A cautionary tale for anyone running their own web server – something I’d never considered previously.

We’ve all been there – you’re setting up your web server, and request a bunch of IP addresses from your hosting provider. You then assign these IPs to your various web sites, and off you go…

But how many of you actually check the history of these IP addresses?

I always assumed that I was getting pristine, brand-new addresses that had never been used before. So I set up my new server, transferred all my sites from my old server, and everything seemed fine. But then I started noticing quite a number of odd requests in the logs:

http://94.76.220.233/forumdisplay.php?fid=61
http://94.76.220.234/archiver/?tid-144650.html
http://94.76.220.232/19
http://94.76.220.232/index.php?fromuid=83714

These were certainly nothing to do with me, and the fact that they were accessing the IP directly rather than using a domain name seemed suspicious. So, being an inquisitive type, I started to investigate.

Tracing back the referrers, I found out a number of things:

  • The referring pages were all based in China, but were directly linking to an IP address in the UK
  • They were nearly all chat forums
  • …most of which were inaccessible without logging in
  • …and those which were accessible seemed concerned with pictures of young Chinese boys and girls
  • …at which point I stopped my digging.

Now, quite aside from the fact that I didn’t want any increased traffic caused by my IPs being linked to, I really didn’t want my clients’ websites tainted by anything like this.

My hosting company was very helpful – within an hour they’d given me a new batch of IP addresses, and time to switch over before they removed the old ones. So I’m now just waiting for DNS servers around the world to catch up…

There are a few things you can do to check your new IP addresses:

1. Check against IP blacklists

Run a check at rbls.org for each of your IP addresses. Admittedly, in my case this didn’t turn up any information, but it might disclose previous misuse of your IP address. Bear in mind that most public blacklists (DNSBLs) record addresses that sent spam or hosted malware, so an address that was merely linked to from dubious sites, as mine was, may well come back clean.
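For anyone who would rather script the check than paste addresses into a web form, here is how a DNSBL lookup actually works, as an added example (not code from the original post, and not rbls.org’s own method). A blacklist is queried by reversing the address (octets for IPv4, nibbles for IPv6), appending the list’s zone, and doing an ordinary DNS A lookup: an answer in 127.0.0.0/8 means “listed”, NXDOMAIN means “not listed”. The two zone names are real list operators but are an assumed choice for the example, the meaning of a given 127.0.0.x answer is zone-specific (check the operator’s documentation), and the table-backed resolver is a constructed stand-in so the code runs offline.

```python
import ipaddress
import socket

# Assumed zones to consult; these are real list operators, but the choice is an
# assumption of this example rather than a recommendation from the post.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a DNSBL expects: the address with its octets (IPv4) or
    hex nibbles (IPv6) reversed, followed by the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        # Fully expanded form, colons removed, one label per nibble.
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def make_table_resolver(table):
    """Offline resolver for the demonstration: looks names up in a dict and
    raises socket.gaierror (what gethostbyname raises on NXDOMAIN) otherwise."""
    def resolve(name):
        try:
            return table[name]
        except KeyError:
            raise socket.gaierror(f"{name}: NXDOMAIN")
    return resolve


def check_dnsbl(ip, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    """Query every zone. Each zone maps to the 127.0.0.x answer when the
    address is listed, or None when the lookup returned NXDOMAIN."""
    results = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            results[zone] = resolve(name)
        except socket.gaierror:
            results[zone] = None
    return results


def listed_in(results):
    """Zones that returned a listing answer, sorted for stable output."""
    return sorted(zone for zone, answer in results.items() if answer is not None)


if __name__ == "__main__":
    # Constructed answers standing in for real DNS so the example runs offline;
    # the listing of .233 here is invented for illustration only.
    fake_dns = make_table_resolver({"233.220.76.94.zen.spamhaus.org": "127.0.0.2"})
    for ip in ("94.76.220.233", "94.76.220.234"):
        res = check_dnsbl(ip, resolve=fake_dns)
        print(ip, "listed in:", listed_in(res) or "nothing")
```

To run it against real lists, drop the `resolve=` argument so `socket.gethostbyname` is used, and query from a resolver you control: some list operators refuse or rate-limit queries that arrive via large public resolvers, and a refusal answer can be mistaken for a listing if you do not read the zone’s documented return codes.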

2. Look up the IP address in search engines

Do a search on Google for the IP address, in quotes so the engine matches it exactly. If your IP is clean, you’ll still see a number of results, but they will just be lists of allocated IP addresses. Search for a known-good IP first so you know what clean results look like.

If you get results like the one below, you might want to request new addresses…

[Image: Google results for a contaminated IP]

After seeing my log files, I also checked against baidu.com, since a number of referrals came from there.

3. Check for unexpected traffic

OK, this one can only be done once the server’s up and running. But if you see lots of unexpected requests, you could have a problem.

I have my default missing page handler set up to log any request which results in a 404. Not only does this help track unexpected behaviour, it’s also a good tool to make sure all your sites are running as they should… Two things are worth watching for in those logs: requests whose Host header is the bare IP address rather than one of your domain names (nobody legitimately types your IP into a browser), and referrers from sites you have never heard of. It also pays to make sure such requests land on a default, catch-all site rather than on a client’s site, so that whatever is linking to the address does not get served a client’s pages.
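Here is the sort of log check described above in script form, as an added example that is not the post’s own 404 handler. It assumes a custom log format that records the Host header (in Apache terms, `LogFormat "%{Host}i %h %t \"%r\" %>s \"%{Referer}i\"`, an assumption of this example), and it flags three things: requests addressed to a bare IP, 404s, and which referrer hosts the traffic claims to come from. The sample lines are constructed for the example; the request paths and server addresses are the ones quoted in the post, while the client addresses and referrer hosts are documentation/test values.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed format (not the post's): Host header, client IP, timestamp,
# request line, status, Referer. Apache equivalent:
#   LogFormat "%{Host}i %h %t \"%r\" %>s \"%{Referer}i\"" hostlog
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)

# Constructed sample log. Paths and server IPs come from the post; client
# addresses and referer hosts are documentation/test values. The last line
# is deliberately malformed to show that junk is counted, not crashed on.
SAMPLE_LOG = """\
94.76.220.233 203.0.113.5 [12/Mar/2009:10:15:32 +0000] "GET /forumdisplay.php?fid=61 HTTP/1.1" 404 "http://bbs.example.net/thread-144650.html"
www.client-site.example 198.51.100.9 [12/Mar/2009:10:16:01 +0000] "GET /about/ HTTP/1.1" 200 "-"
94.76.220.234 203.0.113.7 [12/Mar/2009:10:16:40 +0000] "GET /archiver/?tid-144650.html HTTP/1.1" 404 "http://bbs.example.net/archiver/"
94.76.220.232:80 203.0.113.8 [12/Mar/2009:10:17:12 +0000] "GET /index.php?fromuid=83714 HTTP/1.1" 404 "http://forum.example.org/space.php?uid=83714"
www.client-site.example 198.51.100.12 [12/Mar/2009:10:18:03 +0000] "GET /old-page.html HTTP/1.1" 404 "-"
not a log line at all
"""


def host_is_bare_ip(host_header):
    """True when the Host header is an IP literal, with or without a port
    (handles bracketed IPv6 such as [2001:db8::1]:443)."""
    hostname = urlsplit("//" + host_header).hostname
    if hostname is None:
        return False
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        return False
    return True


def request_path(request_line):
    """'GET /x HTTP/1.1' -> '/x'; pass malformed request lines through."""
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else request_line


def analyse(log_text):
    """Summarise the warning signs: requests to the bare IP, 404s, and the
    referer hosts responsible, plus a count of lines that did not parse."""
    report = {"direct_ip": [], "not_found": [], "referers": Counter(), "unparsed": 0}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            report["unparsed"] += 1
            continue
        rec = m.groupdict()
        path = request_path(rec["request"])
        if host_is_bare_ip(rec["host"]):
            report["direct_ip"].append((rec["host"], path))
        if rec["status"] == "404":
            report["not_found"].append((rec["host"], path))
        if rec["referer"] != "-":
            ref_host = urlsplit(rec["referer"]).hostname
            if ref_host:
                report["referers"][ref_host] += 1
    return report


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print("requests addressed to a bare IP:", len(r["direct_ip"]))
    for host, path in r["direct_ip"]:
        print("  ", host, path)
    print("404s:", len(r["not_found"]), " unparsed lines:", r["unparsed"])
    print("referer hosts:", r["referers"].most_common())
```

Run it over a day’s log and the referrer counter tells you immediately which outside sites are sending the traffic, which is where the author’s investigation started; the bare-IP list is the part you cannot get from a normal 404 report, since a client’s domain and your raw IP otherwise look identical in the path column.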

4. Take action!

If you find anything suspect about your new IPs – ask your host for some new ones. It’s not worth the risk, however small, of your sites’ reputations being tarnished.