Trying to figure out why visits without correct nameservers

Discussion in 'Bind / DNS / Nameserver Issues' started by m8internet, Jan 4, 2012.

  1. m8internet

    m8internet Member

    Joined:
    Jan 2, 2011
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Cumbernauld, Scotland, UK
    A client asked to move their Domain Name to another provider, as they had downloaded all the data from my server
    I completed the transfer
    The customer is retaining the data on my server, as they have paid to 2013
    It will simply be kept in case their current provider has an issue

    I have now suspended the customer's cPanel account (as I do for all unresolved Domain Names)
    I then modified the disc space and bandwidth to near what it was at suspension
    Three weeks have now passed and I started to receive copies of the bandwidth warning

    It would appear some bots are still visiting the server (customer website)
    Why would this be?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,456
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    You might check to make sure the domain was updated to the new server. If the account is suspended there is no way for it to be accessed.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,738
    Likes Received:
    661
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    What's the actual bandwidth usage and limit for the account? Have you accessed the Bandwidth icon in the account's cPanel to get an idea of where the usage is coming from?

    Feel free to submit a ticket if you would like for us to check further:

    Submit A Ticket

    Thank you.
     
  4. m8internet

    The customer updated the nameservers on their Domain Name around the end of October 2011
    The account was then suspended within WHM (from WHMCS) on 12 December 2011

    As the account had been suspended the disc space and bandwidth were reduced manually, rather than the default package settings
    The account has remained on the server as the customer has paid for it until 2013


    03 January 23:30
    80% of their bandwidth limit (8.07/10.00 Megs)

    04 January 07:04
    90% of their bandwidth limit (9.09/10.00 Megs)

    04 January 15:20
    99% of their bandwidth limit (9.93/10.00 Megs)

    04 January 17:08
    reached their bandwidth limit (10.16/10.00 Megs)

    The final one resulted in the dual suspension notice (also exceeding bandwidth)
     
  5. m8internet

    Posted the bandwidth and limit above
    from the Server Logs the visits are coming from something called :
    /http://www.baidu.com/search/spider.html
    roughly every 10 minutes

    AWStats returns :
    Jan 2012 :

    Month Unique visitors Number of visits Pages Hits Bandwidth
    Jan 2012 0 0 0 0 0

    Summary
    Reported period: Month Jan 2012
    First visit: NA
    Last visit: NA
    Viewed traffic *: Unique visitors 0; Number of visits 0 (0 visits/visitor); Pages 0 (0 Pages/Visit); Hits 0 (0 Hits/Visit); Bandwidth 0 (0 KB/Visit)
    Not viewed traffic *: Pages 1,596; Hits 1,599; Bandwidth 8.85 MB

    I suspect this spider is using the temporary IP address, rather than the Domain Name
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Did the account have a dedicated IP?
     
  7. m8internet

    I suspect it does, as the visits have only been using the IP address, rather than the Domain Name
     
  8. cPanelTristan

    You could always remove the IP from the server until you need to use it again or block port 80 on the firewall for that IP.
     
  9. m8internet

    Not sure which IP address you are referring to

    A
    The customers need the temporary IP address, to upload their files, until the nameservers propagate
    So can't delete the IP address

    or
    B
    I viewed the IP addresses from within the Last Visitors and I tried the deny IP address within WHM but it made no difference
     
  10. cPanelTristan

    You said you believe the account had a dedicated IP:

    If it had a dedicated IP, that IP could be removed or blocked for port 80. It's pretty easy to determine if the IP were dedicated or not after all. So, is it actually a dedicated IP that it had or not?
     
  11. m8internet

    As above, I want to ensure whether you mean the account or the visitor?

    A is the server and is a dedicated IP address / temporary IP address, from the customer account and Domain Name

    B is the visitor and is an IP range, found through the Last Visitors which was then applied to the Deny IP

    As above, these visits are from an IP range and applying the Deny IP had made no difference
     
  12. cPanelTristan

    It doesn't matter where the IP is coming from that is visiting the server. It matters how they are reaching the server. If the old account had a dedicated IP, then you should be able to remove that account's dedicated IP from the machine or block that IP on port 80. The only time asking about a dedicated IP matters is when it is a server you control. The visitor's IP address doesn't play into this.

    What is the exact url they are using to access the site? If it is the IP of the old account and that IP is a dedicated IP that was assigned to that account originally, you can either remove the IP or block port 80 traffic for it.
     
  13. m8internet

    I only have three IP addresses, and can only use one for the temporary IP address
    Deleting it means the customer can no longer view their website
     
  14. cPanelTristan

    So they aren't accessing the site that was on a dedicated IP at all but using http://sharedIP#/~username or what precisely? When asking what url they are using, what is the url they are using to access the site? Otherwise, if we cannot know what these visitors are using, it becomes incredibly difficult to understand how to prevent it.
     
  15. m8internet

    Yes, in that format
    I have three IP addresses that can be applied

    As above

    See post #5 above
    It appears to be a bot / spider
    This visits two different pages, every 10 minutes
    These pages form part of a (now suspended) gallery with over 500 pages / images

    It should have picked up the Domain Name a long, long time ago (early 2011)
    As per post #11, I noted the IP addresses of these visits from the Last Visitors, but adding the range to Deny IP has made no difference
     
    #15 m8internet, Jan 10, 2012
    Last edited: Jan 10, 2012
  16. cPanelTristan

    Are you using mod_security? If so, you could block the requests they are making for that username and gallery folder in mod_security by creating a rule.

    More importantly, can you please try opening up a ticket so we can see how they are accessing a suspended site using the temporary url? A ticket can be opened in WHM > Support Center > Contact cPanel or using the link in my signature.
     
  17. m8internet

    I am unable to open a Support Ticket
    The link to
    How do I find my support access ID?
    does not respond in IE9
     
    #17 m8internet, Jan 11, 2012
    Last edited: Jan 11, 2012
  18. m8internet

    The issue has finally been traced to Hotlinking and applying this appears to have corrected the issue
    No visits within the last hour
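
Added example, not part of any post in this thread: the question asked repeatedly above (which URL the crawler is requesting, and how often) can be answered from the Apache access log. The code assumes the combined log format; the log lines, the `exampleuser` account name, the page names and the `ExampleBrowser/1.0` agent are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) (\d+|-) "[^"]*" "([^"]*)"')
TEMP_URL_RE = re.compile(r"^/~([^/]+)/")  # temporary URL form: /~username/...

BAIDU = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
# Constructed sample: a crawler alternating between two gallery pages every 10 minutes
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [04/Jan/2012:15:00:02 +0000] "GET /~exampleuser/gallery/p12.html HTTP/1.1" 200 5120 "-" "{BAIDU}"',
    f'192.0.2.11 - - [04/Jan/2012:15:10:02 +0000] "GET /~exampleuser/gallery/p13.html HTTP/1.1" 200 5120 "-" "{BAIDU}"',
    f'192.0.2.10 - - [04/Jan/2012:15:20:02 +0000] "GET /~exampleuser/gallery/p12.html HTTP/1.1" 200 5120 "-" "{BAIDU}"',
    f'192.0.2.12 - - [04/Jan/2012:15:30:02 +0000] "GET /~exampleuser/gallery/p13.html HTTP/1.1" 200 5120 "-" "{BAIDU}"',
    '198.51.100.7 - - [04/Jan/2012:15:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "ExampleBrowser/1.0"',
])

def summarize(log_text):
    """Group hits by (user agent, account named in a /~username/ path or None)."""
    groups = defaultdict(lambda: {"hits": 0, "bytes": 0, "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        _ip, ts, path, _status, size, agent = m.groups()
        tmp = TEMP_URL_RE.match(path)
        g = groups[(agent, tmp.group(1) if tmp else None)]
        g["hits"] += 1
        g["bytes"] += 0 if size == "-" else int(size)
        g["times"].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    report = {}
    for key, g in groups.items():
        times = sorted(g["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {"hits": g["hits"], "bytes": g["bytes"],
                       "median_gap_s": median(gaps) if gaps else None}
    return report

if __name__ == "__main__":
    for (agent, account), stats in summarize(SAMPLE_LOG).items():
        print(account or "(no /~user/ path)", agent[:40], stats)
```

A group whose key carries an account name is traffic arriving through the server IP's `/~username/` path, which a nameserver change on the domain does not affect; grouping by agent rather than by client IP keeps a crawler that rotates addresses in one row.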
     