Just a heads up.
No images. No robots.
This procedure of requesting a page and then following with a successive request for the root, was repeated 14-times yesterday.
The page(s) content is not structured by content as related to the actual page requests.
Tracerts on both IPs time out after reaching a Philly data center.
No idea if this is an open proxy or not (Cox does have some).
Different provider (proxy?)
75.129.241.zz - - [20/Apr/2008:15:51:29 -0500] "GET /MyFolder/ HTTP/1.1" 200 35018 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
75.129.241.zz - - [20/Apr/2008:15:51:29 -0500] "GET / HTTP/1.1" 301 313 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
What are the actual odds for the visitor from the same IP? What gives?
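The pattern described in the post above (a page request followed within a second or so by a request for the root, no image fetches, no robots.txt fetch, repeated many times from one address) can be checked mechanically over an Apache combined log. The following is an added example, not code from the thread or from any poster's bot blocker: the log lines are constructed to reproduce the posted pattern, the masked host 75.129.241.zz is kept exactly as posted, the 192.0.2.x hosts are documentation addresses standing in for a human visitor and a well-behaved crawler, and the thresholds (a 2 second pairing window, at least 2 pairs) are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA combined log format. The host field is matched as a generic token
# so that a masked address such as "75.129.241.zz" (as posted) still parses.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Extensions a real browser fetches after the HTML; a scraper usually does not.
ASSET_EXT = ('.gif', '.jpg', '.jpeg', '.png', '.ico', '.css', '.js')

# Constructed sample log (assumption): two page-then-root pairs from the posted
# host, one human-looking visitor, one crawler that honours robots.txt, and the
# Microsoft crawler hit quoted later in the thread.
SAMPLE_LOG = [
    '75.129.241.zz - - [20/Apr/2008:15:51:29 -0500] "GET /MyFolder/ HTTP/1.1" 200 35018 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"',
    '75.129.241.zz - - [20/Apr/2008:15:51:29 -0500] "GET / HTTP/1.1" 301 313 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"',
    '192.0.2.10 - - [20/Apr/2008:15:52:01 -0500] "GET /MyFolder/ HTTP/1.1" 200 35018 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Apr/2008:15:52:02 -0500] "GET /images/logo.gif HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [20/Apr/2008:16:10:00 -0500] "GET /robots.txt HTTP/1.1" 200 120 "-" "ExampleBot/1.0"',
    '192.0.2.20 - - [20/Apr/2008:16:10:30 -0500] "GET /about.html HTTP/1.1" 200 8000 "-" "ExampleBot/1.0"',
    '75.129.241.zz - - [20/Apr/2008:16:20:03 -0500] "GET /OtherFolder/ HTTP/1.1" 200 21000 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"',
    '75.129.241.zz - - [20/Apr/2008:16:20:04 -0500] "GET / HTTP/1.1" 301 313 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"',
    '131.107.0.72 - - [21/Apr/2008:10:42:57 +0100] "GET / HTTP/1.1" 301 230 "-" "SharedService.Crawler"',
]


def parse_line(line):
    """Return a dict of fields for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def analyze(lines, pair_window=2, min_pairs=2):
    """Group requests per host and flag the behaviours discussed in the thread.

    Flags per host:
      no_images       - never fetched an image/css/js asset (browsers do)
      no_robots       - never fetched /robots.txt (polite crawlers do)
      page_then_root  - at least min_pairs times, a non-root page was followed
                        by GET / within pair_window seconds
    """
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_host[rec['host']].append(rec)

    findings = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r['time'])  # stable: same-second order preserved
        fetched_assets = any(r['path'].lower().endswith(ASSET_EXT) for r in recs)
        fetched_robots = any(r['path'] == '/robots.txt' for r in recs)
        pairs = 0
        for a, b in zip(recs, recs[1:]):
            if (a['path'] not in ('/', '/robots.txt') and b['path'] == '/'
                    and (b['time'] - a['time']).total_seconds() <= pair_window):
                pairs += 1
        flags = []
        if not fetched_assets:
            flags.append('no_images')
        if not fetched_robots:
            flags.append('no_robots')
        if pairs >= min_pairs:
            flags.append('page_then_root')
        findings[host] = {'requests': len(recs), 'page_then_root_pairs': pairs, 'flags': flags}
    return findings


def suspicious(findings):
    """Hosts showing the posted signature: repeated page-then-root with no asset fetches."""
    return sorted(h for h, f in findings.items()
                  if 'page_then_root' in f['flags'] and 'no_images' in f['flags'])


if __name__ == '__main__':
    results = analyze(SAMPLE_LOG)
    for host, f in results.items():
        print(host, f)
    print('suspicious:', suspicious(results))
```

In practice the check would be run over a full day's log rather than a handful of lines; the absence of image requests alone is not conclusive (text-mode browsers, people with images disabled, and caching proxies all produce it), which is why the example only reports a host when the page-then-root repetition is present as well.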
blend,
Furthermore, what are the odds of three different Class A's from two different providers, ALL timing out on tracerts ;)
Both Cox and Charter have known open proxies.
And while we're here; one day last week, I stumbled across a few proxy IP page listings and almost all the leading names were from hosts whose IP ranges have long appeared here in crawls.
131.107.0.72 - - [21/Apr/2008:10:42:57 +0100] "GET / HTTP/1.1" 301 230 "-" "SharedService.Crawler"
What would be the purpose of this? (total newbie here) Would he be like a genial burglar just walking through the neighborhood trying locks?
In all honesty, we may never know.
Really! Who cares?
If the bot has decided to neglect the protocol of identifying itself?
It doesn't matter if their "Dr. Frankenstein" is the next google or a harvester.
Their methods are lame and cannot be tolerated (at least by us that monitor such things).
The 131 range from MS has all sorts of toys show up and I saw the "SharedService.Crawler" the other day, which may be a prelude to combined cache for all their crawlers based on the name.
Did you catch this one from Microsoft?
131.107.0.96 "contact kaushik for these experiments"
I tracked down Kaushik, there's 2 of them working in the "Data Management, Exploration and Mining Group (DMX)" at Microsoft.
How's that for data mining? :)
It's possible you're seeing a botnet crawl from Cox, happens all the time.
If that's the instance, here Cox needs to learn the manners or spidering protocol.
(BTW, you think Cox and Charter are working in unison?)
The majority of my pages are no cache.
It's not my desire to have any bot crawl unidentified, least of all a major home/business internet provider.
It's not my desire to have any bot crawl unidentified, least of all a major home/business internet provider.
Don, I didn't say BOT, I said BOTNET ;)
We're talking about infected machines being used to scrape sites controlled by hackers, often criminals. The better your defenses to block bots the more desperate certain types of people get for your content and they go to extremes to get it.
If you have a popular high traffic site with content that could be used to draw visitors to their sites, you're a target.
Most often my content was (and sometimes still is) being used to attract visitors to some sites that compel the visitor to install an infected video player. They have the site coded so you can hardly avoid installing it without closing your browser if you happened to have javascript enabled when you visit.
They're not nice people, I block 'em best I can and send the hosts of these sites emails to get them knocked offline when they happen to be hosted in the US.
We're talking about infected machines being used to scrape sites controlled by hackers, often criminals. The better your defenses to block bots the more desperate certain types of people get for your content and they go to extremes to get it.
Bill,
I realize what you're saying, however, bottom line is that Cox and Charter IPs are being utilized to intrude upon our networks.
The consequences of these intrusions (that affect other Cox and Charter customers) are a violation of basic IP UAGs.
The responsibility, whether initiated by a hacker or the result of open proxy (weakness in Cox and Charter systems), is not our problem to resolve, rather the problem of Cox and Charter.
If Cox and Charter are not aware of these issues?
Then they'd better get their heads out of their backsides, before ALL their customers are denied access.
edited by wilderness:
BTW, there was a time when I had sympathy for folks that were contracting virus/worms. Even used to assist widget folks in removing these items.
That was until I realized that the same people catch every damn thing that comes along, over and over and over.
Today, I feel no sympathy.
You caught, you deserve it!
The responsibility, whether initiated by a hacker or the result of open proxy (weakness in Cox and Charter systems), is not our problem to resolve, rather the problem of Cox and Charter.
I don't agree here because it's not just cable systems, it's any computer on the network that's vulnerable, many servers hosted all over the place, heck, even YOUR computer could be a sleeper cell because not all botnet infected machines are active.
However, it would seem that the cable companies could block the IRC traffic the botnets use but you run into the problem of blocking legit IRCs and that's a problem.
It would be nice however if the ISPs would disable accounts for machines used to attack our servers until they were verified clean by the Geek Squad or some similar company.
You caught, you deserve it!
Not true because anyone with skills can trick the AV programs and stay one step ahead.
Only when the providers are held accountable for their responsibility (whether you agree or not, it's their network), neither will the same providers enforce flagrant violations of their own UAGs.
You caught, you deserve it!
Not true because anyone with skills can trick the AV programs and stay one step ahead.
We'll save this for another day, it's highly off-topic and my only reason for bringing it up (as a parallel) was I'm without sympathy for internet providers.
BTW, checked my logs (hadn't done so in nearly six hours) and none of the aforementioned IPs had returned in that time.
You think they read this thread ;)
We're not most people and most people wouldn't have a clue they had a problem.
I see lots of problems coming from the various residential ISPs but getting them to do anything about it is the real issue, as a couple of hits isn't enough to make them pay attention.
FWIW, I got 2 hits from 98.174.196.* today, no image requests, nada, but both requests were instantly CHALLENGED by my bot blocker which I thought was odd so I double checked and sure enough it hit yesterday and did enough silly things it set off the IP quarantine.
This is definitely not a human at a browser.
Last year I looked at a network used in an office. Their complaint was that it had been very slow for a few months. The network was also directly connected to an ADSL Modem/Router.
I asked what Anti-Virus software they had, and they dutifully pulled a Norton box from the top of a filing cabinet. The big clue was that it was still shrink wrapped.
It transpired that all their machines had been running very slow ever since the time they had opened some "weird emails" a few months back.
It took several hours to remove all of the various viruses and malware, and then secure all the machines with proper firewalls etc. I think at least one machine needed a number of updates installed (perhaps even XP SP2 or something).
All this stuff that was running rampant on their network had been sending several hundred spam mailings 24 hours a day for 6 months or more.
There's thousands of people like that out there...