revjim.net

April 15th, 2004:

people are stupid…

I’ve become a bit annoyed that my Canadian Citizen in the US post has become the hub for communication regarding Canadian Citizens denied at the border. It’s also a tiny bit obnoxious that my post looking for a French Penpal has found me quite a few posts (and text messages) of people looking for someone to teach them English. And who could forget the girl who thought I was the official complaint department for Albertson’s food stores simply because I bought cat food there and wrote about it? But this takes the cake.

Apparently, Gadgetopia’s mention of “Bill Gates the Philanthropist”:http://www.gadgetopia.com/2003/11/23/BillGatesPhilanthropist.html (maybe that link will help them on their way to the number one result in a search for “philalthropist” on google) had found hundreds of people looking for charitable donations for various inventions from, none other than, Bill Gates himself.

I mean, really. How stupid can people be?

something on the box… FIGURED IT OUT!

So…

yes. The process is running on the box. There is a script in a site on the box that is, in turn, making a request for this image… over and over again.

Accessing a particular page within that site causes it to happen predictably — one hit on a certain image per request.

Whose site would do such a thing… and why?

*MINE!*

Yes, ladies and gentlemen, *revjim.net* is the culprit.

As I’ve mentioned before, I use “textile”:http://textism.com/tools/textile/ to style some of my posts. However, I rarely use it for images because it doesn’t allow me the placement control I desire. However, in a few cases, I did use it for images. And textile, you see, puts height and width specs on the image tags for you. And, in order to do that, it must request the image. Therefore, since my site doesn’t cache the Textile output (because it sucks), this determination is made every time a page is requested. Therefore, if you request a page on *revjim.net* in which I used Textile to style an image, that image gets a hit, from the box, without a referrer or a user agent specified.

So there you have it. It was my fault all along.
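The signature described above (requests from the box's own address carrying neither a referrer nor a user agent) can be pulled out of an access log mechanically. This is an added example, not code from this site; the function names are made up for illustration, and the sample lines are copied from the log excerpts on this page.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the excerpts on this page.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Lines copied from the log excerpts on this page.
SAMPLE = '''\
69.56.172.226 - - [15/Apr/2004:09:21:57 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:22:21 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
128.149.26.211 - - [15/Apr/2004:09:23:35 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040411"
69.56.172.226 - - [15/Apr/2004:09:25:06 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [14/Apr/2004:16:32:06 -0500] "GET /albums/ps20040321/img_0651.thumb.jpg HTTP/1.0" 200 9740 "-" "-"
'''.splitlines()

def is_blank(value):
    # Apache logs a missing header as "-"
    return value in ("", "-")

def self_fetches(lines, own_ips):
    """Group requests that come from the server's own address with no
    Referer and no User-Agent, the signature described in the post."""
    found = defaultdict(lambda: {"count": 0, "statuses": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a combined-format line
        if m["ip"] in own_ips and is_blank(m["referer"]) and is_blank(m["agent"]):
            entry = found[m["path"]]
            entry["count"] += 1
            entry["statuses"].add(int(m["status"]))
    return dict(found)

def outside_hits(lines, own_ips, paths):
    """Requests for the same paths from any other address, for comparison."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["ip"] not in own_ips and m["path"] in paths:
            out.append((m["ip"], m["agent"]))
    return out

if __name__ == "__main__":
    own = {"69.56.172.226"}  # the box's own address, per the post
    report = self_fetches(SAMPLE, own)
    for path, info in sorted(report.items()):
        print(info["count"], sorted(info["statuses"]), path)
    print(outside_hits(SAMPLE, own, set(report)))
```

A path whose self-originated hits include both 200 and 404 is one the fetcher keeps asking for regardless of the answer, which points at an automated server-side fetch rather than a person browsing.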

something on the box… a detailed look

It appears as though this has actually been happening since March 17th. The first request for the image of Jess and I was on Apr 11th.

On March 13th the request came for an image of our Plano Apartment:


69.56.172.226 - - [13/Mar/2004:06:07:43 -0600] "GET /albums/planoapt/img_0507.thumb.jpg HTTP/1.0" 200 11518 "-" "-"

They only came for about 5 minutes and then stopped. 13 days later (March 26th), a Soul Glow photoshoot image started being requested:


69.56.172.226 - - [26/Mar/2004:07:12:50 -0600] "GET /albums/ps20040321/img_0651.thumb.jpg HTTP/1.0" 200 9740 "-" "-"

Requests for this image came in every couple of seconds and then slowly tapered off. They lasted until Apr 11th, at which time, requests for the picture of Jess and I began coming in, mixed in with requests for the Soul Glow picture:


69.56.172.226 - - [11/Apr/2004:20:54:12 -0500] "GET /albums/ps20040321/img_0651.thumb.jpg HTTP/1.0" 200 9740 "-" "-"
69.56.172.226 - - [11/Apr/2004:20:54:19 -0500] "GET /albums/ps20040321/img_0651.thumb.jpg HTTP/1.0" 200 9740 "-" "-"
69.56.172.226 - - [11/Apr/2004:20:55:13 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [11/Apr/2004:20:55:17 -0500] "GET /albums/ps20040321/img_0651.thumb.jpg HTTP/1.0" 200 9740 "-" "-"
69.56.172.226 - - [11/Apr/2004:20:55:21 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [11/Apr/2004:20:55:23 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"

The requests for the Soul Glow picture tapered off but the picture of Jess and I continued to be requested.

Slightly later that evening, as the requests for the picture of Jess and I continued, a few stray requests for the Soul Glow photo came in:


69.56.172.226 - - [11/Apr/2004:22:24:50 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [11/Apr/2004:22:24:52 -0500] "GET /albums/ps20040321/img_0651.thumb.jpg HTTP/1.0" 200 9740 "-" "-"
69.56.172.226 - - [11/Apr/2004:22:24:52 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [11/Apr/2004:22:25:02 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [11/Apr/2004:22:25:05 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [11/Apr/2004:22:25:06 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [11/Apr/2004:22:25:07 -0500] "GET /albums/ps20040321/img_0651.thumb.jpg HTTP/1.0" 200 9740 "-" "-"
69.56.172.226 - - [11/Apr/2004:22:25:08 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"

And another one a bit later on, still, that day:


69.56.172.226 - - [11/Apr/2004:23:10:47 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [11/Apr/2004:23:10:48 -0500] "GET /albums/ps20040321/img_0651.thumb.jpg HTTP/1.0" 200 9740 "-" "-"
69.56.172.226 - - [11/Apr/2004:23:10:57 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"

Another one the next day:


69.56.172.226 - - [12/Apr/2004:03:22:38 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [12/Apr/2004:03:22:45 -0500] "GET /albums/ps20040321/img_0651.thumb.jpg HTTP/1.0" 200 9740 "-" "-"
69.56.172.226 - - [12/Apr/2004:03:22:49 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"

It seems that, every now and then, a single request will come in for the Soul Glow image, mixed in with lots of requests for the image of Jess and I.

Yesterday, I moved the image, causing it to 404. Here is that portion of the log:


69.56.172.226 - - [14/Apr/2004:16:31:45 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [14/Apr/2004:16:32:02 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [14/Apr/2004:16:32:02 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [14/Apr/2004:16:32:06 -0500] "GET /albums/ps20040321/img_0651.thumb.jpg HTTP/1.0" 200 9740 "-" "-"
69.56.172.226 - - [14/Apr/2004:16:32:08 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [14/Apr/2004:16:32:09 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [14/Apr/2004:16:32:15 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [14/Apr/2004:16:32:31 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [14/Apr/2004:16:33:02 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [14/Apr/2004:16:33:03 -0500] "GET /albums/ps20040321/img_0651.thumb.jpg HTTP/1.0" 200 9740 "-" "-"
69.56.172.226 - - [14/Apr/2004:16:33:18 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"

Today, again, I moved the image. Here is that part of the log:


69.56.172.226 - - [15/Apr/2004:09:21:57 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:22:21 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:22:35 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:25:06 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:26:24 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:27:21 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:34:12 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"

And so it continues. The image of Jess and I is being requested fairly often. The Soul Glow image, every now and then.

I’ve checked all entry points on the box for logs of accesses that could be redirected towards the box (i.e. proxy servers and the like). There are no requests for these resources. I’ve checked all running processes on the box, and none of them seem like they would be the culprit.

I killed both proxy servers on the box (oops, and danted) and waited for another request to come in. Just to make sure that they weren’t broken and trying to update cache files or something. The requests still came in.

Here is the list of running processes (with oops and danted killed):


USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1484 360 ? S Feb04 0:02 init [2]
root 2 0.0 0.0 0 0 ? SW Feb04 0:01 [keventd]
root 3 0.0 0.0 0 0 ? SWN Feb04 0:00 [ksoftirqd_CPU0]
root 4 0.0 0.0 0 0 ? SW Feb04 10:10 [kswapd]
root 5 0.0 0.0 0 0 ? SW Feb04 0:00 [bdflush]
root 6 0.0 0.0 0 0 ? SW Feb04 0:04 [kupdated]
root 33 0.0 0.0 0 0 ? SW Feb04 12:27 [kjournald]
root 147 0.0 0.0 0 0 ? SW Feb04 0:00 [eth0]
daemon 168 0.0 0.0 1600 384 ? S Feb04 0:00 /sbin/portmap
root 281 0.0 0.0 1532 468 ? S Feb04 2:23 /sbin/syslogd
root 284 0.0 0.0 2032 368 ? S Feb04 0:00 /sbin/klogd
root 296 0.0 0.0 2300 380 ? S Feb04 0:00 /usr/lib/courier/authlib/authdaemond.mysql start
root 297 0.0 0.1 2344 552 ? S Feb04 0:09 /usr/lib/courier/authlib/authdaemond.mysql start
root 299 0.0 0.1 2344 540 ? S Feb04 0:09 /usr/lib/courier/authlib/authdaemond.mysql start
root 300 0.0 0.1 2344 540 ? S Feb04 0:08 /usr/lib/courier/authlib/authdaemond.mysql start
root 301 0.0 0.1 2344 544 ? S Feb04 0:09 /usr/lib/courier/authlib/authdaemond.mysql start
root 302 0.0 0.1 2344 560 ? S Feb04 0:09 /usr/lib/courier/authlib/authdaemond.mysql start
root 307 0.0 0.0 1764 392 ? S Feb04 0:10 /usr/sbin/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -
root 311 0.0 0.0 1652 364 ? S Feb04 0:10 /usr/sbin/courierlogger imaplogin
root 329 0.0 0.0 1760 388 ? S Feb04 0:03 /usr/sbin/couriertcpd -pid=/var/run/courier/pop3d.pid -stderrlogger=/usr
root 333 0.0 0.0 1648 356 ? S Feb04 0:04 /usr/sbin/courierlogger courierpop3login
root 363 0.0 0.0 1520 404 ? S Feb04 0:06 /usr/sbin/inetd
root 508 0.0 0.0 1480 312 tty1 S Feb04 0:00 /sbin/getty 38400 tty1
root 509 0.0 0.0 1480 312 tty2 S Feb04 0:00 /sbin/getty 38400 tty2
root 510 0.0 0.0 1480 312 tty3 S Feb04 0:00 /sbin/getty 38400 tty3
root 511 0.0 0.0 1480 312 tty4 S Feb04 0:00 /sbin/getty 38400 tty4
root 512 0.0 0.0 1480 312 tty5 S Feb04 0:00 /sbin/getty 38400 tty5
root 513 0.0 0.0 1480 312 tty6 S Feb04 0:00 /sbin/getty 38400 tty6
root 19058 0.0 0.0 1764 236 ? S Feb10 0:00 /usr/sbin/couriertcpd -pid=/var/run/courier/pop3d-ssl.pid -stderrlogger=
root 19064 0.0 0.0 1516 80 ? S Feb10 0:00 /usr/sbin/courierlogger pop3d-ssl
root 19080 0.0 0.0 1764 236 ? S Feb10 0:00 /usr/sbin/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -
root 19086 0.0 0.0 1520 80 ? S Feb10 0:00 /usr/sbin/courierlogger imapd-ssl
root 19093 0.0 0.0 20824 400 ? S Feb10 0:13 /usr/bin/perl /usr/sbin/spamd -D -c -m 10 -x --virtual-config-dir=/var/s
root 19144 0.0 0.1 3072 696 ? S Feb10 0:39 /usr/sbin/sshd
root 25243 0.0 0.0 1500 428 ? S Feb21 0:00 mini-inetd 5000 /usr/bin/php php /etc/panel/paneld.php
root 29746 0.0 0.1 1740 572 ? S Mar12 0:03 /usr/sbin/cron
root 30897 0.0 0.1 2348 516 ? S Mar25 0:00 /bin/sh /usr/bin/mysqld_safe
mysql 30938 0.0 1.7 52220 9124 ? S Mar25 0:30 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --
mysql 30939 0.0 1.7 52220 9124 ? S Mar25 0:26 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --
mysql 30940 0.0 1.7 52220 9124 ? S Mar25 0:04 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --
mysql 30941 0.0 1.7 52220 9124 ? S Mar25 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --
mysql 30984 0.0 1.7 52220 9124 ? S Mar25 0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --
mysql 31220 0.0 1.7 52220 9124 ? S Mar25 0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --
mysql 31409 0.0 1.7 52220 9124 ? S Mar25 0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --
mysql 31502 0.0 1.7 52220 9124 ? S Mar25 0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --
mysql 32141 0.0 1.7 52220 9124 ? S Mar25 0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --
root 31908 0.0 0.4 2216 2208 ? SL Apr11 0:00 /usr/sbin/ntpd
root 12732 0.0 0.1 2668 616 ? S Apr12 0:00 vtund[s]: waiting for connections on port 5050
nobody 30209 0.0 0.1 2500 860 ? S Apr14 0:00 /usr/sbin/danted -D
root 30647 0.0 0.6 149036 3444 ? S Apr14 0:00 /usr/sbin/apache
root 863 0.0 0.1 2672 712 ? S< Apr14 0:01 vtund[s]: inkpub01 tun tun0
root 2988 0.0 0.2 7352 1044 ? S Apr14 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 2989 0.0 0.6 7912 3472 ? S Apr14 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 2990 0.0 0.6 7756 3048 ? S Apr14 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 2991 0.0 0.6 7900 3060 ? S Apr14 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 2992 0.0 0.6 7900 3052 ? S Apr14 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 2993 0.0 0.6 7780 3072 ? S Apr14 0:00 /usr/sbin/apache2 -k start -DSSL
root 3005 0.0 0.5 147792 2976 ? S Apr14 0:00 /usr/sbin/apache-ssl
www-data 3006 0.0 0.1 4316 836 ? S Apr14 0:00 /usr/lib/apache-ssl/gcache 33 /var/run/gcache_port
www-data 3009 0.0 2.0 153412 10252 ? S Apr14 0:10 /usr/sbin/apache-ssl
www-data 3010 0.0 2.0 152872 10652 ? S Apr14 0:10 /usr/sbin/apache-ssl
mail 3186 0.0 0.3 7624 1916 ? S Apr14 0:00 /usr/sbin/exim4 -bd -q30m
www-data 3335 0.0 0.6 7960 3092 ? S Apr14 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 5177 0.0 2.1 153392 11024 ? S Apr14 0:08 /usr/sbin/apache-ssl
www-data 5178 0.0 2.1 153556 11124 ? S Apr14 0:07 /usr/sbin/apache-ssl
revjim 25873 0.0 0.2 3344 1192 ? S 08:52 0:00 /usr/bin/imapd Maildir
revjim 25876 0.0 0.2 3340 1200 ? S 08:52 0:00 /usr/bin/imapd Maildir
root 26170 0.0 0.3 6040 1640 ? S 08:58 0:00 sshd: biggest [priv]
biggest 26173 0.0 0.3 6040 1728 ? S 08:58 0:00 sshd: biggest@pts/0
biggest 26174 0.0 0.2 2624 1476 pts/0 S 08:58 0:00 -bash
revjim 26424 0.0 0.2 3344 1268 ? S 09:02 0:00 /usr/bin/imapd Maildir
root 26568 0.0 0.3 5952 1668 ? S 09:05 0:00 sshd: revjim [priv]
revjim 26570 0.0 0.3 5952 1748 ? S 09:05 0:00 sshd: revjim@pts/2
revjim 26571 0.0 0.3 2648 1528 pts/2 S 09:05 0:00 -bash
root 26646 0.0 0.3 5952 1668 ? S 09:06 0:00 sshd: revjim [priv]
revjim 26663 0.0 0.3 6100 1816 ? S 09:06 0:01 sshd: revjim@pts/3
revjim 26664 0.0 0.3 2648 1532 pts/3 S 09:06 0:00 -bash
root 26671 0.0 0.3 2652 1536 pts/3 S 09:06 0:00 bash
nobody 27737 0.0 0.2 2732 1304 ? S 09:20 0:00 /usr/sbin/mydns -b
mysql 27738 0.0 1.7 52220 9124 ? S 09:20 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --
mysql 27739 0.0 1.7 52220 9124 ? S 09:20 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --
farris 28092 0.0 0.2 3376 1356 ? S 09:26 0:00 /usr/bin/imapd Maildir
bookriot 30092 0.0 0.2 3324 1140 ? S 10:01 0:00 /usr/bin/imapd Maildir
www-data 30175 0.2 1.5 150512 7692 ? S 10:02 0:00 /usr/sbin/apache
mysql 30181 0.0 1.7 52220 9124 ? S 10:02 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --
root 30275 0.0 0.1 2044 540 pts/3 S 10:04 0:00 tail -f /var/sites/photos.revjim.net/logs/access.log
www-data 30283 0.2 1.4 150476 7344 ? S 10:04 0:00 /usr/sbin/apache
www-data 30294 0.0 1.2 149568 6424 ? S 10:04 0:00 /usr/sbin/apache
www-data 30297 1.0 1.5 150608 7684 ? S 10:04 0:01 /usr/sbin/apache
root 30303 0.0 0.2 2652 1512 pts/2 S 10:04 0:00 bash
www-data 30320 0.0 0.8 149172 4292 ? S 10:05 0:00 /usr/sbin/apache
www-data 30321 0.0 0.8 149036 4372 ? S 10:05 0:00 /usr/sbin/apache
www-data 30330 0.0 0.8 149036 4372 ? S 10:05 0:00 /usr/sbin/apache
www-data 30331 0.0 0.8 149036 4396 ? S 10:05 0:00 /usr/sbin/apache
www-data 30332 0.7 1.4 150604 7344 ? S 10:05 0:00 /usr/sbin/apache
www-data 30335 0.0 0.8 149036 4364 ? S 10:05 0:00 /usr/sbin/apache
biggest 30429 1.4 0.2 2336 1396 pts/0 S 10:06 0:00 pico -w index.php
root 30430 0.0 0.1 2848 824 pts/2 R 10:06 0:00 ps auwx

Nothing seems out of place.

Unless user "biggest" is doing some port forwarding with his SSH connection and has something on HIS machine that is doing this (rob? is that possible?), I can't see any other explanation other than that some process somewhere is spoofing the box's IP only to make this same silly request again and again.

Can any Linux/network admins offer any advice here?

NASA?

Do I know anyone that works for NASA? I don’t think so, but maybe. Because this situation regarding “something on the box”:http://revjim.net/item/9991/ constantly requesting the photograph of Jess and I is getting absurd.

Look at this log file sample:


69.56.172.226 - - [15/Apr/2004:09:21:28 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:21:44 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:21:48 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:21:50 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:21:52 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:21:57 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 200 17586 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:22:21 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:22:35 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
128.149.26.211 - - [15/Apr/2004:09:23:35 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040411"
69.56.172.226 - - [15/Apr/2004:09:25:06 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"
69.56.172.226 - - [15/Apr/2004:09:26:24 -0500] "GET /albums/jessanddaniel/dsc_0040.thumb.jpg HTTP/1.0" 404 307 "-" "-"

The first 6 requests you see above came from it. Then I moved the item it’s attempting to access. The next two requests for it generated a 404 (because I moved it). Then another request comes in from an IP address (128.149.26.211) belonging to NASA (rlstep-xp.jpl.nasa.gov) that also had no referrer (but did have a User Agent). I could be wrong, of course, but it seems too close to be a coincidence. Why would someone request that photograph specifically, minutes after I removed it, either by going directly to it (bookmark, cut and paste, typing directly into URL bar) or while using a browser that strips referrer information? That IP address is in my logs in other locations. Many of them do not have a referrer, but some of them do, which leads me to believe that the browser being used does indeed send a referrer. Additionally, the User Agent is the same in all cases.

The earliest record I have of this IP is from August of 2003 to revjim.net (which are the oldest records I have). They appear to be using the Aggie feed reader to access revjim.net’s RSS feed. I do show that it seems that whenever they encounter an image in my feed, it is requested by their browser in the same fashion as above without any referrer information. So, I guess it’s possible that it is merely a coincidence and that this person, whoever they are, just happened to read that post of mine in his/her RSS reader while I was investigating. It’s just an odd coincidence if that is the case.

If the owner of that IP is reading this, please speak up so I’ll know who you are and then can discount you as the person responsible for whatever is causing these hits on my site.

Whoever or whatever is responsible for this is either spoofing the sending IP address to appear to be my own machine, or has managed to install a script running on the machine that I cannot seem to find.