Web site logs



xoltaric
11-20-2003, 02:41 PM
Hi. I'm trying to see what a specific user did on my site. Going through the logs I was able to figure out his IP.

Doing a search of my logs for his IP I discovered more entries a few days later. What confused me was that according to the logs, he hadn't downloaded any HTML pages on the second day, just images. I looked at the log entry directly above these new items and found the expected HTML (well, in this case CFM) page, only according to the logs, a different IP requested it. This single line was the only record of this IP at my site... the CFID and CFtoken verified that the requests came from the same computer... so why the two IPs?

A reverse lookup of the IPs discovered that the IP used most often was in a block belonging to a corporate ISP, while the IP used only once was in a block owned by the company this guy works for.

USALUG
11-21-2003, 04:28 PM
I'm pretty sure they are probably just hotlinking to your images now... so you will see requests for the images only now... and no more HTML requests for pages.

If you're running Apache, use a directive to block this.

xoltaric
11-24-2003, 10:36 AM
> I'm pretty sure they are probably just hotlinking to your images now... so you will see requests for the images only now... and no more HTML requests for pages.

Thanks for the reply..

I don't think this is the case here because the appropriate HTML file was there as well, just under a different IP. Session tokens were the same for both IPs suggesting it was the same person. Everything that should have been was there.. only the CFM file was requested by a different IP.

USALUG
11-24-2003, 12:31 PM
Perhaps that person was on a dialup service, and had the page stored in the browser, and the session hadn't expired? Wouldn't that create a different IP address using the same session information?

Not sure, but that's my second guess :)

xoltaric
11-24-2003, 12:51 PM
> Perhaps that person was on a dialup service, and had the page stored in the browser, and the session hadn't expired? Wouldn't that create a different IP address using the same session information?
>
> Not sure, but that's my second guess :)

Yes that would make sense... but wouldn't the images have been requested by the same IP as the CFM page was? The images all returned 304 so maybe not...

We don't have any log experts here?
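
Added example, not part of the original thread: one way to run the correlation discussed above, grouping log entries by the CFID/CFTOKEN pair and listing every client IP that presented it, with the paths and status codes each IP requested. The log layout (common log format with the Cookie header appended as a last quoted field) and all sample lines and addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread). Assumed layout: common log
# format with the Cookie header logged as a final quoted field.
SAMPLE_LOG = '''\
198.51.100.7 - - [18/Nov/2003:09:14:02 -0500] "GET /products.cfm HTTP/1.1" 200 8120 "CFID=1201; CFTOKEN=55512345"
192.0.2.10 - - [18/Nov/2003:09:14:03 -0500] "GET /img/logo.gif HTTP/1.1" 304 0 "CFID=1201; CFTOKEN=55512345"
192.0.2.10 - - [18/Nov/2003:09:14:03 -0500] "GET /img/nav.gif HTTP/1.1" 304 0 "CFID=1201; CFTOKEN=55512345"
203.0.113.44 - - [18/Nov/2003:09:20:41 -0500] "GET /index.cfm HTTP/1.1" 200 5011 "CFID=1377; CFTOKEN=80977120"
203.0.113.44 - - [18/Nov/2003:09:20:42 -0500] "GET /img/logo.gif HTTP/1.1" 200 2210 "CFID=1377; CFTOKEN=80977120"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)
CFID_RE = re.compile(r'\bCFID=(\d+)', re.I)
CFTOKEN_RE = re.compile(r'\bCFTOKEN=(\d+)', re.I)

def sessions_by_ip(log_text):
    """Map (CFID, CFTOKEN) -> {ip: [(time, path, status), ...]}."""
    sessions = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        cfid = CFID_RE.search(m['cookie'])
        cftoken = CFTOKEN_RE.search(m['cookie'])
        if not (cfid and cftoken):
            continue  # no session token logged for this request
        sessions[(cfid.group(1), cftoken.group(1))][m['ip']].append(
            (m['time'], m['path'], int(m['status'])))
    return sessions

def multi_ip_sessions(log_text):
    """Keep only the sessions whose token pair was presented by more than one IP."""
    return {key: dict(ips) for key, ips in sessions_by_ip(log_text).items() if len(ips) > 1}

if __name__ == "__main__":
    for (cfid, cftoken), ips in multi_ip_sessions(SAMPLE_LOG).items():
        print(f"CFID={cfid} CFTOKEN={cftoken} seen from {len(ips)} IPs")
        for ip, hits in ips.items():
            print("  ", ip, [(path, status) for _, path, status in hits])
```

Sorting each session's hits by timestamp then shows whether the page request and the image requests alternate between addresses within seconds or are separated by a gap.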