Home / server / Questions / 376839
Accepted
Bill VB
Asked: 2012-04-05 14:57:57 +0800 CST

Mysterious visitor to hidden PHP page

  • 772

On my website, I have a "hidden" page that displays a list of the most recent visitors. There exist no links at all to this single PHP page, and, theoretically, only I know of its existence. I check it many times per day to see what new hits I have.

However, about once a week, I get a hit from a 208.80.194.* address on this supposedly hidden page (it records hits to itself). The strange thing is this: this mysterious person/bot does not visit any other page on my site. Not the public PHP pages, but only this hidden page that prints the visitors. It's always a single hit, and the HTTP_REFERER is blank. The other data is always some variation of

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0; FunWebProducts; .NET CLR 1.1.4322; SpamBlockerUtility 4.8.4; yplus 5.1.04b)

... but sometimes MSIE 6.0 instead of 7, and various other plug ins. The browser is different every time, as with the lowest-order bits of the address.

And it's just that. One hit per week or so, to that one page. Absolutely no other pages are touched by this mysterious visitor.

Doing a whois on that IP address showed it's from the New York area, and from the "Websense" ISP. The lowest order 8 bits of the address vary, but they're always from the 208.80.194.0/24 subnet.

From most of the computers that I use to access my website, doing a traceroute to my server does not contain a router anywhere along the way with the IP 208.80.*. So that rules out any kind of HTTP sniffing, I might think.

How and why is this happening? It seems completely benign, but unexplainable and a little creepy.

security forensics

2 Answers

  1. Best Answer

    Websense? Websense is in the business of classifying URLs and looking for "naughty" things on the Internet. Their products usually show up in corporate environments.

    I'd bet that you accessed your secret page of HTTP from a company that has Websense installed and they automatically added the page to their (presumably gargantuan) list of pages to troll checking for porn, warez, forums, etc.

    As for the varying header, I'm guessing their robot has all manner of possible banners to choose from an intentionally changes them up to mask itself from analysis and pretend it's not a bot. In fact, a quick Google search of FunWebProducts websense all but confirms the theory.

    • 90

  2. The IP address range belongs to Websense. You may have one of their product running.

    $ whois 208.80.194.0
[Querying whois.arin.net]
[whois.arin.net]

NetRange:       208.80.192.0 - 208.80.199.255
CIDR:           208.80.192.0/21
OriginAS:       AS13448
NetName:        WEBSENSE-NET2
NetHandle:      NET-208-80-192-0-1
Parent:         NET-208-0-0-0-0
NetType:        Direct Assignment
RegDate:        2007-07-25
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-208-80-192-0-1
    • 18