I have the range 137.116.0.0/15 blocked.

Those pages look to me like a hack attempt, possibly from something hosted on MS by a hacker.

Looking further, there is the tag NTINET which MAY tie in with ntinet(dot)com. A very brief check suggests the 137 range above is actually DSL and I have a note against my entry in the database saying, "possibly dsl but first hit was to (honeypot domain) as a bad bot - maybe cloud?"

I do not have anything from this range in my current logs (from 1st May to date).

Anyone else have information on this?

fresh from ARIN

NTINET-NASH
HandleNET-137-116-0-0-1
OrganizationMicrosoft Corp (MSFT-Z)

:: detour to raw logs ::

Bingo. Nothing at 137.116. but found one at 137.117. from the index.php botnet. (My personal name for them. I have no pages-- whether URL or physical file-- named index.php.) Identifiable by pattern, not by IP:

some random page with auto-referer
/fonts/ with auto-referer
/fonts/index.php with www.example.com/index.php as referer
/ with again www.example.com/index.php as referer

That means humans with compromised machines, right?

I just noticed I have this M$ range blocked for the same reason:

131.107.0.0 - 131.107.255.255
131.107.0.0/16

lucy - not sure if it's compromised machines - I seldom pay attention to referers. Could be just an idiot with a bot, even on a DSL range.

keyplr - yes, blocked.

I seldom pay attention to referers.

In this case I have to because it's part of the pattern-- the stuff profilers look at. Unfortunately I can only spot it after the fact. And one of those after-the-facts was from the IP range under discussion. It's a bit worrying when a range belonging to a major software company is still vulnerable to botnet infestation.

I remember the 131.107. range. I have it in notes as "other people's robot" ;)

Don't get me wrong: I have referer traps, I just do not find them the most common reason for trapping.

If it really is a DSL range then it is no different from any other ISP's IPs being compromised. There are millions of compromised computers at any given time. For a few to be on a high-profile company's broadband system is no surprise. Although, in this case, ironic (if it really is compromised computers) in that MS almost certainly make the OS that accepted compromise.

I have referer traps, I just do not find them the most common reason for trapping.

In my test site's logs I find ###loads of blocked requests with .ru and similar referers. But the referer blocks are only in place on my main site; on the test site these requests are getting blocked further along the line by IP. Belt and suspenders. If I disable mod_authz,* the referer test will get them.


* This is why people have test sites. I put in an "Allow from all" line to check something, and forgot to remove it until two days later. Ugh. Fortunately there are not many robots who modify their behavior dynamically based on response.

Found (via bad hit) a new MS range. Initial checks suggest it's a broadband range but if anyone knows different...

137.135.0.0 - 137.135.255.255
137.135.0.0/16

Another MS range today, DNS first registered two years ago, updated a couple of months ago...

138.91.0.0 - 138.91.255.255
138.91.0.0/16

It looks to be a DSL range from a very limited number oif IP tests.