Newbie Questions

not understanding entries

         

Ken_Smith

4:36 pm on Jan 10, 2008 (gmt 0)

10+ Year Member



Gang, I have been lurking around for about a month now trying to glean from what I see you post. I'm not a tech person, but I do learn from those that have that ability. I learn mostly thru trial & error.

I have a couple of questions below but thought I would give a little history to better explain them.

I appreciate the info I find here, it is a big help to me.

Ken

Bit-of-History on below ..

Tries to force a file download, freezes browser (all are blocked now)

87.118.120.** - - [09/Dec/2007:00:28:53 -0700] "GET / HTTP/1.0" 200 6611 "http://example.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Win64; x64; SV1; .NET CLR 2.0.50727)"

87.118.120.** - - [12/Dec/2007:10:19:11 -0700] "GET / HTTP/1.0" 200 6611 "http://example.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8 Mnenhy/0.6.0.103"

87.118.120.** - - [16/Dec/2007:03:41:43 -0700] "GET / HTTP/1.0" 403 - "http://example.com" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko/20021016 K-Meleon 0.7"

Usual Approach: = 87.118.120.**
87.118.120.** - - [16/Dec/2007:03:41:43 -0700] "GET / HTTP/1.0" 403 - "http://example.com" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko/20021016 K-Meleon 0.7"

Different IP = 166.114.88.***

(Q) What is: m.sta.codetel.net.do
166.114.88.**.m.sta.codetel.net.do - - [09/Jan/2008:08:52:53 -0700] "GET / HTTP/1.0" 403 - "http://example.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20020923 Phoenix/0.1"

Using my domain name:
(Q) What's being attempted (changed IP, hit a couple minutes later)
87.118.120.** - - [09/Jan/2008:08:54:57 -0700] "GET http://www.example.com/ HTTP/1.0" 403 - "http://example.com.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20020923 Phoenix/0.1"

87.118.120.** - - [09/Jan/2008:08:54:57 -0700] "GET / HTTP/1.0" 403 - "http://example.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20020923 Phoenix/0.1"

[edited by: volatilegx at 2:38 am (utc) on Jan. 17, 2008]
[edit reason] examplified [/edit]

Ken_Smith

3:37 am on Jan 15, 2008 (gmt 0)

10+ Year Member



Please disregard requests, I have found info that I was seeking.
Thanks, Ken

phranque

4:38 am on Jan 15, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



welcome, ken, after long-time lurking!
if it would be useful information, please provide details.
otherwise this post becomes irrelevant and will probably be deleted.

volatilegx

2:42 am on Jan 17, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yeah, Ken, I wouldn't mind knowing the answer, too. I'm afraid the probable reason for a lack of answers to your questions here is that we just don't have any.

wilderness

4:24 am on Jan 17, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



(Q) What's being attempted (changed IP, hit a couple minutes later)

I get spider attempts from 87.118. daily.

Unfortunately, I cannot explain the reason because I do not focus upon RIPE ranges because the majority are denied access to my sites.

The 166. range is LACNIC, which I also have denied.

Don

blend27

7:13 pm on Jan 22, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



87.118.120.** belongs to KEYWEB dot DE: NETName: DE-KEYWEB-III and is a hosting farm. Recently lots of comment spam and scrapers are coming from keyweb ranges.

Searching G for m.sta.codetel.net.do returns a lot of comment spam results from .200; seems like it is/was an anon proxy as well.

volatilegx

1:20 am on Jan 23, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks blend27 :)

blend27

7:42 pm on Jan 27, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Any time Volatilegx :)

What's interesting is that KEYWEB seems to be on the rise for this kind of Junk coming from their IP-Ranges. We maintain a long list of Hosting/Datacenter IP Ranges (946 to be exact) and actively Deny all and any traffic coming from those. KEYWEB is at #2 at the moment on the S*** list coming from EU Regions, but not by far from SCHLUND.

Just not long ago today:

.... / 403 112 244 1468 HTTP/1.0 www.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - http://www.example.com/
... / 403 112 244 375 HTTP/1.0 www.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - http://www.example.com/
.... / 403 112 244 406 HTTP/1.0 www.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - http://www.example.com/
.... / 403 112 248 1015 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... / 403 112 248 1156 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... / 403 112 248 375 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... /forum/index.php - 403 112 278 390 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... / 403 112 101 1218 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... / 403 112 101 875 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... /phpbb/index.php - 403 112 278 593 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... / 403 112 101 375 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... / - 403 112 101 375 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... /phpbb2/index.php - 403 112 280 812 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... / - 403 112 264 515 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... / - 403 112 264 421 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... /forums/index.php - 403 112 280 968 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... / - 403 112 264 812 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... / - 403 112 264 390 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... /board/index.php - 403 112 278 640 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... / - 403 112 101 359 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]
.... / - 403 112 101 937 HTTP/1.0 forum.example.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+en)+Opera+8.00 - [forum.example.com...]

from 87.118.116.***

The request headers also contain valid cookie information and, as shown above, also send a referrer string with the domain in question being visited. The funny part is that we don't have a forum/phpbb, nor have PHP enabled on this server.

NO Soup for KEYWEB, Sorry.

[edited by: volatilegx at 7:46 pm (utc) on Jan. 28, 2008]
[edit reason] examplified [/edit]
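
An added example, not part of any post in this thread: a small triage script for Apache combined-format logs that flags the three patterns visible in the entries above, namely one host presenting several different user-agents, a request line carrying a full URL (the absolute form a client normally sends to a proxy), and requests for forum paths the server does not host. The sample lines are constructed with documentation addresses, and the `min_agents` threshold and the path list are assumptions to adjust per site.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the entries quoted in the first post.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Forum paths requested in the last post's excerpt; list whatever your site does not host.
FORUM_PATHS = {"/forum/index.php", "/forums/index.php", "/phpbb/index.php",
               "/phpbb2/index.php", "/board/index.php"}

# Constructed sample lines modelled on the thread (documentation IP ranges, shortened agents).
SAMPLE = [
    '192.0.2.10 - - [09/Dec/2007:00:28:53 -0700] "GET / HTTP/1.0" 200 6611 "http://example.com" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.10 - - [12/Dec/2007:10:19:11 -0700] "GET / HTTP/1.0" 200 6611 "http://example.com" "Mozilla/5.0 Firefox/0.8"',
    '192.0.2.10 - - [16/Dec/2007:03:41:43 -0700] "GET / HTTP/1.0" 403 - "http://example.com" "Mozilla/5.0 K-Meleon 0.7"',
    '192.0.2.10 - - [09/Jan/2008:08:54:57 -0700] "GET http://www.example.com/ HTTP/1.0" 403 - "http://example.com" "Mozilla/5.0 Phoenix/0.1"',
    '198.51.100.7 - - [27/Jan/2008:19:00:01 -0700] "GET /phpbb2/index.php HTTP/1.0" 403 - "http://forum.example.com/" "Mozilla/4.0 Opera 8.00"',
    '203.0.113.5 - - [27/Jan/2008:19:05:00 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/2.0"',
]

def triage(lines, min_agents=3):
    """Return {host: sorted list of reasons} for hosts showing any flagged pattern."""
    agents = defaultdict(set)
    reasons = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a combined-format entry
        host, target = m["host"], m["target"]
        agents[host].add(m["agent"])
        # A normal browser request to an origin server uses a path, not a full URL.
        if target.lower().startswith(("http://", "https://")):
            reasons[host].add("absolute-form request target")
        if target.split("?", 1)[0].lower() in FORUM_PATHS:
            reasons[host].add("request for forum path not hosted here")
    for host, seen in agents.items():
        if len(seen) >= min_agents:
            reasons[host].add("multiple user-agents from one host")
    return {host: sorted(r) for host, r in reasons.items()}

if __name__ == "__main__":
    for host, why in triage(SAMPLE).items():
        print(host, "->", "; ".join(why))
```

Grouping by the logged host string treats each address separately; to catch a whole hosting range, as the posters do, key on the network prefix instead.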