Welcome to WebmasterWorld Guest from 54.234.114.202

Forum Moderators: Ocean10000

Message Too Old, No Replies

Cyveillance IP Ranges

What are the IP Ranges for Cyveillance

     
2:36 pm on Jun 2, 2003 (gmt 0)

New User

10+ Year Member

joined:Mar 25, 2003
posts:33
votes: 0


I want to block Cyveillance from ever visiting my site, but I can't figure out all the ip ranges they own... Does anyone know (I searched a bit on here but got only the big ones).

Thanks!
Scott

2:47 pm on June 2, 2003 (gmt 0)

New User

10+ Year Member

joined:Mar 25, 2003
posts:33
votes: 0


Okay, I may have answered my own question... I have the following IPs as coming from Cyveillance (from my logs)...
* 63.148.99.229
* 63.148.99.232
* 63.148.99.233
* 63.148.99.247
* 63.148.99.253

ARIN returns a net range of 63.148.99.224 - 63.148.99.255... How do I block that with .htaccess?

3:11 pm on June 2, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


kewlbeezer,

Don't forget the 65.118.41.192-223 range...


RewriteCond %{REMOTE_ADDR} ^63\.148\.99\.2(2[4-9]¦[34][0-9]¦5[0-5])$ [OR]
RewriteCond %{REMOTE_ADDR} ^65\.118\.41\.(19[2-9]¦2[01][0-9]¦22[0-3])$
RewriteRule .* - [F]

Jim
3:54 pm on June 2, 2003 (gmt 0)

New User

10+ Year Member

joined:Mar 25, 2003
posts:33
votes: 0


thanks jdMorgan... can I just paste that in my htaccess file anywhere for it to work?

Also, do you think you could explain for us htaccess newbys, what you typed there and how it works?

Thanks Mucho!
Scott

4:34 pm on June 2, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5496
votes: 3


RewriteCond %{REMOTE_ADDR} ^63\.148\.99\.2(2[4-9][34][0-9]5[0-5])$ [OR]
RewriteCond %{REMOTE_ADDR} ^65\.118\.41\.(19[2-9]2[01][0-9]22[0-3])$
RewriteRule .* - [F]

Before going any farther it is imperative that you keep in mind the neccessity of coverting how the forum server display the straight up-down line above the back slash key as "" incorrectly.

the ip range 63\.148.99.2(2[4-9][34][0-9]5[0-5])$ [OR]
denies the following ranges:
63.148.99.224-229
63.148.99.230 & 249
63.148.99.250-255
The $ character is only used when all four classes are present.
In this instance the first 2 after 99. is used to apply to in front of all ranges enclosed in parethenses.
Multiple Bracket statements are enclosed in parethenses.
Addition ranges outside of a particular bracket are separated my the wrongly forum translated "

RewriteCond %{REMOTE_ADDR} ^65\.118\.41\.(19[2-9]2[01][0-9]22[0-3])$

65.118.41.192-199
65.118.41.201-219

The OR is used if there are multiple lines and is NOT used on either a solitary line or the closing line.

The last line
RewriteRule .* - [F] denies access and returns a 403

4:50 pm on June 2, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


kewlbeezer,

As wilderness points out, you must hand-edit the above code to replace the broken vertical pipe "" characters with the solid vertical pipe characters from your keyboard. The forum modifies them on posting, and mod_rewrite will not accept the broken pipe characters.

If you have no other mod_rewrite rules in your .htaccess file, you will need to preface the code above with these two lines:


Options +FollowSymLinks
RewriteEngine on

Also, have a look at this Introduction to mod_rewrite [webmasterworld.com] post, and follow the links to the mod_rewrite and regular expressions documentation.

Jim

6:48 pm on June 2, 2003 (gmt 0)

New User

10+ Year Member

joined:Mar 25, 2003
posts:33
votes: 0


Thank you guys!

Scott

2:50 am on July 15, 2003 (gmt 0)

Preferred Member

10+ Year Member

joined:May 14, 2003
posts:376
votes: 0


FWIW: i found this, very recently, over on spamcop.net in the newsgroups and emailed it to myself... i had heard that cyv had other IPs... can anyone else confirm these?

Found this news:bd28o7$l2m$1@news.spamcop.net in spamcop:

-= BEGIN forwarded message =-

Subject: Re: Cyveillance being sneaky once again
From: "Merlyn" <Merlyn@Spamcop.net>
Newsgroups: spamcop
Reply-To: "Merlyn" <Merlyn@Spamcop.net>
Organization: The Cave

"Godwin Stewart" <gstewart.YOUR_KNICKERS@sgms-centre.com> wrote in message
news:20030621105205.5aaa02ff.gstewart.YOUR_KNICKERS@sgms-centre.com...

>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> And Thus Spake "Kev" <nobody@spamcop.net> (on Sat, 21 Jun 2003 09:22:23
>> +0100):
>>
>
>>> > Mmmmmmmm....... I just found exactly the same in my logs (it won't get
>>> > there again ;-) ) - anyone got an up to date list of Cyveillance IP's
>>> > please?
>
>>
>> Don't know if it's up to date but I block this at the firewall level:
>>
>> 63.148.99.224/27
>> 65.118.41.192/27
>>

You might also want to check these as they scan from some of them also.....

63.148.99.224-63.148.99.255
65.118.41.192-65.118.41.223
128.121.217.0-128.121.217.255 (not sure on block size)
207.87.178.0-207.87.178.255 (not sure on block size)
63.100.73.? (not sure on blocksize)
63.100.163.122 (not sure on blocksize)

pop.imaphost.com resolves to 63.100.163.122

207.87.178.68 has dubious reverse DNS of pop.imaphost.com - which is a valid
hostname, but not one that resolves to 207.87.178.68

I am also looking into imagelock.com seems as if they are tied somehow

-- Regards, Merlyn A Spamcop advocate All replies will be made specifically to the newsgroup

-= END forwarded message =-

7:30 pm on July 18, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5496
votes: 3


I have no idea if all this example wkitty provided are related.

I did have this from Telecom the other day:

209.49.118.24 - - [16/Jul/2003:21:56:50 -0700] "GET / HTTP/1.0" 403 - "-" "WebGo IS - 2612"

The denial came from a common SetEnvIf I use to condense lines.