Wow. I knew there were some heavy hitters involved in the mysterious web traffic I’ve been seeing, but I had no idea of the scope of the web visitors. Check out this list:
Now, are all of these networks home of compromised hosts? No. But each has visited a rather dull post on my blog dating from years back, with no rational explanation for doing so. Each has also opted to cloak its identity as simply:
“Mozilla/4.0 (compatible;)”
I can think of a few possibilities:
- Each site is using a common proxy or network security application that insists on visiting an obscure web post for reasons unknown.
- Each site is home to compromised hosts on a botnet being controlled from elsewhere: a botnet which also visits this page for some reason.
- Each site is part of some larger, unknown government indexing system that for some reason insists on reindexing the same obscure blog post.
- Space aliens. Every mystery should have some space aliens.
More investigation is required, alas.
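One way to carry that investigation forward from the server logs, as an added example that is not part of the original post: it assumes the Apache/nginx "combined" log format, matches the stub User-Agent exactly, and reports which paths were fetched with it from several unrelated networks. The function names, the `min_orgs` threshold and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# User-Agent string quoted in the post; compared exactly, not as a substring.
STUB_UA = "Mozilla/4.0 (compatible;)"

# "combined" access-log format (an assumption; adjust to your server's format).
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def org_of(client):
    """Crude grouping key: last two DNS labels, or the raw IP if unresolved."""
    if re.fullmatch(r"[0-9.]+", client) or ":" in client:
        return client
    return ".".join(client.lower().split(".")[-2:])

def stub_ua_hits(lines, ua=STUB_UA):
    """Map each requested path to the set of client orgs that sent `ua`."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["ua"] == ua:
            hits[m["path"]].add(org_of(m["client"]))
    return dict(hits)

def suspicious_paths(lines, min_orgs=3):
    """Paths fetched with the stub UA from at least `min_orgs` distinct orgs."""
    hits = stub_ua_hits(lines)
    return {p: sorted(o) for p, o in hits.items() if len(o) >= min_orgs}

# Constructed sample log lines (example.* names and a documentation IP only).
_REQ = '- - [10/Oct/2008:13:55:36 -0700] "GET {} HTTP/1.0" 200 5120 "-" "{}"'
SAMPLE = [
    "proxy1.example.com " + _REQ.format("/2005/03/old-post/", STUB_UA),
    "gw.example.net " + _REQ.format("/2005/03/old-post/", STUB_UA),
    "gw2.example.net " + _REQ.format("/2005/03/old-post/", STUB_UA),
    "cache.example.org " + _REQ.format("/2005/03/old-post/", STUB_UA),
    "192.0.2.15 " + _REQ.format("/about/", STUB_UA),
    "pc.example.edu " + _REQ.format("/2005/03/old-post/", "Mozilla/4.0 (compatible; MSIE 7.0)"),
]

if __name__ == "__main__":
    print(suspicious_paths(SAMPLE))
```

Grouping by the last two DNS labels undercounts nothing but can merge unrelated hosts under suffixes such as `co.uk`; a public-suffix list would tighten that.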
I think that the traffic is coming from multiple users that sit behind a common proxy gateway. That would explain the simultaneous connections and random URLs. Just a thought.
Yes, that is what one would be led to believe if one saw a few of these come in. However, I’ve seen many obscure hits from different sources: things that no human would want to read. Therefore I don’t think this is users behind a proxy.