| 10:38 am on Apr 27, 2014 (gmt 0)|
Many thanks easy.
| 3:04 pm on Apr 27, 2014 (gmt 0)|
Yes, thanks everyone for identifying and organizing that mess.
| 6:26 pm on Apr 27, 2014 (gmt 0)|
184.108.40.206 - 220.127.116.11
| 7:36 am on May 5, 2014 (gmt 0)|
18.104.22.168 - 22.214.171.124
126.96.36.199 - 188.8.131.52
| 8:02 am on May 9, 2014 (gmt 0)|
184.108.40.206 - 220.127.116.11
18.104.22.168 - 22.214.171.124
126.96.36.199 - 188.8.131.52
| 8:29 pm on May 13, 2014 (gmt 0)|
###, clicked Close instead of Post.
New QuadraNet range: free lookup says 19 March (it used to be someone else), and they've already been recruited into a botnet.*
* Interior page giving front page as referer (this is an automatic 403), followed by Contact page giving first page as referer.
| 12:59 am on May 14, 2014 (gmt 0)|
I've had them blocked for a while... I assumed this range was listed here at WW at some point.
184.108.40.206 - 220.127.116.11
| 4:16 am on May 14, 2014 (gmt 0)|
I thought so too, but looked and didn't find it. There are long QuadraNet lists in both the current thread and the previous one.
| 2:10 pm on May 15, 2014 (gmt 0)|
New Google Cloud, announced today by a couple of dozen hits on 13 IPs from something called nerdybot. I'm sure the internet is doomed. :(
18.104.22.168 - 22.214.171.124
| 5:29 pm on May 15, 2014 (gmt 0)|
Yes, AmazonII. I saw that offer for cheap secure cloud hosting and thought the same thing :(
|Build And Host Your Website On Google App Engine |
| 9:47 pm on May 15, 2014 (gmt 0)|
Previously in this thread:
126.96.36.199/20 Corporate Colo
(I missed this one until I met a botnet from China at 188.8.131.52)
Previously in this thread:
184.108.40.206/19 Carpathia Hosting
(either they've got Rules or I've just been lucky, because I have never met these)
At this point the obvious response is to look up
This turns out to belong to Adobe (in Arcadia, not to be confused with Arcata). So if you don't have the kind of site where people might legitimately browse on their lunch breaks,* you could easily collapse the whole thing to
* Someone on these forums once suggested that every time a site demands an email address, you should create one specific to that entity. As a result, I now receive a fair amount of spam addressed to "email@example.com". Quick detour tells me that memory was faulty and Adobe does not make Fontographer, which would have been the only justification for poking a hole.
| 10:53 pm on May 15, 2014 (gmt 0)|
| 8:22 pm on May 16, 2014 (gmt 0)|
And another google cloud range - nerdybot again. Are they hoovering up short IP ranges from elsewhere?
220.127.116.11 - 18.104.22.168
| 8:53 pm on May 16, 2014 (gmt 0)|
The nerdybot/GoogleCloud list is building here too: [webmasterworld.com...]
| 9:56 pm on May 16, 2014 (gmt 0)|
|And another google cloud range - nerdybot again. Are they hoovering up short IP ranges from elsewhere? |
22.214.171.124 - 126.96.36.199
For that one I have:
188.8.131.52 - 184.108.40.206
Whoops... I see now they are the same :)
| 6:55 pm on May 17, 2014 (gmt 0)|
223 and 232 always confuse me, too. :)
| 9:40 pm on May 18, 2014 (gmt 0)|
Didn't find this in site search:
Some tangle of Russian (LoyaltyServers) and Lithuanian (BalticServers) sublets that I don't feel like dealing with. Just met a robot from 220.127.116.11.
Everyone's got their own map. On mine, Russia is on the "one strike you're out" side of the line, while Lithuania is on the "let's at least look them up" side. I happened to have this one listed as Lithuania.
Requests for the front page generally get a free ride unless there are aggravating factors; in this case, a wholly gratuitous auto-referer.
| 11:49 pm on May 22, 2014 (gmt 0)|
Zayo (formerly Abovenet)
Here's the deal... These ranges definitely house servers; I block bot traffic from Zayo ranges all the time, but the company also provides a huge amount of connectivity for client employees, which is also a significant part of my traffic. There lies the enigma: continue to block, or open it up and block/filter as best I can by UA?
18.104.22.168 - 22.214.171.124
126.96.36.199 - 188.8.131.52
184.108.40.206 - 220.127.116.11
18.104.22.168 - 22.214.171.124
| 12:51 am on May 23, 2014 (gmt 0)|
UA seems the way to go if there are a lot of desirable humans around. Is it one of those companies where everyone's UA is identical down to the last .NET CLR ... or the opposite kind, where no two computers are alike because they're all hand-me-downs from some more affluent branch of the business?
You can also look at robotic behaviors like questionable referers.
| 1:53 am on May 23, 2014 (gmt 0)|
Lots of different bots with different UAs from the hundreds of different companies that have web sites on the Zayo servers across those ranges.
| 4:29 am on May 23, 2014 (gmt 0)|
I've a lot going on and not exactly firing on all eight.
You should be able to use a multiple-condition mod_rewrite focusing on the header that bots fail to use and those multiple IPs.
| 9:28 am on May 23, 2014 (gmt 0)|
I already am blocking these (and all) bots using a filter of header fields, UA and IP, as well as blocking the usual suspect behavior typical of bots (admin, wp-, login, etc.). I use a PHP script for the header check.
However, many do *not* fail the header check and do a good job of spoofing a human. That's the grey area I'm concerned with.
I'm tempted to just block the ranges and accept the collateral damage, but there must be tens of thousands of employees at all the companies using fiber from Zayo.
I'll write a bit of code to compile the server history from these ranges and watch for a while.
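The "compile the server history from these ranges" idea above, and the earlier suggestion of keying on a header that bots fail to send, as an added example (not the poster's script, not from the thread): it tallies hits from watched ranges in an Apache combined log and notes the robotic tells mentioned in this thread. The range names, the RFC 5737 addresses, the extra Accept-Language log field and the sample lines are all constructed for the example.

```python
# Added example, not code from the thread: tally hits from watched hosting ranges
# and note robotic tells (auto-referer, "//RK=0/RS=" referer gibberish, no Accept-Language).
import ipaddress
import re
from collections import defaultdict
# Constructed placeholder ranges (RFC 5737 addresses) standing in for the thread's blocks.
WATCHED = {"HosterA": ipaddress.ip_network("203.0.113.0/24"),
           "HosterB": ipaddress.ip_network("198.51.100.0/24")}
OWN_HOST = "www.example.com"
# Combined log format plus one extra quoted field: Accept-Language ("-" if absent).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ '
                    r'"([^"]*)" "([^"]*)" "([^"]*)"$')

def classify(line):
    """Return (range_name, [tells]) for a hit from a watched range, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, path, _status, referer, _ua, accept_lang = m.groups()
    name = next((n for n, net in WATCHED.items()
                 if ipaddress.ip_address(ip) in net), None)
    if name is None:
        return None
    tells = []
    host, _, ref_path = re.sub(r"^https?://", "", referer).partition("/")
    if host.lower() == OWN_HOST and "/" + ref_path == path:
        tells.append("auto-referer")        # page names itself as its referer
    if "//RK=0/RS=" in referer:
        tells.append("rk0-referer")
    if accept_lang == "-":
        tells.append("no-accept-language")  # real browsers almost always send it
    return name, tells

def summarise(lines):
    """Per watched range: total hits and how many carried at least one tell."""
    out = defaultdict(lambda: {"hits": 0, "suspicious": 0})
    for line in lines:
        hit = classify(line)
        if hit:
            out[hit[0]]["hits"] += 1
            out[hit[0]]["suspicious"] += 1 if hit[1] else 0
    return dict(out)

# Constructed sample lines, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [15/May/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://www.example.com/" "Mozilla/5.0" "-"',
    '203.0.113.9 - - [15/May/2014:10:00:02 +0000] "GET /contact.html HTTP/1.1" 200 800 "-" "Mozilla/5.0" "en-US"',
    '198.51.100.4 - - [15/May/2014:10:00:03 +0000] "GET /page.html HTTP/1.1" 200 900 "http://www.example.com//RK=0/RS=abc-" "Mozilla/5.0" "en"',
    '192.0.2.1 - - [15/May/2014:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "en"',
]
```

Calling `summarise(SAMPLE)` gives per-range counts; hits from unwatched addresses are ignored, and a high suspicious/hits ratio for a range is the signal to prefer blocking over UA filtering.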
| 11:35 pm on May 26, 2014 (gmt 0)|
This was somehow missing from the latest DataShack list [webmasterworld.com] (first post on page) so I'm repeating it here:
| 1:51 am on May 27, 2014 (gmt 0)|
Had that one but thanks for the reminder to give it another look.
| 5:51 pm on May 29, 2014 (gmt 0)|
Found this while looking up a new botnet (characterized by "PUT /nyet.gif"* if anyone cares).
Free lookup says "Internetia". Meaningless to me.
Free lookup says "Selena FM". Meaningless to me.
Free lookup says 11 websites use this address (that is, the exact IP I was looking up: 126.96.36.199)
Now you're speaking my language.
Same lookup led to
which also appears to be servers, at least as far as the specific offender at 188.8.131.52.
Robot at 184.108.40.206 may be related. But 176.223 is Poland so I just blocked 'em without further investigation.
If you are Polish or Ukrainian, it must feel awful to read WebmasterWorld ;)
* My server responded with 405, which is a perfectly acceptable translation of "nyet".
[edited by: phranque at 6:03 am (utc) on Jun 4, 2014]
[edit reason] typofix [/edit]
| 7:41 pm on May 29, 2014 (gmt 0)|
I have Netia (Poland) as below, mostly set to DSL rather than servers, although I have one sub-range and one IP blocked. There was a flurry of bad accesses a couple of years ago but mostly clean since then.
I have Namesco listed as DSL and servers; they do both. I may be wrong about the DSL one, but no bad hits have shown since I listed it in 2012. Your example IP could be just a botnet-infected machine.
22.214.171.124 - 126.96.36.199 (blocked)
188.8.131.52 - 184.108.40.206 (blocked)
220.127.116.11 - 18.104.22.168 (dsl)
I have 22.214.171.124 - 126.96.36.199 as DSL (Romania) with only a couple of bad hits last year.
I've had no activity at all on 188.8.131.52/16 since my list began in 2010.
| 8:28 pm on May 29, 2014 (gmt 0)|
That last was a typo (look at your keyboard); just missed the time cutoff so I'll have to find a moderator.
|could be just a botnet-infected machine |
Free lookup says 13 www sites use the exact IP. I'd call that a server, though of course it might not cover the whole /18.
| 10:19 pm on May 29, 2014 (gmt 0)|
Lucy, I've had 184.108.40.206/18 (Namesco 220.127.116.11 - 18.104.22.168) blocked for a while now.
| 3:13 am on Jun 4, 2014 (gmt 0)|
In this case:
NetRange: 22.214.171.124 - 126.96.36.199
Some Anastasies from there bypassing my filters, following the same UA (Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36) from DigitalFyre Internet Solutions, LLC.
Three times so far.
Re: QuadraNet: I have some ranges from the past associated with MZIMA; we all remember what that was, right?
| 4:37 am on Jun 4, 2014 (gmt 0)|
I have had Quadranet with nearly the same UA since around March this year; I had not seen the 188.8.131.52/22 visits, but the same UA was on 184.108.40.206/16, which I believe is Peer-1 hosting.
Incidentally, the UA was coming in with self-referrals that included the //RK=0 gibberish that was being discussed back then, as in:
"http://www.example.com//RK=0/RS=WQY_ZDkoVpseFK_rRoMpi6KXeBQ-" where example.com is my site. There were additional requests on that site with the //RK=0 etc attached to the requests. Same UA:
"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36"
Note: the UA is not quite identical; you're seeing NT 6.1, and the one I keep seeing is NT 6.2.
| 10:01 am on Jun 4, 2014 (gmt 0)|
Yup, I've had 220.127.116.11/19 and all other Quadranet ranges blocked for a while now.
RE: DigitalFyre 18.104.22.168/22 is inside ColoCrossing:
22.214.171.124 - 126.96.36.199