56

On my website, I have a "hidden" page that displays a list of the most recent visitors. There exist no links at all to this single PHP page, and, theoretically, only I know of its existence. I check it many times per day to see what new hits I have.

However, about once a week, I get a hit from a 208.80.194.* address on this supposedly hidden page (it records hits to itself). The strange thing is this: this mysterious person/bot does not visit any other page on my site. Not the public PHP pages, but only this hidden page that prints the visitors. It's always a single hit, and the HTTP_REFERER is blank. The other data is always some variation of

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0; FunWebProducts; .NET CLR 1.1.4322; SpamBlockerUtility 4.8.4; yplus 5.1.04b)

... but sometimes MSIE 6.0 instead of 7, and various other plug-ins. The browser is different every time, as with the lowest-order bits of the address.

And it's just that. One hit per week or so, to that one page. Absolutely no other pages are touched by this mysterious visitor.

Doing a whois on that IP address showed it's from the New York area, and from the "Websense" ISP. The lowest order 8 bits of the address vary, but they're always from the 208.80.194.0/24 subnet.

From most of the computers that I use to access my website, doing a traceroute to my server does not contain a router anywhere along the way with the IP 208.80.*. So that rules out any kind of HTTP sniffing, I might think.

How and why is this happening? It seems completely benign, but unexplainable and a little creepy.

Ilmari Karonen
Bill VB
  • 11
    Very interesting; googling for `FunWebProducts` - the second result is `How do I uninstall Fun Web Products from my computer? ` – Mark Henderson Apr 04 '12 at 23:42
  • 3
    Loving these answers, my first question was going to be - ... is it you? – lsl Apr 05 '12 at 01:01
  • 1
    FYI, drop an htaccess on the page causing it to require username and pass and websense will only hit it one more time before giving it up – SpYk3HH Apr 05 '12 at 16:42

2 Answers

90

Websense? Websense is in the business of classifying URLs and looking for "naughty" things on the Internet. Their products usually show up in corporate environments.

I'd bet that you accessed your secret page of HTTP from a company that has Websense installed and they automatically added the page to their (presumably gargantuan) list of pages to troll checking for porn, warez, forums, etc.

As for the varying header, I'm guessing their robot has all manner of possible banners to choose from and intentionally changes them up to mask itself from analysis and pretend it's not a bot. In fact, a quick Google search of FunWebProducts websense all but confirms the theory.

Jeff Ferland
  • 7
    +1 because I like the use of the word gargantuan :-) And because it's the most likely reason why this happens. – aseq Apr 05 '12 at 00:33
  • 1
    `s/troll/trawl` :-) – Matty Apr 05 '12 at 03:17
  • 3
    @Matty Good point... trolling is baiting for something, trawling is dragging for it... – Jeff Ferland Apr 05 '12 at 03:27
  • 2
    @Matty Troll as a verb also has the meaning: search, look, prowl. Derived from the fishing technique. – Plutor Apr 05 '12 at 12:10
  • Thanks... That's probably it. I guess only one remaining question is why this ONE page in particular, and why isn't it crawling? – Bill VB Apr 05 '12 at 13:03
  • 1
    And this page is already the second Google result for "FunWebProducts websense" – Ben Brocka Apr 05 '12 at 13:31
  • @B.VB., Maybe you accessed this link directly? And it was your first hit to the website? – user606723 Apr 05 '12 at 14:59
  • No, definitely not. I checked that possibility first thing. The IP didn't make sense, nor did the headers (I never use IE, and don't have any of those silly plugins installed, and I know for a fact I didn't visit the page at those times). – Bill VB Apr 05 '12 at 15:08
18

The IP address range belongs to Websense. You may have one of their products running.

```
$ whois 208.80.194.0
[Querying whois.arin.net]
[whois.arin.net]

NetRange:       208.80.192.0 - 208.80.199.255
CIDR:           208.80.192.0/21
OriginAS:       AS13448
NetName:        WEBSENSE-NET2
NetHandle:      NET-208-80-192-0-1
Parent:         NET-208-0-0-0-0
NetType:        Direct Assignment
RegDate:        2007-07-25
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-208-80-192-0-1
```
Peter Mortensen
Raffael Luthiger
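A log check built on the two answers above, as an added example that is not part of the original thread: it pulls referer-less hits from the 208.80.192.0/21 range shown in the whois output and lists the outside clients that fetched the same page earlier, which is how the first answer suggests the URL reached Websense. The combined log format, the `/visitors.php` path and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# CIDR taken from the whois output quoted in the answer above.
WEBSENSE_NET = ipaddress.ip_network("208.80.192.0/21")

# Assumption: hits are logged in Apache/nginx "combined" format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')

# Constructed sample data; /visitors.php is a made-up name for the hidden page.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Apr/2012:09:12:40 +0000] "GET /visitors.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
208.80.194.27 - - [04/Apr/2012:15:03:17 +0000] "GET /visitors.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts)"
203.0.113.50 - - [04/Apr/2012:16:00:00 +0000] "GET /about.php HTTP/1.1" 200 900 "http://example.com/" "Mozilla/5.0"
208.80.194.113 - - [11/Apr/2012:15:41:02 +0000] "GET /visitors.php HTTP/1.1" 200 2048 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
not a log line
"""

def parse(log_text):
    """Yield (ip, time, path, referer) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield ip, ts, m["path"], m["referer"]

def scanner_hits(log_text, net=WEBSENSE_NET):
    """Referer-less requests from inside `net`, as (ip, time, path) tuples."""
    return [(str(ip), ts, path) for ip, ts, path, ref in parse(log_text)
            if ip in net and ref in ("", "-")]

def exposure_candidates(log_text, net=WEBSENSE_NET):
    """Map each scanned path to the outside clients that fetched it before the
    first scanner hit, i.e. visits that may have passed through a filter."""
    rows = list(parse(log_text))
    first = {}
    for _, ts, path in scanner_hits(log_text, net):
        first[path] = min(ts, first.get(path, ts))
    return {path: sorted({str(ip) for ip, ts, p, _ in rows
                          if p == path and ip not in net and ts < t0})
            for path, t0 in first.items()}
```

Matching on the whole /21 rather than the /24 seen so far catches hits if the source address moves elsewhere in the same allocation.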