Pfui

msg:4346483 | 3:17 am on Aug 2, 2011 (gmt 0) |
(WWW = here?) I watched Bergdorf Group machines/IPs ramp-up even after 403s, ditto 200s to bot-bait. After multiple blocked URI=REF hits from five of their IPs, I finally killfiled 91.224.160.0/24 on July 3.

JULY 3
91.224.160.132 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; KKman2.0)
91.224.160.129 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
91.224.160.90 Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
JUNE 13
91.224.160.91 Opera/8.00 (Windows NT 5.1; U; en)
JUNE 11
91.224.160.90 Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)

So many faked UAs, so little time... [projecthoneypot.org...]
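An added example, not part of Pfui's post or the thread: a short Python pass over constructed Apache combined-format log lines that profiles each address inside 91.224.160.0/24 the way the post describes, counting requests that keep coming after a 403, distinct User-Agents, and hits on a bot-bait path. The `/trap/` prefix, the `example.test` referrer and the sample lines are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Apache "combined" log format; SAMPLE_LOG below is constructed, not a real log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
91.224.160.132 - - [03/Jul/2011:02:10:11 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; KKman2.0)"
91.224.160.132 - - [03/Jul/2011:02:10:40 +0000] "GET /blog/post-1 HTTP/1.1" 403 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; KKman2.0)"
91.224.160.132 - - [03/Jul/2011:02:11:02 +0000] "POST /blog/comment HTTP/1.1" 403 210 "http://example.test/blog/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
91.224.160.90 - - [03/Jul/2011:02:12:00 +0000] "GET /trap/do-not-follow HTTP/1.1" 200 77 "-" "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)"
203.0.113.7 - - [03/Jul/2011:02:13:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/5.0"
"""

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def profile_range(log_text, cidr, bait_prefix="/trap/"):
    """Per-IP summary for addresses inside cidr: request count, distinct UAs,
    how many requests followed a 403, and whether a bot-bait path was fetched."""
    net = ipaddress.ip_network(cidr)
    hits = defaultdict(lambda: {"requests": 0, "uas": set(), "seen_403": False,
                                "after_403": 0, "bait": False})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or ipaddress.ip_address(rec["ip"]) not in net:
            continue
        h = hits[rec["ip"]]
        h["requests"] += 1
        h["uas"].add(rec["ua"])
        if h["seen_403"]:
            h["after_403"] += 1          # kept coming despite being refused
        if rec["status"] == "403":
            h["seen_403"] = True
        path = rec["req"].split(" ")[1] if " " in rec["req"] else rec["req"]
        if path.startswith(bait_prefix):
            h["bait"] = True             # followed a link only a crawler would
    return dict(hits)

def suspicious(profile):
    """Worth a closer look if it rotates UAs, ignores 403s, or eats bot-bait."""
    return len(profile["uas"]) > 1 or profile["after_403"] > 0 or profile["bait"]
```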
keyplyr

msg:4346511 | 4:44 am on Aug 2, 2011 (gmt 0) |
No, here would be WW. By WWW I'm referring to World Wide Web :) In other words, searching for that IP range returns many accounts of SPAM bot activity, with various UAs (as you've attested).
caribguy

msg:4346738 | 4:37 pm on Aug 2, 2011 (gmt 0) |
Indeed... Checked my logs; it has the signature of a blog / forum spammer. Thanks for the heads-up.
dstiles

msg:4346856 | 9:42 pm on Aug 2, 2011 (gmt 0) |
Blocked the /23 back on April Fools' Day. Seems appropriate. :)
caribguy

msg:4348386 | 8:11 pm on Aug 5, 2011 (gmt 0) |
And this is pretty timely, via the SANS Incident Handlers: a new Mac OS X Lion trojan is being distributed through the Bergdorf network. [isc.sans.edu...] This is a DNS changer type malware that modifies the hosts file to redirect Google sites to 91.224.160.26, which appears to be in the British Virgin Islands.
Pfui

msg:4348408 | 8:47 pm on Aug 5, 2011 (gmt 0) |
Wow. And talk about small world. Also interesting is F-Secure's article detailing the degrees to which the Bad Guys go to fake people out. [f-secure.com...] NOTE: The trojan is a fake FlashPlayer.pkg installer for Mac; it has zero connection to Lion per se, or Apple, etc. Lion doesn't include a Flash package.