I’m currently running FreeFixer.com on a shared Dreamhost server. Dreamhost has a monitoring service that keeps an eye on the total resource usage for each user account. If some user consumes to much resources on the server, the monitoring service starts killing off processes for that user and an email report is sent. This is great since it saves me much of the performance problems caused by other users on the same server.
Some time ago, the resource usage for freefixer.com started hitting the limit but I didn’t notice any additional traffic when I examined the Google Analytics report. This led me to investigate Apache’s access.log file. Here are two example entries from the log:
220.127.116.11 - - [25/Jun/2019:02:37:05 -0700] "GET /library/file/UninstallTP.exe-
154295/ HTTP/1.1" 200 17986 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot. htm)"
18.104.22.168 - - [25/Jun/2019:02:37:10 -0700] "GET /b/tag/fake-flash-software/ HTTP/1.1" 200 18719 "-" "Barkrowler/0.9 (+http://www.exensa.com/crawl)
The first entry (22.214.171.124) claims to be the bingbot and the second (126.96.36.199) is a crawler called Barkrowler (exensa.com).
When examining the access.log a bunch of questions are raised:
- Let’s say the crawler claims to be BingBot or GoogleBot, but is it the real one coming from one of Google’s or Microsoft’s data centers, or is it a bot that falsely set its user agent to GoogleBot or BingBot?
- What about all the other bots out there? Their crawling uses quite a lot of resources, but do they bring any value or users to your web site.
- What about all the other high usage IP-numbers that claims to be ordinary users? Are their claims correct, or are they just bots in disguise?
I’ll simply post each IP number that I investigate below and you can check out the details by clicking on it. You can find the list down below.
How To Determine If a Bot is Fake
Let’s say you see an entry in the log coming from 188.8.131.52 and it claims to be bingbot. How can we determine that the traffic is from a real bingbot? We can do this using the following two steps:
1) First we do a reverse DNS lookup using the IP from the log.
$ host 184.108.40.206 252.39.55.157.in-addr.arpa domain name pointer msnbot-157-55-39-252.search.
The DNS responds with [msnbot-157-55-39-252.search.
2) Then we do a forward DNS lookup on the hostname we got from the reverse lookup.
$ dig +short msnbot-157-55-39-252.search.
So, to summarise: 220.127.116.11 points to [msnbot-157-55-39-252.search.
Another way to check if an IP belongs to bingbot, if you don’t have the host and dig command line tools available, is to use Bing’s Verify Bingbot Tool. You simply type in the IP address, in this case 18.104.22.168, and solve the captcha.
I’m not aware of web verification tools for the other search engines such as Google or Yandex. If you know about such a tool, please let me know.
- 22.214.171.124 – Code injection
- 126.96.36.199 – Downloads .RSS feeds. Claims to be Bingbot.
- 188.8.131.52 – GoogleBot
- 184.108.40.206 – YandexBot
- 220.127.116.11 – ? Downloads RSS feeds.
- 18.104.22.168 – Code Injection
- 22.214.171.124 – Code Injection
- 126.96.36.199 – Code Injection
- 188.8.131.52 – Code Injection
- 184.108.40.206 – Code Injection
- 220.127.116.11 – Code Injection
- 18.104.22.168 – Code Injection
- 22.214.171.124 – Code Injection
- 126.96.36.199 – Hacking. Scanning for Crypto Wallets, etc.
- 188.8.131.52 – Megaindex.ru
- 184.108.40.206 – Code injection
- 220.127.116.11 – Bingbot