uses three Hurricane ranges, however came in one of their exclusives.

HEAD //FCKeditor/editor

EDGEWEBHOSTING 173.213.224.0 - 173.213.239.255 173.213.224.0/20
HURRICANE-DC0405-D133A2A0 209.51.162.160 - 209.51.162.191
HURRICANE-DC0405-D133BF80 209.51.191.128 - 209.51.191.159
HURRICANE-DC0405-D8421B00 216.66.27.0 - 216.66.27.63
EDGEWEBHOSTING 69.63.128.0 - 69.63.159.255 69.63.128.0/19

Those Hurricane ranges of:
209.51.162.160 - 209.51.162.191
209.51.191.128 - 209.51.191.159
are actually:
209.51.160.0 - 209.51.191.255
209.51.160.0/19

That Hurricane range of:
216.66.27.0 - 216.66.27.63
is actually:
216.66.0.0 - 216.66.95.255
216.66.0.0/18
216.66.64.0/19

Thanks for the Edge

Note: I've mostly seen requests for FCKeditor/editor from China ranges.

Those Hurricane ranges of:

are actually:

Many thanks keyplr. I was aware of the larger Hurricane ranges, however those smaller ranges are designated as EDGEWEBHOSTING (AFAIK) they lease from the backbone.

I've mostly seen requests for FCKeditor/editor from China ranges.

<topic drift>
Is this name used by some major CMS? I remember seeing this in a real page's URL-- well, ahem, it is memorable-- and thinking they really should have got a native English speaker to look at their directory names.
</td>

I just assume it is what it says it is, an editor... likely with security vulnerabilities since I see almost as many hack attempts for this as I do Wordpress files.

Hosted Data Solutions, LLC (HDSL-5)
HOSTEDSOLUTIONS-1 173.209.192.0 - 173.209.223.255 173.209.192.0/19

Has someone got a comprehensive list of Iliad Entreprises? (sic spelling, they're French) I met two different ranges under the same botnet within the last couple of days:

195.154
212.129.0.0/18
(the latter is broken into smaller pieces but it seems to be all Iliad: I did some spot-checking)

Another new one on me:
162.248.96.0/21 Query Foundry
Can't figure out if that's a server, a proxy or what. Just happened to meet a robot.

:: wandering off to investigate Web-Sniffer ::

Well hardly comprehensive, but this is what I have for Iliad on my home machine. I may have more at the office (which I cannot connect to thanks to the new cable BB LAN restrictions!)

62.210.0.0/16
62.210.0.0 - 62.210.255.255

195.154.0.0/16
195.154.0.0 - 195.154.255.255

212.83.160.0/19
212.83.160.0 - 212.83.191.255

212.129.0.0/18
212.129.0.0 - 212.129.21.255

And I've had Query Foundry (QF)blocked for a while now:

162.248.96.0/21
162.248.96.0 - 162.248.103.255

Since the abuse contact is cloudshards.com, I assumed QF was at least complicit in crime :)

185.53.88.0/22
EstroWeb / Host Palace
Netherlands

New one on me, but the combination of 185 and /22 means there will be a lot more of them in years to come. So far they're only up to the '50's.

185.53.88.0/22 seems to be part of Leaseweb but I'll need to get to my other machine for the bigger range. Anyone?

There seems to be 2 entries for Estroweb:
| ESTROWEB-03 | Estro Web Services Private Limited | 185.53.88.0 | 185.53.88.255 |
| EU-ESTROWEB-20140408 | Estro Web Services Private Limited | 185.53.88.0 | 185.53.91.255 |

Others:
| EU-ESTROWEB-20120126 | Estro Web Services Private Limited | 37.49.224.0 | 37.49.231.255 |

It is subnetted into a group of Class Cs.


Regards...jmcc

Bill,
Time for a new update in this thread.

Many thanks.

Most of these are part of larger backbones. (Some from Integra and another from Frontier-Legacy):

209.147.118.209 - - [18/Jul/2014:07:52:33 -0600] "GET /index.html HTTP/1.1" 403 647 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0)"


NetName: OPTICFUSION-NET
OrgName: Optic Fusion
ELI-967-2081866464 208.186.64.64 - 208.186.64.127 208.186.64.64/26
ELI-967-208187151112 208.187.151.112 - 208.187.151.119 208.187.151.112/29
OPTICFUSION-NET 209.147.112.0 - 209.147.127.255 209.147.112.0/20
ELI-967-209210137128 209.210.137.128 - 209.210.137.255 209.210.137.128/25
ELI-967-21619030 216.190.3.0 - 216.190.3.255 216.190.3.0/24
ELI-967-6573184128 FRONTIERCOMMUNICATIONSLEGACY 65.73.184.128 - 65.73.184.159 65.73.184.128/27
OPTICFUSION-NET2 66.113.96.0 - 66.113.111.255 66.113.96.0/20
OPTICFUSION-NET3 70.35.112.0 - 70.35.127.255 70.35.112.0/20
OPTICFUSION-NET6 2607:F6F8:: - 2607:F6F8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

Today's trawl from the "contact" botnet:

91.215.156.0/22
Infinite Technologies, Netherlands
(This area of 91 is all /22 slivers, so that's all there is)

209.164.64.0/18
Corespace, US
Never heard of 'em, but doesn't it sound like servers? Note that 209.164.0.0/18 is Xo, so people who prefer to block first and ask questions afterward might end up with a tidy /17.

There's also a second net for Infinite Technologies: 192.162.136.0 | 192.162.139.255. It is relatively sparse on gTLDs and some European ccTLDs.

Corespace seems quite big. Hosts 99,890 sites across 1380 active Cs and 9 detected nets.

Regards...jmcc

hostmysite.com
209.164.0.0 - 209.164.63.255
209.164.0.0/18


Here's what I have for Infinite:

91.215.156.0 - 91.215.159.255
91.215.156.0/22

192.162.136.0 - 192.162.139.255
192.162.136.0/22


Here's what I have for Corespace:

63.249.128.0 - 63.249.255.255
63.249.128.0/17

64.182.0.0 - 64.182.255.255
64.182.0.0/16

66.34.0.0 - 66.34.255.255
66.34.0.0/16

66.221.0.0 - 66.221.255.255
66.221.0.0/16

69.13.0.0 - 69.13.255.255
69.13.0.0/16

209.164.64.0 - 209.164.127.255
209.164.64.0/18

more Corespace:

CORESPACE-3 216.221.160.0 - 216.221.191.255 216.221.160.0/19
CORESPACE-4 216.97.0.0 - 216.97.127.255 216.97.0.0/17

VegasNAP: Desert Snakes

I noticed it because allthingsnow.com is busy XSSing our site, and Gbot kindly rumbled them.

Tip:
Watch for allthingsnow.com/day/unknown/shared/ in your logs.

So far, for VegasNAP I just have their 199.241.136.0/21 hosting sector.

Any more please?

FHUB-NET-11 104.128.64.0 - 104.128.79.255 104.128.64.0/20
FHUB-NET-12 146.71.64.0 - 146.71.95.255 146.71.64.0/19
FHUB-NET-8 162.249.224.0 - 162.249.227.255 162.249.224.0/22
FHUB-NET-9 162.251.232.0 - 162.251.239.255 162.251.232.0/21
FHUB-NET-10 162.254.232.0 - 162.254.239.255 162.254.232.0/21
FHUB-NET-3 199.19.72.0 - 199.19.79.255 199.19.72.0/21
FHUB-NET-2 199.195.128.0 - 199.195.131.255 199.195.128.0/22
FHUB-NET-4 199.127.56.0 - 199.127.63.255 199.127.56.0/21
FHUB-NET-7 192.228.96.0 - 192.228.111.255 192.228.96.0/20
FHUB-NET-5 199.241.136.0 - 199.241.143.255 199.241.136.0/21
FHUB-NET-1 199.47.208.0 - 199.47.211.255 199.47.208.0/22
FHUB-NET-6 204.77.0.0 - 204.77.15.255 204.77.0.0/20
FHUB-V6-NET-1 2604:2280:: - 2604:2280:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

Thank you for the list of nasties aka:

VegasNAP LLC - Fiberhub Colocation and Internet Services.

We have been warned :)

single page request. No supporting files. No robots.
Used domain root as refer.


192.111.155.118 - - [22/Jul/2014:10:26:56 -0600] "GET /MyFolder/MySub/MyPage.html HTTP/1.1" 200 12655 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)"

Centrilogic, Inc. (CENTR-60)
DACENTEC-NC 104.152.184.0 - 104.152.191.255 104.152.184.0/21
DACENTEC-CUST 162.248.240.0 - 162.248.247.255 162.248.240.0/21
CENTRILOGIC-CANADA 173.240.0.0 - 173.240.15.255 173.240.0.0/20
CUST-NET-7 192.111.144.0 - 192.111.159.255 192.111.144.0/20
CUST-NET-6 192.198.80.0 - 192.198.95.255 192.198.80.0/20
CUST-NET-8 192.254.64.0 - 192.254.79.255 192.254.64.0/20
CUST-NET-3 199.101.184.0 - 199.101.187.255 199.101.184.0/22
DACENTEC-NET-4 199.191.56.0 - 199.191.59.255 199.191.56.0/22
CUST-NET-5 199.241.184.0 - 199.241.191.255 199.241.184.0/21
CUST-NET-1 199.255.136.0 - 199.255.139.255 199.255.136.0/22
CUST-NET-2 199.255.156.0 - 199.255.159.255 199.255.156.0/22
CENTRILOGIC-ROCH-NY 209.251.48.0 - 209.251.63.255 209.251.48.0/20
CUST-NET-9 23.92.208.0 - 23.92.223.255 23.92.208.0/20
CENTRILOGIC-IPV6 2604:9000:: - 2604:9000:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
V6-NET-1 2607:5600:: - 2607:5600:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

Wow, small world! 192.111.155.118 hit me two hours ago with the same fake domain root ref trick (that's what caught my attention; plus no grfx). Mine used a different UA:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31

To quote Stop Forum Spam: "Lots of activity from this IP in the last few days." [stopforumspam.com...] Indeed. Someone's up to something.

<topic drift>

the same fake domain root ref trick

I have this set of lockouts (obviously site-specific, based on file structure and internal navigation):

RewriteCond %{HTTP_REFERER} example\.com/?$
RewriteCond %{REQUEST_URI} !index\.html
RewriteCond %{REQUEST_URI} !/boilerplate/
RewriteRule ^([^/.]+/)+[^/.]+(\.html|/)$ - [F]

RewriteCond %{HTTP_REFERER} ^http://(www\.)?example\.com/?$
RewriteRule ^$ - [F]

RewriteCond %{HTTP_REFERER} example\.com/\w+\.(html|php)$
RewriteRule (^|\.html|/)$ - [F,NS]

Unfortunately this turns into "out of sight, out of mind" since I generally don't look at lockouts. But sooner or later they try the same thing on my test site, which doesn't have a detailed htaccess, and then they get added to the IP block list.
</topic drift>

lucy,
Might this go before or after canonical?

Also, what does "boilerpalte" refer to in this instance?
Is it a custom 403 or something else?

Many thanks.

Don

Whoops, just came by to post an unrelated question: Anyone know anything about Telentia? I'd never heard of them, and neither apparently does Forums search. But one of my ongoing botnets turned up at

104.128.16.0/20
and
209.161.96.0/20

104.etcetera got a line to itself in htaccess because this is a new range that's getting assigned as we speak.

---

Might this go before or after canonical?

Since these are [F] rules, they go before any canonicalization redirects if that's what you meant. The index.html exemption is needed to prevent lockouts, since the redirect comes later.

Also, what does "boilerplate" refer to in this instance?
Is it a custom 403 or something else?

It's the name of the directory where I keep contact forms, legal stuff and similar. It does also happen to contain my error pages, but those get an [L] pass-- by individual page name-- at the very beginning. It's also the only directory whose inner pages are directly linked from the front page, hence the exemption.

Referer-based blocks by their nature will always be site-specific. Mine translate as
"request for any inner page giving front page as referer" (because these links don't occur except for /boilerplate/)
"request for front page giving itself as referer" (because self-referring links give me the fantods, and are in fact the main reason I even speak 2 words of php)
"request for anything, anywhere, giving a top-level named page as referer" (because these pages don't exist, period)

104.128.16.221 - - [29/Jun/2014:06:28:21 -0600] "GET /MyFolder/MySub/MyPage.html HTTP/1.1" 200 25982 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36"

Page only. No supporting files and domain root refer.
Note; this page gets a fair bit of activity (at least for widgets) and even some blogs have linked to it.

"Telentia provides wholesale managed Cloud Infrastructure as a Service (IaaS) solutions to service providers."

My notes say I blocked telentia.com over a year ago so it can't be that new.

104.128.16.0 - 104.128.31.255
104.128.16.0/20

209.161.96.0 - 209.161.111.255
209.161.96.0/20

On that range, the dates are fairly new.
RegDate: 2014-05-20
Updated: 2014-05-20

Regards...jmcc

Well, not that it matters much but... 104.128.16-31 was leased from Reliable Telecom then new network created on 20140520. Notes were only for that range, not the 209.161.96/20.

DirectNic

74.117.216.0 - 74.117.223.255
74.117.216.0/21

199.7.104.0 - 199.7.111.255
199.7.104.0/21


And this company (who has at least one compromised machine) says they are hosted by DirectNic, but I can't find the larger DirectNic range:

BioDataBoard

50.117.15.0 - 50.117.15.255
50.117.15.0/24