5

I have a web site that uses a couple hundred domain aliases, including franchise-dallas.info, franchise-delaware.info, and detroitfranchise.info (see more below).

I have been getting ten to twenty hits per day via Google AdWords PPC. I set up a log file so that I could see the variables in the URL.

I was surprised to see that the page is getting hit about once per minute. I looked up the IPs and they are all in China.

My site has ZERO content that would be of use to anyone outside the U.S.A.

Can you tell me why my site would be getting this type of hit? Is this normal? Is this a bot?

TIME, IP, DOMAIN, PAGE
20:9, 66.249.71.138, franchise-st-petersburg.info, Why-Buy-a-Franchise
20:13, 66.249.71.21, franchise-ok.info, Frequently-Asked-Questions-About-Franchises
20:16, 66.249.71.44, franchise-dallas.info, Frequently-Asked-Questions-About-Franchises
20:20, 66.249.71.36, franchise-delaware.info, Frequently-Asked-Questions-About-Franchises
20:21, 66.249.71.136, detroitfranchise.info, What-We-Do-Free-Franchise-Advice
20:21, 66.249.71.10, philadelphiafranchise.info, Privacy-Policy
20:21, 66.249.71.144, denverfranchise.info, Franchise-Terminology
20:22, 66.249.71.59, franchise-tx.info, Get-Started-Ask-a-Franchise-Expert
20:24, 67.195.114.240, franchise-ky.info, Franchise-Terminology
20:27, 66.249.71.138, franchise-st-petersburg.info, Why-Buy-a-Franchise
Scott Pack
  • 14,717
  • 10
  • 51
  • 83
Evik James
  • 257
  • 3
  • 9
  • Are the above IPs the ones that have been hitting your website? If so, I believe you're incorrect stating that they're in China. `whois` is showing them as allocated to Google, and a ping shows latency *way* to low for a trans-pacific transit. – EEAA Mar 02 '11 at 21:39
  • Erik, when I first looked up the IP adresses, the IP lookup site said they were all from China. I considered your answer and looked them up on http://ip-lookup.net/index.php. Now I see that they are from Yahoo and Google. Hmmmm. Maybe the first IP lookup site I used was wrong. Thanks so much for your info. – Evik James Mar 04 '11 at 16:22
  • That's a very strange log. What generated it? – Michael Hampton Mar 11 '13 at 23:12

5 Answers5

10

Welcome to hosting a website on its own IP address. You can put a host on a public IP nowadays and chances are you'll get hit with a scan before the end of the day, probably sooner. Often times the source is just scanning up and down the IP ranges looking for running web, mail or shell servers to attack. They may not even know your website's proper domain name.

Updating my answer since I notice its now the top site that comes up when you ask this question and similarly worded ones. So much has happened in this field since 2011, when I originally answered your question.

China has a sophisticated state funded cyberattack force that is constantly scanning most of the Internet on a daily basis looking for vulnerable website software and services. They will do repeat scans so you'll see the same IPs over and over again in your logs and site stats. This has been going on since at least as far back as the late 1990s, but in recent years has increased significantly.

Chances are your site is going to be hit by other countries and from inside the US as well by adversaries also looking for vulnerable sites, but right now China is by far the largest source of these types of attacks. As always, you should make sure your website's software is kept up to date because if you are running any vulnerable version of popular software you can bet it will be exploited quickly.

deltaray
  • 1,435
  • 9
  • 14
  • This is a reasonable explanation, but it doesn't answer the question of "why only China?" And why continuously? It seems like the bot or spider would move on to other sites and server. – Evik James Mar 02 '11 at 21:17
3

Can you tell me why my site would be getting this type of hit? Is this normal? Is this a bot?

Because you're hosting a website, wait for it, on the World Wide Web. Not the United States Web.

Don't worry about it. If you really don't want China to hit your website then put appropriate firewall rules in place to block that traffic.

EEAA
  • 108,414
  • 18
  • 172
  • 242
  • I am completely aware of the fact that the site is available to everyone, including those in China. While I appreciate your attempt at humor, you didn't even approach an answer. 1) The hits of coming from China and no other countries. Those other countries probably have more access to my site than China does. If the site was getting hits from many countries, your joke wouldn't have fallen so flat. 2) This is a web site. I am a web developer. I don't have access or control to the firewall. 3) I am looking for an explanation, not "don't worry about it". – Evik James Mar 02 '11 at 21:15
  • @Evik James - Honestly, there's not much more to say. How can any of us know why this certain IP is hitting your website? Why does it matter? Like Tchalvak said, as long as it's not causing performance problems, it's really not worth even looking into. And yes, it's *completely* normal for IPs from anywhere to hit open webservers. – EEAA Mar 02 '11 at 21:32
  • Additionally, since these hits are not appearing on Google Analytics, it's likely a bot or some other automated tool. GA relies on javascript, so if js isn't available, then the hit won't get counted. – EEAA Mar 02 '11 at 21:35
2

Many chinese people also speak the lingua-franca of the web, which is essentially english. I'd set up google analytics to track who's referring links to your site.

As long as it isn't a Denial of service situation, it might be positive for your sites.

Kzqai
  • 1,278
  • 4
  • 17
  • 32
  • These hits do not appear anywhere on Google Analytics. These hits are not registering on GA. That was a good idea though. Thanks! – Evik James Mar 02 '11 at 21:18
1

Evik - it's possible that franchoice or bison were trying to gain organic search dominance by purchasing up multiple keyword heavy domain names and pointing them to the same codebase. They might have even promoted some of these domains by purchasing links on affiliate websites which in turn get spidered by the search robots which then show up in your log files - It's not possible to know if it's robot traffic or user traffic with only log data. You might have better luck collecting user agent data.

Nick
  • 11
  • 1
-2

The Chinese are scanning / attacking everything, everywhere.

For the sites I run, I don't want any Chinese or African traffic - there's no reason for it, and so I consider any hits from there as an attack.

To accomplish the ban, I created a table to store IPs that hit the sites, and a php script that uses the geoplugin API to identify the origin of the IP. When the site is hit, the script checks the table to see if it's already there, if not it's stored. If the IP is from China or Africa, the app dies and displays "FORBIDDEN", for now. Once I'm more sure of the comprehensiveness of the code, I'll let it die silently.

b..
  • 1
  • 1