
Search Engine Spider and User Agent Identification Forum

Server Farms - April 2014
Tracking and Reporting Data Center IP Ranges
incrediBILL




msg:4660480
 6:51 pm on Apr 4, 2014 (gmt 0)

Continuation of the Server Farm threads.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:


 

keyplyr




msg:4683863
 9:04 am on Jun 30, 2014 (gmt 0)



box.com
74.112.184.0 - 74.112.187.255
74.112.184.0/22

uber.com.au
117.104.162.0 - 117.104.162.255
117.104.162.0/24

103.11.79.0 - 103.11.79.255
103.11.79.0/24

lucy24




msg:4684246
 9:52 pm on Jul 1, 2014 (gmt 0)

Does anyone know who or what Interactive 3D (Netherlands) is? Met a botnet at 31.204.153.abc, and the only other place hereabouts I find the range
31.204.128.0/19
is in incrediBill's thread about WP comment spam [webmasterworld.com].

keyplyr




msg:4684257
 10:53 pm on Jul 1, 2014 (gmt 0)

My notes say I've looked up the range belonging to Interactive 3D at least twice, probably because of wp- and other probes. AFAIK my assumption was that the hits were coming from a compromised machine, or account on their servers, and that the company per se was not malicious.

not2easy




msg:4685039
 6:17 am on Jul 4, 2014 (gmt 0)

I had to dig around because I knew I had seen the name before; it is a mishmash of servers that seem interrelated, as they all share contact info for i3d.net
inetnum: 31.204.152.0 - 31.204.153.255
netname: INTERACTIVE3D
remarks: Retail
descr: Interactive 3D B.V. IP space

Notes I had filed away from various lookups:
i3D.net - Game servers - Voice servers - Dedicated Servers - Webhosting -
i3D.net is a managed-hosting provider since 2004. We currently operate more than 8,000 servers in 16 data centers worldwide and provide 24/7 support (SLA).

keyplyr




msg:4685041
 6:55 am on Jul 4, 2014 (gmt 0)

Aha! My block list had them noted as i3d (not Interactive 3D) and as such have these ranges blocked:

31.204.128.0 - 31.204.159.255
31.204.128.0/19

188.122.64.0 - 188.122.94.255
188.122.64.0/19

213.163.64.0 - 213.163.95.255
213.163.64.0/19

and I think I have more on another account.

dstiles




msg:4685191
 8:05 pm on Jul 4, 2014 (gmt 0)

For interactive3d I have...

5.200.0.0 - 5.200.31.255
31.204.128.0 - 31.204.159.255
109.200.192.0 - 109.200.207.255
188.122.64.0 - 188.122.95.255
213.163.64.0 - 213.163.95.255

All NL.

not2easy




msg:4685354
 10:49 pm on Jul 5, 2014 (gmt 0)

gimme60bot/1.0 requesting robots.txt from a Verizon IP, then switching UAs to "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0" (same 71.189.164.218 IP)
The UA is simple enough to block with either UA, just curious, given that Verizon range 71.181.128.0 - 71.191.255.255 is labelled 'Direct Allocation' that these are assumed to be ISP IPs and they haven't taken up hosting?

As long as I'm on UAs, a cute one came by from an Amazon IP: "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"

not2easy




msg:4685365
 2:03 am on Jul 6, 2014 (gmt 0)

Found a few more, new to me:
198.74.50.197 - - [02/Jul/2014:00:09:56 -0500] "GET / HTTP/1.1" 200 18616 "-" "wsr-agent/1.0"
LINODE-US
198.74.48.0 - 198.74.63.255
198.74.48.0/20

OPPOBOX
107.182.112.0 - 107.182.127.255
107.182.112.0/20

lucy24




msg:4685374
 3:23 am on Jul 6, 2014 (gmt 0)

> these are assumed to be ISP IPs and they haven't taken up hosting?

If someone knows the full inside scoop on Verizon's IP ranges I would really, really like to hear about it. Possibly in a dedicated thread. (btw, is there a thread about the gimme60bot? I meet it periodically and it hasn't done anything to offend, but I do prefer to know what things are for.)

not2easy




msg:4685382
 5:49 am on Jul 6, 2014 (gmt 0)

Thing I did not like about the gimme60bot visit is that it requested robots.txt with one UA, then immediately changed UA with no mention of the bot in its UA - makes it kind of hard to decide whether it is respecting the file or not other than via IP. That and visiting from someone's home machine (or appearing to) since it claims to have a domain: "Mozilla/5.0 (compatible; gimme60bot/1.0 ; +http://gimme60.com)".
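
The behaviour reported in the posts above (robots.txt fetched under one user agent, then further requests from the same IP under another) can be picked out of an access log. This is an added example, not code from any poster in the thread; the function name `ua_switches`, the five-minute window and the sample timestamps are assumptions, and the log lines are constructed apart from the wsr-agent line quoted later in the thread.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def ua_switches(lines, window=timedelta(minutes=5)):
    """Return (ip, robots_ua, later_ua, path) for each request that follows a
    robots.txt fetch from the same IP within `window` under a different UA."""
    robots = {}   # ip -> (time, ua) of that IP's most recent robots.txt fetch
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, ua, path = m["ip"], m["ua"], m["path"]
        if path.split("?")[0] == "/robots.txt":
            robots[ip] = (ts, ua)
        elif ip in robots:
            seen_at, robots_ua = robots[ip]
            if ts - seen_at <= window and ua != robots_ua:
                hits.append((ip, robots_ua, ua, path))
    return hits

GIMME = "Mozilla/5.0 (compatible; gimme60bot/1.0 ; +http://gimme60.com)"
FIREFOX = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0"

# Constructed sample: IPs and UAs as reported in the thread, timestamps invented.
SAMPLE = [
    f'71.189.164.218 - - [05/Jul/2014:17:40:01 -0500] "GET /robots.txt HTTP/1.1" 200 120 "-" "{GIMME}"',
    f'71.189.164.218 - - [05/Jul/2014:17:40:03 -0500] "GET / HTTP/1.1" 200 18616 "-" "{FIREFOX}"',
    '198.74.50.197 - - [02/Jul/2014:00:09:56 -0500] "GET / HTTP/1.1" 200 18616 "-" "wsr-agent/1.0"',
    '192.0.2.10 - - [05/Jul/2014:18:00:00 -0500] "GET /robots.txt HTTP/1.1" 200 120 "-" "examplebot/1.0"',
    '192.0.2.10 - - [05/Jul/2014:18:00:02 -0500] "GET /page.html HTTP/1.1" 200 5120 "-" "examplebot/1.0"',
]

if __name__ == "__main__":
    for ip, robots_ua, later_ua, path in ua_switches(SAMPLE):
        print(f"{ip}: robots.txt as {robots_ua!r}, then {path} as {later_ua!r}")
```

Several clients behind one NAT or proxy address can produce the same pattern, so a hit is a prompt to look at the IP's other requests rather than proof of a single bot.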

keyplyr




msg:4685386
 7:30 am on Jul 6, 2014 (gmt 0)


Personally, I block gimme60bot and all other unaccountable distro bots.

lucy24




msg:4685501
 9:46 pm on Jul 6, 2014 (gmt 0)

195.12.128.0/19
Slovakia: Swan A.s. I'm assuming, not that it's important, that this means about the same as "A/S" in German and Scandinavian names. Free lookup says 9 websites use this IP, which is enough for me.

Met while looking up the latest "nyet.gif" botnet activity. (Behavior: "PUT nyet.gif" followed by GET for same file, and then optionally other stuff.) Nobody actually got through, but I like to check botnets in case the IP itself is block-worthy.

keyplyr




msg:4685502
 9:55 pm on Jul 6, 2014 (gmt 0)

Hmmm... swan.sk says they're an ISP offering the usual services. No mention of hosting, data centers, clouds or colos. You probably were just hit by a compromised DSL account. In cases like this, I'll usually block just that one IP address for a month or two, then if no further activity, delete it from my block list.

not2easy




msg:4685567
 6:28 am on Jul 7, 2014 (gmt 0)

I just looked up 130.0.238.5 - for unwanted activity and had peculiar info from RIPE, they gave me:
130.0.238.0 - 130.0.239.255
130.0.232.0/21

If I enter the range into an online CIDR converter I get:
130.0.238.0/23
which looks more accurate (?)

I have a very old list with that first CIDR (but no range) and it is only listed with others under "Eastern Blocs" and the whois I got from RIPE identifies this as 3NT Hosting Network in London. I am confused.

keyplyr




msg:4685571
 7:03 am on Jul 7, 2014 (gmt 0)



I have that range blocked as:

130.0.232.0 - 130.0.239.255
130.0.232.0/21

dstiles




msg:4685701
 6:31 pm on Jul 7, 2014 (gmt 0)

> 195.12.128.0/19

The first /22 is Euroweb, which seems self-explanatory.

On the other hand I have Swan SK 62.197.192.0/18 listed as DSL so who knows?

keyplyr




msg:4685899
 7:46 am on Jul 8, 2014 (gmt 0)




eNom

69.64.144.0 - 69.64.159.255
69.64.144.0/20

98.124.192.0 - 98.124.255.255
98.124.192.0/18

dstiles




msg:4686007
 1:58 pm on Jul 8, 2014 (gmt 0)

New (to me) google range:

104.132.0.0 - 104.135.255.255
104.132.0.0/14

Blocked here.

dstiles




msg:4686008
 2:00 pm on Jul 8, 2014 (gmt 0)

For enom I have:

8.15.231.0 - 8.15.231.255
69.64.144.0 - 69.64.159.255
98.124.192.0 - 98.124.255.255

keyplyr




msg:4686082
 4:45 pm on Jul 8, 2014 (gmt 0)

@dstiles, I have 8.15.231.0/24 as:

giglinx.com
8.15.230.0 - 8.15.231.255
8.15.230.0/23

blocked

lucy24




msg:4686153
 7:47 pm on Jul 8, 2014 (gmt 0)

General question: Are there any humans within the range
93.170.0.0/15
? The two names I meet are AlfaTelecom-- which sounds humanoid-- and Serverel-- which doesn't. All specimens I've personally met are from server farms, but they're always in /23 or /24 slivers and I can't pin down the umbrella.

For the last IP I checked-- 93.170.104.123 --free lookup comes up with three different countries, never a good sign. Four if you look at the name of one of the contact people, but then again one of the countries is the US.

dstiles




msg:4686174
 8:59 pm on Jul 8, 2014 (gmt 0)

keyplyr - looks as if you're correct. :)

My listing was from 2010 and the DNS record was updated April 2013. My record now updated. Thanks! :)

Lucy - I have almost all alfa blocked that I know about...

31.42.32.0 - 31.42.47.255
31.132.72.0 - 31.132.79.255
92.38.0.0 - 92.38.127.255 (not blocked)
93.170.0.0 - 93.171.255.255
95.46.0.0 - 95.47.255.255
146.120.0.0 - 146.120.255.255
213.109.144.0 - 213.109.159.255

92.38.0.0 was last addressed December 2013 and has shown no bad activity since (and probably not before, going back to 2010).

I agree about multiple countries being suspect but I dispute that US should be considered exempt from such a suspicion. :)

lucy24




msg:4686188
 10:08 pm on Jul 8, 2014 (gmt 0)

> I dispute that US should be considered exempt from such a suspicion.

Heh. What I meant was that in a nation of immigrants, it's perfectly normal to see someone whose name indicates a non-British place of origin. It doesn't have to mean they've got a secret Ukrainian backer.

dstiles




msg:4686461
 7:14 pm on Jul 9, 2014 (gmt 0)

Could mean they have a secret American backer. :)

keyplyr




msg:4686856
 7:35 am on Jul 11, 2014 (gmt 0)

ColoProvider
79.99.24.0 - 79.99.25.255
79.99.24.0/23

BlackFox
107.182.16.0 - 107.182.31.255
107.182.16.0/20


And 74.63.0.0/16 combines these culprits:

LightPoint
74.63.0.0 - 74.63.15.255
74.63.0.0/20

WoodyNet
74.63.16.0 - 74.63.31.255
74.63.16.0/20

Voxel
74.63.32.0 - 74.63.63.255
74.63.32.0/19

FDCservers
74.63.64.0 - 74.63.127.255
74.63.64.0/18

Viawest
74.63.128.0 - 74.63.191.255
74.63.128.0/18

Limestone
74.63.192.0 - 74.63.255.255
74.63.192.0/18

dstiles




msg:4687039
 8:18 pm on Jul 11, 2014 (gmt 0)

79.99.24.0/23 is actually... 79.99.24.0 - 79.99.31.255

keyplyr




msg:4687040
 8:26 pm on Jul 11, 2014 (gmt 0)

So you're saying the range is 79.99.24.0/21 ?
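
The range-versus-CIDR questions raised in this thread (130.0.238.0 - 130.0.239.255 returned alongside a /21, and 79.99.24.0/23 set against a range ending at 79.99.31.255) can be checked mechanically before a block rule is written. This is an added example, not code from any poster; it uses Python's standard `ipaddress` module, and the function name `classify` and its verdict labels are assumptions.

```python
import ipaddress

def classify(first, last, cidr):
    """Compare a whois-style 'first - last' range with the CIDR noted beside it.

    Returns (verdict, exact), where exact is the minimal CIDR list that covers
    the range and nothing else.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    exact = [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return "cidr-not-aligned", exact      # host bits set or malformed CIDR
    if exact == [str(net)]:
        return "match", exact
    if net.network_address <= lo and hi <= net.broadcast_address:
        return "cidr-wider", exact            # blocking the CIDR blocks extra space
    if lo <= net.network_address and net.broadcast_address <= hi:
        return "cidr-narrower", exact         # blocking the CIDR misses part of the range
    return "mismatch", exact

# Rows taken from posts in this thread: (first, last, CIDR as discussed).
ROWS = [
    ("130.0.238.0", "130.0.239.255", "130.0.232.0/21"),
    ("79.99.24.0", "79.99.31.255", "79.99.24.0/23"),
    ("74.63.32.0", "74.63.63.255", "74.63.32.0/19"),
    ("78.129.250.0", "78.129.250.255", "78.129.128.0/17"),
]

if __name__ == "__main__":
    for first, last, cidr in ROWS:
        verdict, exact = classify(first, last, cidr)
        print(f"{first} - {last}  vs {cidr:<17} {verdict:<14} exact={exact}")
```

A cidr-wider verdict means that blocking the CIDR also blocks neighbouring space the range line does not cover, so choosing between the two is a policy decision rather than a conversion error.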

lucy24




msg:4687050
 9:11 pm on Jul 11, 2014 (gmt 0)

> And 74.63.0.0/16 combines these culprits

You mean the entire /16 is made up of assorted server farms? How thoughtful of them

WoodyNet? ###. I thought they were human.

keyplyr




msg:4687081
 11:09 pm on Jul 11, 2014 (gmt 0)

> WoodyNet? ###. I thought they were human.

RE: woodynet alias Packet Clearing House or pch.net. Well I didn't say they were a server farm, just that they were a culprit. By that I mean they conduct biz that does not directly benefit my web interests, at least not through their aforementioned IP range. I guess I think of them as expendable collateral damage. I should have clarified since this is a Server Farm thread.

If I've got this wrong, please say so :)

not2easy




msg:4687197
 3:30 pm on Jul 12, 2014 (gmt 0)

An iomart I didn't have:
78.129.250.0 - 78.129.250.255
78.129.128.0/17
iomart Hosting / RapidSwitch
scraper was trapped on 2 very different sites in the past week.

Brings my list to:
78.129.250.0 - 78.129.250.255
78.129.128.0/17
iomart Hosting / RapidSwitch

82.145.60.128 - 82.145.60.255
82.145.32.0/19
Iomart Hosting / BWF Hosting

88.150.168.0 - 88.150.168.255
88.150.168.0/22
Iomart Hosting / North East Computer Systems Limited

109.169.62.0 - 109.169.63.255
109.169.0.0/18
Thrust::VPS IOMART RAPIDSWITCH

212.38.176.0 - 212.38.191.255
212.38.160.0/19
Iomart Hosting / Thrust::VPS LA|TX

wilderness




msg:4687210
 4:46 pm on Jul 12, 2014 (gmt 0)

uses three Hurricane ranges, however came in one of their exclusives.

HEAD //FCKeditor/editor

EDGEWEBHOSTING 173.213.224.0 - 173.213.239.255 173.213.224.0/20
HURRICANE-DC0405-D133A2A0 209.51.162.160 - 209.51.162.191
HURRICANE-DC0405-D133BF80 209.51.191.128 - 209.51.191.159
HURRICANE-DC0405-D8421B00 216.66.27.0 - 216.66.27.63
EDGEWEBHOSTING 69.63.128.0 - 69.63.159.255 69.63.128.0/19

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved