Welcome to WebmasterWorld Guest from 54.167.46.29

Forum Moderators: DixonJones & mademetop

Message Too Old, No Replies

Russian Business Network -Super-stealth bots with "success" homepages?

     
7:55 am on Nov 27, 2010 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member jab_creations is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 26, 2004
posts: 3145
votes: 12


I've been going over my site's reject logs and I've noticed some really strange activity that very closely seems to mimic bots. There are some IP addresses which if you look up and visit have blank homepages that simply say, "success". In my Apache access logs they look exactly like legit browsers with a two exceptions only one of which I'll mention. The URL's they are requesting are in the typical order that bots would fetch (although from different IP addresses) so clearly it's some sort of scrapper though if it was truly a human using a browser would they have bookmarked the Brazilian Portuguese page and visit several weeks later and then with a different IP address which if you visit has the same blank "success" website that makes the same request to a different URL?

Upon further investigation apparently it's part of the "Russian Business Network". Does any one have a list of IP addresses that I can blacklist or suggestions on countering this scrapper? I've already begun manually blocking the IP addresses though I would like to take more preemptive action if possible.

- John
10:16 pm on Dec 3, 2010 (gmt 0)

New User

5+ Year Member

joined:Jan 17, 2007
posts: 3
votes: 0


I have no "list" but blocked a bot from IP 211.104.150.236 (Asia), and one from 77.88.29.247 (Netherlands?) ...I think they're up to no good.

My content (images/text snippets) is being used on BAD sites for BAD reasons. (And right next to my stuff are things from my up&up competitors who have clearly been targeted too.)

I'm now erring on the side of caution, and doing everything I can to stay alert.

Good luck!
--lindy
1:35 am on Dec 4, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 7, 2004
posts:660
votes: 0


The following are all closely connected:
# 2009-11-02 extended DROP rule to entire 95.168.160.0 netblock after more scrapes 
# 2009-09-23 added DROP rule to block internetserviceteam.com IP 95.168.178.87
# reason: high-speed scrape
# 2009-09-18 added DROP rule to block internetserviceteam.com IP 188.72.217.11
# reason: high-speed scrape
# 2009-03-20 extended DROP rule to entire 212.95.32.0 netblock after more scrapes
# 2009-02-26 added DROP rule to block internetserviceteam.com IP 212.95.54.179
# reason: continuous high-speed scrapes
# 2009-01-30 extended DROP rule to entire 78.159.96.0 netblock after more scrapes
# 2008-12-01 added DROP rule to block internetserviceteam.com IP 78.159.112.96:
# reason: continuous high-speed scrapes
# 2008-01-12 added DROP rule to block Netdirekt (internetserviceteam.com):
# reason: continuous attempted spam posts into Forums from their network
$IPT -A tcp_inbound -p TCP -s 78.159.96.0/19 -j DROP
$IPT -A tcp_inbound -p TCP -s 84.16.224.0/19 -j DROP
$IPT -A tcp_inbound -p TCP -s 89.149.192.0/18 -j DROP
$IPT -A tcp_inbound -p TCP -s 95.168.160.0/19 -j DROP
$IPT -A tcp_inbound -p TCP -s 188.72.217.11/32 -j DROP
$IPT -A tcp_inbound -p TCP -s 212.95.32.0/19 -j DROP

# 2007-10-25 added DROP rule to block Russian Business Network:
# reason: continuous attempted spam posts into Forums
$IPT -A tcp_inbound -p TCP -s 81.95.144.0/20 -j DROP
$IPT -A tcp_inbound -p TCP -s 81.95.156.0/22 -j DROP
4:42 am on Dec 4, 2010 (gmt 0)

Preferred Member

5+ Year Member

joined:July 25, 2006
posts: 460
votes: 0


The RBN is a large network that often uses "fast-flux" IP switching that changes IP addresses every few minutes. They can send malicious requests to your server from more IP addresses than you can possibly identify and ban.

If you can find common features of the malicious requests, you will be much better off banning by those characteristics in .htaccess than attempting to ban IP addresses.
11:48 am on Dec 7, 2010 (gmt 0)

Full Member

10+ Year Member

joined:Sept 16, 2002
posts:246
votes: 0


what is the purpose of this network, why are the collecting info?
11:32 pm on Dec 7, 2010 (gmt 0)

Preferred Member

5+ Year Member

joined:July 25, 2006
posts: 460
votes: 0


Difficult to improve on this description:
[en.wikipedia.org...]