I run a forum powered by phpBB version .19...

One of my moderators is very concerned about an IP address being seen logged onto 10-30 pages on the forums at the exact same time.
Some of these pages were private messages and profiles. Anyway, the IP is called a googlebot, but this moderator saw the patterns 3 times in one day, and yeah, each time he said 'that is no way the signature of a crawler'

'Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Viewing Private Messages 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Varieties 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Viewing profile 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Member Competitions and Details 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Viewing profile 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Viewing profile 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Stoners' Poems 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Member Competitions and Details 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Stoners' Poems 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Member Competitions and Details 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Varieties 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Viewing profile 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Member Competitions and Details 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Member Competitions and Details 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Viewing profile 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Viewing profile 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Viewing profile 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Virgin Lungs 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Stoners' Poems 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Viewing Private Messages 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Virgin Lungs 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Viewing profile 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Viewing profile 66.249.72.8
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Viewing profile 66.249.72.8
Guest Fri Jan 27, 2006 5:41 am Fri Jan 27, 2006 5:57 am Forum index 68.9.195.215
Guest Fri Jan 27, 2006 5:57 am Fri Jan 27, 2006 5:57 am Stoners' Poems 66.249.72.8 '

Sorry if this is a long post, I'm just really worried and this seemed like a place to get some help, and fast...

That incident above happened 4 times today, all the same IP..
Something like this was also noticed a week before we had problems with passwords/random member deactivations/posts made by not the right members...

Is the above suspicious in any way??

Any help is greatly appreciated..
cheers
ANimAL

That seems perfectly fine to me. Googlebot (google.com's crawler) is well known for visiting many pages at once in bursts that can last up to a couple of hours to a day. They're known as "deep crawls".

No problem. Just to double check, I resolved the IP and, indeed, it goes to a googlebot crawler. This is a good thing. It means your pages will be well-indexed in the Google search engine.
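Added example, not part of the original replies: resolving the IP, as the reply above describes, is only conclusive when the reverse (PTR) name is also confirmed by a forward lookup, because whoever controls an address's reverse zone can publish any name. The sketch below does that forward-confirmed check; the sample records and hostnames are constructed, and the resolver functions are injectable so it runs offline.

```python
import ipaddress
import socket

# Suffixes Google documents for genuine Googlebot reverse-DNS names.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def ptr_lookup(ip):
    """Reverse (PTR) lookup; None when the address has no name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def addr_lookup(host):
    """Forward lookup; set of addresses the name resolves to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def verify_googlebot(ip, reverse=ptr_lookup, forward=addr_lookup):
    """Forward-confirmed reverse DNS: PTR must be a Google name AND map back."""
    ip = str(ipaddress.ip_address(ip))      # rejects malformed input
    host = reverse(ip)
    if not host:
        return "no-ptr"
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return "not-google"
    # Whoever controls the IP's reverse zone can publish any PTR name,
    # so the name only counts if the forward zone points back at the IP.
    return "googlebot" if ip in forward(host) else "ptr-not-confirmed"

# Constructed records (documentation address ranges, made-up hostnames).
SAMPLE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "198.51.100.7": "crawl-198-51-100-7.googlebot.com",   # forged PTR
    "203.0.113.5": "googlebot.com.isp.example",           # look-alike name
}
SAMPLE_A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"}}

def demo():
    """Run the check over the constructed records plus one IP with no PTR."""
    rev = SAMPLE_PTR.get
    fwd = lambda host: SAMPLE_A.get(host, set())
    ips = list(SAMPLE_PTR) + ["192.0.2.99"]
    return {ip: verify_googlebot(ip, rev, fwd) for ip in ips}

if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

Calling `verify_googlebot("<ip from the log>")` with the default resolvers performs the live lookups.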

Watch the IPs show up and watch your bandwidth meter go up! hehe

I trace routed the IP of the googlebot, which had mainly legitimate IPs.

However, one IP, owned by ABOVENET, was in the same range as 4 IPs on every trace route taken from the member on the site who is most suspected of being behind any malicious activity.
This same user was using some kind of router/masking device, as despite the fact that he says he is from Massachusetts (I don't disbelieve this), all his IPs noted on the forums end in the UK. I tracerouted his IPs and 4 out of every 7 IPs (which come up for the trace route) share an IP range owned by ABOVENET.
I checked trace routes on other US members of the forums and didn't get this IP range again, as of yet..

64.125.30.118 AS6461 was on the googlebot's IP traceroute
and
64.125.30.118
64.125.29.133
64.125.28.129
64.125.27.166
are on the traceroutes of the 'UK' IPs logged in the phpBB forums, which the suspected member has posted on lots.

Does this mean anything?? Is it a hub which most users online in the US go through??? And is it normal for the googlebot to be going through there also???

Every one of the IPs we have for this user yields traceroutes with 4 IPs from that (ABOVENET) range.

Also, on every traceroute I have made for the IPs from this member, the ending is the same:
[10.x.x.x] AS16559
REALCONNECT-01
[10.x.x.x] AS16559
REALCONNECT-01
then 4 hops that hit a firewall.
The last valid IP before the REALCONNECT hops is always a UK IP.

Am I completely mistaken with these connections?
And what does the REALCONNECT [10.x.x.x] mean on a traceroute???

As ever, all help is very greatly appreciated...

(207.234.129.8 is the IP of a user who made threats about hacking our site)
(213.249.245.169) IP logged from the active member we suspect (from our phpBB boards)

Assuming the above user crawler is in fact Google, you can tell them to slow down the way they crawl your site. You can even tell them not to crawl certain pages, such as those private files/messages you mentioned.

http://www.searchengineworld.com/robots/robots_tutorial.htm

They even have a validator to make sure you set it up correctly.
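Added example, not part of the original reply: a robots.txt for the pages mentioned in this thread, checked locally with Python's standard-library parser before it is deployed. It assumes a phpBB 2 board served from the site root; the file contents and sample URLs are constructed. Such rules are only requests honoured by well-behaved crawlers, so private messages still depend on the forum's login check for protection.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a phpBB 2 board at the site root (assumption).
ROBOTS_TXT = """\
User-agent: *
Disallow: /privmsg.php
Disallow: /profile.php
Disallow: /memberlist.php
Disallow: /login.php
Disallow: /posting.php
Disallow: /search.php
"""

# Constructed sample URLs: pages that should stay out of the index,
# and pages that should remain crawlable.
PRIVATE = [
    "/privmsg.php?folder=inbox",
    "/profile.php?mode=viewprofile&u=2",
    "/memberlist.php",
]
PUBLIC = [
    "/index.php",
    "/viewforum.php?f=3",
    "/viewtopic.php?t=120",
]

def load_rules(text):
    """Parse robots.txt text without fetching anything over the network."""
    rules = RobotFileParser()
    rules.parse(text.splitlines())
    return rules

def audit(rules, agent, private, public):
    """Return the rule mistakes: private URLs still allowed, public ones blocked."""
    exposed = [u for u in private if rules.can_fetch(agent, u)]
    blocked = [u for u in public if not rules.can_fetch(agent, u)]
    return {"exposed": exposed, "blocked": blocked}

if __name__ == "__main__":
    report = audit(load_rules(ROBOTS_TXT), "Googlebot", PRIVATE, PUBLIC)
    print("private URLs still crawlable:", report["exposed"])
    print("public URLs wrongly blocked:", report["blocked"])
```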
