Does anyone know who or what Interactive 3D (Netherlands) is? Met a botnet at 31.204.153.abc, and the only other place hereabouts I find the range 31.204.128.0/19 is in incrediBill's thread about WP comment spam [webmasterworld.com].
keyplyr
10:53 pm on Jul 1, 2014 (gmt 0)
My notes say I've looked up the range belonging to Interactive 3D at least twice, probably because of wp- and other probes. AFAIK my assumption was that the hits were coming from a compromised machine, or account on their servers, and that the company per se was not malicious.
not2easy
6:17 am on Jul 4, 2014 (gmt 0)
I had to dig around because I knew I had seen the name before. It is a mishmash of servers that seem interrelated, as they all share contact info for i3d.net:
inetnum: 31.204.152.0 - 31.204.153.255
netname: INTERACTIVE3D
remarks: Retail
descr: Interactive 3D B.V. IP space
Notes I had filed away from various lookups: i3D.net - Game servers - Voice servers - Dedicated Servers - Webhosting - i3D.net is a managed-hosting provider since 2004. We currently operate more than 8,000 servers in 16 data centers worldwide and provide 24/7 support (SLA).
keyplyr
6:55 am on Jul 4, 2014 (gmt 0)
Aha! My block list had them noted as i3d (not Interactive 3D) and as such have these ranges blocked:
gimme60bot/1.0 requesting robots.txt from a Verizon IP, then switching UAs to "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0" (same 71.189.164.218 IP) The UA is simple enough to block with either UA, just curious, given that Verizon range 71.181.128.0 - 71.191.255.255 is labelled 'Direct Allocation' that these are assumed to be ISP IPs and they haven't taken up hosting?
As long as I'm on UAs, a cute one came by from an Amazon IP: "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"
not2easy
2:03 am on Jul 6, 2014 (gmt 0)
Found a few more, new to me: 198.74.50.197 - - [02/Jul/2014:00:09:56 -0500] "GET / HTTP/1.1" 200 18616 "-" "wsr-agent/1.0" LINODE-US 198.74.48.0 - 198.74.63.255 198.74.48.0/20
> these are assumed to be ISP IPs and they haven't taken up hosting?
If someone knows the full inside scoop on Verizon's IP ranges I would really, really like to hear about it. Possibly in a dedicated thread. (btw, is there a thread about the gimme60bot? I meet it periodically and it hasn't done anything to offend, but I do prefer to know what things are for.)
not2easy
5:49 am on Jul 6, 2014 (gmt 0)
Thing I did not like about the gimme60bot visit is that it requested robots.txt with one UA, then immediately changed UA with no mention of the bot in its UA - makes it kind of hard to decide whether it is respecting the file or not other than via IP. That and visiting from someone's home machine (or appearing to) since it claims to have a domain: "Mozilla/5.0 (compatible; gimme60bot/1.0 ; +http://gimme60.com)".
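The UA switch described above (robots.txt fetched under a bot UA, then page requests from the same IP under a browser UA) is easy to spot in logs by correlating on IP. This is an added example, not code from the thread; the log lines are constructed from the UA strings quoted above, with timestamps invented and 192.0.2.10 standing in for a well-behaved crawler.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format, as in the lines quoted in this thread.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)

# Constructed sample: timestamps and the 192.0.2.10 client are made up;
# the UA strings are the ones quoted earlier in the thread.
SAMPLE_LOG = """\
71.189.164.218 - - [05/Jul/2014:10:02:11 -0500] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; gimme60bot/1.0 ; +http://gimme60.com)"
71.189.164.218 - - [05/Jul/2014:10:02:12 -0500] "GET / HTTP/1.1" 200 18616 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0"
192.0.2.10 - - [05/Jul/2014:10:05:00 -0500] "GET /robots.txt HTTP/1.1" 200 120 "-" "examplebot/1.0"
192.0.2.10 - - [05/Jul/2014:10:05:01 -0500] "GET /page.html HTTP/1.1" 200 4321 "-" "examplebot/1.0"
"""

def parse(line):
    """Split one combined-log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, ua = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": path,
            "status": int(status), "ua": ua}

def find_ua_switchers(lines):
    """Return {ip: (robots_ua, other_uas)} for clients that fetched
    /robots.txt under one UA and requested other paths under different UAs."""
    robots_ua = {}                 # first UA seen fetching robots.txt per IP
    other_uas = defaultdict(set)   # UAs used for everything else per IP
    for rec in filter(None, map(parse, lines)):
        if rec["path"] == "/robots.txt":
            robots_ua.setdefault(rec["ip"], rec["ua"])
        else:
            other_uas[rec["ip"]].add(rec["ua"])
    return {ip: (ua, other_uas[ip] - {ua})
            for ip, ua in robots_ua.items() if other_uas[ip] - {ua}}

if __name__ == "__main__":
    for ip, (bot_ua, others) in find_ua_switchers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: robots.txt as {bot_ua!r}, then browsed as {sorted(others)}")
```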
keyplyr
7:30 am on Jul 6, 2014 (gmt 0)
Personally, I block gimme60bot and all other unaccountable distro bots.
lucy24
9:46 pm on Jul 6, 2014 (gmt 0)
195.12.128.0/19 Slovakia: Swan A.s. I'm assuming, not that it's important, that this means about the same as "A/S" in German and Scandinavian names. Free lookup says 9 websites use this IP, which is enough for me.
Met while looking up the latest "nyet.gif" botnet activity. (Behavior: "PUT nyet.gif" followed by GET for same file, and then optionally other stuff.) Nobody actually got through, but I like to check botnets in case the IP itself is block-worthy.
keyplyr
9:55 pm on Jul 6, 2014 (gmt 0)
Hmmm... swan.sk says they're an ISP offering the usual services. No mention of hosting, data centers, clouds or colos. You probably were just hit by a compromised DSL account. In cases like this, I'll usually block just that one IP address for a month or two, then if no further activity, delete it from my block list.
not2easy
6:28 am on Jul 7, 2014 (gmt 0)
I just looked up 130.0.238.5 - for unwanted activity and had peculiar info from RIPE, they gave me: 130.0.238.0 - 130.0.239.255 130.0.232.0/21
If I enter the range into an online CIDR converter I get: 130.0.238.0/23 which looks more accurate (?)
I have a very old list with that first CIDR (but no range) and it is only listed with others under "Eastern Blocs" and the whois I got from RIPE identifies this as 3NT Hosting Network in London. I am confused.
keyplyr
7:03 am on Jul 7, 2014 (gmt 0)
I have that range blocked as:
130.0.232.0 - 130.0.239.255 130.0.232.0/21
dstiles
6:31 pm on Jul 7, 2014 (gmt 0)
> 195.12.128.0/19
The first /22 is Euroweb, which seems self-explanatory.
On the other hand I have Swan SK 62.197.192.0/18 listed as DSL so who knows?
General question: Are there any humans within the range 93.170.0.0/15 ? The two names I meet are AlfaTelecom-- which sounds humanoid-- and Serverel-- which doesn't. All specimens I've personally met are from server farms, but they're always in /23 or /24 slivers and I can't pin down the umbrella.
For the last IP I checked-- 93.170.104.123 --free lookup comes up with three different countries, never a good sign. Four if you look at the name of one of the contact people, but then again one of the countries is the US.
dstiles
8:59 pm on Jul 8, 2014 (gmt 0)
keyplyr - looks as if you're correct. :)
My listing was from 2010 and the DNS record was updated April 2013. My record now updated. Thanks! :)
Lucy - I have almost all alfa blocked that I know about...
92.38.0.0 was last addressed December 2013 and has shown no bad activity since (and probably not before, going back to 2010).
I agree about multiple countries being suspect but I dispute that US should be considered exempt from such a suspicion. :)
lucy24
10:08 pm on Jul 8, 2014 (gmt 0)
> I dispute that US should be considered exempt from such a suspicion.
Heh. What I meant was that in a nation of immigrants, it's perfectly normal to see someone whose name indicates a non-British place of origin. It doesn't have to mean they've got a secret Ukrainian backer.
79.99.24.0/23 is actually... 79.99.24.0 - 79.99.31.255
keyplyr
8:26 pm on Jul 11, 2014 (gmt 0)
So you're saying the range is 79.99.24.0/21 ?
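The mismatches discussed above (a RIPE reply giving a /23 inetnum next to a /21 route, a /23 written for a range that is really a /21) come from the CIDR not matching the dotted range beside it. This added example (not from the thread) uses Python's ipaddress module to convert both ways and to classify each block-list entry quoted in this thread; the ENTRIES list is constructed from those quotes, not from live whois data.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest set of CIDR blocks that exactly covers first..last."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]

def cidr_to_range(cidr):
    """First and last address of a CIDR block (host bits must be zero)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1])

def classify(first, last, cidr):
    """How the CIDR relates to the dotted range written next to it."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(cidr)
    if net[0] == lo and net[-1] == hi:
        return "exact"
    if lo in net and hi in net:
        return "cidr-wider"      # e.g. a /21 route object covering a /23 inetnum
    if net[0] >= lo and net[-1] <= hi:
        return "cidr-narrower"   # the CIDR leaves part of the range unblocked
    return "mismatch"            # partial or no overlap: check the entry by hand

# Constructed from "first - last CIDR" entries quoted in this thread.
ENTRIES = [
    ("130.0.238.0", "130.0.239.255", "130.0.232.0/21"),   # as returned by RIPE
    ("130.0.232.0", "130.0.239.255", "130.0.232.0/21"),   # keyplyr's block entry
    ("79.99.24.0", "79.99.31.255", "79.99.24.0/23"),      # lucy24's "/23 is actually..."
    ("78.129.250.0", "78.129.250.255", "78.129.128.0/17"),  # iomart entry
]

if __name__ == "__main__":
    for first, last, cidr in ENTRIES:
        print(f"{first} - {last} {cidr}: {classify(first, last, cidr)}; "
              f"exact cover = {range_to_cidrs(first, last)}")
```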
lucy24
9:11 pm on Jul 11, 2014 (gmt 0)
> And 74.63.0.0/16 combines these culprits
You mean the entire /16 is made up of assorted server farms? How thoughtful of them
WoodyNet? ###. I thought they were human.
keyplyr
11:09 pm on Jul 11, 2014 (gmt 0)
> WoodyNet? ###. I thought they were human.
RE: woodynet alias Packet Clearing House or pch.net. Well I didn't say they were a server farm, just that they were a culprit. By that I mean they conduct biz that does not directly benefit my web interests, at least not through their aforementioned IP range. I guess I think of them as expendable collateral damage. I should have clarified since this is a Server Farm thread.
If I've got this wrong, please say so :)
not2easy
3:30 pm on Jul 12, 2014 (gmt 0)
An iomart I didn't have: 78.129.250.0 - 78.129.250.255 78.129.128.0/17 iomart Hosting / RapidSwitch scraper was trapped on 2 very different sites in the past week.
Brings my list to: 78.129.250.0 - 78.129.250.255 78.129.128.0/17 iomart Hosting / RapidSwitch