Bad behavior from Microsoft IP

keyplyr (Forum Moderator, US), 10:19 pm on May 12, 2013 (gmt 0)

IP: 137.116.226.239
NetRange: 137.116.0.0 - 137.116.255.255
CIDR: 137.116.0.0/16

UA: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0

Numerous attempts to gain entry into restricted areas:
GET www.example.com/register/
GET www.example.com/login.php
GET www.example.com/signup.php

Each attempt 2x and none of these files exist. I do not use a forum or other type of cookie-cutter members area. My restricted areas are all custom written and illicit attempts like these are always blocked.

dstiles (Senior Member, GB), 7:17 pm on May 14, 2013 (gmt 0)

I have the range 137.116.0.0/15 blocked.

Those pages look to me like a hack attempt, possibly from something hosted on MS by a hacker.

Looking further, there is the tag NTINET which MAY tie in with ntinet(dot)com. A very brief check suggests the 137 range above is actually DSL and I have a note against my entry in the database saying, "possibly dsl but first hit was to (honeypot domain) as a bad bot - maybe cloud?"

I do not have anything from this range in my current logs (from 1st May to date).

Anyone else have information on this?

wilderness (Senior Member), 8:20 pm on May 14, 2013 (gmt 0)

fresh from ARIN

Name: NTINET-NASH
Handle: NET-137-116-0-0-1
Organization: Microsoft Corp (MSFT-Z)

lucy24 (Senior Member, US), 9:52 pm on May 14, 2013 (gmt 0)

:: detour to raw logs ::

Bingo. Nothing at 137.116. but found one at 137.117. from the index.php botnet. (My personal name for them. I have no pages-- whether URL or physical file-- named index.php.) Identifiable by pattern, not by IP:

some random page with auto-referer
/fonts/ with auto-referer
/fonts/index.php with www.example.com/index.php as referer
/ with again www.example.com/index.php as referer

That means humans with compromised machines, right?
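
The two patterns described so far (keyplyr's repeated requests for non-existent members-area paths, and lucy24's "index.php botnet" signature of a self-referencing Referer followed by Referers pointing at a www.example.com/index.php that does not exist) can be turned into log-based detection. The following Python is an added example, not code posted by anyone in the thread: it parses Apache-style combined log lines and flags both behaviours per IP. The sample log lines are constructed for the example; 137.116.226.239 and the Firefox 8 UA come from the first post, while 137.117.0.10 and 198.51.100.7 are made-up addresses (the thread only says "137.117."). SITE_HOST, the extra probe paths /wp-login.php and /administrator/, and the use of 137.116.0.0/16 as a block list are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"   # assumed host of the site whose logs are analysed

# Apache/nginx "combined" format:
# ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Members-area paths that do not exist on this site. The first three are the ones
# from the thread; /wp-login.php and /administrator/ are assumed extras.
PROBE_PATHS = {"/register/", "/login.php", "/signup.php", "/wp-login.php", "/administrator/"}

# The range from the whois lookup in the first post, used as a hypothetical block list.
BLOCKED = [ipaddress.ip_network("137.116.0.0/16")]


def parse(lines):
    """Yield one dict per line that matches the combined format; ignore the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
            yield rec


def in_blocked_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED)


def find_login_probers(lines, threshold=2):
    """IPs that asked at least `threshold` times for members-area paths that 404."""
    hits = defaultdict(list)
    for rec in parse(lines):
        if rec["path"] in PROBE_PATHS and rec["status"] == "404":
            hits[rec["ip"]].append(rec["path"])
    return {ip: {"hits": len(p), "paths": sorted(set(p)), "blocked": in_blocked_range(ip)}
            for ip, p in hits.items() if len(p) >= threshold}


def _referer_parts(referer):
    """(host, path) of a Referer value, or None when it is '-' or empty."""
    if not referer or referer == "-":
        return None
    u = urlsplit(referer if "://" in referer else "http://" + referer)
    return u.netloc.lower(), (u.path or "/")


def find_index_php_botnet(lines):
    """IPs that sent both an auto-referer (Referer == the URL being requested) and a
    request whose Referer claims to be /index.php on this site, a page that does not exist."""
    evidence = defaultdict(lambda: {"auto_referer": [], "fake_index_referer": []})
    for rec in parse(lines):
        parts = _referer_parts(rec["referer"])
        if parts is None:
            continue
        host, rpath = parts
        if host != SITE_HOST:
            continue                      # off-site referers are a separate trap
        if rpath == rec["path"]:
            evidence[rec["ip"]]["auto_referer"].append(rec["path"])
        elif rpath == "/index.php":
            evidence[rec["ip"]]["fake_index_referer"].append(rec["path"])
    return {ip: e for ip, e in evidence.items()
            if e["auto_referer"] and e["fake_index_referer"]}


UA = "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
# Constructed sample log. 137.116.226.239 and the UA come from the first post;
# 137.117.0.10 and 198.51.100.7 are made-up addresses.
SAMPLE_LOG = [
    # the probe from the first post: three non-existent paths, each requested twice
    *[f'137.116.226.239 - - [12/May/2013:22:19:0{i} +0000] "GET {p} HTTP/1.1" 404 512 "-" "{UA}"'
      for i, p in enumerate(["/register/", "/login.php", "/signup.php"] * 2)],
    # the index.php pattern, from the neighbouring /16
    f'137.117.0.10 - - [14/May/2013:21:40:00 +0000] "GET /page7.html HTTP/1.1" 200 2048 "http://www.example.com/page7.html" "{UA}"',
    f'137.117.0.10 - - [14/May/2013:21:40:01 +0000] "GET /fonts/ HTTP/1.1" 403 199 "http://www.example.com/fonts/" "{UA}"',
    f'137.117.0.10 - - [14/May/2013:21:40:02 +0000] "GET /fonts/index.php HTTP/1.1" 404 512 "http://www.example.com/index.php" "{UA}"',
    f'137.117.0.10 - - [14/May/2013:21:40:03 +0000] "GET / HTTP/1.1" 200 4096 "http://www.example.com/index.php" "{UA}"',
    # an ordinary visitor: normal internal referers and one stray 404
    f'198.51.100.7 - - [14/May/2013:21:41:00 +0000] "GET / HTTP/1.1" 200 4096 "-" "{UA}"',
    f'198.51.100.7 - - [14/May/2013:21:41:05 +0000] "GET /about.html HTTP/1.1" 200 1024 "http://www.example.com/" "{UA}"',
    f'198.51.100.7 - - [14/May/2013:21:41:09 +0000] "GET /login.php HTTP/1.1" 404 512 "http://www.example.com/about.html" "{UA}"',
]

if __name__ == "__main__":
    print(find_login_probers(SAMPLE_LOG))
    print(find_index_php_botnet(SAMPLE_LOG))
```

Run as a script it prints one dict per detector. The probe detector needs a 404 plus a threshold so a single mistyped URL from a real visitor is not enough; the referer detector only looks at Referers that name this site, because the auto-referer and the fake /index.php Referer are what identify the pattern, not the IP.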

keyplyr (Forum Moderator, US), 10:15 pm on May 14, 2013 (gmt 0)

I just noticed I have this M$ range blocked for the same reason:

131.107.0.0 - 131.107.255.255
131.107.0.0/16

dstiles (Senior Member, GB), 6:46 pm on May 15, 2013 (gmt 0)

lucy - not sure if it's compromised machines - I seldom pay attention to referers. Could be just an idiot with a bot, even on a DSL range.

keyplyr - yes, blocked.

lucy24 (Senior Member, US), 8:02 pm on May 15, 2013 (gmt 0)

"I seldom pay attention to referers."

In this case I have to because it's part of the pattern-- the stuff profilers look at. Unfortunately I can only spot it after the fact. And one of those after-the-facts was from the IP range under discussion. It's a bit worrying when a range belonging to a major software company is still vulnerable to botnet infestation.

I remember the 131.107. range. I have it in notes as "other people's robot" ;)

dstiles (Senior Member, GB), 6:50 pm on May 16, 2013 (gmt 0)

Don't get me wrong: I have referer traps, I just do not find them the most common reason for trapping.

If it really is a DSL range then it is no different from any other ISP's IPs being compromised. There are millions of compromised computers at any given time. For a few to be on a high-profile company's broadband system is no surprise. Although, in this case, ironic (if it really is compromised computers) in that MS almost certainly make the OS that accepted compromise.

lucy24 (Senior Member, US), 8:55 pm on May 16, 2013 (gmt 0)

"I have referer traps, I just do not find them the most common reason for trapping."

In my test site's logs I find ###loads of blocked requests with .ru and similar referers. But the referer blocks are only in place on my main site; on the test site these requests are getting blocked further along the line by IP. Belt and suspenders. If I disable mod_authz,* the referer test will get them.


* This is why people have test sites. I put in an "Allow from all" line to check something, and forgot to remove it until two days later. Ugh. Fortunately there are not many robots who modify their behavior dynamically based on response.

dstiles (Senior Member, GB), 7:44 pm on June 6, 2013 (gmt 0)

Found (via bad hit) a new MS range. Initial checks suggest it's a broadband range but if anyone knows different...

137.135.0.0 - 137.135.255.255
137.135.0.0/16

dstiles (Senior Member, GB), 4:06 pm on June 24, 2013 (gmt 0)

Another MS range today, DNS first registered two years ago, updated a couple of months ago...

138.91.0.0 - 138.91.255.255
138.91.0.0/16

It looks to be a DSL range from a very limited number of IP tests.