Forum Moderators: Ocean10000 & incrediBILL

Server Farms - April 2014

Tracking and Reporting Data Center IP Ranges

   
6:51 pm on Apr 4, 2014 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Continuation of the Server Farm threads.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:

9:04 am on Jun 30, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month





box.com
74.112.184.0 - 74.112.187.255
74.112.184.0/22

uber.com.au
117.104.162.0 - 117.104.162.255
117.104.162.0/24

103.11.79.0 - 103.11.79.255
103.11.79.0/24
9:52 pm on Jul 1, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



Does anyone know who or what Interactive 3D (Netherlands) is? Met a botnet at 31.204.153.abc, and the only other place hereabouts I find the range
31.204.128.0/19
is in incrediBill's thread about WP comment spam [webmasterworld.com].
10:53 pm on Jul 1, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



My notes say I've looked up the range belonging to Interactive 3D at least twice, probably because of wp- and other probes. AFAIK my assumption was that the hits were coming from a compromised machine, or account on their servers, and that the company per se was not malicious.
6:17 am on Jul 4, 2014 (gmt 0)

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month



I had to dig around because I knew I had seen the name before; it is a mishmash of servers that seem interrelated, as they all share contact info for i3d.net
inetnum: 31.204.152.0 - 31.204.153.255
netname: INTERACTIVE3D
remarks: Retail
descr: Interactive 3D B.V. IP space

Notes I had filed away from various lookups:
i3D.net - Game servers - Voice servers - Dedicated Servers - Webhosting -
i3D.net is a managed-hosting provider since 2004. We currently operate more than 8,000 servers in 16 data centers worldwide and provide 24/7 support (SLA).
6:55 am on Jul 4, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Aha! My block list had them noted as i3d (not Interactive 3D) and as such have these ranges blocked:

31.204.128.0 - 31.204.159.255
31.204.128.0/19

188.122.64.0 - 188.122.94.255
188.122.64.0/19

213.163.64.0 - 213.163.95.255
213.163.64.0/19

and I think I have more on another account.
8:05 pm on Jul 4, 2014 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member



For interactive3d I have...

5.200.0.0 - 5.200.31.255
31.204.128.0 - 31.204.159.255
109.200.192.0 - 109.200.207.255
188.122.64.0 - 188.122.95.255
213.163.64.0 - 213.163.95.255

All NL.
10:49 pm on Jul 5, 2014 (gmt 0)

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month



gimme60bot/1.0 requesting robots.txt from a Verizon IP, then switching UAs to "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0" (same 71.189.164.218 IP)
The UA is simple enough to block with either UA, just curious, given that Verizon range 71.181.128.0 - 71.191.255.255 is labelled 'Direct Allocation' that these are assumed to be ISP IPs and they haven't taken up hosting?

As long as I'm on UAs, a cute one came by from an Amazon IP: "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"
2:03 am on Jul 6, 2014 (gmt 0)

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month



Found a few more, new to me:
198.74.50.197 - - [02/Jul/2014:00:09:56 -0500] "GET / HTTP/1.1" 200 18616 "-" "wsr-agent/1.0"
LINODE-US
198.74.48.0 - 198.74.63.255
198.74.48.0/20

OPPOBOX
107.182.112.0 - 107.182.127.255
107.182.112.0/20
3:23 am on Jul 6, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



> these are assumed to be ISP IPs and they haven't taken up hosting?

If someone knows the full inside scoop on Verizon's IP ranges I would really, really like to hear about it. Possibly in a dedicated thread. (btw, is there a thread about the gimme60bot? I meet it periodically and it hasn't done anything to offend, but I do prefer to know what things are for.)
5:49 am on Jul 6, 2014 (gmt 0)

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month



Thing I did not like about the gimme60bot visit is that it requested robots.txt with one UA, then immediately changed UA with no mention of the bot in its UA - makes it kind of hard to decide whether it is respecting the file or not other than via IP. That and visiting from someone's home machine (or appearing to) since it claims to have a domain: "Mozilla/5.0 (compatible; gimme60bot/1.0 ; +http://gimme60.com)".
7:30 am on Jul 6, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month




Personally, I block gimme60bot and all other unaccountable distro bots.
9:46 pm on Jul 6, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



195.12.128.0/19
Slovakia: Swan A.s. I'm assuming, not that it's important, that this means about the same as "A/S" in German and Scandinavian names. Free lookup says 9 websites use this IP, which is enough for me.

Met while looking up the latest "nyet.gif" botnet activity. (Behavior: "PUT nyet.gif" followed by GET for same file, and then optionally other stuff.) Nobody actually got through, but I like to check botnets in case the IP itself is block-worthy.
9:55 pm on Jul 6, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Hmmm... swan.sk says they're an ISP offering the usual services. No mention of hosting, data centers, clouds or colos. You probably were just hit by a compromised DSL account. In cases like this, I'll usually block just that one IP address for a month or two, then if no further activity, delete it from my block list.
6:28 am on Jul 7, 2014 (gmt 0)

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month



I just looked up 130.0.238.5 for unwanted activity and had peculiar info from RIPE; they gave me:
130.0.238.0 - 130.0.239.255
130.0.232.0/21

If I enter the range into an online CIDR converter I get:
130.0.238.0/23
which looks more accurate (?)

I have a very old list with that first CIDR (but no range) and it is only listed with others under "Eastern Blocs" and the whois I got from RIPE identifies this as 3NT Hosting Network in London. I am confused.
7:03 am on Jul 7, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month





I have that range blocked as:

130.0.232.0 - 130.0.239.255
130.0.232.0/21
6:31 pm on Jul 7, 2014 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member



> 195.12.128.0/19

The first /22 is Euroweb, which seems self-explanatory.

On the other hand I have Swan SK 62.197.192.0/18 listed as DSL so who knows?
7:46 am on Jul 8, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month






eNom

69.64.144.0 - 69.64.159.255
69.64.144.0/20

98.124.192.0 - 98.124.255.255
98.124.192.0/18
1:58 pm on Jul 8, 2014 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member



New (to me) google range:

104.132.0.0 - 104.135.255.255
104.132.0.0/14

Blocked here.
2:00 pm on Jul 8, 2014 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member



For enom I have:

8.15.231.0 - 8.15.231.255
69.64.144.0 - 69.64.159.255
98.124.192.0 - 98.124.255.255
4:45 pm on Jul 8, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



@dstiles, I have 8.15.231.0/24 as:

giglinx.com
8.15.230.0 - 8.15.231.255
8.15.230.0/23

blocked
7:47 pm on Jul 8, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



General question: Are there any humans within the range
93.170.0.0/15
? The two names I meet are AlfaTelecom-- which sounds humanoid-- and Serverel-- which doesn't. All specimens I've personally met are from server farms, but they're always in /23 or /24 slivers and I can't pin down the umbrella.

For the last IP I checked-- 93.170.104.123 --free lookup comes up with three different countries, never a good sign. Four if you look at the name of one of the contact people, but then again one of the countries is the US.
8:59 pm on Jul 8, 2014 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member



keyplyr - looks as if you're correct. :)

My listing was from 2010 and the DNS record was updated April 2013. My record now updated. Thanks! :)

Lucy - I have almost all alfa blocked that I know about...

31.42.32.0 - 31.42.47.255
31.132.72.0 - 31.132.79.255
92.38.0.0 - 92.38.127.255 (not blocked)
93.170.0.0 - 93.171.255.255
95.46.0.0 - 95.47.255.255
146.120.0.0 - 146.120.255.255
213.109.144.0 - 213.109.159.255

92.38.0.0 was last addressed December 2013 and has shown no bad activity since (and probably not before, going back to 2010).

I agree about multiple countries being suspect but I dispute that US should be considered exempt from such a suspicion. :)
10:08 pm on Jul 8, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



> I dispute that US should be considered exempt from such a suspicion.

Heh. What I meant was that in a nation of immigrants, it's perfectly normal to see someone whose name indicates a non-British place of origin. It doesn't have to mean they've got a secret Ukrainian backer.
7:14 pm on Jul 9, 2014 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member



Could mean they have a secret American backer. :)
7:35 am on Jul 11, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



ColoProvider
79.99.24.0 - 79.99.25.255
79.99.24.0/23

BlackFox
107.182.16.0 - 107.182.31.255
107.182.16.0/20


And 74.63.0.0/16 combines these culprits:

LightPoint
74.63.0.0 - 74.63.15.255
74.63.0.0/20

WoodyNet
74.63.16.0 - 74.63.31.255
74.63.16.0/20

Voxel
74.63.32.0 - 74.63.63.255
74.63.32.0/19

FDCservers
74.63.64.0 - 74.63.127.255
74.63.64.0/18

Viawest
74.63.128.0 - 74.63.191.255
74.63.128.0/18

Limestone
74.63.192.0 - 74.63.255.255
74.63.192.0/18
8:18 pm on Jul 11, 2014 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member



79.99.24.0/23 is actually... 79.99.24.0 - 79.99.31.255
8:26 pm on Jul 11, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



So you're saying the range is 79.99.24.0/21 ?
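
Several posts above turn on whether a dotted range and the CIDR listed with it agree (the 130.0.238.0 - 130.0.239.255 lookup shown with 130.0.232.0/21, and 79.99.24.0/23 against 79.99.24.0 - 79.99.31.255). The Python sketch below is an added example, not part of the thread or any poster's tooling; it uses the standard-library `ipaddress` module, and the function names are made up for illustration.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks covering exactly first..last."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]

def cidr_to_range(cidr):
    """Return (first, last) of a CIDR block; raises if host bits are set."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)

def check_entry(first, last, cidr):
    """Describe how a blocklist entry's dotted range relates to its CIDR."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(cidr, strict=True)
    n_lo, n_hi = net.network_address, net.broadcast_address
    if (lo, hi) == (n_lo, n_hi):
        return "match"
    if n_lo <= lo and hi <= n_hi:
        return "cidr is wider than range"
    if lo <= n_lo and n_hi <= hi:
        return "range is wider than cidr"
    return "range and cidr disagree"

# (first, last, cidr) values taken from posts in this thread. The second
# row pairs the CIDR from one post with the range given in the reply to it.
ENTRIES = [
    ("130.0.238.0", "130.0.239.255", "130.0.232.0/21"),
    ("79.99.24.0", "79.99.31.255", "79.99.24.0/23"),
    ("188.122.64.0", "188.122.94.255", "188.122.64.0/19"),
    ("74.63.32.0", "74.63.63.255", "74.63.32.0/19"),
]

def audit(entries):
    """Return (cidr, verdict, exact CIDR cover of the range) per entry."""
    return [(c, check_entry(f, l, c), range_to_cidrs(f, l))
            for f, l, c in entries]

if __name__ == "__main__":
    for cidr, verdict, exact in audit(ENTRIES):
        print(f"{cidr:<18} {verdict:<26} range = {', '.join(exact)}")
```

A range that does not end on a block boundary, such as one ending in .94.255, comes back as several CIDR blocks rather than one, which is a quick way to spot a mistyped end address before it goes into a block list.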
9:11 pm on Jul 11, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



> And 74.63.0.0/16 combines these culprits

You mean the entire /16 is made up of assorted server farms? How thoughtful of them

WoodyNet? ###. I thought they were human.
11:09 pm on Jul 11, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



> WoodyNet? ###. I thought they were human.

RE: woodynet alias Packet Clearing House or pch.net. Well I didn't say they were a server farm, just that they were a culprit. By that I mean they conduct biz that does not directly benefit my web interests, at least not through their aforementioned IP range. I guess I think of them as expendable collateral damage. I should have clarified since this is a Server Farm thread.

If I've got this wrong, please say so :)
3:30 pm on Jul 12, 2014 (gmt 0)

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month



An iomart I didn't have:
78.129.250.0 - 78.129.250.255
78.129.128.0/17
iomart Hosting / RapidSwitch
scraper was trapped on 2 very different sites in the past week.

Brings my list to:
78.129.250.0 - 78.129.250.255
78.129.128.0/17
iomart Hosting / RapidSwitch

82.145.60.128 - 82.145.60.255
82.145.32.0/19
Iomart Hosting / BWF Hosting

88.150.168.0 - 88.150.168.255
88.150.168.0/22
Iomart Hosting / North East Computer Systems Limited

109.169.62.0 - 109.169.63.255
109.169.0.0/18
Thrust::VPS IOMART RAPIDSWITCH

212.38.176.0 - 212.38.191.255
212.38.160.0/19
Iomart Hosting / Thrust::VPS LA|TX