Weird access log hits - GoDaddy security breach?


mechtheist

9:50 pm on Oct 18, 2018 (gmt 0)

5+ Year Member



[This is way into TLDR territory, I’m hoping some might find it interesting enough to check out. Thanks in advance for any info anyone can give.]

I use an apache web server on my home PC to serve files I link to on other web sites, in forums or emails etc so I can keep track of if and when they are accessed. Back in May, I got some weird hits looking like the following, I hope the obfuscations are clear enough.

64.202.160.iii - - [15/May/2018:14:59:18 -0500] "GET /dox/graphic.png HTTP/1.1" 200 36346 "ftp://xxx.xxx.xxx.xxx[my godaddy-hosted website IP]/my-godaddy-hosted-website.org/web-page-file.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0"


There were 14 separate hits from links on 4 different pages, none of the 4 pages’ links could be known in any other way than through private email or having access to the files themselves on godaddy’s server. No attempt at robots.txt, no usual attempt at hitting the index.html file directly or a straight hit to web site url only [no 'my-godaddy-hosted-website.org/index.html' or only 'my-godaddy-hosted-website.org']. They had to have accessed the pages beforehand or been given copies of them or the links. Godaddy support said the source IP 64.202.160.iii is a godaddy IP, their own, not a customer hosted web site. I've had no other hits from 64.202.160.iii, and only recently, on the 4th and 13th of this month, I had hits from 64.202.160.jjj, nothing else for 64.202.160.xxx or 64.202.xxx.xxx. [More on these hits later, this is new weirdness.]

My questions:
Should godaddy be mucking about in my files? Is it not possible to have web pages restricted to only those you give the links to? Whoever accessed the files knew they were there and had the exact links to get to them. Can you expect privacy from hosting companies like godaddy?

I'm also really confused by how they used ftp in this way to get to the various files on my server at home? I’m far from an expert on these matters, I just can’t see how to use an ftp client in this way. It seems like it's accessing the pages on the godaddy web site but using links on those pages to access the linked files on my home server? How to make that leap is beyond me.

This sure seems like some kind of security breach to me. Someone at godaddy rummaged about in my file space on godaddy’s server to get the info needed to do this. I called support at godaddy and what they said was vague and didn't really make sense to me. I tried leaving a question on their Facebook and got a reply saying to call support. I don't see an email for support. I'm thinking they don't want a documented trail but maybe I'm paranoid.

The new weirdness now is the 64.202.160.jjj hits, with UA some scrapy.org thing. Scrapy.org is a software package for scraping, you can use the software or they can host your scraping. [Their IPs are 143.204.29.xx which are on Amazon.com ISPs] The source IP is also a godaddy IP, don’t know if it’s supposed to be one of theirs or a hosted something or other. Here are the reverse IPs, I’m not knowledgeable enough to glean much from this info.

64.202.160.iii Hostname tr304-nn.mgmt.phx2.secureserver.net
64.202.160.jjj Hostname ip-64-202-160-jjj.secureserver.net

Both have ISP and Organization GoDaddy.com, LLC, both same type>hosting, same everything but iii is out of Tempe AZ and jjj Scottsdale, at least as reported on an IP lookup site.

Below is the log data for all the hits, it’s kinda weird they go after 9 specific PDF files that are linked to on the web site’s index file, same web site as above. They go after the same 9 files, 9 days apart and all fail even though these files exist, I don’t know why they’re getting ‘400’ errors. There are about 40 PDFs in total linked to on the web page.

If anyone has any idea at all about what might be going on here, I’d really appreciate hearing their ideas. And is the ftp thing really obvious and I’m an idiot for not understanding or is that another web space oddity [don’t forget to take your protein pills and put your helmet on]?

64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /robots.txt HTTP/1.1" 404 208 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /dox/Doc1.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /robots.txt HTTP/1.1" 404 208 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /robots.txt HTTP/1.1" 404 208 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /robots.txt HTTP/1.1" 404 208 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /dox/Doc2.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /dox/Doc3.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /robots.txt HTTP/1.1" 404 208 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /dox/Doc4.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /dox/Doc5.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /dox/Doc6.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /robots.txt HTTP/1.1" 404 208 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /dox/doc7.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /dox/doc8.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /robots.txt HTTP/1.1" 404 208 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:42 -0500] "GET /dox/doc9.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"


64.202.160.jjj - - [13/Oct/2018:02:07:29 -0500] "GET /robots.txt HTTP/1.1" 404 208 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [13/Oct/2018:02:07:29 -0500] "GET /robots.txt HTTP/1.1" 404 208 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [13/Oct/2018:02:07:29 -0500] "GET /robots.txt HTTP/1.1" 404 208 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [13/Oct/2018:02:07:29 -0500] "GET /dox/doc4.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [13/Oct/2018:02:07:29 -0500] "GET /dox/Doc2.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [13/Oct/2018:02:07:29 -0500] "GET /dox/doc8.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [13/Oct/2018:02:07:29 -0500] "GET /robots.txt HTTP/1.1" 404 208 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [13/Oct/2018:02:07:29 -0500] "GET /dox/Doc5.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [13/Oct/2018:02:07:29 -0500] "GET /dox/Doc6.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [13/Oct/2018:02:07:29 -0500] "GET /dox/Doc1.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [13/Oct/2018:02:07:30 -0500] "GET /dox/doc9.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [13/Oct/2018:02:07:30 -0500] "GET /dox/doc7.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [13/Oct/2018:02:07:30 -0500] "GET /dox/Doc3.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"

[edited by: phranque at 12:23 am (utc) on Oct 22, 2018]
[edit reason] anonymize IPs and hostnames [/edit]
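An added example, not part of the thread (my own code, not the poster's or GoDaddy's): a small parser for Apache combined-format lines like the ones above that groups hits per client host and flags the two oddities the post describes, a referer with a non-http scheme and a crawler user agent whose requests all fail. The sample lines are constructed to mirror the post, with the same anonymized IPs and a documentation-range placeholder for the referer host.

```python
import re
from collections import Counter, defaultdict
# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the post (same anonymized IPs; referer host is a placeholder).
SAMPLE_LOG = """\
64.202.160.iii - - [15/May/2018:14:59:18 -0500] "GET /dox/graphic.png HTTP/1.1" 200 36346 "ftp://203.0.113.10/example.org/page.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /robots.txt HTTP/1.1" 404 208 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [04/Oct/2018:20:17:41 -0500] "GET /dox/Doc1.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
64.202.160.jjj - - [13/Oct/2018:02:07:29 -0500] "GET /dox/Doc1.pdf HTTP/1.1" 400 226 "-" "Scrapy/1.5.1 (+https://scrapy.org)"
"""

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Per client host: hit count, status-code counts, user agents seen, referer URL schemes."""
    report = defaultdict(lambda: {"hits": 0, "status": Counter(),
                                  "ua": set(), "referer_schemes": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip lines the regex cannot parse rather than guessing at fields
        r = report[rec["host"]]
        r["hits"] += 1
        r["status"][rec["status"]] += 1
        r["ua"].add(rec["ua"])
        ref = rec["referer"]
        r["referer_schemes"][ref.split("://", 1)[0] if "://" in ref else "-"] += 1
    return dict(report)

def flag(report):
    """Reasons to look closer at a host: non-http(s) referer scheme, or a crawler UA with only 4xx."""
    flagged = {}
    for host, r in report.items():
        reasons = []
        if any(s not in ("http", "https", "-") for s in r["referer_schemes"]):
            reasons.append("non-http referer scheme")
        if any(ua.startswith("Scrapy") for ua in r["ua"]) and all(c.startswith("4") for c in r["status"]):
            reasons.append("crawler UA, all requests 4xx")
        if reasons:
            flagged[host] = reasons
    return flagged
```

Run it over a real access_log by passing the file contents to summarize() and then flag(); a flagged host is a starting point for the questions in the post, not proof of anything on its own.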

not2easy

3:22 am on Oct 22, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Maybe there is a webdisk configured at godaddy to get the image you're sending with emails?

mechtheist

11:10 am on Oct 22, 2018 (gmt 0)

5+ Year Member



Thanks for the reply. I'm afraid I don't really understand it though. I use this method all the time, this is the only time I've seen anything like this. And why did they use this weird ftp mode to access files they could get by a straight http request? I'm at a loss to understand how you use ftp like that. To the best of my knowledge, you shouldn't even be able to ftp into a site's web-site file space unless it's set up like that, is that not true? In other words, if you try to ftp://example.com/index.html, I don't think the web server is supposed to serve that page even though it's the default page to serve up with an http request. You shouldn't even be able to log into the site with ftp. I just tried, this is the response I got:

Status:Connection established, waiting for welcome message...
Status:Initializing TLS...
Status:Verifying certificate...
Status:TLS connection established.
Command:USER anonymous
Response:331 User anonymous OK. Password required
Command:PASS *********************
Response:530 Login authentication failed
Error:Critical error: Could not connect to server


There was no need to go to that effort when the pages could be accessed the normal way since they had the links. It makes no sense. Also, you might want to check out the added comment I'm about to leave.

mechtheist

11:25 am on Oct 22, 2018 (gmt 0)

5+ Year Member



I've since had one more attempt by the scrapy.org software. It tried to get the same 9 files, only a few of the PDFs on that page. And it failed again, all with '400' errors, just like those above^^.

To add to the weirdness, who uses scraping software like this? My understanding is you use scrapers to automatically grab most or all of the files linked to on the pages of a web site, crawling the links etc. This is an attempt to grab 9 specific files, and they're all linked to on the page along with numerous others. There's nothing special about the 9 that I can determine and all the links work, you can click on them and the pdf opens in a new tab.

I think I'm just a magnet for the weird, a strange attractor for the outlier.