My EE gallery has just in the last week started receiving loads more page views than normal. Great I thought, but now I'm actually wondering if there is something wrong, and it's not really lots of people visiting my site. I'm currently hosting on the University server where I work, so it's all tied in with my accounts there.

I had about 5000 photo views in total in the first 4 months of operation, then in the last could of weeks it has gone up to 150000, and is currently increasing about 3000 every 8 hours.

So I had one of the admins here contact me saying something crazy is going on with ftp access from my account, that there are hundreds of connections being made to the fileserver, which is screwing their system up. At first I thought this was due to a new sftp client I am using; however I am now wondering if it is actually coming from my EE installation.

There are three things I can think of: firstly they changed the security policy on the network recently to disallow certain connections - it's possible that EE is getting blocked from communicating via between the web server and the server holding the photos, though I doubt this as they're both internal. [aside - It'd be really useful if EE could support sftp access rather than just ftp, as ftp is not so secure and, besides some hosts such as mine only allow sftp access from the outside world].

The second possibility is that my gallery has been hacked - I don't know if there's any way to tell, but it's not so beyond the realms of possibility: before I installed EE I had my own script which the same admins actually disabled due to a security breach with someone using my php script to send spam emails! I reckoned EE looked like having better security than my own bodged efforts, but I can't rule out this possibility yet...

The other thing I thought of is that it is just some kind of robot crawling my pages but getting stuck somehow and generating loads of page views. I had the obfuscation settings switched on; am I right in thinking that this involved an FTP operation to make a temporary file for every photo page view? I've now turned that off, just in case, and disabled my FTP servers in the EE settings, just to make sure this isn't what's causing the problems. Unfortunately I need to turn it on again if I am to upload any more photos! Moreover, the page views keep rising and I just can't believe so many people are looking at my photos!

my web page: http://www.tombishop.net/

Anyone got any suggestions of how I could find out what is going on? Any logs generated by EE that I could look at to see where all the photo page views are coming from?

I think that you are found by some search engine, but then still those numbers are realy high.....

Maybe you can (temporarely) add an visit counter? One of those free ones that shows locations, etc etc.

Change your

a) EE admin folder name
b) EE admin username and password
b) ftp password

in that order. Update new ftp password in EE editor. Now see if there is any more ftp activity. Log all ftp actions to see more.

ftp is quite secure when you use usernames and passwords with high random character count and limit access from any other username. I open ftp server only when I upload and close it when not needed.

FTP obfuscation will create lots of ftp access because it transfers each image every time it is viewed.

Lots of image fetch activity might happen when you do not have robots.txt to deny indexing of images. Only way to check it out is to look at http logs.

Check your webserver for image hotlinking protection capability.

Limit number of sizes you offer, that limits visits by spiders (make those extra size paths protected in path editor).

Also, it could be just that you have been slashdotted (linked in some very popular site). That would also be easily seen in http logs (Webalizer, awstats etc).

You have many great images there, no wonder it gets popular!

thanks for the suggestions. I'll try finding a counter to track down where the hits are coming from (not sure if I can get access to the webserver logs).

Pekka, thanks for the compliments, and more importantly for providing (& supporting) EE!
However I've searched for links to my site and I can't find anything out of the ordinary that would generate lots of hits. I suspect the robot is the most likely cause, I'll check out setting up the robots.txt. I've try changing the passwords anyway just to be safe.

Well I've turned off the ftp for now so no more admin complaints about that, though the page views are still rising. If I can't find out another way, is there an option I've missed within EE to log all ftp actions - I can't see anything in the messages window?

Page counter in EE is advanced when photo.php is loaded. That has nothing to do with ftp. If you have turned off ftp OR stopped using ftp obfuscation in EE there can not be any ftp activity in EE public area. If you have ftp on and you upload photos to EE then that makes ftp activity.

If you have shell access you can use netstat command to see network activity and where it comes from. Command

netstat -n | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

shows a list of IP numbers connected to port 80 and sorts them by amount of connections. When analyzing the list keep in mind that most ISP's may serve thousands of customers from one IP.

You can use http://www.iptools.com/dnstools.php?tool=ipwhois&user_data=74.6.24.26&submit=Go for getting IP info.

To see who is connected to ftp (does not mean logged in), use

netstat -n | grep :21 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

It shows all attempted connections to port 21 even whenyour ftp server is off.

I recently had the same problem. Almost al my trafic went to the same ip adress. Afterblokking those ip adresses with .htacces things where normal again