Is this a security problem at my site? How can I prevent this without limiting access to certain IP addresses? I'm using SuSE 8.0 with all patches applied.
Any hint is appreciated. Thanks in advance.
I'm guessing your user has spyware on his machine. If it's Windows, he should try Spybot Search and Destroy or Ad-Aware.
This was my first thought, too. But Spybot and an additional virus scan did not produce any significant result.
If it is limited to that single user, it would have to be somewhere on his end, or along the route to you. Perhaps a traceroute from his end would reveal something - maybe a caching proxy server between him and you.
Also, a netstat -an from his machine immediately (within a second) after requesting a page on your site might reveal odd connections to some other site.
If you ever figure it out, be sure to post here, as this is quite interesting.
I gathered some additional info on this topic: I'm running different webservers (virtual hosts) on one IP address. If the "suspicious" user connects to server A, the request is doubled. At host B it is not. Another user connecting to host A shows _no_ doubled request, either. This problem only occurs if this specific user connects to host A. I reviewed all scripts (.php, .cgi) and their rights on host A, but I didn't find any suspicious changes. If this problem were related to this user, then it must occur on every host he connects to. If it is related to my host A, then it should occur with every user. My paranoia is still rising :) Any clues? Regards Andreas
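
The comparison described in the last post (the same user on host A versus host B, versus other users on host A) can be run directly over the access logs. The following is an added example, not part of the original thread; it assumes a log format that puts the virtual host name first, followed by the usual combined-log fields, and all host names, addresses and timestamps in it are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample; assumption: the real logs carry the virtual host name
# as the first field, followed by the standard combined-log fields.
SAMPLE_LOG = """\
hostA.example 192.0.2.10 - - [12/Mar/2003:10:00:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
hostA.example 198.51.100.7 - - [12/Mar/2003:10:00:02 +0100] "GET /index.php HTTP/1.0" 200 5120 "-" "-"
hostB.example 192.0.2.10 - - [12/Mar/2003:10:01:00 +0100] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
hostA.example 203.0.113.5 - - [12/Mar/2003:10:02:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
hostA.example 192.0.2.10 - - [12/Mar/2003:10:03:10 +0100] "GET /news.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
hostA.example 198.51.100.7 - - [12/Mar/2003:10:03:11 +0100] "GET /news.php HTTP/1.0" 200 2048 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(log_text):
    """Yield (time, vhost, client_ip, method, path); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        vhost, ip, ts, method, path, _status = m.groups()
        try:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield when, vhost, ip, method, path

def find_doubled(log_text, window_seconds=2):
    """Count repeats of the same request on one vhost within the window,
    keyed by (vhost, first_ip, repeat_ip)."""
    window = timedelta(seconds=window_seconds)
    last_seen = {}  # (vhost, method, path) -> (time, ip) of the previous hit
    doubled = Counter()
    for when, vhost, ip, method, path in sorted(parse(log_text)):
        key = (vhost, method, path)
        prev = last_seen.get(key)
        if prev and when - prev[0] <= window:
            doubled[(vhost, prev[1], ip)] += 1
        last_seen[key] = (when, ip)
    return doubled

if __name__ == "__main__":
    for (vhost, first_ip, repeat_ip), n in find_doubled(SAMPLE_LOG).items():
        print(f"{vhost}: {n} request(s) from {first_ip} repeated by {repeat_ip}")
```

Grouping by host and by the pair of addresses shows at a glance whether the repeats follow one client, one virtual host, or only the combination of the two, and whether the second request arrives from the same address as the first.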