Forum Moderators: Ocean10000 & incrediBILL

Bergdorf Group

     
12:59 am on Aug 2, 2011 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:5809
votes: 64


Evidence of SPAM bot running in WWW.

91.224.160.** - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Scraped a 200 page site, HTML pages only, short crawl duration.

91.224.160.0 - 91.224.161.255
91.224.160.0/23

3:17 am on Aug 2, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2038
votes: 1


(WWW = here?)

I watched Bergdorf Group machines/IPs ramp up even after 403s, ditto 200s to bot-bait. After multiple blocked URI=REF hits from five of their IPs, I finally killfiled 91.224.160.0/24 on July 3.

JULY 3
91.224.160.132
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; KKman2.0)
91.224.160.129
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
91.224.160.90
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)

JUNE 13
91.224.160.91
Opera/8.00 (Windows NT 5.1; U; en)

JUNE 11
91.224.160.90
Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)

So many faked UAs, so little time... [projecthoneypot.org...]

4:44 am on Aug 2, 2011 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:5809
votes: 64


(WWW = here?)

No, here would be WW. By WWW I'm referring to World Wide Web :) In other words, searching for that IP range returns many accounts of SPAM bot activity, with various UAs (as you've attested.)

4:37 pm on Aug 2, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Feb 16, 2007
posts:846
votes: 0


Indeed... Checked my logs, has the signature of a blog / forum spammer. Thanks for the heads-up.

9:42 pm on Aug 2, 2011 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3092
votes: 2


Blocked the /23 back on April Fools' Day. Seems appropriate. :)

8:11 pm on Aug 5, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Feb 16, 2007
posts:846
votes: 0


And this is pretty timely, via the SANS Incident Handlers: a new Mac OS X Lion trojan is being distributed through the Bergdorf network. [isc.sans.edu...]

This is a DNS changer type malware that modifies the hosts file to redirect Google sites to 91.224.160.26, which appears to be in the British Virgin Islands.

8:47 pm on Aug 5, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2038
votes: 1


Wow. And talk about small world.

Also interesting is F-Secure's article detailing the degrees to which the Bad Guys go to fake people out. [f-secure.com...]

NOTE: The trojan is a fake FlashPlayer.pkg installer for Mac; it has zero connection to Lion per se, or Apple, etc. Lion doesn't include a Flash package.
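
Added example, not posted by anyone in the thread: a log summary for the 91.224.160.0/23 range discussed above, reporting per IP the hit count, the distinct User-Agent strings, and requests that kept coming after a 403. It assumes Apache/nginx combined log format in chronological order; the sample lines are constructed from the IPs and UAs quoted in the posts, with invented timestamps, paths and status codes.

```python
import ipaddress
import re
from collections import defaultdict

# Range reported in the thread: 91.224.160.0 - 91.224.161.255.
WATCHED_NET = ipaddress.ip_network("91.224.160.0/23")

# Apache/nginx "combined" log format (assumed; adjust to your server's format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: IPs and UAs come from the posts above; timestamps, paths,
# status codes and the 192.0.2.10 visitor are invented for the example.
SAMPLE_LOG = """\
91.224.160.90 - - [11/Jun/2011:04:10:01 +0000] "GET /contact.html HTTP/1.1" 403 199 "-" "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)"
91.224.160.91 - - [13/Jun/2011:09:22:40 +0000] "GET /index.html HTTP/1.1" 403 199 "-" "Opera/8.00 (Windows NT 5.1; U; en)"
192.0.2.10 - - [02/Jul/2011:18:05:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0"
91.224.160.90 - - [03/Jul/2011:01:14:07 +0000] "GET /contact.html HTTP/1.1" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
91.224.160.129 - - [03/Jul/2011:01:14:09 +0000] "GET /index.html HTTP/1.1" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
91.224.160.132 - - [03/Jul/2011:01:14:11 +0000] "GET /bait.html HTTP/1.1" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; KKman2.0)"
"""


def summarize(log_text, net=WATCHED_NET):
    """Per-IP stats for clients inside `net`; expects chronological lines."""
    stats = defaultdict(lambda: {"hits": 0, "uas": set(), "denied": False, "after_403": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is a hostname or garbage
        if ip not in net:
            continue
        s = stats[str(ip)]
        s["hits"] += 1
        s["uas"].add(m["ua"])
        s["after_403"] += s["denied"]  # request made after an earlier refusal
        s["denied"] = s["denied"] or m["status"] == "403"
    return dict(stats)


def ua_rotators(stats):
    """IPs that presented more than one User-Agent string."""
    return sorted(ip for ip, s in stats.items() if len(s["uas"]) > 1)
```

Passing a different network as `net` (for example the /24 one poster blocked) shows which logged clients that narrower rule would have covered.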
 
