Does anyone know who or what Interactive 3D (Netherlands) is? Met a botnet at 31.204.153.abc, and the only other place hereabouts I find the range 22.214.171.124/19 is in incrediBill's thread about WP comment spam [webmasterworld.com].
My notes say I've looked up the range belonging to Interactive 3D at least twice, probably because of wp- and other probes. AFAIK my assumption was that the hits were coming from a compromised machine, or account on their servers, and that the company per se was not malicious.
I had to dig around because I knew I had seen the name before; it is a mishmash of servers that seem interrelated, as they all share contact info for i3d.net:

inetnum: 126.96.36.199 - 188.8.131.52
netname: INTERACTIVE3D
remarks: Retail
descr: Interactive 3D B.V. IP space
Notes I had filed away from various lookups: i3D.net - Game servers - Voice servers - Dedicated Servers - Webhosting - i3D.net is a managed-hosting provider since 2004. We currently operate more than 8,000 servers in 16 data centers worldwide and provide 24/7 support (SLA).
gimme60bot/1.0 requesting robots.txt from a Verizon IP, then switching UAs to "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0" (same 184.108.40.206 IP). The UA is simple enough to block with either UA; just curious, given that the Verizon range 220.127.116.11 - 18.104.22.168 is labelled 'Direct Allocation', whether these are assumed to be ISP IPs and they haven't taken up hosting?
As long as I'm on UAs, a cute one came by from an Amazon IP: "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"
If someone knows the full inside scoop on Verizon's IP ranges I would really, really like to hear about it. Possibly in a dedicated thread. (btw, is there a thread about the gimme60bot? I meet it periodically and it hasn't done anything to offend, but I do prefer to know what things are for.)
The thing I did not like about the gimme60bot visit is that it requested robots.txt with one UA, then immediately changed UA with no mention of the bot in its UA, which makes it kind of hard to decide whether it is respecting the file or not other than via IP. That, and visiting from someone's home machine (or appearing to) since it claims to have a domain: "Mozilla/5.0 (compatible; gimme60bot/1.0 ; +http://gimme60.com)".
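The robots.txt-then-switch-UA pattern described in the post above can be spotted in an access log by correlating on IP rather than on UA. The following is an added example, not code from the thread or from any poster: it parses constructed combined-format log lines (documentation-range IPs, hypothetical bot names) and flags each IP that fetched /robots.txt under one User-Agent and then requested other paths under a different one.

```python
"""Flag clients that fetch robots.txt under one UA and browse under another."""
import re
from collections import defaultdict

# Combined log format: IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (assumption): IPs from the 192.0.2.0/24 documentation
# range, bot UA strings are hypothetical and modelled on the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2013:12:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; examplebot/1.0; +http://example.invalid)"
192.0.2.10 - - [10/Oct/2013:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0"
192.0.2.10 - - [10/Oct/2013:12:00:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0"
192.0.2.20 - - [10/Oct/2013:12:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; politebot/2.0; +http://example.invalid)"
192.0.2.20 - - [10/Oct/2013:12:05:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; politebot/2.0; +http://example.invalid)"
192.0.2.30 - - [10/Oct/2013:12:07:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/26.0.1410.64 Safari/537.31"
"""

def parse_log(text):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_ua_switchers(text):
    """Return {ip: (robots_uas, other_uas)} for IPs that fetched /robots.txt
    with one UA and then requested other paths with a UA not seen on robots.txt."""
    by_ip = defaultdict(list)
    for rec in parse_log(text):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        robots_uas = {r["ua"] for r in recs if r["path"] == "/robots.txt"}
        if not robots_uas:
            continue  # never asked for robots.txt at all: a separate concern
        others = {r["ua"] for r in recs if r["path"] != "/robots.txt"} - robots_uas
        if others:
            flagged[ip] = (sorted(robots_uas), sorted(others))
    return flagged

if __name__ == "__main__":
    for ip, (robots_uas, others) in find_ua_switchers(SAMPLE_LOG).items():
        print(ip, "fetched robots.txt as", robots_uas, "then browsed as", others)
```

Only 192.0.2.10 is flagged: 192.0.2.20 keeps the same UA throughout and 192.0.2.30 never fetched robots.txt, so a UA-only rule would miss the first case entirely while the IP correlation catches it.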
22.214.171.124/19 Slovakia: Swan A.s. I'm assuming, not that it's important, that this means about the same as "A/S" in German and Scandinavian names. Free lookup says 9 websites use this IP, which is enough for me.
Met while looking up the latest "nyet.gif" botnet activity. (Behavior: "PUT nyet.gif" followed by GET for same file, and then optionally other stuff.) Nobody actually got through, but I like to check botnets in case the IP itself is block-worthy.
Hmmm... swan.sk says they're an ISP offering the usual services. No mention of hosting, data centers, clouds or colos. You probably were just hit by a compromised DSL account. In cases like this, I'll usually block just that one IP address for a month or two, then if no further activity, delete it from my block list.
I just looked up 126.96.36.199 for unwanted activity and got peculiar info from RIPE; they gave me: 188.8.131.52 - 184.108.40.206 220.127.116.11/21
If I enter the range into an online CIDR converter I get 18.104.22.168/23, which looks more accurate (?)
I have a very old list with that first CIDR (but no range) and it is only listed with others under "Eastern Blocs" and the whois I got from RIPE identifies this as 3NT Hosting Network in London. I am confused.
General question: Are there any humans within the range 22.214.171.124/15 ? The two names I meet are AlfaTelecom-- which sounds humanoid-- and Serverel-- which doesn't. All specimens I've personally met are from server farms, but they're always in /23 or /24 slivers and I can't pin down the umbrella.
For the last IP I checked-- 126.96.36.199 --free lookup comes up with three different countries, never a good sign. Four if you look at the name of one of the contact people, but then again one of the countries is the US.
I dispute that US should be considered exempt from such a suspicion.
Heh. What I meant was that in a nation of immigrants, it's perfectly normal to see someone whose name indicates a non-British place of origin. It doesn't have to mean they've got a secret Ukrainian backer.
RE: woodynet alias Packet Clearing House or pch.net. Well I didn't say they were a server farm, just that they were a culprit. By that I mean they conduct biz that does not directly benefit my web interests, at least not through their aforementioned IP range. I guess I think of them as expendable collateral damage. I should have clarified since this is a Server Farm thread.