homepage Welcome to WebmasterWorld Guest from 54.198.185.156
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL

Search Engine Spider and User Agent Identification Forum

    
Bergdorf Group
keyplyr




msg:4346444
 12:59 am on Aug 2, 2011 (gmt 0)

Evidence of SPAM bot running in WWW.

91.224.160.** - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Scraped a 200 page site, HTML pages only, short crawl duration.

91.224.160.0 - 91.224.161.255
91.224.160.0/23

 

Pfui




msg:4346483
 3:17 am on Aug 2, 2011 (gmt 0)

(WWW = here?)

I watched Bergdorf Group machines/IPs ramp-up even after 403s, ditto 200s to bot-bait. After multiple blocked URI=REF hits from five of their IPs, I finally killfiled 91.224.160.0/24 on July 3.

JULY 3
91.224.160.132
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; KKman2.0)
91.224.160.129
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
91.224.160.90
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)

JUNE 13
91.224.160.91
Opera/8.00 (Windows NT 5.1; U; en)

JUNE 11
91.224.160.90
Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)

So many faked UAs, so little time... [projecthoneypot.org...]

keyplyr




msg:4346511
 4:44 am on Aug 2, 2011 (gmt 0)

(WWW = here?)

No, here would be WW. By WWW I'm referring to World Wide Web :) In other words searching for that IP range returns many account of SPAM bot activity, with various UAs (as you've attested.)

caribguy




msg:4346738
 4:37 pm on Aug 2, 2011 (gmt 0)

Indeed... Checked my logs, has the signature of a blog / forum spammer. Thanks for the heads-up.

dstiles




msg:4346856
 9:42 pm on Aug 2, 2011 (gmt 0)

Blocked the /23 back on April Fools day. Seems appropriate. :)

caribguy




msg:4348386
 8:11 pm on Aug 5, 2011 (gmt 0)

And this is pretty timely, via the Sans Incident Handlers: a new Mac OSX Lion trojan is being distributed through the Bergdorf network. [isc.sans.edu...]

This is a DNS changer type malware that modifies the hosts file to redirect
google sites to 91.224.160.26. Which appears to be in the British Virgin Islands.

Pfui




msg:4348408
 8:47 pm on Aug 5, 2011 (gmt 0)

Wow. And talk about small world.

Also interesting is F-Secure's article detailing the degrees to which the Bad Guys go to fake people out. [f-secure.com...]

NOTE: The trojan is a fake FlashPlayer.pkg installer for Mac; it has zero connection to Lion per se, or Apple, etc. Lion doesn't include a Flash package.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved