Search Engine Spider and User Agent Identification Forum

Bad behavior from Microsoft IP
keyplyr
Msg#: 4573351 posted 10:19 pm on May 12, 2013 (gmt 0)

IP: 137.116.226.239
NetRange: 137.116.0.0 - 137.116.255.255
CIDR: 137.116.0.0/16

UA: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0

Numerous attempts to gain entry into restricted areas:
GET www.example.com/register/
GET www.example.com/login.php
GET www.example.com/signup.php

Each attempt 2x, and none of these files exist. I do not use a forum or other type of cookie-cutter members area. My restricted areas are all custom written, and illicit attempts like these are always blocked.

dstiles
Msg#: 4573351 posted 7:17 pm on May 14, 2013 (gmt 0)

I have the range 137.116.0.0/15 blocked.

Those pages look to me like a hack attempt, possibly from something hosted on MS by a hacker.

Looking further, there is the tag NTINET which MAY tie in with ntinet(dot)com. A very brief check suggests the 137 range above is actually DSL and I have a note against my entry in the database saying, "possibly dsl but first hit was to (honeypot domain) as a bad bot - maybe cloud?"

I do not have anything from this range in my current logs (from 1st May to date).

Anyone else have information on this?

wilderness
Msg#: 4573351 posted 8:20 pm on May 14, 2013 (gmt 0)

fresh from ARIN

NTINET-NASH
Handle NET-137-116-0-0-1
Organization Microsoft Corp (MSFT-Z)

lucy24
Msg#: 4573351 posted 9:52 pm on May 14, 2013 (gmt 0)

:: detour to raw logs ::

Bingo. Nothing at 137.116. but found one at 137.117. from the index.php botnet. (My personal name for them. I have no pages-- whether URL or physical file-- named index.php.) Identifiable by pattern, not by IP:

some random page with auto-referer
/fonts/ with auto-referer
/fonts/index.php with www.example.com/index.php as referer
/ with again www.example.com/index.php as referer

That means humans with compromised machines, right?
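The two signatures described so far in this thread, keyplyr's repeated requests for stock login/registration URLs that do not exist on the site, and lucy24's "index.php botnet" identified by its Referer pattern rather than its IP, can both be pulled out of an ordinary Apache combined-format log. The script below is an added example, not code posted by anyone in the thread. The log lines are constructed: the IP 137.116.226.239, the 137.117 prefix, the paths and the Firefox 8 user agent come from the posts; the timestamps, the hostname www.example.com, the 137.117.10.20 host and the 203.0.113.7 and 198.51.100.9 visitors are made up.

```python
"""Flag two bot signatures from this thread in Apache combined-format logs.

Added example, not code posted by anyone in the thread. Sample log lines are
constructed (see the lead-in for which values come from the posts).
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

OWN_HOST = "www.example.com"          # assumed site hostname

# Stock login/registration URLs keyplyr says his site does not have; a client
# asking for them repeatedly is guessing at a cookie-cutter members area.
AUTH_PROBES = {"/register/", "/login.php", "/signup.php"}


def parse(lines):
    """Parse combined-format lines; silently skip anything that does not match."""
    recs = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            recs.append(d)
    return recs


def auth_probers(recs, min_hits=2):
    """IPs that hit the stock auth endpoints (which 404 here) at least min_hits times."""
    hits = defaultdict(int)
    for r in recs:
        if r["path"] in AUTH_PROBES and r["status"] == 404:
            hits[r["ip"]] += 1
    return {ip for ip, n in hits.items() if n >= min_hits}


def index_php_botnet(recs):
    """lucy24's 'index.php botnet' signature, matched on behaviour rather than IP:
    the same client sends at least one 'auto-referer' request (Referer equal to
    the URL it is requesting) and at least one request claiming to come from
    http://OWN_HOST/index.php, a page that does not exist on this site."""
    by_ip = defaultdict(list)
    for r in recs:
        by_ip[r["ip"]].append(r)
    fake_index = f"http://{OWN_HOST}/index.php"
    flagged = set()
    for ip, rs in by_ip.items():
        auto_ref = any(r["referer"] == f"http://{OWN_HOST}{r['path']}" for r in rs)
        index_ref = any(r["referer"] == fake_index for r in rs)
        if auto_ref and index_ref:
            flagged.add(ip)
    return flagged


def scan(log_text):
    recs = parse(log_text.splitlines())
    return {"auth_probers": auth_probers(recs),
            "index_php_botnet": index_php_botnet(recs)}


UA = "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
# Constructed sample log (see lead-in).
SAMPLE_LOG = f"""\
137.116.226.239 - - [12/May/2013:21:40:01 +0000] "GET /register/ HTTP/1.1" 404 512 "-" "{UA}"
137.116.226.239 - - [12/May/2013:21:40:02 +0000] "GET /register/ HTTP/1.1" 404 512 "-" "{UA}"
137.116.226.239 - - [12/May/2013:21:40:03 +0000] "GET /login.php HTTP/1.1" 404 512 "-" "{UA}"
137.116.226.239 - - [12/May/2013:21:40:04 +0000] "GET /login.php HTTP/1.1" 404 512 "-" "{UA}"
137.117.10.20 - - [14/May/2013:20:01:10 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://www.example.com/about.html" "{UA}"
137.117.10.20 - - [14/May/2013:20:01:11 +0000] "GET /fonts/ HTTP/1.1" 403 210 "http://www.example.com/fonts/" "{UA}"
137.117.10.20 - - [14/May/2013:20:01:12 +0000] "GET /fonts/index.php HTTP/1.1" 404 512 "http://www.example.com/index.php" "{UA}"
137.117.10.20 - - [14/May/2013:20:01:13 +0000] "GET / HTTP/1.1" 200 4096 "http://www.example.com/index.php" "{UA}"
203.0.113.7 - - [14/May/2013:20:05:00 +0000] "GET / HTTP/1.1" 200 4096 "-" "{UA}"
203.0.113.7 - - [14/May/2013:20:05:09 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://www.example.com/" "{UA}"
198.51.100.9 - - [14/May/2013:20:07:00 +0000] "GET /login.php HTTP/1.1" 404 512 "-" "{UA}"
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The single /login.php miss from 198.51.100.9 stays under the threshold on purpose: one stray 404 is what a typo or a stale bookmark looks like, whereas keyplyr's visitor asked for each non-existent page twice. Likewise the ordinary visitor 203.0.113.7 has a same-site Referer but not an auto-referer, so only the client that produced both halves of lucy24's pattern is flagged.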

keyplyr
Msg#: 4573351 posted 10:15 pm on May 14, 2013 (gmt 0)

I just noticed I have this M$ range blocked for the same reason:

131.107.0.0 - 131.107.255.255
131.107.0.0/16

dstiles
Msg#: 4573351 posted 6:46 pm on May 15, 2013 (gmt 0)

lucy - not sure if it's compromised machines - I seldom pay attention to referers. Could be just an idiot with a bot, even on a DSL range.

keyplyr - yes, blocked.

lucy24
Msg#: 4573351 posted 8:02 pm on May 15, 2013 (gmt 0)

I seldom pay attention to referers.

In this case I have to because it's part of the pattern-- the stuff profilers look at. Unfortunately I can only spot it after the fact. And one of those after-the-facts was from the IP range under discussion. It's a bit worrying when a range belonging to a major software company is still vulnerable to botnet infestation.

I remember the 131.107. range. I have it in notes as "other people's robot" ;)

dstiles
Msg#: 4573351 posted 6:50 pm on May 16, 2013 (gmt 0)

Don't get me wrong: I have referer traps, I just do not find them the most common reason for trapping.

If it really is a DSL range then it is no different from any other ISP's IPs being compromised. There are millions of compromised computers at any given time. For a few to be on a high-profile company's broadband system is no surprise. Although, in this case, ironic (if it really is compromised computers) in that MS almost certainly make the OS that accepted compromise.

lucy24
Msg#: 4573351 posted 8:55 pm on May 16, 2013 (gmt 0)

I have referer traps, I just do not find them the most common reason for trapping.

In my test site's logs I find ###loads of blocked requests with .ru and similar referers. But the referer blocks are only in place on my main site; on the test site these requests are getting blocked further along the line by IP. Belt and suspenders. If I disable mod_authz,* the referer test will get them.


* This is why people have test sites. I put in an "Allow from all" line to check something, and forgot to remove it until two days later. Ugh. Fortunately there are not many robots who modify their behavior dynamically based on response.
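The "belt and suspenders" arrangement lucy24 describes, an IP-range layer and a Referer trap that decide independently, is worth modelling explicitly, because it shows exactly which requests survive when one layer is accidentally switched off. The script below is an added example, not the posters' own Apache configuration. The blocked ranges are the ones posted earlier in this thread (dstiles' 137.116.0.0/15 and keyplyr's 131.107.0.0/16); the Referer rules (.ru hosts, and the non-existent /index.php), the hostname www.example.com and the sample clients are constructed assumptions. The `ip_layer_enabled=False` switch stands in for the stray "Allow from all".

```python
"""Two independent deny layers: a CIDR blocklist and a Referer trap.

Added example, not the posters' own config. Ranges are those posted in the
thread; Referer rules, hostname and sample clients are constructed.
"""
import ipaddress
import re

BLOCKED_RANGES = [ipaddress.ip_network(c) for c in (
    "137.116.0.0/15",   # dstiles; a /15 spans 137.116.0.0-137.117.255.255,
                        # so it also covers lucy24's 137.117 hit
    "131.107.0.0/16",   # keyplyr
)]

OWN_HOST = "www.example.com"   # assumed site hostname

# Referer trap (assumed rules): deny Referers whose host is under .ru, as in
# lucy24's test-site logs, and Referers naming the non-existent /index.php.
# The host part is anchored so "example.ru.com" does not match.
RU_REFERER = re.compile(r"^https?://[^/]*\.ru(?::\d+)?(?:/|$)", re.I)


def ip_blocked(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


def referer_blocked(referer):
    if not referer or referer == "-":
        return False                      # an empty Referer is not a trap by itself
    if RU_REFERER.match(referer):
        return True
    return referer == f"http://{OWN_HOST}/index.php"


def decide(ip, referer, ip_layer_enabled=True):
    """Return ("deny", layer) or ("allow", None). Layers are checked in the
    order the server would reach them: IP first, then Referer."""
    if ip_layer_enabled and ip_blocked(ip):
        return ("deny", "ip")
    if referer_blocked(referer):
        return ("deny", "referer")
    return ("allow", None)


# Constructed clients: (ip, referer)
SAMPLE_CLIENTS = [
    ("137.117.10.20", "-"),                               # inside the /15, no Referer
    ("131.107.5.5", "http://www.example.com/index.php"),  # both layers would catch this
    ("198.51.100.9", "http://spam.example.ru/"),          # outside any range, .ru Referer
    ("203.0.113.7", "http://www.example.com/"),           # ordinary visitor
]


def run(ip_layer_enabled=True):
    return [(ip, decide(ip, ref, ip_layer_enabled)) for ip, ref in SAMPLE_CLIENTS]


if __name__ == "__main__":
    for ip, verdict in run():
        print(ip, verdict)
    print("--- with the IP layer disabled (the stray 'Allow from all') ---")
    for ip, verdict in run(ip_layer_enabled=False):
        print(ip, verdict)
```

With the IP layer disabled, the .ru and fake-/index.php requests are still denied by the Referer trap, which is lucy24's point. The client that slips through is the 137.117 host sending no Referer at all: nothing in the second layer can see it, so the belt is the only thing holding it back, and a two-day gap in the IP layer is exactly the window such a client needs.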

dstiles
Msg#: 4573351 posted 7:44 pm on Jun 6, 2013 (gmt 0)

Found (via bad hit) a new MS range. Initial checks suggest it's a broadband range but if anyone knows different...

137.135.0.0 - 137.135.255.255
137.135.0.0/16

dstiles
Msg#: 4573351 posted 4:06 pm on Jun 24, 2013 (gmt 0)

Another MS range today, DNS first registered two years ago, updated a couple of months ago...

138.91.0.0 - 138.91.255.255
138.91.0.0/16

It looks to be a DSL range from a very limited number of IP tests.
