
Search Engine Spider and User Agent Identification Forum

    
Softlayer
Ken_S




msg:4546751
 1:11 pm on Feb 19, 2013 (gmt 0)

New Visitor

Syskay Systems - syskay.xxx (Nigeria, Africa) - (Softlayer Dutch Holdings Bv - Dallas, Texas)

159.253.128.0/19 = 159.253.128.0 - 159.253.159.255 = ^159\.253\.1(2[89]|[3-5][0-9])\.

159.253.142.194 - - [19/Feb/2013:01:36:07 -0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 3573 "http://example.COM/phpmyadmin/scripts/setup.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

 

dstiles




msg:4546882
 8:52 pm on Feb 19, 2013 (gmt 0)

We see hundreds of phpadmin and similar requests each day, all trying to hack in. Unless you actually have phpadmin on your server it pays to block all accesses to that path. In my case I do not use php at all, so I can also block any script ending in .php.

As to the IP range - I have a LOT of softlayer ranges blocked - in fact, any IP range that looks anything like a server farm.

If the issue is new to you then learn how to block user-agents, scripts and IPs, then look through this forum for IP ranges and user-agents to block - there are hundreds of them! :)

And then there are the other headers...

keyplyr




msg:4546996
 5:07 am on Feb 20, 2013 (gmt 0)


159.253.128.0/19 = 159.253.128.0 - 159.253.159.255


Parts of that range don't check out as Softlayer. Where did you verify this?

lucy24




msg:4547065
 11:49 am on Feb 20, 2013 (gmt 0)

All's I know is, one of the worst robots I've met in my life came from that very neighborhood. 159.253.143.53 and ..145.175. They can try to hide behind /26 slivers but they sure do all look alike.

NG can't possibly be New Guinea can it?

:: shuffling papers ::

Nigeria. Figures.

wilderness




msg:4547072
 1:15 pm on Feb 20, 2013 (gmt 0)

Nigeria. Figures.


I'm sure your site(s) are not advantageous to visitors from AfriNIC

dstiles




msg:4547222
 8:05 pm on Feb 20, 2013 (gmt 0)

Keyplyr - if the record is served up by ARIN you need to scroll down to the bottom of the record:

inetnum: 159.253.128.0 - 159.253.159.255
netname: NL-SOFTLAYER-EU-20110921
descr: SoftLayer Dutch Holdings BV
country: NL

NOTE: Some ranges are /26 or whatever - put in a few IPs until you get the full range as above. I found the above for 159.253.139.0

keyplyr




msg:4547228
 8:36 pm on Feb 20, 2013 (gmt 0)

dstiles, I know how to use ARIN. That's not the point.


Parts of that range don't check out as Softlayer.

keyplyr




msg:4547250
 10:04 pm on Feb 20, 2013 (gmt 0)

This is what I have for Softlayer (including the above mentioned range which I believe has many holes in it. I had it broken up into 6 smaller ranges since my information shows Softlayer does not own the entire scope of that range.)



lucy24




msg:4547276
 1:10 am on Feb 21, 2013 (gmt 0)

159.253.128.0/19

If you don't believe it, why is it still on the list?

Softlayer may be subletting parts of its range to other entities-- it would hardly be the first-- but the chances of an undesirable host subletting to desirable humans are pretty slim. ("Oh, sorry, didn't realize it was a crack house. I'm just renting a room.")

keyplyr




msg:4547301
 2:44 am on Feb 21, 2013 (gmt 0)


If you don't believe it, why is it still on the list?

You answered your own question.

As I said, I had it divided up as 6 different smaller ranges that *did* show as Softlayer. The holes were all different companies with different hosts, none of them Softlayer, however in the big picture of things, I decided to fault on the side of probability :)

wilderness




msg:4547303
 3:02 am on Feb 21, 2013 (gmt 0)

I realize you kids are having fun in the sandbox. . . .

FWIW:

RewriteCond %{REMOTE_ADDR} ^159\.(121|134|14[789])\. [OR]
RewriteCond %{REMOTE_ADDR} ^159\.(213|224\.120|226|253)\. [OR]

dstiles




msg:4547643
 9:26 pm on Feb 21, 2013 (gmt 0)

Keyplyr - the NETNAME seems to resolve to softlayer throughout the 159.253.128.0/19 range (I tried it every /23). The description and sometimes country vary but that is simply sub-letting. Most large companies sub-let.

keyplyr




msg:4547655
 9:43 pm on Feb 21, 2013 (gmt 0)


Thanks dstiles. I also think that up-to-date info may take a while to propagate around. It would be interesting to find a source where we could view when IP ranges are sold/traded/assigned/re-allocated in real time.

Quite often I see that what I had noted as one company is now being listed at a WHOIS as another owner/host.

That's one argument for using CIDR for blocking instead of mod_rewrite. It gives a much clearer picture when ranges are inside of another without checking notes (ah'em Don - LOL.)
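
The CIDR-versus-regex point raised in the last post, as an added example that is not part of any post in this thread: it checks a REMOTE_ADDR-style pattern against 159.253.128.0/19 one /24 at a time, and lists blocklist entries that already sit inside a larger one. The two patterns and the /26 slivers are constructed for illustration.

```python
import ipaddress
import re

# Range under discussion in the thread.
SOFTLAYER_19 = "159.253.128.0/19"
# Constructed for illustration: a pattern that only pins the last digit of
# the third octet, and one that spans third octets 128-159.
NARROW = r"^159\.253\.(1[2-5][89])\."
FULL = r"^159\.253\.1(2[89]|[3-5][0-9])\."


def regex_vs_cidr(pattern, cidr):
    """Compare a REMOTE_ADDR-style regex with a CIDR block, one /24 at a time.

    Returns (missed, extra): third-octet values inside the block that the
    regex does not match, and values it matches elsewhere in the same /16.
    """
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or not 16 <= net.prefixlen <= 24:
        raise ValueError("this sketch handles IPv4 /16 to /24 blocks only")
    rx = re.compile(pattern)
    missed, extra = [], []
    for sub in net.supernet(new_prefix=16).subnets(new_prefix=24):
        hit = rx.match(str(sub.network_address + 1)) is not None
        inside = sub.subnet_of(net)
        if inside != hit:
            (missed if inside else extra).append(sub.network_address.packed[2])
    return missed, extra


def nested_ranges(cidrs):
    """List (inner, outer) pairs where one blocklist entry sits inside another."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for a in nets for b in nets
            if a != b and a.subnet_of(b)]


if __name__ == "__main__":
    for name, pat in (("narrow", NARROW), ("full", FULL)):
        missed, extra = regex_vs_cidr(pat, SOFTLAYER_19)
        print(f"{name}: misses {len(missed)} /24s, over-matches {len(extra)}")
    # Constructed /26 slivers around the two addresses mentioned in the thread.
    blocklist = [SOFTLAYER_19, "159.253.143.0/26", "159.253.145.128/26"]
    for inner, outer in nested_ranges(blocklist):
        print(f"{inner} is already covered by {outer}")
```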

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved