Welcome to WebmasterWorld Guest from 107.21.175.43

Forum Moderators: Ocean10000 & incrediBILL

Message Too Old, No Replies

Bergdorf Group

     

keyplyr

12:59 am on Aug 2, 2011 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Evidence of SPAM bot running in WWW.

91.224.160.** - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Scraped a 200 page site, HTML pages only, short crawl duration.

91.224.160.0 - 91.224.161.255
91.224.160.0/23

Pfui

3:17 am on Aug 2, 2011 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



(WWW = here?)

I watched Bergdorf Group machines/IPs ramp-up even after 403s, ditto 200s to bot-bait. After multiple blocked URI=REF hits from five of their IPs, I finally killfiled 91.224.160.0/24 on July 3.

JULY 3
91.224.160.132
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; KKman2.0)
91.224.160.129
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
91.224.160.90
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)

JUNE 13
91.224.160.91
Opera/8.00 (Windows NT 5.1; U; en)

JUNE 11
91.224.160.90
Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)

So many faked UAs, so little time... [projecthoneypot.org...]

keyplyr

4:44 am on Aug 2, 2011 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



(WWW = here?)

No, here would be WW. By WWW I'm referring to World Wide Web :) In other words searching for that IP range returns many account of SPAM bot activity, with various UAs (as you've attested.)

caribguy

4:37 pm on Aug 2, 2011 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Indeed... Checked my logs, has the signature of a blog / forum spammer. Thanks for the heads-up.

dstiles

9:42 pm on Aug 2, 2011 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member



Blocked the /23 back on April Fools day. Seems appropriate. :)

caribguy

8:11 pm on Aug 5, 2011 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



And this is pretty timely, via the Sans Incident Handlers: a new Mac OSX Lion trojan is being distributed through the Bergdorf network. [isc.sans.edu...]

This is a DNS changer type malware that modifies the hosts file to redirect
google sites to 91.224.160.26. Which appears to be in the British Virgin Islands.

Pfui

8:47 pm on Aug 5, 2011 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Wow. And talk about small world.

Also interesting is F-Secure's article detailing the degrees to which the Bad Guys go to fake people out. [f-secure.com...]

NOTE: The trojan is a fake FlashPlayer.pkg installer for Mac; it has zero connection to Lion per se, or Apple, etc. Lion doesn't include a Flash package.
 

Featured Threads

Hot Threads This Week

Hot Threads This Month