Some of my more loyal readers may have noticed that this site has been unreachable a few times in the past week or so. Given the miserable heat of the day here in New England, it seemed like a good day to tackle a nasty, persistent technical problem. And after a bunch of poking around in my logfiles, I discovered that each crash I’d experienced lately was preceded by a bunch (usually 70+ in 4-5 minutes) of requests for very odd-looking URLs:
188.8.131.52 - - [02/Aug/2006:14:48:56 +0000] "GET /blog/?p=561%22%20gping=%22/GLinkPing.aspx?/_1_9SE
POS=2&CM=WPU&CE=2&CS=AWP&SR=2&sample=0 HTTP/1.1" 200 14189 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
These URLs produce pages on my blog, but it’s an awfully convoluted way of loading that page. I’m wondering whether the URL is doing something else as well: copying the source of the page for use for spam farms? Passing the page as an input to another URL (encoded in the “IG=” string perhaps?) Or is this the result of a new search engine spider that’s being insufficiently considerate?
I ran nslookup on the different IPs making these requests. They’re all in Asia, mostly in Malaysia, with one or two in Hong Kong. Many are owned by the same company – some are not – but they all appear to be tech companies. If they’d all been the same company, I’d respond with an email to the firm – with origins from all over, I’m less tempted to do this.
In the meantime, I’ve blocked the offending IPs (thanks to iptables and the lovely folks at Rimu). But before I fix the problem correctly (probably blocking “GLinkPing.aspx” using mod_rewrite), I’d love to know what the heck “GLinkPing” is?
My current theory: it has something to do with Gravee.com, which advertises itself as a new type of search engine, sharing revenue with listed sites. Viewing source on their search results pages gives lots of these “GLinkPing.aspx?” strings – they appear to be triggered when someone clicks a link turned up by their search engine.
Anyone else got a theory on this? Anyone else seeing a lot of these turning up in their search logs? (Yes, obviously, I’m going to write to Gravee and see if they tell me anything… I’ll post any responses I get.)
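For anyone who wants to check their own logs for the same pattern, here is an added example (not code from this post or from Gravee) that scans Apache combined-format lines for decoded URLs containing "GLinkPing.aspx" and reports the client IPs involved in any burst of 70 or more such requests within 5 minutes. The sample log lines and the 192.0.2.x / 198.51.100.x addresses are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import deque
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

TS = "%d/%b/%Y:%H:%M:%S %z"
# Apache combined log format: client IP, [timestamp], "METHOD url PROTO".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*"')
MARKER = "glinkping.aspx"  # string the post singles out in the odd URLs


def suspicious_hits(lines):
    """Yield (time, ip) for requests whose decoded URL contains MARKER."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, stamp, url = m.groups()
        if MARKER in unquote(url).lower():
            yield datetime.strptime(stamp, TS), ip


def find_bursts(lines, threshold=70, window=timedelta(minutes=5)):
    """Return sorted client IPs seen in any window holding >= threshold
    marker requests, counted across all clients together."""
    recent, flagged = deque(), set()
    for ts, ip in sorted(suspicious_hits(lines)):
        recent.append((ts, ip))
        while ts - recent[0][0] > window:
            recent.popleft()  # drop hits older than the window
        if len(recent) >= threshold:
            flagged.update(addr for _, addr in recent)
    return sorted(flagged)


def sample_log():
    """Constructed data: 80 marker requests in 4 minutes from four
    documentation-range IPs, plus one ordinary request."""
    start = datetime(2006, 8, 2, 14, 45, tzinfo=timezone.utc)
    fmt = '{} - - [{}] "GET {} HTTP/1.1" 200 14189 "-" "Mozilla/5.0"'
    bad = "/blog/?p=561%22%20gping=%22/GLinkPing.aspx?POS=2&CM=WPU"
    lines = [fmt.format("198.51.100.7", start.strftime(TS), "/blog/?p=561")]
    for i in range(80):
        stamp = (start + timedelta(seconds=3 * i)).strftime(TS)
        lines.append(fmt.format(f"192.0.2.{1 + i % 4}", stamp, bad))
    return lines


if __name__ == "__main__":
    print(find_bursts(sample_log()))
```

The window is counted across all clients because the requests described above came from many different addresses; a per-IP rate limit alone would miss that kind of burst.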