VeeMacBee

Registered
Nov 10, 2010
2
0
51
Toronto
I have used cPanel for about the last six months. I recently found something strange in my "recent visitors" log which I will paste to see if someone can answer this for me. I actually know who is doing this... But at any rate the previous site was rife with XML documents and this person generates lots of paper XML documents. I can only assume that he was trying to parse XML documents rather than simply print what was posted on the site, guess he didn't know that the site does not now use XML documents! There are only 2 IPs doing this, one his home IP and the other his office IP - I know from the user agent string which computer at the site is doing it. So let me show you what I found. His excuse was that he was trying to access his email, but none of the 15 or 20 other users produce this when accessing their emails. The only way that I could duplicate it was to actually type it into a browser. Here it is:


/webmail (here he is accessing his webmail)

Http Code: 301 Date: Oct 28 09:59:33 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -

Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0E; AskTbGLSV5/5.8.0.12304)

But then

/cPanel_magic_revision_1266572215/unprotected/cpanel/favicon.ico

Http Code: 404 Date: Oct 28 09:59:35 Http Version: HTTP/1.1 Size in Bytes: 938
Referer: -

Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Here we see him with WinHttpRequest.5 which I'm pretty sure can be used as a scraper, and I think that it can be used as a server to server request thing for XML, not really overly familiar with it.

Next he tries it from home, first looking at the portal page of the site, then later trying this thing again. Once again with WinHttpRequest.5 running.


/wpimages/wpea1249c9.jpg

Http Code: 200 Date: Nov 01 17:12:04 Http Version: HTTP/1.1 Size in Bytes: 1023512
Referer: i took this out

Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.6; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Media Center PC 4.0; .NET CLR 3.0.04506.30; InfoPath.2; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; AskTB5.6)

/cPanel_magic_revision_1266572215/unprotected/cpanel/favicon.ico

Http Code: 404 Date: Nov 02 00:36:41 Http Version: HTTP/1.1 Size in Bytes: 938
Referer: -

Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)


Finally I am no longer amused and deny his IP. I have also noticed that when he tries the "/cPanel_magic_revision..." thing, the referer line is blank, leading me to believe that the "/cPanel_magic_revision..." has been typed into a browser.


Host: 65.95.114.213
/cPanel_magic_revision_1266572215/unprotected/cpanel/favicon.ico

Http Code: 403 Date: Nov 06 17:38:43 Http Version: HTTP/1.1 Size in Bytes: 937
Referer: -

Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)


I would greatly appreciate any insight anyone can offer on this!

Thanks!
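As an added example (not code from the original thread), here is a small parser for the "recent visitors" listing format pasted above plus a check that flags the two signals discussed: a WinHttp.WinHttpRequest user agent and a direct request for a cPanel-internal path with no referer. The log sample and the 192.0.2.10 address are constructed; the agent check is a signal rather than proof, since legitimate Windows components also issue requests through WinHTTP.

```python
import re

# Constructed sample in the shape of cPanel's "recent visitors" listing (user agents shortened).
SAMPLE_LOG = """\
/webmail

Http Code: 301 Date: Oct 28 09:59:33 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -

Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)

Host: 192.0.2.10
/cPanel_magic_revision_1266572215/unprotected/cpanel/favicon.ico

Http Code: 404 Date: Oct 28 09:59:35 Http Version: HTTP/1.1 Size in Bytes: 938
Referer: -

Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
"""
STATUS_RE = re.compile(r"Http Code: (\d+) Date: (.+?) Http Version: \S+ Size in Bytes: \S+")

def parse_visitors(text):
    # One field per line; a path line opens a record, an optional "Host:" line precedes it.
    records, host, cur = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Host:"):
            host = line.split(":", 1)[1].strip()
        elif line.startswith("/"):
            cur = {"path": line, "host": host, "status": None, "date": None,
                   "referer": None, "agent": None}
            records.append(cur)
            host = None
        elif cur is None:
            continue  # field line before any path: nothing to attach it to
        elif m := STATUS_RE.match(line):
            cur["status"], cur["date"] = int(m.group(1)), m.group(2)
        elif line.startswith(("Referer:", "Agent:")):
            key, value = line.split(":", 1)
            cur[key.lower()] = value.strip()
    return records

def suspicious(rec):
    # Reasons a record looks like a script rather than a person browsing.
    reasons = []
    if "WinHttp.WinHttpRequest" in (rec["agent"] or ""):
        # Default User-Agent of Microsoft's WinHTTP COM object (script/Office automation); browsers never send it.
        reasons.append("WinHTTP COM client user agent")
    if "cPanel_magic_revision" in rec["path"] and rec["referer"] in ("-", None):
        reasons.append("direct request for a cPanel-internal asset with no referer")
    return reasons
```

Paste the full listing from cPanel in place of SAMPLE_LOG and loop over `parse_visitors(...)`, printing `suspicious(rec)` for each record to see which hits carry both signals.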
 

VeeMacBee
It looks like he is trying to access the cPanel (which he does not have a password for) while running WinHttpRequest.5 which can be used as a web scraper (?) or to place or remove XML from one server to another (?). I'm not sure which is why I asked. Don't care if I'm wrong, but I can't figure it out since I only see it from the one user (who tantrums a lot).
 