
Forum Moderators: Ocean10000 & incrediBILL

good riddance to bad robots

   
11:46 pm on Jun 15, 2013 (gmt 0)

lucy24 (WebmasterWorld Senior Member, Top Contributor of All Time)



For people looking to fatten their Deny lists, here's the result of some recent housecleaning. I'm currently afflicted by two botnets that I know as the "indexphp botnet" and the "hovercraft" botnet because of their site-specific behavior. No idea what the robots' underlying script is; obviously they haven't singled me out among all the world's billions of www sites :)

5.34.242.18 and ..20
>>
5.34.240.0/21 Sweden, may be some kind of proxy, assigned to "webexxpurts" (sic) belonging to one Deepak Mehta with address in Tallinn, no country specified. ("That's funny! You don't look Estonian.")

62.113.213.244 (exact but repeated)
>>
62.113.192.0/18 Germany 23media and/or NodeDeploy (Something about the name element "Node" makes me instantly suspicious.)

108.163.248.18 and ..250.75
>>
108.163.192.0/18 Singlehop (can you put "Singlehop" and "benefit of the doubt" into the same sentence?)

130.185.156.226
>>
130.185.152.0/21 assorted places involving... well, fancy that. Two different people don't know how to spell "experts", and they both have the same name (in fairness, there do exist men in English-speaking countries whose name truly is John Smith) and live at the same address in Tallinn. Guess he assumes IANA knows what country it's in.

173.213.97.249 and ..113.252
>>
173.213.64.0/18 US Eonix Corp., hosting and colo, nuff said

178.238.131.94
>>
78.238.131.88/29
Bit of a headscratcher here. Do we go with UK (BurstNet) or further east (packetlabs.ro) or still further east (address entirely in Chinese, and it's not because browser has inadvertently changed to UTF-16).
>>
Aah, the heck with it, let's just lock out the whole
178.238.128.0/20

198.2.204.73 and ..204.145
>>
198.2.192.0/18 PegTech range mentioned elsewhere. The exact area 204.72-79 seems to belong to someone in China, but not worth investigating closer.

198.27.80.111
>>
198.27.64.0/18 OVH Montreal (I cannot get the initials O,V,H to stand for "Francophone robot" but that seems to be what it means)

198.52.240.36 and ..46
>>
198.52.128.0/17 Avante Hosting, somewhere in Canada. This is a recently opened range. Don't have exact dates, but a few months ago it was on my bogons list.

198.143.143.44 and ..159.79
>>
198.143.128.0/18 Singlehop. Yawn.

199.48.164.41
>>
199.48.160.0/21 (NodesDirect, see above about name elements that can only cause suspicion) but it turns out I've met other robots from the neighborhood so let's proceed directly to
>>
199.48.128.0/18

217.76.196.234
>>
217.76.192.0/20 T.E.S.T. Where would a botnet be without a Ukrainian?

217.195.202.2, ..9, ..12, ..14, ..16
>>
very active neighborhood, unique in offering representatives of both my current botnets. Another head-scratcher, because it goes back to
217.195.192.0/20
in an apparently human Turkish range, and I do meet the occasional human from Turkey, so let's compromise with
>>
217.195.202.0/25
which looks as if it's sublet to someone in Austria.
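An added example, not part of any post in this thread: a pre-deployment check that each observed address really falls inside the range chosen to cover it, followed by merging of nested ranges into a final list. The first five pairs come from the post above; the last two are constructed mistakes on documentation addresses, and the Apache-style `Deny from` output format is an assumption about how the list is consumed.

```python
import ipaddress

# (observed addresses, range chosen to cover them). The first five pairs are
# taken from the post above; the last two are constructed mistakes on
# documentation addresses, added to show what the check catches.
ENTRIES = [
    (["5.34.242.18", "5.34.242.20"], "5.34.240.0/21"),
    (["108.163.248.18", "108.163.250.75"], "108.163.192.0/18"),
    (["199.48.164.41"], "199.48.160.0/21"),
    (["199.48.164.41"], "199.48.128.0/18"),
    (["217.195.202.2", "217.195.202.16"], "217.195.202.0/25"),
    (["203.0.113.77"], "203.0.113.0/26"),      # constructed: range too narrow
    (["198.51.100.10"], "198.51.100.10/24"),   # constructed: host bits set
]


def check_entries(entries):
    """Return (valid networks, list of problem strings)."""
    good, problems = [], []
    for observed, cidr in entries:
        try:
            # strict=True rejects a range whose address is not the network base
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: {exc}")
            continue
        missed = [ip for ip in observed if ipaddress.ip_address(ip) not in net]
        if missed:
            problems.append(f"{cidr}: does not cover {', '.join(missed)}")
        else:
            good.append(net)
    return good, problems


def deny_lines(networks):
    """Merge nested or adjacent ranges and format one line per range.

    The "Deny from" syntax is an assumed Apache-style output format.
    """
    merged = ipaddress.collapse_addresses(networks)
    return [f"Deny from {net}" for net in merged]


if __name__ == "__main__":
    nets, issues = check_entries(ENTRIES)
    print("\n".join(deny_lines(nets)))
    for issue in issues:
        print("CHECK:", issue)
```

Because 199.48.160.0/21 sits inside 199.48.128.0/18, the merged output carries only the wider range.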

7:16 pm on Jun 16, 2013 (gmt 0)

dstiles (WebmasterWorld Senior Member, Top Contributor of All Time, 5+ Year Member)



Thanks, Lucy.

I had all but two of those ranges blocked; extras now added.



And thanks for starting an IP on its own line: makes it much easier and quicker to paste the IP into my database, even with the extras after it! :)

6:25 pm on Jun 17, 2013 (gmt 0)

10+ Year Member



Thanks. Checked them all and already have them all blocked... so feeling better about keeping on top of these cesspools.