Forum Moderators: Ocean10000 & incrediBILL & keyplyr

Server Farms - April 2014

Tracking and Reporting Data Center IP Ranges

     
6:51 pm on Apr 4, 2014 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14650
votes: 94


Continuation of the Server Farm threads.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:

4:46 pm on July 12, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5456
votes: 3


uses three Hurricane ranges, however came in one of their exclusives.

HEAD //FCKeditor/editor

EDGEWEBHOSTING 173.213.224.0 - 173.213.239.255 173.213.224.0/20
HURRICANE-DC0405-D133A2A0 209.51.162.160 - 209.51.162.191
HURRICANE-DC0405-D133BF80 209.51.191.128 - 209.51.191.159
HURRICANE-DC0405-D8421B00 216.66.27.0 - 216.66.27.63
EDGEWEBHOSTING 69.63.128.0 - 69.63.159.255 69.63.128.0/19
5:55 pm on July 12, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:6407
votes: 100


Those Hurricane ranges of:
209.51.162.160 - 209.51.162.191
209.51.191.128 - 209.51.191.159
are actually:
209.51.160.0 - 209.51.191.255
209.51.160.0/19

That Hurricane range of:
216.66.27.0 - 216.66.27.63
is actually:
216.66.0.0 - 216.66.95.255
216.66.0.0/18
216.66.64.0/19

Thanks for the Edge

Note: I've mostly seen requests for FCKeditor/editor from China ranges.
8:00 pm on July 12, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5456
votes: 3


Those Hurricane ranges of:

are actually:


Many thanks keyplyr. I was aware of the larger Hurricane ranges, however those smaller ranges are designated as EDGEWEBHOSTING (AFAIK) they lease from the backbone.
9:37 pm on July 12, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13204
votes: 346


I've mostly seen requests for FCKeditor/editor from China ranges.

<topic drift>
Is this name used by some major CMS? I remember seeing this in a real page's URL-- well, ahem, it is memorable-- and thinking they really should have got a native English speaker to look at their directory names.
</td>
11:53 pm on July 12, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:6407
votes: 100


I just assume it is what it says it is, an editor... likely with security vulnerabilities since I see almost as many hack attempts for this as I do Wordpress files.
3:11 am on July 13, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5456
votes: 3


Hosted Data Solutions, LLC (HDSL-5)
HOSTEDSOLUTIONS-1 173.209.192.0 - 173.209.223.255 173.209.192.0/19
10:46 pm on July 13, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13204
votes: 346


Has someone got a comprehensive list of Iliad Entreprises? (sic spelling, they're French) I met two different ranges under the same botnet within the last couple of days:

195.154
212.129.0.0/18
(the latter is broken into smaller pieces but it seems to be all Iliad: I did some spot-checking)

Another new one on me:
162.248.96.0/21 Query Foundry
Can't figure out if that's a server, a proxy or what. Just happened to meet a robot.

:: wandering off to investigate Web-Sniffer ::
11:05 pm on July 13, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:6407
votes: 100


Well hardly comprehensive, but this is what I have for Iliad on my home machine. I may have more at the office (which I cannot connect to thanks to the new cable BB LAN restrictions!)

62.210.0.0/16
62.210.0.0 - 62.210.255.255

195.154.0.0/16
195.154.0.0 - 195.154.255.255

212.83.160.0/19
212.83.160.0 - 212.83.191.255

212.129.0.0/18
212.129.0.0 - 212.129.21.255

And I've had Query Foundry (QF) blocked for a while now:

162.248.96.0/21
162.248.96.0 - 162.248.103.255

Since the abuse contact is cloudshards.com, I assumed QF was at least complicit in crime :)
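Added example, not part of any post in this thread: a Python check that a noted start/end range and the CIDR written beside it describe the same span. It uses entries copied from the posts above, including the Hurricane range that needs two blocks and the 212.129.0.0 entry, where the listed end address and the /18 cover different spans. The function names are illustrative.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that covers first..last exactly."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]

def cidr_span(cidrs):
    """First and last address covered by a list of CIDR blocks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return (str(min(n.network_address for n in nets)),
            str(max(n.broadcast_address for n in nets)))

def entry_is_consistent(first, last, cidrs):
    """True when the CIDRs noted beside a range cover exactly that range."""
    want = set(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    have = set(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in cidrs))
    return want == have

def inside(first, last, parent):
    """True when the whole range first..last sits inside the parent CIDR."""
    parent_net = ipaddress.ip_network(parent)
    return all(ipaddress.ip_network(c).subnet_of(parent_net)
               for c in range_to_cidrs(first, last))

# Entries copied from the thread: (first, last, CIDRs written beside the range)
NOTES = [
    ("216.66.0.0", "216.66.95.255", ["216.66.0.0/18", "216.66.64.0/19"]),
    ("212.129.0.0", "212.129.21.255", ["212.129.0.0/18"]),
    ("162.248.96.0", "162.248.103.255", ["162.248.96.0/21"]),
]

def audit(notes):
    """Report each entry whose range and CIDRs disagree, with both readings."""
    problems = []
    for first, last, cidrs in notes:
        if not entry_is_consistent(first, last, cidrs):
            problems.append({"noted_range": (first, last),
                             "range_as_cidrs": range_to_cidrs(first, last),
                             "cidrs_as_range": cidr_span(cidrs)})
    return problems

if __name__ == "__main__":
    for p in audit(NOTES):
        print(p)
    # A small reassigned block checked against the parent allocation
    print(inside("209.51.162.160", "209.51.162.191", "209.51.160.0/19"))
```

Running the audit before pasting an entry into a deny list shows which of the two readings would actually be blocked.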
6:40 pm on July 17, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13204
votes: 346


185.53.88.0/22
EstroWeb / Host Palace
Netherlands

New one on me, but the combination of 185 and /22 means there will be a lot more of them in years to come. So far they're only up to the '50's.
1:59 am on July 18, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:6407
votes: 100


185.53.88.0/22 seems to be part of Leaseweb but I'll need to get to my other machine for the bigger range. Anyone?
8:56 am on July 18, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 30, 2002
posts: 2498
votes: 38


There seem to be 2 entries for Estroweb:
| ESTROWEB-03 | Estro Web Services Private Limited | 185.53.88.0 | 185.53.88.255 |
| EU-ESTROWEB-20140408 | Estro Web Services Private Limited | 185.53.88.0 | 185.53.91.255 |

Others:
| EU-ESTROWEB-20120126 | Estro Web Services Private Limited | 37.49.224.0 | 37.49.231.255 |

It is subnetted into a group of Class Cs.


Regards...jmcc
11:42 am on July 18, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5456
votes: 3


Bill,
Time for a new update in this thread.

Many thanks.
3:48 pm on July 18, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5456
votes: 3


Most of these are part of larger backbones. (Some from Integra and another from Frontier-Legacy):

209.147.118.209 - - [18/Jul/2014:07:52:33 -0600] "GET /index.html HTTP/1.1" 403 647 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0)"


NetName: OPTICFUSION-NET
OrgName: Optic Fusion
ELI-967-2081866464 208.186.64.64 - 208.186.64.127 208.186.64.64/26
ELI-967-208187151112 208.187.151.112 - 208.187.151.119 208.187.151.112/29
OPTICFUSION-NET 209.147.112.0 - 209.147.127.255 209.147.112.0/20
ELI-967-209210137128 209.210.137.128 - 209.210.137.255 209.210.137.128/25
ELI-967-21619030 216.190.3.0 - 216.190.3.255 216.190.3.0/24
ELI-967-6573184128 FRONTIERCOMMUNICATIONSLEGACY 65.73.184.128 - 65.73.184.159 65.73.184.128/27
OPTICFUSION-NET2 66.113.96.0 - 66.113.111.255 66.113.96.0/20
OPTICFUSION-NET3 70.35.112.0 - 70.35.127.255 70.35.112.0/20
OPTICFUSION-NET6 2607:F6F8:: - 2607:F6F8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
6:35 pm on July 20, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13204
votes: 346


Today's trawl from the "contact" botnet:

91.215.156.0/22
Infinite Technologies, Netherlands
(This area of 91 is all /22 slivers, so that's all there is)

209.164.64.0/18
Corespace, US
Never heard of 'em, but doesn't it sound like servers? Note that 209.164.0.0/18 is Xo, so people who prefer to block first and ask questions afterward might end up with a tidy /17.
6:52 pm on July 20, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 30, 2002
posts: 2498
votes: 38


There's also a second net for Infinite Technologies: 192.162.136.0 | 192.162.139.255. It is relatively sparse on gTLDs and some European ccTLDs.

Corespace seems quite big. Hosts 99,890 sites across 1380 active Cs and 9 detected nets.

Regards...jmcc
7:25 pm on July 20, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:6407
votes: 100



hostmysite.com
209.164.0.0 - 209.164.63.255
209.164.0.0/18


Here's what I have for Infinite:

91.215.156.0 - 91.215.159.255
91.215.156.0/22

192.162.136.0 - 192.162.139.255
192.162.136.0/22


Here's what I have for Corespace:

63.249.128.0 - 63.249.255.255
63.249.128.0/17

64.182.0.0 - 64.182.255.255
64.182.0.0/16

66.34.0.0 - 66.34.255.255
66.34.0.0/16

66.221.0.0 - 66.221.255.255
66.221.0.0/16

69.13.0.0 - 69.13.255.255
69.13.0.0/16

209.164.64.0 - 209.164.127.255
209.164.64.0/18
11:05 pm on July 20, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5456
votes: 3


more Corespace:

CORESPACE-3 216.221.160.0 - 216.221.191.255 216.221.160.0/19
CORESPACE-4 216.97.0.0 - 216.97.127.255 216.97.0.0/17
6:46 am on July 22, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 13, 2003
posts:697
votes: 0


VegasNAP: Desert Snakes

I noticed it because allthingsnow.com is busy XSSing our site, and Gbot kindly rumbled them.

Tip:
Watch for allthingsnow.com/day/unknown/shared/ in your logs.

So far, for VegasNAP I just have their 199.241.136.0/21 hosting sector.

Any more please?
7:07 am on July 22, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5456
votes: 3


FHUB-NET-11 104.128.64.0 - 104.128.79.255 104.128.64.0/20
FHUB-NET-12 146.71.64.0 - 146.71.95.255 146.71.64.0/19
FHUB-NET-8 162.249.224.0 - 162.249.227.255 162.249.224.0/22
FHUB-NET-9 162.251.232.0 - 162.251.239.255 162.251.232.0/21
FHUB-NET-10 162.254.232.0 - 162.254.239.255 162.254.232.0/21
FHUB-NET-3 199.19.72.0 - 199.19.79.255 199.19.72.0/21
FHUB-NET-2 199.195.128.0 - 199.195.131.255 199.195.128.0/22
FHUB-NET-4 199.127.56.0 - 199.127.63.255 199.127.56.0/21
FHUB-NET-7 192.228.96.0 - 192.228.111.255 192.228.96.0/20
FHUB-NET-5 199.241.136.0 - 199.241.143.255 199.241.136.0/21
FHUB-NET-1 199.47.208.0 - 199.47.211.255 199.47.208.0/22
FHUB-NET-6 204.77.0.0 - 204.77.15.255 204.77.0.0/20
FHUB-V6-NET-1 2604:2280:: - 2604:2280:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
8:32 am on July 22, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 13, 2003
posts:697
votes: 0


Thank you for the list of nasties aka:

VegasNAP LLC - Fiberhub Colocation and Internet Services.

We have been warned :)
5:25 pm on July 22, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5456
votes: 3


single page request. No supporting files. No robots.
Used domain root as refer.


192.111.155.118 - - [22/Jul/2014:10:26:56 -0600] "GET /MyFolder/MySub/MyPage.html HTTP/1.1" 200 12655 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)"

Centrilogic, Inc. (CENTR-60)
DACENTEC-NC 104.152.184.0 - 104.152.191.255 104.152.184.0/21
DACENTEC-CUST 162.248.240.0 - 162.248.247.255 162.248.240.0/21
CENTRILOGIC-CANADA 173.240.0.0 - 173.240.15.255 173.240.0.0/20
CUST-NET-7 192.111.144.0 - 192.111.159.255 192.111.144.0/20
CUST-NET-6 192.198.80.0 - 192.198.95.255 192.198.80.0/20
CUST-NET-8 192.254.64.0 - 192.254.79.255 192.254.64.0/20
CUST-NET-3 199.101.184.0 - 199.101.187.255 199.101.184.0/22
DACENTEC-NET-4 199.191.56.0 - 199.191.59.255 199.191.56.0/22
CUST-NET-5 199.241.184.0 - 199.241.191.255 199.241.184.0/21
CUST-NET-1 199.255.136.0 - 199.255.139.255 199.255.136.0/22
CUST-NET-2 199.255.156.0 - 199.255.159.255 199.255.156.0/22
CENTRILOGIC-ROCH-NY 209.251.48.0 - 209.251.63.255 209.251.48.0/20
CUST-NET-9 23.92.208.0 - 23.92.223.255 23.92.208.0/20
CENTRILOGIC-IPV6 2604:9000:: - 2604:9000:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
V6-NET-1 2607:5600:: - 2607:5600:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
5:41 pm on July 22, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2038
votes: 1


Wow, small world! 192.111.155.118 hit me two hours ago with the same fake domain root ref trick (that's what caught my attention; plus no grfx). Mine used a different UA:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31

To quote Stop Forum Spam: "Lots of activity from this IP in the last few days." [stopforumspam.com...] Indeed. Someone's up to something.
6:06 pm on July 22, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13204
votes: 346


<topic drift>
the same fake domain root ref trick


I have this set of lockouts (obviously site-specific, based on file structure and internal navigation):
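# Inner page requested with the front page as referer
# (index.html and /boilerplate/ are exempt)
RewriteCond %{HTTP_REFERER} example\.com/?$
RewriteCond %{REQUEST_URI} !index\.html
RewriteCond %{REQUEST_URI} !/boilerplate/
RewriteRule ^([^/.]+/)+[^/.]+(\.html|/)$ - [F]

# Front page requested with itself as referer
RewriteCond %{HTTP_REFERER} ^http://(www\.)?example\.com/?$
RewriteRule ^$ - [F]

# Any page requested with a top-level named page as referer
RewriteCond %{HTTP_REFERER} example\.com/\w+\.(html|php)$
RewriteRule (^|\.html|/)$ - [F,NS]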


Unfortunately this turns into "out of sight, out of mind" since I generally don't look at lockouts. But sooner or later they try the same thing on my test site, which doesn't have a detailed htaccess, and then they get added to the IP block list.
</topic drift>
6:13 pm on July 22, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5456
votes: 3


lucy,
Might this go before or after canonical?

Also, what does "boilerplate" refer to in this instance?
Is it a custom 403 or something else?

Many thanks.

Don
7:13 pm on July 22, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13204
votes: 346


Whoops, just came by to post an unrelated question: Anyone know anything about Telentia? I'd never heard of them, and neither apparently does Forums search. But one of my ongoing botnets turned up at

104.128.16.0/20
and
209.161.96.0/20

104.etcetera got a line to itself in htaccess because this is a new range that's getting assigned as we speak.


Might this go before or after canonical?

Since these are [F] rules, they go before any canonicalization redirects if that's what you meant. The index.html exemption is needed to prevent lockouts, since the redirect comes later.

Also, what does "boilerplate" refer to in this instance?
Is it a custom 403 or something else?

It's the name of the directory where I keep contact forms, legal stuff and similar. It does also happen to contain my error pages, but those get an [L] pass-- by individual page name-- at the very beginning. It's also the only directory whose inner pages are directly linked from the front page, hence the exemption.

Referer-based blocks by their nature will always be site-specific. Mine translate as
"request for any inner page giving front page as referer" (because these links don't occur except for /boilerplate/)
"request for front page giving itself as referer" (because self-referring links give me the fantods, and are in fact the main reason I even speak 2 words of php)
"request for anything, anywhere, giving a top-level named page as referer" (because these pages don't exist, period)
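Added example, not lucy24's code and not part of the thread: the three referer checks translated above, applied offline to access-log lines in Python and combined with the "page only, no supporting files" observation from the earlier posts, so the same visitors can be found on a site that has no such htaccess rules. The log lines are constructed, the IPs are documentation addresses, and the asset extensions and the `example.com` host are assumptions.

```python
import re
from collections import defaultdict

LOG = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" '
                 r'(\d{3}) \S+ "([^"]*)" "([^"]*)"')
# Referer patterns follow the htaccess conditions (unanchored, as posted)
ROOT_REF = re.compile(r"example\.com/?$")
TOP_PAGE_REF = re.compile(r"example\.com/\w+\.(?:html|php)$")
# Paths keep their leading slash here, unlike a per-directory RewriteRule
INNER_PAGE = re.compile(r"^/(?:[^/.]+/)+[^/.]+(?:\.html|/)$")
PAGE = re.compile(r"(?:\.html|/)$")
ASSET = re.compile(r"\.(?:css|js|png|gif|jpe?g|ico)$", re.I)  # assumed list

def classify(path, referer):
    """Return which of the three referer checks a request trips, or None."""
    if ROOT_REF.search(referer):
        if path == "/":
            return "front page referring to itself"
        if (INNER_PAGE.match(path) and "index.html" not in path
                and "/boilerplate/" not in path):
            return "inner page with front page as referer"
    if TOP_PAGE_REF.search(referer) and PAGE.search(path):
        return "top-level named page as referer"
    return None

def scan(lines):
    """Map IP -> flagged requests, for IPs that never fetched an asset."""
    hits, fetched_assets = defaultdict(list), set()
    for line in lines:
        m = LOG.match(line)
        if not m:
            continue
        ip, _method, path, _status, referer, _ua = m.groups()
        path = path.split("?", 1)[0]
        if ASSET.search(path):
            fetched_assets.add(ip)
        reason = classify(path, referer)
        if reason:
            hits[ip].append((path, reason))
    return {ip: h for ip, h in hits.items() if ip not in fetched_assets}

def _line(ip, path, ref):
    # Builds one constructed combined-format log line
    return (f'{ip} - - [22/Jul/2014:10:26:56 -0600] "GET {path} HTTP/1.1" '
            f'200 1234 "{ref}" "Mozilla/5.0"')

SAMPLE = [  # constructed sample, not real traffic
    _line("192.0.2.10", "/MyFolder/MySub/MyPage.html", "http://www.example.com/"),
    _line("198.51.100.7", "/boilerplate/contact.html", "http://www.example.com/"),
    _line("198.51.100.20", "/MyFolder/MyPage.html", "http://www.example.com/"),
    _line("198.51.100.20", "/styles/site.css", "http://www.example.com/MyFolder/MyPage.html"),
    _line("203.0.113.5", "/", "http://example.com/"),
    _line("203.0.113.9", "/MyFolder/", "http://www.example.com/about.php"),
]

if __name__ == "__main__":
    for ip, flagged in scan(SAMPLE).items():
        print(ip, flagged)
```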
7:45 pm on July 22, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5456
votes: 3


104.128.16.221 - - [29/Jun/2014:06:28:21 -0600] "GET /MyFolder/MySub/MyPage.html HTTP/1.1" 200 25982 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36"

Page only. No supporting files and domain root refer.
Note: this page gets a fair bit of activity (at least for widgets) and even some blogs have linked to it.

"Telentia provides wholesale managed Cloud Infrastructure as a Service (IaaS) solutions to service providers."
10:11 pm on July 22, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:6407
votes: 100



My notes say I blocked telentia.com over a year ago so it can't be that new.

104.128.16.0 - 104.128.31.255
104.128.16.0/20

209.161.96.0 - 209.161.111.255
209.161.96.0/20
11:27 pm on July 22, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 30, 2002
posts: 2498
votes: 38


On that range, the dates are fairly new.
RegDate: 2014-05-20
Updated: 2014-05-20

Regards...jmcc
11:55 pm on July 22, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:6407
votes: 100


Well, not that it matters much but... 104.128.16-31 was leased from Reliable Telecom then new network created on 20140520. Notes were only for that range, not the 209.161.96/20.
7:48 am on July 24, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:6407
votes: 100


DirectNic

74.117.216.0 - 74.117.223.255
74.117.216.0/21

199.7.104.0 - 199.7.111.255
199.7.104.0/21


And this company (who has at least one compromised machine) says they are hosted by DirectNic, but I can't find the larger DirectNic range:

BioDataBoard

50.117.15.0 - 50.117.15.255
50.117.15.0/24