.40+(498)
2004-04-10 21:09:18 217.137.95.142 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:10:02 217.137.95.142 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:16:35 217.137.95.142 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 22:41:37 24.45.148.88 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)

What does "ActiveWorlds" mean? Just for kicks, I went to
www.ActiveWorlds.com. That appears to be some sort of virtual reality game
site, not likely the source of these hits. I'm absolutely baffled as to
where these hits are coming from? Not that I mind or anything... but my
curiosity is killing me. Any ideas how to investigate?
 
D

David Sworder

Hello,
Log the referer, and you will see where everyone is coming. They are
probably hotlinking the image on a webpage, and that is why you get so many
hits.
Click to expand...

Aha, brilliant! I didn't realize that IIS could do such a thing. Ok, take a
look at this referring page:

aw://81.137.226.230:5670/hangout

the protocol is "aw" instead of "http"... and the port# is 5670... ?
 
K

Kristofer Gafvert

I think that this really has something to do with Active World. But i'm
afraid i cannot say anymore, because i hardly know what Active World is. A
quick search on google tells me however that Active World seems to use port
5670.

If you do not want them to download the picture, you can do as Jeff said,
and change the URL.

--
Regards,
Kristofer Gafvert - IIS MVP
Reply to newsgroup only. Remove NEWS if you must reply by email, but please
do not.
http://www.ilopia.com/
 
L

Larry Hyman

somebody got the url for the picture and posted someplace public, easy to
put an end to this, remove or rename the picture, that's all

--
And if you have time, check out my new website:

http://hyman.sytes.net


Hi there,

If you can think of a more appropriate newsgroup to post this question,
please let me know.

I have a web server (IIS) running on an old Win2000 machine. This web
server contains a couple of .aspx pages that display contact info for my
company. I also use it to post files and pictures for friends/family to see.
About a year ago, I bought a new car and posted a picture (JPG) of it in a
temp folder off of my web site. I posted the URL to the picture in a Porsche
newsgroup so that I could discuss my car with some of the newsgroup
participants there.

In the 5 or 6 days following my post, my IIS log showed a couple dozen
hits to that picture -- presumably from people on that newsgroup. After 5-6
days, the hits went to zero since my message had probably expired from most
newsservers at that point. No surprise, but here's where it gets weird.

About a week ago, 10 months after my original post, I started receiving
a bunch of hits for that picture again. I have no idea why. Certainly,
someone could have found my old message via google and clicked on the
link... but these hits are coming from many different IP addresses from all
over the world (according to WHOIS). Certain IP addresses appear over and
over again (for weeks!).

Most of the hits come from real browsers using Internet Explorer, but
about 35-40% of the hits aren't from IE. According to my IIS logs, they're
coming from something called ActiveWorlds. Here are some excerpts from the
log:

2004-04-10 21:02:06 217.137.95.142 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:02:10 24.45.148.88 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:03:27 69.10.96.182 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:04:16 217.137.95.142 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:04:20 24.45.148.88 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 304 ActiveWorlds/3.40+(498)
2004-04-10 21:09:18 217.137.95.142 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:10:02 217.137.95.142 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:16:35 217.137.95.142 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 22:41:37 24.45.148.88 - 192.168.0.15 80 GET
/david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)

What does "ActiveWorlds" mean? Just for kicks, I went to
www.ActiveWorlds.com. That appears to be some sort of virtual reality game
site, not likely the source of these hits. I'm absolutely baffled as to
where these hits are coming from? Not that I mind or anything... but my
curiosity is killing me. Any ideas how to investigate?
 
D

Dave

activeworld appears to be a 3d interactive chat room type of operation.
someone has probably latched onto your picture for some part of their
environment so everytime they get visited or enter the particular room your
image gets hit. if you don't mind them using your image just leave it...
personally i would replace it with something funny and tell them to 'ask
before linking to my image'... as such things can get out of control and
cause extra traffic on your server for totally unrelated activities.
 
S

Sartan Dragonbane

Active Worlds...
Active Worlds is a client for a 3d 'universe' - It's like a realtime chat room.
Maybe someone is using your porche picture in their active worlds store, and it's downloaded any time somebody walks into it.

Hi there,

If you can think of a more appropriate newsgroup to post this question, please let me know.

I have a web server (IIS) running on an old Win2000 machine. This web server contains a couple of .aspx pages that display contact info for my company. I also use it to post files and pictures for friends/family to see. About a year ago, I bought a new car and posted a picture (JPG) of it in a temp folder off of my web site. I posted the URL to the picture in a Porsche newsgroup so that I could discuss my car with some of the newsgroup participants there.

In the 5 or 6 days following my post, my IIS log showed a couple dozen hits to that picture -- presumably from people on that newsgroup. After 5-6 days, the hits went to zero since my message had probably expired from most newsservers at that point. No surprise, but here's where it gets weird.

About a week ago, 10 months after my original post, I started receiving a bunch of hits for that picture again. I have no idea why. Certainly, someone could have found my old message via google and clicked on the link... but these hits are coming from many different IP addresses from all over the world (according to WHOIS). Certain IP addresses appear over and over again (for weeks!).

Most of the hits come from real browsers using Internet Explorer, but about 35-40% of the hits aren't from IE. According to my IIS logs, they're coming from something called ActiveWorlds. Here are some excerpts from the log:

2004-04-10 21:02:06 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:02:10 24.45.148.88 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:03:27 69.10.96.182 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:04:16 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:04:20 24.45.148.88 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 304 ActiveWorlds/3.40+(498)
2004-04-10 21:09:18 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:10:02 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:16:35 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 22:41:37 24.45.148.88 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)

What does "ActiveWorlds" mean? Just for kicks, I went to www.ActiveWorlds.com. That appears to be some sort of virtual reality game site, not likely the source of these hits. I'm absolutely baffled as to where these hits are coming from? Not that I mind or anything... but my curiosity is killing me. Any ideas how to investigate?
 
D

David Sworder

Hi.. I'm the original poster...

I had fun exploring ActiveWorlds, but alas, was unable to find my car. :(


Hi there,

If you can think of a more appropriate newsgroup to post this question, please let me know.

I have a web server (IIS) running on an old Win2000 machine. This web server contains a couple of .aspx pages that display contact info for my company. I also use it to post files and pictures for friends/family to see. About a year ago, I bought a new car and posted a picture (JPG) of it in a temp folder off of my web site. I posted the URL to the picture in a Porsche newsgroup so that I could discuss my car with some of the newsgroup participants there.

In the 5 or 6 days following my post, my IIS log showed a couple dozen hits to that picture -- presumably from people on that newsgroup. After 5-6 days, the hits went to zero since my message had probably expired from most newsservers at that point. No surprise, but here's where it gets weird.

About a week ago, 10 months after my original post, I started receiving a bunch of hits for that picture again. I have no idea why. Certainly, someone could have found my old message via google and clicked on the link... but these hits are coming from many different IP addresses from all over the world (according to WHOIS). Certain IP addresses appear over and over again (for weeks!).

Most of the hits come from real browsers using Internet Explorer, but about 35-40% of the hits aren't from IE. According to my IIS logs, they're coming from something called ActiveWorlds. Here are some excerpts from the log:

2004-04-10 21:02:06 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:02:10 24.45.148.88 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:03:27 69.10.96.182 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:04:16 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:04:20 24.45.148.88 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 304 ActiveWorlds/3.40+(498)
2004-04-10 21:09:18 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:10:02 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 21:16:35 217.137.95.142 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)
2004-04-10 22:41:37 24.45.148.88 - 192.168.0.15 80 GET /david_car/Car_001.jpg - 200 ActiveWorlds/3.40+(498)

What does "ActiveWorlds" mean? Just for kicks, I went to www.ActiveWorlds.com. That appears to be some sort of virtual reality game site, not likely the source of these hits. I'm absolutely baffled as to where these hits are coming from? Not that I mind or anything... but my curiosity is killing me. Any ideas how to investigate?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

SUSADMIN not updating on client side 1
Problem installing IIS on XP Pro 7
Interpreting Site Reports 4
Saving Fax Console to reinstall after a full wipe restore 1
How to convert this unicode string to a normal string? 2
IE Immediately Crashes When Loading A HTML Page From A CD/DVD 2
Game issues with Frame rate 2
How to solve a complex problem using Excel 2003 2

Top