Bad behavior from Microsoft IP

   
10:19 pm on May 12, 2013 (gmt 0)

keyplyr (WebmasterWorld Senior Member)
IP: 137.116.226.239
NetRange: 137.116.0.0 - 137.116.255.255
CIDR: 137.116.0.0/16

UA: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0

Numerous attempts to gain entry into restricted areas:
GET www.example.com/register/
GET www.example.com/login.php
GET www.example.com/signup.php

Each attempt 2x and none of these files exist. I do not use a forum or other type of cookie-cutter members area. My restricted areas are all custom written and illicit attempts like these are always blocked.
7:17 pm on May 14, 2013 (gmt 0)

dstiles (WebmasterWorld Senior Member)
I have the range 137.116.0.0/15 blocked.

Those pages look to me like a hack attempt, possibly from something hosted on MS by a hacker.

Looking further, there is the tag NTINET which MAY tie in with ntinet(dot)com. A very brief check suggests the 137 range above is actually DSL and I have a note against my entry in the database saying, "possibly dsl but first hit was to (honeypot domain) as a bad bot - maybe cloud?"

I do not have anything from this range in my current logs (from 1st May to date).

Anyone else have information on this?
8:20 pm on May 14, 2013 (gmt 0)

wilderness (WebmasterWorld Senior Member)
fresh from ARIN

Name: NTINET-NASH
Handle: NET-137-116-0-0-1
Organization: Microsoft Corp (MSFT-Z)
9:52 pm on May 14, 2013 (gmt 0)

lucy24 (WebmasterWorld Senior Member)
:: detour to raw logs ::

Bingo. Nothing at 137.116. but found one at 137.117. from the index.php botnet. (My personal name for them. I have no pages-- whether URL or physical file-- named index.php.) Identifiable by pattern, not by IP:

some random page with auto-referer
/fonts/ with auto-referer
/fonts/index.php with www.example.com/index.php as referer
/ with again www.example.com/index.php as referer

That means humans with compromised machines, right?
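The two patterns described in this thread (keyplyr's repeated hits on member-area paths that do not exist, and lucy24's /fonts/index.php-then-/ sequence with the site's own index.php as referer) can be flagged from raw logs by sequence rather than by IP. The script below is an added example, not code posted by anyone in the thread; it assumes Apache combined log format, uses the ranges named above (137.116.0.0/15 and 131.107.0.0/16) as a lookup, and runs over constructed sample lines.

```python
import ipaddress
import re
from collections import defaultdict

# Ranges named in the thread: dstiles's 137.116.0.0/15 block and keyplyr's 131.107.0.0/16.
THREAD_RANGES = [ipaddress.ip_network(c) for c in ("137.116.0.0/15", "131.107.0.0/16")]
# Member-area paths keyplyr saw probed although none of them exist on the site.
PROBE_PATHS = {"/register/", "/login.php", "/signup.php"}
# Apache combined log: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$')

def parse(line):
    """Return (ip, path, status, referer) or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return (m[1], m[2], int(m[3]), m[4]) if m else None

def in_thread_ranges(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in THREAD_RANGES)

def classify(lines):
    """Map each IP to the sorted list of thread patterns its request sequence matches."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec[0]].append(rec)
    findings = defaultdict(set)
    for ip, recs in by_ip.items():
        # keyplyr's pattern: two or more 404s on member-area paths the site never had
        if sum(1 for _, path, status, _ in recs if path in PROBE_PATHS and status == 404) >= 2:
            findings[ip].add("member-area-probe")
        # lucy24's pattern: /fonts/index.php then / with the site's own index.php as referer
        with_index_ref = {path for _, path, _, ref in recs if ref.endswith("/index.php")}
        if {"/fonts/index.php", "/"} <= with_index_ref:
            findings[ip].add("index.php-botnet-pattern")
        if in_thread_ranges(ip):
            findings[ip].add("in-thread-range")
    return {ip: sorted(labels) for ip, labels in findings.items()}

# Constructed sample lines (not real log data); the first IP and UA are the ones keyplyr posted.
SAMPLE_LOG = [
    '137.116.226.239 - - [12/May/2013:21:03:11 +0000] "GET /register/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"',
    '137.116.226.239 - - [12/May/2013:21:03:12 +0000] "GET /login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"',
    '137.117.0.5 - - [14/May/2013:20:01:00 +0000] "GET /fonts/index.php HTTP/1.1" 404 512 "http://www.example.com/index.php" "Mozilla/5.0"',
    '137.117.0.5 - - [14/May/2013:20:01:01 +0000] "GET / HTTP/1.1" 200 4096 "http://www.example.com/index.php" "Mozilla/5.0"',
    '192.0.2.10 - - [14/May/2013:20:05:00 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, labels in classify(SAMPLE_LOG).items():
        print(ip, ", ".join(labels))
```

The sequence checks are what make this usable against dstiles's point that the range may be ordinary DSL: an IP in the range with no matching pattern produces no finding.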
10:15 pm on May 14, 2013 (gmt 0)

keyplyr (WebmasterWorld Senior Member)
I just noticed I have this M$ range blocked for the same reason:

131.107.0.0 - 131.107.255.255
131.107.0.0/16
6:46 pm on May 15, 2013 (gmt 0)

dstiles (WebmasterWorld Senior Member)
lucy - not sure if it's compromised machines - I seldom pay attention to referers. Could be just an idiot with a bot, even on a DSL range.

keyplyr - yes, blocked.
8:02 pm on May 15, 2013 (gmt 0)

lucy24 (WebmasterWorld Senior Member)
I seldom pay attention to referers.

In this case I have to because it's part of the pattern-- the stuff profilers look at. Unfortunately I can only spot it after the fact. And one of those after-the-facts was from the IP range under discussion. It's a bit worrying when a range belonging to a major software company is still vulnerable to botnet infestation.

I remember the 131.107. range. I have it in notes as "other people's robot" ;)
6:50 pm on May 16, 2013 (gmt 0)

dstiles (WebmasterWorld Senior Member)
Don't get me wrong: I have referer traps, I just do not find them the most common reason for trapping.

If it really is a DSL range then it is no different from any other ISP's IPs being compromised. There are millions of compromised computers at any given time. For a few to be on a high-profile company's broadband system is no surprise. Although, in this case, ironic (if it really is compromised computers) in that MS almost certainly make the OS that accepted compromise.
8:55 pm on May 16, 2013 (gmt 0)

lucy24 (WebmasterWorld Senior Member)
I have referer traps, I just do not find them the most common reason for trapping.

In my test site's logs I find ###loads of blocked requests with .ru and similar referers. But the referer blocks are only in place on my main site; on the test site these requests are getting blocked further along the line by IP. Belt and suspenders. If I disable mod_authz,* the referer test will get them.


* This is why people have test sites. I put in an "Allow from all" line to check something, and forgot to remove it until two days later. Ugh. Fortunately there are not many robots who modify their behavior dynamically based on response.
7:44 pm on Jun 6, 2013 (gmt 0)

dstiles (WebmasterWorld Senior Member)
Found (via bad hit) a new MS range. Initial checks suggest it's a broadband range but if anyone knows different...

137.135.0.0 - 137.135.255.255
137.135.0.0/16
4:06 pm on Jun 24, 2013 (gmt 0)

dstiles (WebmasterWorld Senior Member)
Another MS range today, DNS first registered two years ago, updated a couple of months ago...

138.91.0.0 - 138.91.255.255
138.91.0.0/16

It looks to be a DSL range from a very limited number of IP tests.