
Search Engine Spider and User Agent Identification Forum

    
The Onion Strikes - TOR Proxy Comment Spammers
tor exit node drive-by
iamzippy

5+ Year Member



 
Msg#: 4447430 posted 9:54 am on Apr 30, 2012 (gmt 0)

Tor Exit Node drive-by at a WordPress site. All are known comment spammers.

"GET /samepage/ HTTP/1.0" ... "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727)"

109.163.233.205 - - [30/Apr/2012:03:28:55 +0200] gorz.torservers.net
66.7.205.164 - - [30/Apr/2012:03:29:01 +0200] torsrvh.snydernet.net
87.225.253.174 - - [30/Apr/2012:03:29:05 +0200] torproject.org.all.de
199.48.147.35 - - [30/Apr/2012:03:29:09 +0200] tor-exit-router35-readme.formlessnetworking.net
93.182.132.100 - - [30/Apr/2012:03:29:13 +0200] exit1.ipredator.se
85.24.188.63 - - [30/Apr/2012:03:29:16 +0200] h-188-63.a189.priv.bahnhof.se
77.247.181.162 - - [30/Apr/2012:03:29:18 +0200] chomsky.torservers.net
84.55.117.251 - - [30/Apr/2012:03:29:19 +0200] 84-55-117-251.customers.ownit.se
46.165.196.182 - - [30/Apr/2012:03:29:37 +0200] ns2.kharlamov.co
199.48.147.36 - - [30/Apr/2012:03:29:38 +0200] tor-exit-router36-readme.formlessnetworking.net
62.113.219.4 - - [30/Apr/2012:03:29:40 +0200] tor11.anonymizer.ccc.de
178.217.184.147 - - [30/Apr/2012:03:29:40 +0200] torexit.pl1.william.ir
77.247.181.163 - - [30/Apr/2012:03:29:41 +0200] lumumba.torservers.net
77.247.181.164 - - [30/Apr/2012:03:29:47 +0200] rainbowwarrior.torservers.net
77.247.181.165 - - [30/Apr/2012:03:29:48 +0200] politkovskaja.torservers.net
93.182.132.103 - - [30/Apr/2012:03:29:50 +0200] exit2.ipredator.se
146.185.23.179 - - [30/Apr/2012:03:29:51 +0200] torland1-this.is.a.tor.exit.server.torland.me

This is the fourth broadside of the Tor-related kind in as many days.

Anyone else picking these up?
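An added example, not part of the original post: the log excerpt above shows many different addresses requesting the same page with the same User-Agent inside about a minute, which a per-address hit counter does not notice. The Python code below flags that pattern in Apache combined-format logs; the log format, the sample lines, the 60-second window and the threshold of five addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format (assumed): ip - - [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def find_bursts(lines, window_s=60, min_ips=5):
    """Map (path, user_agent) -> set of client IPs for every group in which at
    least min_ips distinct addresses sent the same request path with the same
    User-Agent inside one sliding window. Lines must be in time order."""
    recent = defaultdict(deque)            # (path, ua) -> deque of (time, ip)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[(m["path"], m["ua"])]
        q.append((ts, m["ip"]))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                    # forget hits that left the window
        ips = {ip for _, ip in q}
        if len(ips) >= min_ips:
            flagged.setdefault((m["path"], m["ua"]), set()).update(ips)
    return flagged

# Constructed sample: six documentation-range addresses sharing the User-Agent
# quoted in the post, plus one unrelated visitor.
UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; "
      ".NET CLR 2.0.50727)")
SAMPLE = [
    f'192.0.2.{i} - - [30/Apr/2012:03:29:{i} +0200] "GET /samepage/ HTTP/1.0" '
    f'200 5120 "-" "{UA}"' for i in range(10, 16)
] + [
    '198.51.100.7 - - [30/Apr/2012:03:29:20 +0200] "GET /samepage/ HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for (path, ua), ips in find_bursts(SAMPLE).items():
        print(f"{len(ips)} addresses hit {path} as {ua!r}: {sorted(ips)}")
```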

 

Staffa

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4447430 posted 10:50 am on Apr 30, 2012 (gmt 0)

Thanks for the heads up; two ranges are new to me.

motorhaven

10+ Year Member



 
Msg#: 4447430 posted 4:33 pm on Apr 30, 2012 (gmt 0)

New one for me as well. And not coincidental that I added one of these ranges last night when it caught one of my traps.

dstiles

WebmasterWorld Senior Member, Top Contributor of All Time, 5+ Year Member



 
Msg#: 4447430 posted 6:52 pm on Apr 30, 2012 (gmt 0)

Already got 'em all, he said smugly. :)

Although I had the range that includes 84.55.117.251 as broadband (which I still think it may be). Blocked it anyway, though.

I may be getting that kind of access attempt but I would need to backtrack in my logs to find out. Unless an IP hits several dozen times in a few seconds I ignore pre-blocked IPs.

iamzippy

5+ Year Member



 
Msg#: 4447430 posted 9:03 pm on Apr 30, 2012 (gmt 0)

@dstiles: Even a cursory Wikipedia-ward glance will inform. Anyone can configure their connection as a Tor exit node. Broadband freetards, mostly. It's the nature of the onion. Then they get hijacked or similar.
"Already got 'em all, he said smugly. :)"

Hmm. I wish you good luck with that.

dstiles

WebmasterWorld Senior Member, Top Contributor of All Time, 5+ Year Member



 
Msg#: 4447430 posted 8:27 pm on May 1, 2012 (gmt 0)

My comment referred to the list of IPs. Apart from those, I think I can catch that class of "attack" without too much bother, be it from servers or broadband.

motorhaven

10+ Year Member



 
Msg#: 4447430 posted 8:39 pm on May 1, 2012 (gmt 0)

I have a cron job which refreshes a list of Tor exit nodes hourly, and blocks those automatically. When I find something like this thread, where others list IPs, if I find a server/host IP range I add it to my permanent block list. :)
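An added example, not the poster's own job: one way the refresh step of such a cron job can turn a downloaded exit list into a web-server blocklist without locking out the wrong addresses or publishing a broken download. It assumes a list with one address per line, Apache 2.4 `Require not ip` output, and hypothetical names (`NEVER_BLOCK`, `publish`, `min_entries`); the sample list is constructed.

```python
import ipaddress
import os
import tempfile

# Assumption: networks that must never be blocked (loopback, internal space
# and a constructed "admin" network, 203.0.113.0/24).
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("127.0.0.0/8", "10.0.0.0/8", "203.0.113.0/24")]

def parse_exit_list(text, never_block=NEVER_BLOCK):
    """Return sorted, de-duplicated addresses from a one-per-line list,
    skipping comments, junk lines and anything inside never_block."""
    addrs = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            continue                       # blank, comment or not an address
        if not any(ip in net for net in never_block):
            addrs.add(ip)
    return sorted(addrs, key=lambda a: (a.version, int(a)))

def render_apache(addrs):
    """Apache 2.4 authorization block: allow everyone except the listed IPs."""
    deny = "".join(f"    Require not ip {a}\n" for a in addrs)
    return f"<RequireAll>\n    Require all granted\n{deny}</RequireAll>\n"

def publish(text, dest, min_entries=3):
    """Atomically replace dest with a fresh blocklist. Returns the number of
    entries written, or 0 (old file kept) if the input looks broken."""
    addrs = parse_exit_list(text)
    if len(addrs) < min_entries:
        return 0                           # e.g. an error page, not a list
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(render_apache(addrs))
    os.chmod(tmp, 0o644)                   # mkstemp creates the file as 0600
    os.replace(tmp, dest)                  # readers never see a partial file
    return len(addrs)

# Constructed sample download (documentation-range addresses).
SAMPLE = """# constructed exit list
192.0.2.10
198.51.100.23
192.0.2.10
203.0.113.5
not-an-ip
198.51.100.200
"""
```

The hourly cron entry would download the list, call `publish()`, and reload Apache only when the return value is non-zero.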

wilderness

WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month



 
Msg#: 4447430 posted 2:15 am on May 2, 2012 (gmt 0)

HostDime
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^66\.193\.(17[45]|23[01])\. [OR]
RewriteCond %{REMOTE_ADDR} ^66\.194\.(15[23]|4[01])\. [OR]
RewriteCond %{REMOTE_ADDR} ^66\.194\.2(3[89]|4[0-9]|5[0-5])\. [OR]
RewriteCond %{REMOTE_ADDR} ^66\.195\.(1[6-9]|12[4-7]|24[0-3]|25[23])\. [OR]
# Last condition in the [OR] chain carries no [OR] flag
RewriteCond %{REMOTE_ADDR} ^64\.132\.144\.
# Answer matching addresses with 403 Forbidden
RewriteRule .* - [F]

The 66.7. and the 72.29's I had denied previously.

Thanks for the 66.7 heads up or I wouldn't have checked and updated.

dstiles

WebmasterWorld Senior Member, Top Contributor of All Time, 5+ Year Member



 
Msg#: 4447430 posted 6:57 pm on May 3, 2012 (gmt 0)

I wonder if the sudden hits for Tor are related to the post at

https://threatpost.com/en_us/blogs/tor-warns-firefox-bug-threatens-user-privacy-050312

"The developers at the Tor Project are warning users about a serious flaw in Firefox that's included the latest version of the Tor Browser Bundle that could enable an attacker to gather information about the servers a victim is using, poking a hole in the privacy and anonymity that Tor is designed to provide."

Could the hits shown in the OP result from a Firefox/Tor exposure?
