
Forum Moderators: Ocean10000 & incrediBILL & keyplyr


Server Farms - April 2014

Tracking and Reporting Data Center IP Ranges

     
6:51 pm on Apr 4, 2014 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14664
votes: 99


Continuation of the Server Farm threads.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:

8:43 am on Apr 5, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439


ColoStore
68.65.192.0 - 68.65.255.255
68.65.192.0/18

Registered May of 1999 but first time I've seen hits from this range (in the form of connection tests.) More ColoStore?
12:20 pm on Apr 5, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1889
votes: 56


---More ColoStore?----
keyplyr, your htaccess file weighs more than several of your web pages :)
[webmasterworld.com...] msg:4503335
6:45 pm on Apr 5, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439


@ blend27 - Yup, pretty soon I expect to see it in my GWT Sitelinks :)
6:57 am on Apr 6, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member hobbs is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 19, 2004
posts: 3056
votes: 5


Two in one B2 Net & Digital Landscape 23.250.0.0/16

B2 Net Solutions
23.250.0.0 - 23.250.127.255
23.250.0.0/17

Digital Landscape
23.250.128.0 - 23.250.255.255
23.250.128.0/17


KVCHOSTING
209.54.32.0 - 209.54.47.255
209.54.32.0/20

RamNode
23.226.224.0 - 23.226.239.255
23.226.224.0/20

DurableDNS
199.68.216.0 - 199.68.219.255
199.68.216.0/22

PleskLogin
208.67.16.0 - 208.67.23.255
208.67.16.0/21

WEBSITEWELCOME
192.185.0.0 - 192.185.255.255
192.185.0.0/16

Xirra GmbH
91.232.96.0 - 91.232.97.255
91.232.96.0/23

EDIS GmbH
151.236.15.0 - 151.236.15.255
151.236.15.0/24

Crystone
192.36.194.0 - 192.36.194.255
192.36.194.0/24

Alentus Corp
64.40.144.0 - 64.40.159.255
64.40.144.0/20

NetSumo UK
5.63.144.0/21

INTERGENIA
62.75.128.0/17

myLoc DE
193.111.136.0/21
81.30.144.0/20

CJSC THE FIRST RU
62.109.0.0/21

Bezeq IL
81.218.32.0/19

UK Webhosting Ltd
188.65.112.0/22
7:20 am on Apr 6, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439


@Hobbs - thanks for the ranges, didn't have several :)

However, I have Edis as:
151.236.0.0 - 151.236.31.255
151.236.0.0/19
8:50 pm on Apr 6, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13899
votes: 491


Bill, would it be a lot of work to put up links in the other direction too? "Continued in this thread..." as the last post.

Another day, another botnet:
107.155.128.0/18 NodeServ
With a name like that, further lookups are superfluous. If the IP sounds familiar it's because they are right next to Incero, reported just a few weeks ago-- but unfortunately on the other half of the /17.

The good news is...
I went to look up the rest of 107.155. Free lookup says .0.0/18 is ChinaCache while .192.0/18 is Sentris. So we get the /17 at least.

All of these claim to be January registrations. I'd had this whole neighborhood down as bogons until recently.
9:49 pm on Apr 6, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439


Nice work Sherlock :)

System

5:44 pm on Apr 7, 2014 (gmt 0)

redhat

 
 


The following 3 messages were cut out to new thread by incredibill. New thread at: search_engine_spiders/4661837.htm [webmasterworld.com]
8:30 am on Apr 9, 2014 (PST -8)
5:30 am on Apr 8, 2014 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:3391
votes: 169


These bad neighbors were spotted, wondering if anyone has more info on the neighborhood, because of their proximity?

BIGTIP 192.126.128.0 - 192.126.255.255
192.126.128.0/17

NEXTECLOUD 192.126.112.0 - 192.126.127.255
192.126.112.0/20
6:58 am on Apr 8, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13899
votes: 491


If you can handle some abstruse technical terminology:

192 is just weird. That's all there is to it :(
7:11 am on Apr 8, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439



Contina
107.181.64.0 - 107.181.79.255
107.181.64.0/20
7:05 pm on Apr 11, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Aug 1, 2013
posts:1338
votes: 22


Colo.com (MAINS-15)
70.42.254.0/24

Not perfectly sure this is new but got hit this AM so thought I'd mention it in case anyone can expand on this one.
7:20 pm on Apr 11, 2014 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3152
votes: 4


Part of internap range 70.42.0.0/16. Blocked.
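Several reports in this thread turn out to sit inside a broader range or next to a sibling range (Colo.com inside Internap, the two EDIS entries, NodeServ next to Sentris, B2 Net next to Digital Landscape). The following is an added example, not part of any post above: a Python sketch that normalises "start - end" and CIDR entries, merges them into a minimal block list, and reports which entries are already covered. The function names and the entry labels are assumptions; the ranges are the ones posted in the thread.

```python
import ipaddress

# Ranges as posted in this thread, in either "start - end" or CIDR form.
THREAD_ENTRIES = [
    ("Colo.com", "70.42.254.0/24"),
    ("Internap", "70.42.0.0/16"),
    ("EDIS (hobbs)", "151.236.15.0/24"),
    ("EDIS (keyplyr)", "151.236.0.0 - 151.236.31.255"),
    ("NodeServ", "107.155.128.0/18"),
    ("Sentris", "107.155.192.0/18"),
    ("B2 Net", "23.250.0.0 - 23.250.127.255"),
    ("Digital Landscape", "23.250.128.0/17"),
]

def to_networks(entry):
    """Parse 'a.b.c.d/n' or 'start - end' into a list of exact CIDR networks."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
        # A start-end pair that is not bit-aligned expands to several CIDRs.
        return list(ipaddress.summarize_address_range(first, last))
    # strict=True rejects a prefix with host bits set (a common copy error).
    return [ipaddress.ip_network(entry.strip(), strict=True)]

def consolidate(entries):
    """Return (merged CIDR strings, entries already covered by a broader one)."""
    nets = [(label, net) for label, text in entries for net in to_networks(text)]
    redundant = []
    for label, net in nets:
        for other_label, other in nets:
            if other != net and net.subnet_of(other):
                redundant.append((label, str(net), other_label))
                break
    merged = [str(n) for n in ipaddress.collapse_addresses(n for _, n in nets)]
    return merged, redundant

if __name__ == "__main__":
    merged, redundant = consolidate(THREAD_ENTRIES)
    print("block list:", merged)
    for label, net, covered_by in redundant:
        print(f"{label} {net} is already covered by {covered_by}")
```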
8:03 pm on Apr 11, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Aug 1, 2013
posts:1338
votes: 22


Thanks dstiles. Figured that had to be a bigger iceberg but wasn't certain about what I was looking at when I expanded it.
1:07 am on Apr 15, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1889
votes: 56


slaskdatacenter

inetnum: 91.188.117.0 - 91.188.117.255
route: 91.188.117.0/24

for some reason Ring rings the bell
5:09 am on Apr 15, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439




Here's another SlaskDataCenter:


185.24.218.0 - 185.24.219.255
185.24.218.0/24
7:04 am on Apr 15, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439


A new one for me:
Nexcess
69.160.48.0 - 69.160.63.255
69.160.48.0/20

And a couple Ukraine offerings:
VDS Inside
46.149.96.0 - 46.149.111.255
46.149.96.0/20

Infium
193.106.28.0 - 193.106.31.255
193.106.28.0/22

And one in Chile:
gtdinternet
190.215.0.0 - 190.215.127.255
190.215.0.0/17
8:39 am on Apr 15, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439




Another new one (for me):
Micfo
192.240.192.0 - 192.240.255.255
192.240.192.0/18
6:50 pm on Apr 15, 2014 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3152
votes: 4


Update to Microsoft ranges. I had part of this one back in December but I only noticed the second half yesterday...

191.232.0.0 - 191.239.255.255
Brazil
Microsoft Informatica Ltda

I blocked the range on the assumption it's cloud, though I have no evidence for that. Second reason for blocking is Brazil - I get lots of nasties from there.
12:29 am on Apr 17, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439




oversun.ru
188.127.224.0/20
6:05 pm on Apr 17, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439



Some infected machines at:

Portlane
46.246.0.0 - 46.246.127.255
46.246.0.0/17
6:17 pm on Apr 17, 2014 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3152
votes: 4


Not necessarily infected, except by vermin. My Portlane set, all blocked:

46.246.0.0 - 46.246.127.255
80.67.0.0 - 80.67.31.255
91.236.116.0 - 91.236.116.255
178.73.192.0 - 178.73.255.255
188.126.64.0 - 188.126.127.255
193.105.134.0 - 193.105.134.255
6:40 pm on Apr 17, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439


Yes, the hits I'm getting from that range are definitely from infected machines:

[IP ADDRESS] - - [DATE] "GET /EXAMPLE.html/RK=0/RS=_6M5d5Lufh_Z2NqBcUPv7sazYBY- HTTP/1.1" 403 913 "http://www.example.COM/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36"

I've been getting about 100 of these requests per day for 4 days now. All have the appendage: RK=0/RS=_6M5d5Lufh_Z2NqBcUPv7sazYBY- and all for the same web page w/ the same UA... but from dozens of different IP addresses, mostly from various server farms but many from private DSL or Cable Broadband accounts. Some use HTTP/1.0 and some HTTP/1.1.

I believe these are infected/compromised machines being *tested* as drone accounts.

Coincidentally (or maybe not) the very same site of mine got hit with a bot-net (mixed server IPs, DSL & Cable Broadband) yesterday. They requested about 150 HTML files and a few scripts. I have excellent blocks in place and all hits from servers were unsuccessful, but there was/is no way to block the hits from the ISP accounts (all passed header checks.)

And BTW, thanks for the additional Portlane ranges. Didn't have two of them :)
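The request pattern described in the post above can be pulled out of an access log and grouped by source. This is an added example, not part of the original post: it flags paths with `/RK=<n>/RS=<token>` appended to a file name, labels each client as a listed data-center range or unlisted, and lists any such request that was actually served. The log lines, tokens, client addresses and function names are constructed for illustration; the two networks are ranges reported in this thread.

```python
import ipaddress
import re
from collections import Counter

# Two ranges reported in this thread; extend with your own block list.
DATACENTER_NETS = {
    "Portlane": ipaddress.ip_network("46.246.0.0/17"),
    "RedeHost": ipaddress.ip_network("187.84.224.0/20"),
}
# Combined log format: client IP, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"')
# A real file name followed by the appended /RK=<n>/RS=<token> segment.
APPENDAGE_RE = re.compile(r'^(?P<page>/[^?]*?\.\w+)/RK=\d+/RS=(?P<token>[^/?\s]+)$')

UA = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36"  # shortened
# Constructed sample lines (addresses, timestamps and tokens are made up).
SAMPLE_LOG = [
    f'46.246.10.20 - - [17/Apr/2014:18:01:02 +0000] "GET /page.html/RK=0/RS=_tokenA- HTTP/1.1" 403 913 "-" "{UA}"',
    f'187.84.225.7 - - [17/Apr/2014:18:05:40 +0000] "GET /page.html/RK=0/RS=_tokenA- HTTP/1.0" 403 913 "-" "{UA}"',
    f'203.0.113.50 - - [17/Apr/2014:18:09:13 +0000] "GET /page.html/RK=0/RS=_tokenA- HTTP/1.1" 200 5120 "-" "{UA}"',
    f'203.0.113.51 - - [17/Apr/2014:18:10:00 +0000] "GET /page.html HTTP/1.1" 200 5120 "-" "{UA}"',
    'truncated line without a request',
]

def source_of(ip_text):
    """Name the listed data center an address belongs to, else 'unlisted'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unlisted"
    return next((n for n, net in DATACENTER_NETS.items() if ip in net), "unlisted")

def scan(lines):
    """Return one record per request whose path carries the RK=/RS= appendage."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        tail = APPENDAGE_RE.match(m["path"]) if m else None
        if tail:  # unparseable lines and normal requests are skipped
            hits.append({"ip": m["ip"], "page": tail["page"], "token": tail["token"],
                         "status": int(m["status"]), "source": source_of(m["ip"])})
    return hits

def summarize(hits):
    """Count hits per source, distinct IPs per token, and list hits that were served."""
    ips = {}
    for h in hits:
        ips.setdefault(h["token"], set()).add(h["ip"])
    return {"by_source": Counter(h["source"] for h in hits),
            "ips_per_token": {t: len(s) for t, s in ips.items()},
            "served": [h["ip"] for h in hits if h["status"] < 400]}
```

A token shared by many distinct addresses is the signal worth alerting on, and the `served` list shows where range blocking alone did not stop the request.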
11:31 pm on Apr 17, 2014 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:3391
votes: 169


I have seen those RK=0 etc. text strings a few times recently, coming in from r.search.yahoo.com in 89.128.0.0 - 89.129.255.255. (YACOMNET 89.129.16.0/20) The IPs were already blocked so I didn't pay a lot of attention to it, but it was unusual.

I had those Portlane IPs blocked as PRIVACTUALLY-NET when they showed up last June in logs with this junk attached to the end of my URL: .../example-page.html+%28%27200%27++%27ok%27%29+ACCEPTED HTTP/1.0" I would need to dig through recent lists to say whether these were from one or several IPs this month and look at the UAs. Thanks for your information, some things need more than a glance and I remember that it seemed strange.
7:09 pm on Apr 18, 2014 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3152
votes: 4


keyplyr - the only hit I actually trapped as "new" this month with that "querystring" was:

IP: 189.76.232.nn (Brazil)
Headers: "normal"
Proxy FWD_FOR: 86.16.135.nnn (UK NTL broadband)
Proxy Name: Mikrotik HttpProxy (known bad and blocked)

UA: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/28.0.1500.52 Chrome/28.0.1500.52 Safari/537.36

Page blocked: /links.asp/RK=0/RS=_7f4TDSOzdjG_QsT8KxPYZM0nDE-
(This would always be blocked with at least 404 because of syntax ".asp/")

I suspect this is a deliberate attempt on PHP pages.
2:48 pm on Apr 19, 2014 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12548
votes: 2


All I have found so far on the RK=0/RS= string so far is speculation. Folks at ISC are wondering if it isn't a CMS.

[isc.sans.edu...]

It kind of makes sense -- maybe a special code to preview a page?
Or, perhaps it is a trackback? Affiliate code of sorts?
There you go, more speculation from me ... no answers yet though.
6:22 pm on Apr 19, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439


Thanks coopster, however I'm not asking anyone what their guess is... I know exactly what it is. Not CMS, a trackback or affiliate code. These are not just some bot following malformed links from somewhere. As I've stated twice now, these are compromised machines, mostly from various server farms (OVH, Continuum, Singlehop, Portlane, Quadranet, DNSSlaves, RedeHost, EverHost, ColoCrossing and a couple others) which are already blocked at my server anyway. Those from compromised DSL and Cable Broadband IPs have also been unsuccessful since I block any appendage to file names.
7:26 pm on Apr 19, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439



RedeHost, Brazil
187.84.224.0/20
9:39 pm on Apr 19, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9219
votes: 439





MediaTemple
64.207.128.0 - 64.207.191.255
64.207.128.0/18