| 3:17 am on Aug 2, 2011 (gmt 0)|
(WWW = here?)
I watched Bergdorf Group machines/IPs ramp-up even after 403s, ditto 200s to bot-bait. After multiple blocked URI=REF hits from five of their IPs, I finally killfiled 220.127.116.11/24 on July 3.
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; KKman2.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Opera/8.00 (Windows NT 5.1; U; en)
Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
So many faked UAs, so little time... [projecthoneypot.org...]
| 4:44 am on Aug 2, 2011 (gmt 0)|
No, here would be WW. By WWW I'm referring to World Wide Web :) In other words searching for that IP range returns many account of SPAM bot activity, with various UAs (as you've attested.)
| 4:37 pm on Aug 2, 2011 (gmt 0)|
Indeed... Checked my logs, has the signature of a blog / forum spammer. Thanks for the heads-up.
| 9:42 pm on Aug 2, 2011 (gmt 0)|
Blocked the /23 back on April Fools day. Seems appropriate. :)
| 8:11 pm on Aug 5, 2011 (gmt 0)|
And this is pretty timely, via the Sans Incident Handlers: a new Mac OSX Lion trojan is being distributed through the Bergdorf network. [isc.sans.edu...]
|This is a DNS changer type malware that modifies the hosts file to redirect |
google sites to 18.104.22.168. Which appears to be in the British Virgin Islands.
| 8:47 pm on Aug 5, 2011 (gmt 0)|
Wow. And talk about small world.
Also interesting is F-Secure's article detailing the degrees to which the Bad Guys go to fake people out. [f-secure.com...]
NOTE: The trojan is a fake FlashPlayer.pkg installer for Mac; it has zero connection to Lion per se, or Apple, etc. Lion doesn't include a Flash package.