
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL

Search Engine Spider and User Agent Identification Forum

Bad behavior from Microsoft IP

 10:19 pm on May 12, 2013 (gmt 0)

NetRange: -

UA: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0

Numerous attempts to gain entry into restricted areas:
GET www.example.com/register/
GET www.example.com/login.php
GET www.example.com/signup.php

Each attempt 2x and none of these files exist. I do not use a forum or other type of cookie-cutter members area. My restricted areas are all custom written and illicit attempts like these are always blocked.



 7:17 pm on May 14, 2013 (gmt 0)

I have the range blocked.

Those pages look to me like a hack attempt, possibly from something hosted on MS by a hacker.

Looking further, there is the tag NTINET which MAY tie in with ntinet(dot)com. A very brief check suggests the 137 range above is actually DSL and I have a note against my entry in the database saying, "possibly dsl but first hit was to (honeypot domain) as a bad bot - maybe cloud?"

I do not have anything from this range in my current logs (from 1st May to date).

Anyone else have information on this?


 8:20 pm on May 14, 2013 (gmt 0)

fresh from ARIN

Organization: Microsoft Corp (MSFT-Z)


 9:52 pm on May 14, 2013 (gmt 0)

:: detour to raw logs ::

Bingo. Nothing at 137.116. but found one at 137.117. from the index.php botnet. (My personal name for them. I have no pages-- whether URL or physical file-- named index.php.) Identifiable by pattern, not by IP:

some random page with auto-referer
/fonts/ with auto-referer
/fonts/index.php with www.example.com/index.php as referer
/ with again www.example.com/index.php as referer

That means humans with compromised machines, right?
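An added example, not part of the original thread: one way to find the request pattern described in the post above in an Apache combined-format access log, by flagging clients that send both "auto-referers" (the request names itself as referer) and referers pointing at a page the site never serves. The hostnames, the `NONEXISTENT` set, the `min_hits` threshold and the sample log lines (documentation IP addresses) are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache combined log format: ip - - [time] "METHOD path PROTO" status size "referer" "ua"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
SITE_HOSTS = {"www.example.com", "example.com"}  # assumption: the site's own hostnames
NONEXISTENT = {"/index.php"}                     # assumption: paths the site never serves

def classify(path, referer):
    """Return 'auto', 'phantom' or None for one request/referer pair."""
    if referer in ("", "-"):
        return None
    # Accept both full URLs and bare "host/path" referers.
    ref = urlsplit(referer if "//" in referer else "//" + referer)
    if ref.hostname not in SITE_HOSTS:
        return None
    if ref.path in NONEXISTENT:
        return "phantom"   # claims to come from a page that does not exist
    if ref.path == urlsplit(path).path:
        return "auto"      # the request gives its own URL as referer
    return None

def suspicious_clients(lines, min_hits=3):
    """Map each IP showing BOTH referer anomalies to its flagged requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue       # skip lines that are not in combined format
        kind = classify(m["path"], m["referer"])
        if kind:
            hits[m["ip"]].append((m["path"], kind))
    return {ip: h for ip, h in hits.items()
            if len(h) >= min_hits and {k for _, k in h} == {"auto", "phantom"}}

def _line(ip, path, status, referer):  # builds one constructed sample log line
    return (f'{ip} - - [14/May/2013:21:40:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "{referer}" "Mozilla/5.0"')

SAMPLE = [  # constructed data, not taken from anyone's real logs
    _line("192.0.2.10", "/articles/page7.html", 200, "http://www.example.com/articles/page7.html"),
    _line("192.0.2.10", "/fonts/", 403, "http://www.example.com/fonts/"),
    _line("192.0.2.10", "/fonts/index.php", 404, "http://www.example.com/index.php"),
    _line("192.0.2.10", "/", 200, "http://www.example.com/index.php"),
    _line("198.51.100.7", "/articles/page7.html", 200, "http://www.example.com/articles/"),
]

if __name__ == "__main__":
    for ip, flagged in suspicious_clients(SAMPLE).items():
        print(ip, flagged)
```

Requiring both anomalies from the same client keeps an ordinary visitor whose browser happens to send a same-page referer out of the result.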


 10:15 pm on May 14, 2013 (gmt 0)

I just noticed I have this M$ range blocked for the same reason: -


 6:46 pm on May 15, 2013 (gmt 0)

lucy - not sure if it's compromised machines - I seldom pay attention to referers. Could be just an idiot with a bot, even on a DSL range.

keyplr - yes, blocked.


 8:02 pm on May 15, 2013 (gmt 0)

I seldom pay attention to referers.

In this case I have to because it's part of the pattern-- the stuff profilers look at. Unfortunately I can only spot it after the fact. And one of those after-the-facts was from the IP range under discussion. It's a bit worrying when a range belonging to a major software company is still vulnerable to botnet infestation.

I remember the 131.107. range. I have it in notes as "other people's robot" ;)


 6:50 pm on May 16, 2013 (gmt 0)

Don't get me wrong: I have referer traps, I just do not find them the most common reason for trapping.

If it really is a DSL range then it is no different from any other ISP's IPs being compromised. There are millions of compromised computers at any given time. For a few to be on a high-profile company's broadband system is no surprise. Although, in this case, ironic (if it really is compromised computers) in that MS almost certainly make the OS that accepted compromise.


 8:55 pm on May 16, 2013 (gmt 0)

I have referer traps, I just do not find them the most common reason for trapping.

In my test site's logs I find ###loads of blocked requests with .ru and similar referers. But the referer blocks are only in place on my main site; on the test site these requests are getting blocked further along the line by IP. Belt and suspenders. If I disable mod_authz,* the referer test will get them.

* This is why people have test sites. I put in an "Allow from all" line to check something, and forgot to remove it until two days later. Ugh. Fortunately there are not many robots who modify their behavior dynamically based on response.


 7:44 pm on Jun 6, 2013 (gmt 0)

Found (via bad hit) a new MS range. Initial checks suggest it's a broadband range but if anyone knows different... -


 4:06 pm on Jun 24, 2013 (gmt 0)

Another MS range today, DNS first registered two years ago, updated a couple of months ago... -

It looks to be a DSL range from a very limited number of IP tests.


All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved