
Forum Moderators: Ocean10000 & incrediBILL


Softlayer

     

Ken_S

1:11 pm on Feb 19, 2013 (gmt 0)




Syskay Systems - syskay.xxx (Nigeria, Africa) - (Softlayer Dutch Holdings Bv - Dallas, Texas)

159.253.128.0/19 = 159.253.128.0 - 159.253.159.255 = ^159\.253\.(12[89]|1[3-5][0-9])\.

159.253.142.194 - - [19/Feb/2013:01:36:07 -0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 3573 "http://example.COM/phpmyadmin/scripts/setup.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

dstiles

8:52 pm on Feb 19, 2013 (gmt 0)




We see hundreds of phpadmin and similar requests each day, all trying to hack in. Unless you actually have phpadmin on your server it pays to block all accesses to that path. In my case I do not use php at all, so I can also block any script ending in .php.

As to the IP range - I have a LOT of softlayer ranges blocked - in fact, any IP range that looks anything like a server farm.

If the issue is new to you then learn how to block user-agents, scripts and IPs, then look through this forum for IP ranges and user-agents to block - there are hundreds of them! :)

And then there are the other headers...

keyplyr

5:07 am on Feb 20, 2013 (gmt 0)





159.253.128.0/19 = 159.253.128.0 - 159.253.159.255


Parts of that range don't check out as Softlayer. Where did you verify this?

lucy24

11:49 am on Feb 20, 2013 (gmt 0)




All's I know is, one of the worst robots I've met in my life came from that very neighborhood. 159.253.143.53 and ..145.175. They can try to hide behind /26 slivers but they sure do all look alike.

NG can't possibly be New Guinea can it?

:: shuffling papers ::

Nigeria. Figures.

wilderness

1:15 pm on Feb 20, 2013 (gmt 0)




Nigeria. Figures.


I'm sure your site(s) are not advantageous to visitors from AfriNIC

dstiles

8:05 pm on Feb 20, 2013 (gmt 0)




Keyplyr - if the record is served up by ARIN you need to scroll down to the bottom of the record:

inetnum: 159.253.128.0 - 159.253.159.255
netname: NL-SOFTLAYER-EU-20110921
descr: SoftLayer Dutch Holdings BV
country: NL

NOTE: Some ranges are /26 or whatever - put in a few IPs until you get the full range as above. I found the above for 159.253.139.0

keyplyr

8:36 pm on Feb 20, 2013 (gmt 0)




dstiles, I know how to use ARIN. That's not the point.


Parts of that range don't check out as Softlayer.

keyplyr

10:04 pm on Feb 20, 2013 (gmt 0)




This is what I have for Softlayer (including the above mentioned range which I believe has many holes in it. I had it broken up into 6 smaller ranges since my information shows Softlayer does not own the entire scope of that range.)



lucy24

1:10 am on Feb 21, 2013 (gmt 0)




159.253.128.0/19

If you don't believe it, why is it still on the list?

Softlayer may be subletting parts of its range to other entities-- it would hardly be the first-- but the chances of an undesirable host subletting to desirable humans are pretty slim. ("Oh, sorry, didn't realize it was a crack house. I'm just renting a room.")

keyplyr

2:44 am on Feb 21, 2013 (gmt 0)





If you don't believe it, why is it still on the list?

You answered your own question.

As I said, I had it divided up as 6 different smaller ranges that *did* show as Softlayer. The holes were all different companies with different hosts, none of them Softlayer, however in the big picture of things, I decided to fault on the side of probability :)

wilderness

3:02 am on Feb 21, 2013 (gmt 0)




I realize you kids are having fun in the sandbox. . . .

FWIW:

# Deny requests whose address falls in any of these 159.x blocks
RewriteCond %{REMOTE_ADDR} ^159\.(121|134|14[789])\. [OR]
RewriteCond %{REMOTE_ADDR} ^159\.(213|224\.120|226|253)\.
RewriteRule ^ - [F]

dstiles

9:26 pm on Feb 21, 2013 (gmt 0)




Keyplyr - the NETNAME seems to resolve to softlayer throughout the 159.253.128.0/19 range (I tried it every /23). The description and sometimes country vary but that is simply sub-letting. Most large companies sub-let.

keyplyr

9:43 pm on Feb 21, 2013 (gmt 0)





Thanks dstiles. I also think that up-to-date info may take a while to propagate around. It would be interesting to find a source where we could view when IP ranges are sold/traded/assigned/re-allocated in real time.

Quite often I see that what I had noted as one company is now being listed at a WHOIS as another owner/host.

That's one argument for using CIDR for blocking instead of mod_rewrite. It gives a much clearer picture when ranges are inside of another without checking notes (ah'em Don - LOL.)
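Added example, not part of any post in this thread: a check that a hand-written REMOTE_ADDR regex covers exactly the /24 blocks of the CIDR it is meant to stand for, using 159.253.128.0/19 from the discussion above. The two candidate patterns and all function names are constructed for illustration.

```python
import ipaddress
import re


def third_octet_values(cidr):
    """Return the set of third-octet values covered by a /16../24 IPv4 CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 24:
        raise ValueError("this check only handles /16 to /24 networks")
    first = net.network_address.packed[2]
    last = net.broadcast_address.packed[2]
    return set(range(first, last + 1))


def regex_coverage(pattern, cidr):
    """Compare an anchored REMOTE_ADDR regex with a CIDR.

    Returns (missed, extra): third octets inside the CIDR that the regex
    fails to match, and third octets in the same /16 but outside the CIDR
    that the regex matches anyway.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    a, b = net.network_address.packed[:2]
    wanted = third_octet_values(cidr)
    rx = re.compile(pattern)
    # Probe one address per /24; the patterns stop at the third octet.
    matched = {c for c in range(256) if rx.match(f"{a}.{b}.{c}.1")}
    return sorted(wanted - matched), sorted(matched - wanted)


CIDR = "159.253.128.0/19"
# Constructed candidates: a digit-class shortcut and an explicit alternation.
SHORTCUT = r"^159\.253\.(1[2-5][89])\."
EXPLICIT = r"^159\.253\.(12[89]|1[3-5][0-9])\."

if __name__ == "__main__":
    for name, pat in (("shortcut", SHORTCUT), ("explicit", EXPLICIT)):
        missed, extra = regex_coverage(pat, CIDR)
        print(f"{name}: misses {len(missed)} /24s, over-matches {len(extra)}")
```

The shortcut pattern only matches third octets ending in 8 or 9, so most of the /19 slips past it; the explicit alternation matches the range exactly.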
 
