How does he do it?

interesting log entries

         

drd06

12:45 am on Jul 10, 2006 (gmt 0)

10+ Year Member



Here are some entries from my log (lines truncated for brevity and clarity), two users loading my home page and demo. Nothing unusual about user #1, but note that user #2 gets each individual piece of the page from a different IP. How did he do that? It's like each request is from a dynamically generated IP. Pretty cool, but of course seeing tricksters like that in my log makes me nervous. Would like to have that capability though.

USER #1
-------------
**.**.251.60 - - [09/Jul/2006:04:58:35 -0700] "GET /style.css HTTP/1.1" 200 2245 "
**.**.251.60 - - [09/Jul/2006:04:58:36 -0700] "GET /twatch/jslogger.php?ref=http%
**.**.251.60 - - [09/Jul/2006:04:58:37 -0700] "GET /images/strippoker3.gif HTTP/1
**.**.251.60 - - [09/Jul/2006:04:58:35 -0700] "GET /images/small_logo.gif HTTP/1.
**.**.251.60 - - [09/Jul/2006:04:58:35 -0700] "GET /images/line.gif HTTP/1.1" 200
**.**.251.60 - - [09/Jul/2006:04:58:36 -0700] "GET /images/screen_captures.gif H
**.**.251.60 - - [09/Jul/2006:04:58:36 -0700] "GET /images/x-click-but23.gif HTTP
**.**.251.60 - - [09/Jul/2006:04:58:38 -0700] "GET /images/bullet.gif HTTP/1.1" 2
**.**.251.60 - - [09/Jul/2006:04:58:45 -0700] "GET /demo.html HTTP/1.1" 200 2
**.**.251.60 - - [09/Jul/2006:04:58:47 -0700] "GET /yosp.js HTTP/1.1" 200 43 "h
**.**.251.60 - - [09/Jul/2006:04:58:47 -0700] "GET /twatch/jslogger.php?ref=http
**.**.251.60 - - [09/Jul/2006:04:58:46 -0700] "GET /images/yosp2.gif HTTP/1.1
**.**.251.60 - - [09/Jul/2006:04:58:46 -0700] "GET /images/bullet2.gif HTTP/1.

USER #2
-------------
***.**.21.69 - - [09/Jul/2006:06:17:58 -0700] "GET / HTTP/1.1" 200 2401 "http:/
***.**.21.10 - - [09/Jul/2006:06:17:59 -0700] "GET /style.css HTTP/1.1" 200
***.**.21.138 - - [09/Jul/2006:06:18:02 -0700] "GET /twatch/jslogger.php?ref=
***.**.21.65 - - [09/Jul/2006:06:18:03 -0700] "GET /images/small_logo.gif H
***.**.21.34 - - [09/Jul/2006:06:18:03 -0700] "GET /images/screen_captures.g
***.**.21.97 - - [09/Jul/2006:06:18:01 -0700] "GET /images/line.gif HTTP/1.1" 2
***.**.21.36 - - [09/Jul/2006:06:18:03 -0700] "GET /images/strippoker3.gif HTT
***.**.21.38 - - [09/Jul/2006:06:18:01 -0700] "GET /images/x-click-but23.gif HT
***.**.21.5 - - [09/Jul/2006:06:18:04 -0700] "GET /images/bullet.gif HTTP/1.1"
***.**.21.72 - - [09/Jul/2006:06:18:37 -0700] "GET /demo.html HTTP/1.1" 200
***.**.21.138 - - [09/Jul/2006:06:18:40 -0700] "GET /yosp.js HTTP/1.1" 200 43
***.**.21.138 - - [09/Jul/2006:06:18:38 -0700] "GET /twatch/jslogger.php?ref=h
***.**.21.38 - - [09/Jul/2006:06:18:41 -0700] "GET /images/yosp2.gif HTTP/1.1
***.**.21.74 - - [09/Jul/2006:06:18:42 -0700] "GET /images/bullet2.gif HTTP/1.

[edited by: tedster at 5:05 pm (utc) on Aug. 6, 2006]
[edit reason] make ip addresses anonymous [/edit]

kaled

12:52 am on Jul 10, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't believe this is a hacker - I've seen the same thing in my logs. I think it must be an ISP thing.

Kaled.

Staffa

1:02 am on Jul 10, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Your USER #2 is visiting your site via A O L, it's typical behaviour from them.

tedster

5:07 pm on Aug 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Staffa has it nailed. It is a frustrating thing for log analysis with AOL (and other ISPs who assign many IP addresses dynamically to the same visitor) but it's what we have to deal with. There's nothing sneaky here, just AOL's standard behavior.

FourDegreez

5:56 pm on Aug 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



But for AOL the IP should be consistent so long as the user doesn't log on and off repeatedly, no?

encyclo

10:44 pm on Aug 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



But for AOL the IP should be consistent so long as the user doesn't log on and off repeatedly, no?

Not for AOL - a user can request ten files on your site at the same instant (i.e. ten images on the same page) and the requests can come from ten different IP addresses.

Easy_Coder

3:36 am on Aug 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Agreed with encyclo... I've seen AOL IPs swap out every 25 seconds or less while troubleshooting a session state issue that was attempting to rely on the user's IP address.

waziwazo

2:11 am on Aug 15, 2006 (gmt 0)

10+ Year Member



I have some AOL users that can have up to fifty different IPs in a single browsing session. This is very annoying when you have to extract stats from your web log. Since there are many AOL users, it would not be a good idea to block these people.

AOL proxy server IP ranges (there are maybe more)
64.12.0.0/16 64.12.0.0 – 64.12.255.255
149.174.0.0/16 149.174.0.0 – 149.174.255.255
152.163.0.0/16 152.163.0.0 – 152.163.255.255
195.93.0.0/17 195.93.0.0 – 195.93.127.255
198.81.0.0/19 198.81.0.0 – 198.81.31.255
202.67.64.0/18 202.67.64.0 – 202.67.127.255
205.188.0.0/16 205.188.0.0 – 205.188.255.255
207.200.64.0/18 207.200.64.0 – 207.200.127.255

AOL dynamically-assigned user IP ranges
172.128.0.0/10 172.128.0.0 - 172.216.255.255
172.192.0.0/12
172.208.0.0/13
172.216.0.0/16

A few other ISPs have "multi IP". One of them that I got in my log is from Saudi Arabia.

There are also a few people using dual 56k modems; these users usually have 2 different IPs.
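
The log-analysis and session-state problem discussed in this thread, as an added example that is not from any of the posters: a Python sessionizer that collapses addresses inside the proxy ranges listed above into one visitor key (pool plus user agent) before grouping hits into visits. The 30-minute idle gap, the sample log lines and the user-agent strings are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Proxy ranges exactly as posted in the thread (2006; possibly incomplete).
PROXY_POOLS = [ipaddress.ip_network(c) for c in (
    "64.12.0.0/16", "149.174.0.0/16", "152.163.0.0/16", "195.93.0.0/17",
    "198.81.0.0/19", "202.67.64.0/18", "205.188.0.0/16", "207.200.64.0/18")]
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
GAP = timedelta(minutes=30)  # assumed idle timeout that ends a visit

def visitor_key(ip, agent):
    """Collapse any address inside a known proxy pool to the pool itself."""
    addr = ipaddress.ip_address(ip)
    for pool in PROXY_POOLS:
        if addr in pool:
            return (str(pool), agent)
    return (ip, agent)

def sessionize(lines):
    """Group combined-format log lines into visits keyed by visitor_key()."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip truncated or malformed lines
        ip, ts, path, agent = m.groups()
        hits.append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip, path, agent))
    hits.sort(key=lambda h: h[0])  # proxied requests can be logged out of order
    open_visits, visits = {}, []
    for when, ip, path, agent in hits:
        key = visitor_key(ip, agent)
        visit = open_visits.get(key)
        if visit is None or when - visit["last"] > GAP:
            visit = {"key": key, "ips": set(), "paths": [], "last": when}
            open_visits[key] = visit
            visits.append(visit)
        visit["ips"].add(ip)
        visit["paths"].append(path)
        visit["last"] = when
    return visits

# Constructed sample in Apache combined format (not the poster's real log lines).
SAMPLE = [
    '152.163.100.69 - - [09/Jul/2006:06:17:58 -0700] "GET / HTTP/1.1" 200 2401 "-" "AOL-UA"',
    '152.163.101.10 - - [09/Jul/2006:06:17:59 -0700] "GET /style.css HTTP/1.1" 200 2245 "-" "AOL-UA"',
    '152.163.100.138 - - [09/Jul/2006:06:18:37 -0700] "GET /demo.html HTTP/1.1" 200 2100 "-" "AOL-UA"',
    '203.0.113.7 - - [09/Jul/2006:06:18:01 -0700] "GET / HTTP/1.1" 200 2401 "-" "Other-UA"',
]
```

Two different visitors behind the same pool with the same user agent will be merged by this key, so a session cookie remains the more reliable identifier where one is available.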