DataShack.net servers
142.54.160.0 - 142.54.191.255
142.54.160.0/19

SQL Injection 'probes, attempts' from 46.246.33.52 (anon-33-52.vpn.ipredator.se)

inetnum: 46.246.32.0 - 46.246.63.255
netname: PRIVACTUALLY-NET
route: 46.246.0.0/17

Parent DS ranges: Portlane Networks AB, Sweden: [bgp.he.net...]

We don't do orange on our servers, sorry.

Thanks blend27. I block all anonymous proxy ranges. Didn't have this one.

Another Datashack
192.151.144.0 - 192.151.159.255
192.151.144.0/20

Also a new (for me) FDCservers: 50.7/16

Which brings my list to:

50.7.0.0 - 50.7.255.255
50.7.0.0/16

66.90.64.0 - 66.90.127.255
66.90.64.0/18

67.159.0.0 - 67.159.63.255
67.159.0.0/18

76.73.0.0 - 76.73.127.255
76.73.0.0/17

198.211.103.85 - - [02/Jun/2013:03:04:40 -0600] "GET / HTTP/1.1" 403 775 "-" "-"

Digital Ocean, Inc.
DIGITALOCEAN-2 192.34.56.0 - 192.34.63.255 192.34.56.0/21
DIGITALOCEAN-3 192.81.208.0 - 192.81.223.255 192.81.208.0/20
DIGITALOCEAN-5 198.199.64.0 - 198.199.127.255 198.199.64.0/18
DIGITALOCEAN-4 198.211.96.0 - 198.211.127.255 198.211.96.0/19
DIGITALOCEAN-1 208.68.36.0 - 208.68.39.255 208.68.36.0/22
DIGITALOCEAN-V6-1 2604:A880:: - 2604:A880:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

New softlayer range, registered January...

192.155.192.0 - 192.155.255.255
192.155.192.0/18

Datashack - I have
142.54.160.0 - 142.54.191.255
192.151.144.0 - 192.151.159.255
198.204.224.0 - 198.204.255.255

FDC Servers...

50.7.0.0 - 50.7.255.255
66.90.64.0 - 66.90.127.255
67.159.0.0 - 67.159.63.255
74.63.64.0 - 74.63.127.255
76.73.0.0 - 76.73.127.255
108.179.64.0 - 108.179.127.255
204.45.0.0 - 204.45.255.255
208.53.128.0 - 208.53.191.255

Digital Ocean...
82.196.0.0 - 82.196.15.255
185.14.184.0 - 185.14.187.255
192.34.56.0 - 192.34.63.255
192.81.208.0 - 192.81.223.255
198.199.64.0 - 198.199.127.255
198.211.96.0 - 198.211.127.255
208.68.36.0 - 208.68.39.255

Fibergrid/Webexxpurts
151.237.184.0 - 151.237.185.255
151.237.184.0/23

My list of Webexxpurts...

5.34.240.0 - 5.34.247.255
37.72.184.0 - 37.72.191.255
37.203.208.0 - 37.203.215.255
46.29.248.0 - 46.29.255.255
130.185.156.0 - 130.185.159.255
151.237.176.0 - 151.237.191.255
176.61.136.0 - 176.61.143.255
178.216.48.0 - 178.216.55.255
185.3.132.0 - 185.3.135.255

Mix of Sweden, Estonia and USA.

Not sure where fibregrid comes into it?

Fibergrid is subleasing the 151.237.185.0/24 of Webexxpurts and caught scraping an entire site of mine. Thanks for the Webexxpurts ranges.

inetnum: 81.7.13.0 - 81.7.13.255
netname: EUSERV-SRV-NET21
descr: EUserv Internet
descr: Customer Network #21
descr: Dedicated Rootserver Network

I am sure there are other ranges.

Caught trying to access honey pot.

81.7.13.161 - /foxyfrot - 403 - Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0

The full range 81.7.0.0/18 belongs to (or is tagged as) ISPpro Internet of Germany. I have the following for ISPpro...

81.7.0.0 - 81.7.63.255
81.89.96.0 - 81.89.111.255
85.31.184.0 - 85.31.191.255
91.143.80.0 - 91.143.95.255

Firefox 6 is WAY out of date and probably a bot of some kind.

@ dstiles re: ISPpro

Looks like broadband mixed in with web servers (much like Comcast.) Are you pinging for ports to tell the difference or just blocking categorically?

You could be right but there are several open-port IPs in the random tests I made. Ports I've seen include HTTP/HTTPS, POP3 and SMTP, FTP and others. Those ports say to me server.

If it's a mixed range then tough on the DSL users: they should find a better-split provider. Even if the ranges are static IPs, there is not enough separation between hard-core users who send out bots and "genuine" DSL users.

I dislike and distrust ALL comcast hits but I have to leave them open for one of my customers. In the past 2 years I've logged over 1200 comcast "idiotic hits". On the other hand my customer has received some orders from those ranges. :(

Another Rackspace range hit me today, a Cloud based at:

162.13.0.0 - 162.13.15.255

Servepath/GoGrid

There are mentions in two threads (one recent and one old):

08.113.98.149 - - [03/Jul/2013:04:14:40 -0600] "GET /robots.txt HTTP/1.1" 200 1907 "-" "FlightDeckReportsBot/2.0 (http://www.flightdeckreports.com/pages/bot)"

Cloud Hosting and Dedicated server.

SERVEPATH-BLK5 173.1.0.0 - 173.1.255.255 173.1.0.0 - 173.1.255.255
SERVEPATH-BLK6 204.51.128.0 - 204.51.255.255 204.51.128.0/17
SERVEPATH-BLK3 208.96.0.0 - 208.96.63.255 208.96.0.0/18
SERVEPATH-BLK3 208.113.64.0 - 208.113.127.255 208.113.64.0/18
SERVEPATH-BLK5 216.121.0.0 - 216.121.127.255 216.121.0.0/17
ERVEPATH 216.93.160.0 - 216.93.191.255 216.93.160.0/19
SERVEPATH-BLK4 64.151.64.0 - 64.151.127.255 64.151.64.0/18
SERVEPATH-BLK2 69.59.128.0 - 69.59.191.255 69.59.128.0/18
SERVEPATH-IPV6 2607:F680:: - 2607:F680:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

I have all of those as servepath but I have gogrid separately:

74.3.192.0 - 74.3.255.255
164.40.128.0 - 164.40.159.255 (NL)
173.204.0.0 - 173.204.255.255
173.244.64.0 - 173.244.79.255

173.1.0.0 - 173.1.255.255
173.1.0.0/16
I have as GoGrid

From their website FAQ:

"Is ServePath being acquired?

Absolutely not, ServePath and GoGrid have always been the same company; we are just changing our name."
end of quote

Thanks for the heads up guys.
Looking further, located these North American ranges that cover both names:
GOGRID-BLK3 173.204.0.0 - 173.204.255.255 173.204.0.0/16
GOGRID-BLK3 173.244.64.0 - 173.244.79.255 173.244.64.0/20
GOGRID-BLK1 74.3.192.0 - 74.3.255.255 74.3.192.0/18

So gogrid is a new name for servepath or the other way around? Either way, I'm not really concerned: they are both blocked. :)

There's multiple references to this, and even comes up in the search results advertising ;)

OrgName: Lunar Pages (ADD2NET-DOT-COM)
64.50.180.203 - - [06/Jul/2013:07:54:32 -0600] "GET /MyFolder/ HTTP/1.1" 200 7286 "-" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"

No other requests!

ADDD2NET-DOT-COM 209.200.224.0 - 209.200.255.255 209.200.224.0/19
ADDD2NET-DOT-COM 216.227.208.0 - 216.227.223.255 216.227.208.0/20
ADD2NET-DOT-COM 216.97.224.0 - 216.97.239.255 216.97.224.0/20
ADD2NET-DOT-COM 64.50.160.0 - 64.50.191.255 64.50.160.0/19
ADD2NET-DOT-COM 66.102.128.0 - 66.102.143.255 66.102.128.0/20
ADD2NET-DOT-COM 67.210.96.0 - 67.210.127.255 67.210.96.0/19
ADDD2NET-DOT-COM 74.50.0.0 - 74.50.31.255 74.50.0.0/19
ADD2NET-DOT-COM 2606:BD00:: - 2606:BD00:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

The dreaded Mixed Service IP, hot off the presses:

27.106.43.122 - - [07/Jul/2013:10:19:12 -0700] "GET /directory/page.html HTTP/1.1" 200 19055 "http://www.webmasterworld.com/profilev4.cgi?action=view&member=lucy24" "Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0"

HARRUMPH!

Free lookup says 27.106.0.0/17 is Syscon Infoway, based in Mumbai, which professes to be-- and probably is-- an ISP.

Buyurl
217.195.202.0 - 217.195.202.127
217.195.202.0/25

ELAN, Poland
91.236.74.0 - 91.236.75.255
91.236.74.0/23

And now the good news...

For ages I'd had
91.201.64.0/22 ("bulletproof-web", Russia)
blocked on grounds of general robotitude.

Guess it wasn't as bulletproof as they thought; the range currently seems to be unassigned. RIPE being RIPE, you would expect this situation to last five or ten minutes, tops. But they may have closed up shop as long as six months ago.

DonEkoService
91.201.64.0 - 91.201.67.255
91.201.64.0/22

I've had bad hits coming from this range in the past.

Lucy - I had that range listed as MHost but yes, not currently allocated, it seems. It's possible it fell to the latest round of exploiter shut-downs - there has been a fair amount of activity in recent months, causing a flurry of new bot activity from those attempting to create more robust botnets.

Following up through ixquick and entering the starting IP brings up a result from nanog which states the range was hijacked last August from DonEkoService (which they say was dodgy anyway). Maybe it was just reclaimed by RIPE.

A new (for me anyway) DataShack just showed up July 7:
74.91.16.0 - 74.91.31.255 74.91.16.0/20
74.91.18.224 - 74.91.18.231 74.91.18.224/29

UA: -

@not2easy Thanls for the DataShack

Amernet cloud & VoIP
209.21.64.0 - 209.21.95.255
209.21.64.0/19

Another one: GO-DADDY-NETHERLANDS-BV
146.255.32.0 - 146.255.35.255
I blocked the whole 146.255.0.0/16 because this is a sub-range in NetRange: 146.255.0.0 - 146.255.255.255 and found on a non public site and they were trying very hard to do sql injections. UA: "T34m 0x68583052" another scan from this IP had UA: "-"

From WIRESIX: 98.142.208.0 - 98.142.223.255 98.142.208.0/20
UA: "Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.0.2) Gecko/2008092213 Ubuntu/8.04 (hardy) Firefox/3.0.2"

From TEDE-LLU: 95.112.0.0 - 95.115.255.255 95.112.0.0/13
UA: "Java/1.7.0_07"

From SOFTLAYER-4-3: 75.126.0.0 - 75.126.255.255 75.126.0.0/16
UA: "Python-urllib/1.17"

From AFOCELCA (Portugal):213.58.195.224 - 213.58.195.231 213.58.192.0/21
"GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 289 "-" "-"
No UA, the requested file is not on this server but I get a lot of requests for it, it must be popular...and vulnerable.

Another one: GO-DADDY-NETHERLANDS-BV
146.255.32.0 - 146.255.35.255
I blocked the whole 146.255.0.0/16 because this is a sub-range in NetRange: 146.255.0.0 - 146.255.255.255

Thanks for the GDaddy range. However, I would reconsider blocking the /16. There *are* public areas in there. For example:
Surebroadband
146.255.0.0 - 146.255.0.127