
Forum Moderators: Ocean10000 & incrediBILL


Server Farms - April 2014

Tracking and Reporting Data Center IP Ranges

   
6:51 pm on Apr 4, 2014 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Continuation of the Server Farm threads.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:

4:46 pm on Jul 12, 2014 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



uses three Hurricane ranges, however came in one of their exclusives.

HEAD //FCKeditor/editor

EDGEWEBHOSTING 173.213.224.0 - 173.213.239.255 173.213.224.0/20
HURRICANE-DC0405-D133A2A0 209.51.162.160 - 209.51.162.191
HURRICANE-DC0405-D133BF80 209.51.191.128 - 209.51.191.159
HURRICANE-DC0405-D8421B00 216.66.27.0 - 216.66.27.63
EDGEWEBHOSTING 69.63.128.0 - 69.63.159.255 69.63.128.0/19
5:55 pm on Jul 12, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Those Hurricane ranges of:
209.51.162.160 - 209.51.162.191
209.51.191.128 - 209.51.191.159
are actually:
209.51.160.0 - 209.51.191.255
209.51.160.0/19

That Hurricane range of:
216.66.27.0 - 216.66.27.63
is actually:
216.66.0.0 - 216.66.95.255
216.66.0.0/18
216.66.64.0/19

Thanks for the Edge

Note: I've mostly seen requests for FCKeditor/editor from China ranges.
8:00 pm on Jul 12, 2014 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Those Hurricane ranges of:

are actually:


Many thanks keyplyr. I was aware of the larger Hurricane ranges, however those smaller ranges are designated as EDGEWEBHOSTING (AFAIK) they lease from the backbone.
9:37 pm on Jul 12, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



I've mostly seen requests for FCKeditor/editor from China ranges.

<topic drift>
Is this name used by some major CMS? I remember seeing this in a real page's URL-- well, ahem, it is memorable-- and thinking they really should have got a native English speaker to look at their directory names.
</td>
11:53 pm on Jul 12, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I just assume it is what it says it is, an editor... likely with security vulnerabilities since I see almost as many hack attempts for this as I do Wordpress files.
3:11 am on Jul 13, 2014 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Hosted Data Solutions, LLC (HDSL-5)
HOSTEDSOLUTIONS-1 173.209.192.0 - 173.209.223.255 173.209.192.0/19
10:46 pm on Jul 13, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



Has someone got a comprehensive list of Iliad Entreprises? (sic spelling, they're French) I met two different ranges under the same botnet within the last couple of days:

195.154
212.129.0.0/18
(the latter is broken into smaller pieces but it seems to be all Iliad: I did some spot-checking)

Another new one on me:
162.248.96.0/21 Query Foundry
Can't figure out if that's a server, a proxy or what. Just happened to meet a robot.

:: wandering off to investigate Web-Sniffer ::
11:05 pm on Jul 13, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Well hardly comprehensive, but this is what I have for Iliad on my home machine. I may have more at the office (which I cannot connect to thanks to the new cable BB LAN restrictions!)

62.210.0.0/16
62.210.0.0 - 62.210.255.255

195.154.0.0/16
195.154.0.0 - 195.154.255.255

212.83.160.0/19
212.83.160.0 - 212.83.191.255

212.129.0.0/18
212.129.0.0 - 212.129.21.255

And I've had Query Foundry (QF) blocked for a while now:

162.248.96.0/21
162.248.96.0 - 162.248.103.255

Since the abuse contact is cloudshards.com, I assumed QF was at least complicit in crime :)
6:40 pm on Jul 17, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



185.53.88.0/22
EstroWeb / Host Palace
Netherlands

New one on me, but the combination of 185 and /22 means there will be a lot more of them in years to come. So far they're only up to the '50's.
1:59 am on Jul 18, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



185.53.88.0/22 seems to be part of Leaseweb but I'll need to get to my other machine for the bigger range. Anyone?
8:56 am on Jul 18, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There seem to be 2 entries for Estroweb:
| ESTROWEB-03 | Estro Web Services Private Limited | 185.53.88.0 | 185.53.88.255 |
| EU-ESTROWEB-20140408 | Estro Web Services Private Limited | 185.53.88.0 | 185.53.91.255 |

Others:
| EU-ESTROWEB-20120126 | Estro Web Services Private Limited | 37.49.224.0 | 37.49.231.255 |

It is subnetted into a group of Class Cs.


Regards...jmcc
11:42 am on Jul 18, 2014 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Bill,
Time for a new update in this thread.

Many thanks.
3:48 pm on Jul 18, 2014 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Most of these are part of larger backbones. (Some from Integra and another from Frontier-Legacy):

209.147.118.209 - - [18/Jul/2014:07:52:33 -0600] "GET /index.html HTTP/1.1" 403 647 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0)"


NetName: OPTICFUSION-NET
OrgName: Optic Fusion
6:35 pm on Jul 20, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



Today's trawl from the "contact" botnet:

91.215.156.0/22
Infinite Technologies, Netherlands
(This area of 91 is all /22 slivers, so that's all there is)

209.164.64.0/18
Corespace, US
Never heard of 'em, but doesn't it sound like servers? Note that 209.164.0.0/18 is Xo, so people who prefer to block first and ask questions afterward might end up with a tidy /17.
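The range arithmetic in the posts above (a start-end range that needs an /18 plus a /19, and two adjacent /18s that merge into a /17) can be checked with Python's standard `ipaddress` module. This is an added example, not part of the original thread; the function names are illustrative and the sample values in `__main__` are quoted from earlier posts.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest set of CIDR blocks that covers first..last exactly."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]

def pair_agrees(first, last, cidr):
    """True when a posted start-end range and its CIDR describe the same block."""
    return range_to_cidrs(first, last) == [cidr]

def merge(cidrs):
    """Collapse adjacent or overlapping blocks into the fewest entries."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def matching_blocks(ip, cidrs):
    """Blocklist entries that contain ip (an empty list means not listed)."""
    addr = ipaddress.ip_address(ip)
    return [c for c in cidrs if addr in ipaddress.ip_network(c)]

if __name__ == "__main__":
    # A range that is not a single power-of-two block splits into several CIDRs.
    print(range_to_cidrs("216.66.0.0", "216.66.95.255"))
    # The small sub-allocation is one /27 inside the larger /19.
    print(range_to_cidrs("209.51.162.160", "209.51.162.191"))
    print(pair_agrees("173.213.224.0", "173.213.239.255", "173.213.224.0/20"))
    # Two neighbouring /18s collapse into one /17 entry.
    print(merge(["209.164.0.0/18", "209.164.64.0/18"]))
    # Which entry would catch an address inside the small Hurricane range?
    print(matching_blocks("209.51.162.170", ["209.51.160.0/19", "216.66.0.0/18"]))
```

Running `pair_agrees` over a block list before deploying it catches entries where the written range and the CIDR have drifted apart, which otherwise blocks more or less than intended.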
6:52 pm on Jul 20, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There's also a second net for Infinite Technologies: 192.162.136.0 | 192.162.139.255. It is relatively sparse on gTLDs and some European ccTLDs.

Corespace seems quite big. Hosts 99,890 sites across 1380 active Cs and 9 detected nets.

Regards...jmcc
7:25 pm on Jul 20, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month




hostmysite.com
209.164.0.0 - 209.164.63.255
209.164.0.0/18


Here's what I have for Infinite:

91.215.156.0 - 91.215.159.255
91.215.156.0/22

192.162.136.0 - 192.162.139.255
192.162.136.0/22


Here's what I have for Corespace:

63.249.128.0 - 63.249.255.255
63.249.128.0/17

64.182.0.0 - 64.182.255.255
64.182.0.0/16

66.34.0.0 - 66.34.255.255
66.34.0.0/16

66.221.0.0 - 66.221.255.255
66.221.0.0/16

69.13.0.0 - 69.13.255.255
69.13.0.0/16

209.164.64.0 - 209.164.127.255
209.164.64.0/18
11:05 pm on Jul 20, 2014 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



more Corespace:

CORESPACE-3 216.221.160.0 - 216.221.191.255 216.221.160.0/19
CORESPACE-4 216.97.0.0 - 216.97.127.255 216.97.0.0/17
6:46 am on Jul 22, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



VegasNAP: Desert Snakes

I noticed it because allthingsnow.com is busy XSSing our site, and Gbot kindly rumbled them.

Tip:
Watch for allthingsnow.com/day/unknown/shared/ in your logs.

So far, for VegasNAP I just have their 199.241.136.0/21 hosting sector.

Any more please?
7:07 am on Jul 22, 2014 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



8:32 am on Jul 22, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thank you for the list of nasties aka:

VegasNAP LLC - Fiberhub Colocation and Internet Services.

We have been warned :)
5:25 pm on Jul 22, 2014 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



single page request. No supporting files. No robots.
Used domain root as refer.


192.111.155.118 - - [22/Jul/2014:10:26:56 -0600] "GET /MyFolder/MySub/MyPage.html HTTP/1.1" 200 12655 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)"

Centrilogic, Inc. (CENTR-60)
5:41 pm on Jul 22, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Wow, small world! 192.111.155.118 hit me two hours ago with the same fake domain root ref trick (that's what caught my attention; plus no grfx). Mine used a different UA:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31

To quote Stop Forum Spam: "Lots of activity from this IP in the last few days." [stopforumspam.com...] Indeed. Someone's up to something.
6:06 pm on Jul 22, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



<topic drift>
the same fake domain root ref trick


I have this set of lockouts (obviously site-specific, based on file structure and internal navigation):
RewriteCond %{HTTP_REFERER} example\.com/?$
RewriteCond %{REQUEST_URI} !index\.html
RewriteCond %{REQUEST_URI} !/boilerplate/
RewriteRule ^([^/.]+/)+[^/.]+(\.html|/)$ - [F]

RewriteCond %{HTTP_REFERER} ^http://(www\.)?example\.com/?$
RewriteRule ^$ - [F]

RewriteCond %{HTTP_REFERER} example\.com/\w+\.(html|php)$
RewriteRule (^|\.html|/)$ - [F,NS]


Unfortunately this turns into "out of sight, out of mind" since I generally don't look at lockouts. But sooner or later they try the same thing on my test site, which doesn't have a detailed htaccess, and then they get added to the IP block list.
</topic drift>
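The three rule sets in the post above can be replayed offline over access-log lines to see which requests they would refuse, which helps when the lockouts themselves are rarely looked at. This is an added example, not part of the original post: the log regex, the function names and every sample line except the first (quoted from an earlier post) are constructed here, and it assumes the rules sit in the document-root .htaccess.

```python
import re

# Combined Log Format: ip - - [time] "METHOD uri PROTO" status bytes "referer" "ua"
LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Patterns copied from the RewriteCond / RewriteRule lines in the post.
ROOT_REF = re.compile(r'example\.com/?$')
STRICT_ROOT_REF = re.compile(r'^http://(www\.)?example\.com/?$')
TOP_PAGE_REF = re.compile(r'example\.com/\w+\.(html|php)$')
INNER_PAGE = re.compile(r'^([^/.]+/)+[^/.]+(\.html|/)$')
ANY_PAGE = re.compile(r'(^|\.html|/)$')

def classify(line):
    """Return (ip, rule) if the request would get [F] under one rule set, else None."""
    m = LOG.match(line)
    if not m:
        return None
    ip, uri, referer = m.groups()
    uri = uri.split("?", 1)[0]                      # rewrite patterns ignore the query string
    path = uri[1:] if uri.startswith("/") else uri  # per-directory rules see no leading slash
    if (ROOT_REF.search(referer) and "index.html" not in uri
            and "/boilerplate/" not in uri and INNER_PAGE.search(path)):
        return ip, "inner page, site root as referer"
    if STRICT_ROOT_REF.search(referer) and path == "":
        return ip, "front page, site root as referer"
    # The [NS] flag (skip internal subrequests) has no equivalent in a log replay.
    if TOP_PAGE_REF.search(referer) and ANY_PAGE.search(path):
        return ip, "page request, top-level named page as referer"
    return None

def flagged(lines):
    """All (ip, rule) hits in a list of log lines."""
    return [hit for hit in map(classify, lines) if hit]

# First line is the request quoted earlier in the thread; the rest are constructed samples.
SAMPLE = [
    '192.111.155.118 - - [22/Jul/2014:10:26:56 -0600] "GET /MyFolder/MySub/MyPage.html HTTP/1.1" 200 12655 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)"',
    '203.0.113.7 - - [22/Jul/2014:10:30:00 -0600] "GET / HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.8 - - [22/Jul/2014:10:31:00 -0600] "GET /boilerplate/contact.html HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Jul/2014:10:32:00 -0600] "GET /MyFolder/page.html HTTP/1.1" 200 900 "http://example.com/about.php" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Jul/2014:10:33:00 -0600] "GET /images/logo.png HTTP/1.1" 200 3000 "http://www.example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, rule in flagged(SAMPLE):
        print(ip, rule)
```

The `/boilerplate/` page and the image request pass, matching the exemptions in the rules; only page requests with an implausible referer are reported.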
6:13 pm on Jul 22, 2014 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



lucy,
Might this go before or after canonical?

Also, what does "boilerplate" refer to in this instance?
Is it a custom 403 or something else?

Many thanks.

Don
7:13 pm on Jul 22, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



Whoops, just came by to post an unrelated question: Anyone know anything about Telentia? I'd never heard of them, and neither apparently does Forums search. But one of my ongoing botnets turned up at

104.128.16.0/20
and
209.161.96.0/20

104.etcetera got a line to itself in htaccess because this is a new range that's getting assigned as we speak.


Might this go before or after canonical?

Since these are [F] rules, they go before any canonicalization redirects if that's what you meant. The index.html exemption is needed to prevent lockouts, since the redirect comes later.

Also, what does "boilerplate" refer to in this instance?
Is it a custom 403 or something else?

It's the name of the directory where I keep contact forms, legal stuff and similar. It does also happen to contain my error pages, but those get an [L] pass-- by individual page name-- at the very beginning. It's also the only directory whose inner pages are directly linked from the front page, hence the exemption.

Referer-based blocks by their nature will always be site-specific. Mine translate as
"request for any inner page giving front page as referer" (because these links don't occur except for /boilerplate/)
"request for front page giving itself as referer" (because self-referring links give me the fantods, and are in fact the main reason I even speak 2 words of php)
"request for anything, anywhere, giving a top-level named page as referer" (because these pages don't exist, period)
7:45 pm on Jul 22, 2014 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



104.128.16.221 - - [29/Jun/2014:06:28:21 -0600] "GET /MyFolder/MySub/MyPage.html HTTP/1.1" 200 25982 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36"

Page only. No supporting files and domain root refer.
Note: this page gets a fair bit of activity (at least for widgets) and even some blogs have linked to it.

"Telentia provides wholesale managed Cloud Infrastructure as a Service (IaaS) solutions to service providers."
10:11 pm on Jul 22, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month




My notes say I blocked telentia.com over a year ago so it can't be that new.

104.128.16.0 - 104.128.31.255
104.128.16.0/20

209.161.96.0 - 209.161.111.255
209.161.96.0/20
11:27 pm on Jul 22, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



On that range, the dates are fairly new.
RegDate: 2014-05-20
Updated: 2014-05-20

Regards...jmcc
11:55 pm on Jul 22, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Well, not that it matters much but... 104.128.16-31 was leased from Reliable Telecom then new network created on 20140520. Notes were only for that range, not the 209.161.96/20.
7:48 am on Jul 24, 2014 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



DirectNic

74.117.216.0 - 74.117.223.255
74.117.216.0/21

199.7.104.0 - 199.7.111.255
199.7.104.0/21


And this company (who has at least one compromised machine) says they are hosted by DirectNic, but I can't find the larger DirectNic range:

BioDataBoard

50.117.15.0 - 50.117.15.255
50.117.15.0/24