homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL

Search Engine Spider and User Agent Identification Forum

WebNX Hosting Source of PHP Probe/Hack Attempts

 7:07 pm on Apr 30, 2012 (gmt 0)

UA: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)

Probe/hack attempts to gain access to php - all blocked.

colo and dedi hosting -

A couple of mentions in previous threads:





 6:17 pm on May 27, 2012 (gmt 0)

I got hit by another webnx IP today, bringing my total set of ranges to... - - - - -


 6:29 pm on May 27, 2012 (gmt 0)

Thanks, I didn't have those last 3 ranges.


 7:51 pm on May 27, 2012 (gmt 0)

Here's some more - -


 12:00 am on May 28, 2012 (gmt 0)

Thanks Don


 12:53 am on May 28, 2012 (gmt 0)

I have the following range as dedicated hosting

NetRange: -


 1:19 am on May 28, 2012 (gmt 0)

Those last two lines came from a WHOIS on the NetName.]

Arin doesn't work for much of anything these days, however it still works on Netnames (WEBNX)


 4:10 am on May 28, 2012 (gmt 0)

Good catch Staffa. I would not have known these WebNX ranges were inside AWKNET. Much easier to manage.


 4:01 am on Sep 8, 2012 (gmt 0)

:: bump ::

Never mind the rest of 'em. I want to know exactly who these people are:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Here's why.

Yesterday-- just a bit over 24 hours ago-- I uploaded a cluster of very large e-books. I have just rechecked the timestamp to make sure I haven't misplaced a day or week. (Been known to happen.) First the e-books, then their shared index file, and last of all a revised /ebooks/ index file to incorporate the new links.

After some final spot-checking, I fed one file to google and a different one to bing in order to jump-start them: - - [06/Sep/2012:19:53:37 -0700] "GET /ebooks/paston/paston2.html HTTP/1.1" 200 118260 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
and - - [06/Sep/2012:20:20:52 -0700] "GET /ebooks/paston/paston3.html HTTP/1.1" 200 304166 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

(There's some technicalia in the background that I don't understand. The actual filesizes are each around 900K; apparently google took a partial chomp and flagged it for later, while bing got the whole thing in some kind of gzip mode.)

Haven't heard any more from bing, but google came back an hour later for the whole file: - - [06/Sep/2012:20:46:18 -0700] "GET /ebooks/paston/paston2.html HTTP/1.1" 200 318875 "-" <etc.>

and then, after another hour (numbering is wonky, so they got everything that's available), - - [06/Sep/2012:21:37:35 -0700] "GET /ebooks/paston/ HTTP/1.1" 200 4664 "-" <etc.> - - [06/Sep/2012:21:43:54 -0700] "GET /ebooks/paston/paston3.html HTTP/1.1" 200 304166 "-" <etc.> - - [06/Sep/2012:21:48:41 -0700] "GET /ebooks/paston/sample.pdf HTTP/1.1" 200 223867 "-" <etc.> - - [06/Sep/2012:21:51:14 -0700] "GET /ebooks/paston/paston4.html HTTP/1.1" 200 298260 "-" <etc.>

And the point is... - - [07/Sep/2012:08:23:09 -0700] "GET /ebooks/paston/paston3.html HTTP/1.1" 200 304110 "http://www.example.com/ebooks/paston/paston3.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"


As of this instant, g has indexed vol. 2, the cover page and (!) the pdf, while b has indexed vol. 3 (the page I fed them). Of course I have no idea whether they'd already done so by 8AM.

If it weren't for the auto-referer, I would assume I'd stumbled across yet another plainclothes bingbot.


 6:52 pm on Sep 8, 2012 (gmt 0)

I'd be inclined to block such a simple UA. It's obviously fake. has rDNS of gridlesshosting.com registered 2009 by Cameron Brunner using a gmail address (which is immediately suspicious). Address is Queensland, Australia according to DNS.

Check out DNS for domain and IP. Also check intodns.com for full setup incl. A and MX records.

Use the "proxy" view on ixquick to view the web page - it seems to be a support service for hosting customers.

Robtex shows the domain linkjuicefactory dot com on the same IP - now I wonder... :)

For info: I blocked the IP range - in Apr 2011.


 8:12 am on Sep 9, 2012 (gmt 0)

Yah, but you can't run around blocking every /18 you meet. You'd never see the end of it :)

Anyway, I am more concerned with how the phhzzt this previously unknown robot homed right in on a brand spankin new file. Unless bing told them.


 9:12 pm on Sep 9, 2012 (gmt 0)

I block a LOT of /24 to /16 and all increments inbetween. It's either that or block "real" users within larger ranges.

Could there have been a "page update" checker in operation, either within that IP range or on a DSL range used by the server owner? Since there seems to be a "link juice factory" on the IP I would say that's a possibility, perhaps checking for their customers?

I would not expect bing or any other reputable SE to tell-tale directly, although the offender may be periodically scraping SEs for such things.

Timing may be coincidental? Perhaps, say, a 4-hour cycle might do the job and a page-checker visit (or SE scrape) coincided with your update?

Global Options:
 top home search open messages active posts  

Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved