homepage Welcome to WebmasterWorld Guest from 54.227.160.102
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL

Search Engine Spider and User Agent Identification Forum

    
Softlayer
Ken_S



 
Msg#: 4546749 posted 1:11 pm on Feb 19, 2013 (gmt 0)

New Visitor

Syskay Systems - syskay.xxx (Nigeria, Africia) - (Softlayer Dutch Holdings Bv - Dallas, Texas)

159.253.128.0/19 = 159.253.128.0 - 159.253.159.255 = ^159\.253\.(1[2-5][89])\.

159.253.142.194 - - [19/Feb/2013:01:36:07 -0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 3573 "http://example.COM/phpmyadmin/scripts/setup.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

 

dstiles

WebmasterWorld Senior Member dstiles us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 4546749 posted 8:52 pm on Feb 19, 2013 (gmt 0)

We see hundreds of phpadmin and similar requests each day, all trying to hack in. Unless you actually have phpadmin on your server it pays to block all accesses to that path. In my case I do not use php at all, so I can also block any script ending in .php.

As to the IP range - I have a LOT of softlayer ranges blocked - in fact, any IP range that looks anything like a server farm.

If the issue is new to you then learn how to block user-agents, scripts and IPs, then look through this forum for IP ranges and user-agents to block - there are hundreds of them! :)

And then there are the other headers...

keyplyr

WebmasterWorld Senior Member keyplyr us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 4546749 posted 5:07 am on Feb 20, 2013 (gmt 0)


159.253.128.0/19 = 159.253.128.0 - 159.253.159.255


Parts of that range doesn't check out as Softlayer. Where did you verify this?

lucy24

WebmasterWorld Senior Member lucy24 us a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



 
Msg#: 4546749 posted 11:49 am on Feb 20, 2013 (gmt 0)

All's I know is, one of the worst robots I've met in my life came from that very neighborhood. 159.253.143.53 and ..145.175. They can try to hide behind /26 slivers but they sure do all look alike.

NG can't possibly be New Guinea can it?

:: shuffling papers ::

Nigeria. Figures.

wilderness

WebmasterWorld Senior Member wilderness us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 4546749 posted 1:15 pm on Feb 20, 2013 (gmt 0)

Nigeria. Figures.


I'm sure you site (s) are not advantageous to visitors from
afrinic

dstiles

WebmasterWorld Senior Member dstiles us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 4546749 posted 8:05 pm on Feb 20, 2013 (gmt 0)

Keyplr - if the record is served up bu arin you need to scroll down to the bottom of the record:

inetnum: 159.253.128.0 - 159.253.159.255
netname: NL-SOFTLAYER-EU-20110921
descr: SoftLayer Dutch Holdings BV
country: NL

NOTE: Some ranges are /26 or whatever - put in a few IPs until you get the full range as above. I found the above for 159.253.139.0

keyplyr

WebmasterWorld Senior Member keyplyr us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 4546749 posted 8:36 pm on Feb 20, 2013 (gmt 0)

dstiles, I know how to use ARIN. That's not the point.


Parts of that range doesn't check out as Softlayer.

keyplyr

WebmasterWorld Senior Member keyplyr us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 4546749 posted 10:04 pm on Feb 20, 2013 (gmt 0)

This is what I have for Softlayer (including the above mentioned range which I believe has many holes in it. I had it broken up into 6 smaller ranges since my information shows Softlayer does not own the entire scope of that range.)


50.22.0.0 - 50.23.255.255
50.22.0.0/15

50.97.0.0 - 50.97.255.255
50.97.0.0/16

66.228.112.0 - 66.228.127.255
66.228.112.0/20

67.228.0.0 - 67.228.255.255
67.228.0.0/16

74.86.0.0 - 74.86.255.25
74.86.0.0/16

75.126.0.0 - 75.126.255.255
75.126.0.0/16

108.168.128.0 - 108.168.255.255
108.168.128.0/17

159.253.128.0 - 159.253.159.255
159.253.128.0/19

173.192.0.0 - 173.193.255.255
173.192.0.0/15

174.140.18.0 - 174.140.18.255
174.140.18.0/24

174.140.29.0 - 174.140.29.255
174.140.29.0/24

174.140.33.0 - 174.140.33.255
174.140.33.0/24

174.140.36.0 - 174.140.36.255
174.140.36.0/24

174.140.51.0 - 174.140.51.255
174.140.51.0/24

208.43.0.0 - 208.43.255.255
208.43.0.0/16

208.101.0.0 - 208.101.63.255
208.101.0.0/18

lucy24

WebmasterWorld Senior Member lucy24 us a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



 
Msg#: 4546749 posted 1:10 am on Feb 21, 2013 (gmt 0)

159.253.128.0/19

If you don't believe it, why is it still on the list?

Softlayer may be subletting parts of its range to other entities-- it would hardly be the first-- but the chances of an undesirable host subletting to desirable humans are pretty slim. ("Oh, sorry, didn't realize it was a crack house. I'm just renting a room.")

keyplyr

WebmasterWorld Senior Member keyplyr us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 4546749 posted 2:44 am on Feb 21, 2013 (gmt 0)


If you don't believe it, why is it still on the list?

You answered your own question.

As I said, I had it divided up as 6 different smaller ranges that *did* show as Softlayer. The holes were all different companies with different hosts, none of them Softlayer, however in the big picture of things, I decided to fault on the side of probability :)

wilderness

WebmasterWorld Senior Member wilderness us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 4546749 posted 3:02 am on Feb 21, 2013 (gmt 0)

I realize you kids are having fun in the sandbox. . . .

FWIW:

RewriteCond %{REMOTE_ADDR} ^159\.(121|134|14[789])\. [OR]
RewriteCond %{REMOTE_ADDR} ^159\.(213|224\.120|226|253)\. [OR]

dstiles

WebmasterWorld Senior Member dstiles us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 4546749 posted 9:26 pm on Feb 21, 2013 (gmt 0)

Keyplr - the NETNAME seems to resolve to softlayer throughout the 159.253.128.0/19 range (I tried it every /23). The description and sometimes country vary but that is simply sub-letting. Most large companies sub-let.

keyplyr

WebmasterWorld Senior Member keyplyr us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 4546749 posted 9:43 pm on Feb 21, 2013 (gmt 0)


Thanks dstiles. I also think that up-to-date- info may take a while to propagate around. It would be interesting to find a source where we could view when IP ranges are sold/traded/assigned/re-allocated in real time.

Quite often I see that what I had noted as one company is now being listed at a WHOIS as another owner/host.

That's one argument for using CIDR for blocking instead of mod_rewrite. It gives a much clearer picture when ranges are inside of another without checking notes (ah'em Don - LOL.)

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved