Mozilla/5.0 (tarakas)

Kaspersky bot-running from Russian Fed.

         

Pfui

4:25 pm on Aug 3, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There's no reason why these guys -- WHOIS: Kaspersky Labs; company: Kaspersky Lab; site: kaspersky.com -- need to visit, let alone re-visit, a very small, low-traffic site with a 25-sq. mile geo-target of interest that's 5,233 miles away from Moscow:

Pre-block, one hit to / html; no auxiliary files; of course, no robots.txt:

81.176.230.39 - - [0n/Jul/2011:15:58:02 -0700] "GET / HTTP/1.1" 200 4670 "-" "Mozilla/5.0 (tarakas)"

Post-block, 30 days later:

81.176.230.40 - - [0n/Aug/2011:06:59:25 -0700] "GET / HTTP/1.1" 403 866 "-" "Mozilla/5.0 (tarakas)"


BotNyet, comrades.

keyplyr

11:25 pm on Aug 3, 2011 (gmt 0)


Isn't Kaspersky the browsing security software I've seen advertised on TV? If so, wouldn't they be pre-fetching for their clients to verify browsing safety?

IMO it's pretty risky to block these types of companies or they just label your site as unsafe and block the user from visiting your site.

Pfui

2:30 am on Aug 4, 2011 (gmt 0)


I've seen those ads, too, so I was surprised to see their bare Moscow-based IPs anywhere near this off-the-beaten-track site.

If it was a larger, internationally-applicable site, and Kaspersky officially came from official domains not bare IPs, and they used official agents, and they officially requested robots.txt, then maybe I'd lighten up. A bit:) But I'd need a heckuva lot of convincing first, because hardly half an hour (or less) goes by that our CIDR isn't assailed by compromised machines across the Russian Federation.

FWIW... If the TV advertiser and the IPs are one and the same company, or software scan-related, well, one of the last things I'd do is entrust scans for anything to anything hailing from the Russian Fed (sorry RF folks). That strikes me as almost tantamount to giving the keys to a cnc-noc.net- or Kornet-based company. Yiiikes.

dstiles

9:15 pm on Aug 4, 2011 (gmt 0)


Kaspersky is one of the top security services offering top anti-virus desktop software.

On the other hand, I agree about browsing: they may be acting as proxies or they may be botting. My bet is they are looking for exploits that they can investigate or add to their stats.

I block 81.176.230/23 as well as their parent RTCOMM at 81.176/15. Doesn't seem to have done much harm.

Pfui

6:19 pm on Aug 5, 2011 (gmt 0)


And now, from a completely unrelated site, the exact same thing:

81.176.230.40 - - [0n/Aug/2011:10:48:27 -0700] "GET / HTTP/1.1" 403 1486 "-" "Mozilla/5.0 (tarakas)"

Aren't any of you guys seeing any of these guys?

lucy24

7:43 pm on Aug 5, 2011 (gmt 0)


Not in the last four months. (Unzipped raw logs on HD where they can be instantly searched.) I feel left out :(

They sound naggingly familiar though. Do they use any other name, or work with someone else, or own some other IP range?

wilderness

8:00 pm on Aug 5, 2011 (gmt 0)


"Aren't any of you guys seeing any of these guys?"


I recall seeing it, however didn't make a notation because I've the Class A's 80 thru 95 denied.

dstiles

9:23 pm on Aug 5, 2011 (gmt 0)


Plenty of hits with that UA but since it's from a Kaspersky range it's blocked and hence ignored by me personally.

Pfui

9:31 pm on Aug 5, 2011 (gmt 0)


Spasiba, all:)

Pfui

3:19 am on Oct 30, 2011 (gmt 0)


Repeat IP, another UA; html only (got botbait):

81.176.230.40
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

robots.txt? NO
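
The checks discussed across this thread (the `(tarakas)` user-agent token, the 81.176.230/23 and 81.176/15 ranges, and whether a client ever asked for robots.txt) can be run over an access log in one pass. This is an added Python example, not code from any poster; the function names, the combined-log regex and the sample lines marked constructed are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

BLOCKED_RANGES = ["81.176.230/23", "81.176/15"]  # shorthand as posted in the thread
UA_TOKEN = "(tarakas)"                            # token from the reported user agent

# Apache combined log format (assumed; it matches the lines quoted in the thread)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def expand_cidr(short):
    """Pad shorthand such as '81.176/15' to four octets and parse it strictly."""
    addr, prefix = short.split("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=True)

# Most specific range first, so a hit reports the /23 before the /15
NETWORKS = sorted((expand_cidr(r) for r in BLOCKED_RANGES), key=lambda n: -n.prefixlen)

def triage(lines):
    """Summarise clients flagged by UA token or listed range: hits, UAs, robots.txt."""
    seen = defaultdict(lambda: {"hits": 0, "robots": False, "ua_match": False,
                                "range": None, "uas": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # not a combined-format line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue                      # hostname logged instead of an address
        rec = seen[m["ip"]]
        rec["hits"] += 1
        rec["uas"].add(m["ua"])
        rec["robots"] |= m["path"].split("?")[0] == "/robots.txt"
        rec["ua_match"] |= UA_TOKEN in m["ua"]
        rec["range"] = next((str(n) for n in NETWORKS if ip in n), None)
    return {ip: r for ip, r in seen.items() if r["ua_match"] or r["range"]}

SAMPLE = [  # first two lines are quoted in the thread; the last two are constructed
    '81.176.230.39 - - [0n/Jul/2011:15:58:02 -0700] "GET / HTTP/1.1" 200 4670 "-" "Mozilla/5.0 (tarakas)"',
    '81.176.230.40 - - [0n/Aug/2011:06:59:25 -0700] "GET / HTTP/1.1" 403 866 "-" "Mozilla/5.0 (tarakas)"',
    '81.176.230.40 - - [0n/Oct/2011:00:00:00 -0700] "GET / HTTP/1.1" 403 866 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    '203.0.113.5 - - [0n/Aug/2011:07:00:00 -0700] "GET /robots.txt HTTP/1.1" 200 120 "-" "ExampleBot/1.0"',
]
```

Calling `triage(SAMPLE)` returns one record per flagged address; the record for 81.176.230.40 carries both user agents, which is why the range match is reported alongside the UA match rather than instead of it.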