Does anyone know who or what Interactive 3D (Netherlands) is? Met a botnet at 31.204.153.abc, and the only other place hereabouts I find the range 22.214.171.124/19 is in incrediBill's thread about WP comment spam [webmasterworld.com].
10:53 pm on Jul 1, 2014 (gmt 0)
My notes say I've looked up the range belonging to Interactive 3D at least twice, probably because of wp- and other probes. AFAIK my assumption was that the hits were coming from a compromised machine, or account on their servers, and that the company per se was not malicious.
6:17 am on Jul 4, 2014 (gmt 0)
I had to dig around because I knew I had seen the name before, it is mishmash of servers that seem interrelated as they all share contact info for i3d.net inetnum: 126.96.36.199 - 188.8.131.52 netname: INTERACTIVE3D remarks: Retail descr: Interactive 3D B.V. IP space
Notes I had filed away from various lookups: i3D.net - Game servers - Voice servers - Dedicated Servers - Webhosting - i3D. net is a managed-hosting provider since 2004. We currently operate more than 8,000 servers in 16 data centers worldwide and provide 24/7 support (SLA).
6:55 am on Jul 4, 2014 (gmt 0)
Aha! My block list had them noted as i3d (not Interactive 3D) and as such have these ranges blocked:
gimme60bot/1.0 requesting robots.txt from a Verizon IP, then switching UAs to "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0" (same 184.108.40.206 IP) The UA is simple enough to block with either UA, just curious, given that Verizon range 220.127.116.11 - 18.104.22.168 is labelled 'Direct Allocation' that these are assumed to be ISP IPs and they haven't taken up hosting?
As long as I'm on UAs, a cute one came by from an Amazon IP: "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"
2:03 am on Jul 6, 2014 (gmt 0)
Found a few more, new to me: 22.214.171.124 - - [02/Jul/2014:00:09:56 -0500] "GET / HTTP/1.1" 200 18616 "-" "wsr-agent/1.0" LINODE-US 126.96.36.199 - 188.8.131.52 184.108.40.206/20
these are assumed to be ISP IPs and they haven't taken up hosting?
If someone knows the full inside scoop on Verizon's IP ranges I would really, really like to hear about it. Possibly in a dedicated thread. (btw, is there a thread about the gimme60bot? I meet it periodically and it hasn't done anything to offend, but I do prefer to know what things are for.)
5:49 am on Jul 6, 2014 (gmt 0)
Thing I did not like about the gimme60bot visit is that it requested robots.txt with one UA, then immediately changed UA with no mention of the bot in its UA - makes it kind of hard to decide whether it is respecting the file or not other than via IP. That and visiting from someone's home machine (or appearing to) since it claims to have a domain: "Mozilla/5.0 (compatible; gimme60bot/1.0 ; +http://gimme60.com)".
7:30 am on Jul 6, 2014 (gmt 0)
Personally, I block gimme60bot and all other unaccountable distro bots.
9:46 pm on Jul 6, 2014 (gmt 0)
220.127.116.11/19 Slovakia: Swan A.s. I'm assuming, not that it's important, that this means about the same as "A/S" in German and Scandinavian names. Free lookup says 9 websites use this IP, which is enough for me.
Met while looking up the latest "nyet.gif" botnet activity. (Behavior: "PUT nyet.gif" followed by GET for same file, and then optionally other stuff.) Nobody actually got through, but I like to check botnets in case the IP itself is block-worthy.
9:55 pm on Jul 6, 2014 (gmt 0)
Hmmm... swan.sk says they're an ISP offering the usual services. No mention of hosting, data centers, clouds or colos. You probably were just hit by a compromised DSL account. In cases like this, I'll usually block just that one IP address for a month or two, then if no further activity, delete it from my block list.
6:28 am on Jul 7, 2014 (gmt 0)
I just looked up 18.104.22.168 - for unwanted activity and had peculiar info from RIPE, they gave me: 22.214.171.124 - 126.96.36.199 188.8.131.52/21
If I enter the range into an online CIDR converter I get: 184.108.40.206/23 which looks more accurate (?)
I have a very old list with that first CIDR (but no range) and it is only listed with others under "Eastern Blocs" and the whois I got from RIPE identifies this as 3NT Hosting Network in London. I am confused.
7:03 am on Jul 7, 2014 (gmt 0)
I have that range blocked as:
220.127.116.11 - 18.104.22.168 22.214.171.124/21
6:31 pm on Jul 7, 2014 (gmt 0)
The first /22 is Euroweb, which seems self-explanatory.
On the other hand I have Swan SK 126.96.36.199/18 listed as DSL so who knows?
General question: Are there any humans within the range 188.8.131.52/15 ? The two names I meet are AlfaTelecom-- which sounds humanoid-- and Serverel-- which doesn't. All specimens I've personally met are from server farms, but they're always in /23 or /24 slivers and I can't pin down the umbrella.
For the last IP I checked-- 184.108.40.206 --free lookup comes up with three different countries, never a good sign. Four if you look at the name of one of the contact people, but then again one of the countries is the US.
8:59 pm on Jul 8, 2014 (gmt 0)
keyplr - looks as if you're correct. :)
My listing was from 2010 and the DNS record was updated April 2013. My record now updated. Thanks! :)
Lucy - I have almost all alfa blocked that I know about...
220.127.116.11 was last addressed December 2013 and has shown no bad activity since (and probably not before, going back to 2010).
I agree about multiple countries being suspect but I dispute that US should be considered exempt from such a suspicion. :)
10:08 pm on Jul 8, 2014 (gmt 0)
I dispute that US should be considered exempt from such a suspicion.
Heh. What I meant was that in a nation of immigrants, it's perfectly normal to see someone whose name indicates a non-British place of origin. It doesn't have to mean they've got a secret Ukrainian backer.
18.104.22.168/23 is actually... 22.214.171.124 - 126.96.36.199
8:26 pm on Jul 11, 2014 (gmt 0)
So you're saying the range is 188.8.131.52/21 ?
9:11 pm on Jul 11, 2014 (gmt 0)
And 184.108.40.206/16 combines these culprits
You mean the entire /16 is made up of assorted server farms? How thoughtful of them
WoodyNet? ###. I thought they were human.
11:09 pm on Jul 11, 2014 (gmt 0)
WoodyNet? ###. I thought they were human.
RE: woodynet alias Packet Clearing House or pch.net. Well I didn't say they were a server farm, just that they were a culprit. By that I mean they conduct biz that does not directly benefit my web interests, at least not through their aforementioned IP range. I guess I think of them as expendable collateral damage. I should have clarified since this is a Server Farm thread.
If I've got this wrong, please say so :)
3:30 pm on Jul 12, 2014 (gmt 0)
An iomart I didn't have: 220.127.116.11 - 18.104.22.168 22.214.171.124/17 iomart Hosting / RapidSwitch scraper was trapped on 2 very different sites in the past week.
Brings my list to: 126.96.36.199 - 188.8.131.52 184.108.40.206/17 iomart Hosting / RapidSwitch