Moderators: Ocean10000 & incrediBILL

Search Engine Spider and User Agent Identification Forum

This 193 message thread spans 7 pages; this is page 6.
Server Farms - April 2014
Tracking and Reporting Data Center IP Ranges
incrediBILL




msg:4660480
 6:51 pm on Apr 4, 2014 (gmt 0)

Continuation of the Server Farm threads.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:


 

wilderness




msg:4687210
 4:46 pm on Jul 12, 2014 (gmt 0)

uses three Hurricane ranges, however came in one of their exclusives.

HEAD //FCKeditor/editor

EDGEWEBHOSTING 173.213.224.0 - 173.213.239.255 173.213.224.0/20
HURRICANE-DC0405-D133A2A0 209.51.162.160 - 209.51.162.191
HURRICANE-DC0405-D133BF80 209.51.191.128 - 209.51.191.159
HURRICANE-DC0405-D8421B00 216.66.27.0 - 216.66.27.63
EDGEWEBHOSTING 69.63.128.0 - 69.63.159.255 69.63.128.0/19

keyplyr




msg:4687221
 5:55 pm on Jul 12, 2014 (gmt 0)

Those Hurricane ranges of:
209.51.162.160 - 209.51.162.191
209.51.191.128 - 209.51.191.159
are actually:
209.51.160.0 - 209.51.191.255
209.51.160.0/19

That Hurricane range of:
216.66.27.0 - 216.66.27.63
is actually:
216.66.0.0 - 216.66.95.255
216.66.0.0/18
216.66.64.0/19

Thanks for the Edge

Note: I've mostly seen requests for FCKeditor/editor from China ranges.

wilderness




msg:4687233
 8:00 pm on Jul 12, 2014 (gmt 0)

Those Hurricane ranges of:

are actually:


Many thanks keyplyr. I was aware of the larger Hurricane ranges, however those smaller ranges are designated as EDGEWEBHOSTING (AFAIK) they lease from the backbone.

lucy24




msg:4687245
 9:37 pm on Jul 12, 2014 (gmt 0)

I've mostly seen requests for FCKeditor/editor from China ranges.

<topic drift>
Is this name used by some major CMS? I remember seeing this in a real page's URL-- well, ahem, it is memorable-- and thinking they really should have got a native English speaker to look at their directory names.
</td>

keyplyr




msg:4687264
 11:53 pm on Jul 12, 2014 (gmt 0)

I just assume it is what it says it is, an editor... likely with security vulnerabilities since I see almost as many hack attempts for this as I do Wordpress files.

wilderness




msg:4687284
 3:11 am on Jul 13, 2014 (gmt 0)

Hosted Data Solutions, LLC (HDSL-5)
HOSTEDSOLUTIONS-1 173.209.192.0 - 173.209.223.255 173.209.192.0/19

lucy24




msg:4687423
 10:46 pm on Jul 13, 2014 (gmt 0)

Has someone got a comprehensive list of Iliad Entreprises? (sic spelling, they're French) I met two different ranges under the same botnet within the last couple of days:

195.154
212.129.0.0/18
(the latter is broken into smaller pieces but it seems to be all Iliad: I did some spot-checking)

Another new one on me:
162.248.96.0/21 Query Foundry
Can't figure out if that's a server, a proxy or what. Just happened to meet a robot.

:: wandering off to investigate Web-Sniffer ::

keyplyr




msg:4687425
 11:05 pm on Jul 13, 2014 (gmt 0)

Well hardly comprehensive, but this is what I have for Iliad on my home machine. I may have more at the office (which I cannot connect to thanks to the new cable BB LAN restrictions!)

62.210.0.0/16
62.210.0.0 - 62.210.255.255

195.154.0.0/16
195.154.0.0 - 195.154.255.255

212.83.160.0/19
212.83.160.0 - 212.83.191.255

212.129.0.0/18
212.129.0.0 - 212.129.21.255

And I've had Query Foundry (QF) blocked for a while now:

162.248.96.0/21
162.248.96.0 - 162.248.103.255

Since the abuse contact is cloudshards.com, I assumed QF was at least complicit in crime :)

lucy24




msg:4688529
 6:40 pm on Jul 17, 2014 (gmt 0)

185.53.88.0/22
EstroWeb / Host Palace
Netherlands

New one on me, but the combination of 185 and /22 means there will be a lot more of them in years to come. So far they're only up to the '50's.

keyplyr




msg:4688653
 1:59 am on Jul 18, 2014 (gmt 0)

185.53.88.0/22 seems to be part of Leaseweb but I'll need to get to my other machine for the bigger range. Anyone?

jmccormac




msg:4688709
 8:56 am on Jul 18, 2014 (gmt 0)

There seems to be 2 entries for Estroweb:
| ESTROWEB-03 | Estro Web Services Private Limited | 185.53.88.0 | 185.53.88.255 |
| EU-ESTROWEB-20140408 | Estro Web Services Private Limited | 185.53.88.0 | 185.53.91.255 |

Others:
| EU-ESTROWEB-20120126 | Estro Web Services Private Limited | 37.49.224.0 | 37.49.231.255 |

It is subnetted into a group of Class Cs.


Regards...jmcc

wilderness




msg:4688836
 11:42 am on Jul 18, 2014 (gmt 0)

Bill,
Time for a new update in this thread.

Many thanks.

wilderness




msg:4688904
 3:48 pm on Jul 18, 2014 (gmt 0)

Most of these are part of larger backbones. (Some from Integra and another from Frontier-Legacy):

209.147.118.209 - - [18/Jul/2014:07:52:33 -0600] "GET /index.html HTTP/1.1" 403 647 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0)"


NetName: OPTICFUSION-NET
OrgName: Optic Fusion

lucy24




msg:4689293
 6:35 pm on Jul 20, 2014 (gmt 0)

Today's trawl from the "contact" botnet:

91.215.156.0/22
Infinite Technologies, Netherlands
(This area of 91 is all /22 slivers, so that's all there is)

209.164.64.0/18
Corespace, US
Never heard of 'em, but doesn't it sound like servers? Note that 209.164.0.0/18 is Xo, so people who prefer to block first and ask questions afterward might end up with a tidy /17.
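The range arithmetic used in this thread (keyplyr's 216.66.0.0 - 216.66.95.255 written as a /18 plus a /19, and the two neighbouring 209.164 /18 blocks that add up to a /17) can be checked mechanically before a range goes into a block list. This is an added example, not code from any poster in the thread; the function names are assumptions and the 192.0.2.0 pair in the last lines is a constructed sample.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks that covers first..last exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def covering_supernet(first, last):
    """Smallest single CIDR containing the range, and how many addresses
    outside the range it would also block (the cost of rounding up)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in net:
        net = net.supernet()
    return net, net.num_addresses - (int(hi) - int(lo) + 1)

def merge_blocks(cidrs):
    """Collapse adjacent or nested block-list entries into the fewest CIDRs."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in cidrs))

def pair_is_consistent(first, last, cidr):
    """True when a 'first - last' range and a CIDR describe the same block."""
    net = ipaddress.ip_network(cidr)
    return (net.network_address == ipaddress.ip_address(first)
            and net.broadcast_address == ipaddress.ip_address(last))

if __name__ == "__main__":
    # A range that is not a single power-of-two block needs two entries.
    print(range_to_cidrs("216.66.0.0", "216.66.95.255"))
    # Rounding the same range up to one CIDR over-blocks 8192 addresses.
    print(covering_supernet("216.66.0.0", "216.66.95.255"))
    # Two adjacent /18 blocks with different owners merge into one /17.
    print(merge_blocks(["209.164.0.0/18", "209.164.64.0/18"]))
    # Small sub-allocations disappear once the parent block is listed.
    print(merge_blocks(["209.51.162.160/27", "209.51.191.128/27",
                        "209.51.160.0/19"]))
    # Constructed mismatch: the range is only half of the /24.
    print(pair_is_consistent("192.0.2.0", "192.0.2.127", "192.0.2.0/24"))
```
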

jmccormac




msg:4689295
 6:52 pm on Jul 20, 2014 (gmt 0)

There's also a second net for Infinite Technologies: 192.162.136.0 | 192.162.139.255. It is relatively sparse on gTLDs and some European ccTLDs.

Corespace seems quite big. Hosts 99,890 sites across 1380 active Cs and 9 detected nets.

Regards...jmcc

keyplyr




msg:4689299
 7:25 pm on Jul 20, 2014 (gmt 0)


hostmysite.com
209.164.0.0 - 209.164.63.255
209.164.0.0/18


Here's what I have for Infinite:

91.215.156.0 - 91.215.159.255
91.215.156.0/22

192.162.136.0 - 192.162.139.255
192.162.136.0/22


Here's what I have for Corespace:

63.249.128.0 - 63.249.255.255
63.249.128.0/17

64.182.0.0 - 64.182.255.255
64.182.0.0/16

66.34.0.0 - 66.34.255.255
66.34.0.0/16

66.221.0.0 - 66.221.255.255
66.221.0.0/16

69.13.0.0 - 69.13.255.255
69.13.0.0/16

209.164.64.0 - 209.164.127.255
209.164.64.0/18

wilderness




msg:4689321
 11:05 pm on Jul 20, 2014 (gmt 0)

more Corespace:

CORESPACE-3 216.221.160.0 - 216.221.191.255 216.221.160.0/19
CORESPACE-4 216.97.0.0 - 216.97.127.255 216.97.0.0/17

Angonasec




msg:4689666
 6:46 am on Jul 22, 2014 (gmt 0)

VegasNAP: Desert Snakes

I noticed it because allthingsnow.com is busy XSSing our site, and Gbot kindly rumbled them.

Tip:
Watch for allthingsnow.com/day/unknown/shared/ in your logs.

So far, for VegasNAP I just have their 199.241.136.0/21 hosting sector.

Any more please?

wilderness




msg:4689668
 7:07 am on Jul 22, 2014 (gmt 0)


Angonasec




msg:4689675
 8:32 am on Jul 22, 2014 (gmt 0)

Thank you for the list of nasties aka:

VegasNAP LLC - Fiberhub Colocation and Internet Services.

We have been warned :)

wilderness




msg:4689796
 5:25 pm on Jul 22, 2014 (gmt 0)

single page request. No supporting files. No robots.
Used domain root as refer.


192.111.155.118 - - [22/Jul/2014:10:26:56 -0600] "GET /MyFolder/MySub/MyPage.html HTTP/1.1" 200 12655 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)"

Centrilogic, Inc. (CENTR-60)

Pfui




msg:4689797
 5:41 pm on Jul 22, 2014 (gmt 0)

Wow, small world! 192.111.155.118 hit me two hours ago with the same fake domain root ref trick (that's what caught my attention; plus no grfx). Mine used a different UA:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31

To quote Stop Forum Spam: "Lots of activity from this IP in the last few days." [stopforumspam.com...] Indeed. Someone's up to something.

lucy24




msg:4689805
 6:06 pm on Jul 22, 2014 (gmt 0)

<topic drift>
the same fake domain root ref trick


I have this set of lockouts (obviously site-specific, based on file structure and internal navigation):
RewriteCond %{HTTP_REFERER} example\.com/?$
RewriteCond %{REQUEST_URI} !index\.html
RewriteCond %{REQUEST_URI} !/boilerplate/
RewriteRule ^([^/.]+/)+[^/.]+(\.html|/)$ - [F]

RewriteCond %{HTTP_REFERER} ^http://(www\.)?example\.com/?$
RewriteRule ^$ - [F]

RewriteCond %{HTTP_REFERER} example\.com/\w+\.(html|php)$
RewriteRule (^|\.html|/)$ - [F,NS]


Unfortunately this turns into "out of sight, out of mind" since I generally don't look at lockouts. But sooner or later they try the same thing on my test site, which doesn't have a detailed htaccess, and then they get added to the IP block list.
</topic drift>

wilderness




msg:4689806
 6:13 pm on Jul 22, 2014 (gmt 0)

lucy,
Might this go before or after canonical?

Also, what does "boilerplate" refer to in this instance?
Is it a custom 403 or something else?

Many thanks.

Don

lucy24




msg:4689815
 7:13 pm on Jul 22, 2014 (gmt 0)

Whoops, just came by to post an unrelated question: Anyone know anything about Telentia? I'd never heard of them, and neither apparently does Forums search. But one of my ongoing botnets turned up at

104.128.16.0/20
and
209.161.96.0/20

104.etcetera got a line to itself in htaccess because this is a new range that's getting assigned as we speak.


Might this go before or after canonical?

Since these are [F] rules, they go before any canonicalization redirects if that's what you meant. The index.html exemption is needed to prevent lockouts, since the redirect comes later.

Also, what does "boilerplate" refer to in this instance?
Is it a custom 403 or something else?

It's the name of the directory where I keep contact forms, legal stuff and similar. It does also happen to contain my error pages, but those get an [L] pass-- by individual page name-- at the very beginning. It's also the only directory whose inner pages are directly linked from the front page, hence the exemption.

Referer-based blocks by their nature will always be site-specific. Mine translate as
"request for any inner page giving front page as referer" (because these links don't occur except for /boilerplate/)
"request for front page giving itself as referer" (because self-referring links give me the fantods, and are in fact the main reason I even speak 2 words of php)
"request for anything, anywhere, giving a top-level named page as referer" (because these pages don't exist, period)

wilderness




msg:4689820
 7:45 pm on Jul 22, 2014 (gmt 0)

104.128.16.221 - - [29/Jun/2014:06:28:21 -0600] "GET /MyFolder/MySub/MyPage.html HTTP/1.1" 200 25982 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36"

Page only. No supporting files and domain root refer.
Note: this page gets a fair bit of activity (at least for widgets) and even some blogs have linked to it.

"Telentia provides wholesale managed Cloud Infrastructure as a Service (IaaS) solutions to service providers."
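The pattern reported in the posts above (an inner page requested with the site root as referer, no supporting files, no robots.txt) can be looked for in an access log. This is an added example, not code from any poster in the thread; the log lines are constructed, and the function names, the asset extension list and the `/boilerplate/` exemption (taken from lucy24's description of her own site) are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "METHOD path PROTO" status bytes "referer" "ua"
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')
ASSET = re.compile(r'\.(css|js|png|jpe?g|gif|ico|svg|woff2?)$', re.I)

def is_root_referer(referer, site_host):
    """True when the referer is the bare front page of our own site."""
    u = urlsplit(referer)
    host = u.hostname or ""
    host = host[4:] if host.startswith("www.") else host
    return host == site_host and u.path in ("", "/") and not u.query

def suspicious_clients(lines, site_host, linked_from_root=("/boilerplate/",)):
    """Map each IP that requested inner pages with the front page as referer,
    and fetched no assets and no robots.txt, to the pages it requested."""
    seen = defaultdict(lambda: {"hits": [], "assets": 0, "robots": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        ip, _method, path, _status, referer, _ua = m.groups()
        bare = path.split("?", 1)[0]
        rec = seen[ip]
        if bare == "/robots.txt":
            rec["robots"] = True
        elif ASSET.search(bare):
            rec["assets"] += 1
        elif (bare.count("/") >= 2              # at least one directory deep
              and not bare.startswith(linked_from_root)
              and is_root_referer(referer, site_host)):
            rec["hits"].append(bare)
    return {ip: r["hits"] for ip, r in seen.items()
            if r["hits"] and r["assets"] == 0 and not r["robots"]}

SAMPLE = [  # constructed log lines, modeled on the ones quoted in the thread
    '198.51.100.7 - - [22/Jul/2014:10:26:56 -0600] "GET /MyFolder/MySub/MyPage.html HTTP/1.1" 200 12655 "http://www.example.com/" "Mozilla/4.0"',
    '203.0.113.9 - - [22/Jul/2014:10:27:01 -0600] "GET /MyFolder/MyPage.html HTTP/1.1" 200 9000 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Jul/2014:10:27:02 -0600] "GET /css/site.css HTTP/1.1" 200 700 "http://www.example.com/MyFolder/MyPage.html" "Mozilla/5.0"',
    '198.51.100.8 - - [22/Jul/2014:10:28:00 -0600] "GET /boilerplate/contact.html HTTP/1.1" 200 800 "http://example.com" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE, "example.com"))
```

This is a heuristic: a returning visitor with cached assets produces the same log shape, so the result is a list of addresses to review against their WHOIS range rather than a block list in itself.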

keyplyr




msg:4689861
 10:11 pm on Jul 22, 2014 (gmt 0)


My notes say I blocked telentia.com over a year ago so it can't be that new.

104.128.16.0 - 104.128.31.255
104.128.16.0/20

209.161.96.0 - 209.161.111.255
209.161.96.0/20

jmccormac




msg:4689874
 11:27 pm on Jul 22, 2014 (gmt 0)

On that range, the dates are fairly new.
RegDate: 2014-05-20
Updated: 2014-05-20

Regards...jmcc

keyplyr




msg:4689877
 11:55 pm on Jul 22, 2014 (gmt 0)

Well, not that it matters much but... 104.128.16-31 was leased from Reliable Telecom then new network created on 20140520. Notes were only for that range, not the 209.161.96/20.

keyplyr




msg:4690282
 7:48 am on Jul 24, 2014 (gmt 0)

DirectNic

74.117.216.0 - 74.117.223.255
74.117.216.0/21

199.7.104.0 - 199.7.111.255
199.7.104.0/21


And this company (who has at least one compromised machine) says they are hosted by DirectNic, but I can't find the larger DirectNic range:

BioDataBoard

50.117.15.0 - 50.117.15.255
50.117.15.0/24

jmccormac




msg:4690289
 10:02 am on Jul 24, 2014 (gmt 0)

The 50.117.15.0/24 range seems to be a subnet of an EGI Hosting range.

Regards...jmcc
