@Hobbs - thanks for the ranges, didn't have several :)
However, I have Edis as: 184.108.40.206 - 220.127.116.11 18.104.22.168/19
8:50 pm on Apr 6, 2014 (gmt 0)
Bill, would it be a lot of work to put up links in the other direction too? "Continued in this thread..." as the last post.
Another day, another botnet: 22.214.171.124/18 NodeServ With a name like that, further lookups are superfluous. If the IP sounds familiar it's because they are right next to Incero, reported just a few weeks ago-- but unfortunately on the other half of the /17.
The good news is... I went to look up the rest of 107.155. Free lookup says .0.0/18 is ChinaCache while .192.0/18 is Sentris. So we get the /17 at least.
All of these claim to be January registrations. I'd had this whole neighborhood down as bogons until recently.
9:49 pm on Apr 6, 2014 (gmt 0)
Nice work Sherlock :)
5:44 pm on Apr 7, 2014 (gmt 0)
The following 3 messages were cut out to new thread by incredibill. New thread at: search_engine_spiders/4661837.htm [webmasterworld.com] 8:30 am on Apr 9, 2014 (PST -8)
5:30 am on Apr 8, 2014 (gmt 0)
These bad neighbors were spotted, wondering if anyone has more info on the neighborhood, because of their proximity?
I've been getting about 100 of these requests per day for 4 days now. All have the appendage: RK=0/RS=_6M5d5Lufh_Z2NqBcUPv7sazYBY- and all for the same web page w/ the same UA... but from dozens of different IP addresses, mostly from various server farms but many from private DSL or Cable Broadband accounts. Some use HTTP/1.0 and some HTTP/1.1.
I believe these are infected/compromised machines being *tested* as drone accounts.
Coincidentally (or maybe not) the very same site of mine got hit with a bot-net (mixed server IPs, DSL & Cable Broadband) yesterday. They requested about 150 HTML files and a few scripts. I have excellent blocks in place and all hits from servers were unsuccessful, but there was/is no way to block the hits from the ISP accounts (all passed header checks.)
And BTW, thanks for the additional Portlane ranges. Didn't have two of them :)
11:31 pm on Apr 17, 2014 (gmt 0)
I have seen those RK=0 etc. text strings a few times recently, coming in from r.search.yahoo.com in 126.96.36.199 - 188.8.131.52. (YACOMNET 184.108.40.206/20) The IPs were already blocked so I didn't pay a lot of attention to it, but it was unusual.
I had those Portlane IPs blocked as PRIVACTUALLY-NET when they showed up last June in logs with this junk attached to the end of my URL: .../example-page.html+%28%27200%27++%27ok%27%29+ACCEPTED HTTP/1.0" I would need to dig through recent lists to say whether these were from one or several IPs this month and look at the UAs. Thanks for your information, some things need more than a glance and I remember that it seemed strange.
7:09 pm on Apr 18, 2014 (gmt 0)
keyplr - the only hit I actually trapped as "new" this month with that "querystring" was:
IP: 189.76.232.nn (Brazil) Headers: "normal" Proxy FWD_FOR: 86.16.135.nnn (UK NTL broadband) Proxy Name: Mikrotik HttpProxy (known bad and blocked)
UA: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/28.0.1500.52 Chrome/28.0.1500.52 Safari/537.36
Page blocked: /links.asp/RK=0/RS=_7f4TDSOzdjG_QsT8KxPYZM0nDE- (This would always be blocked with at least 404 because of syntax ".asp/")
I suspect this is a deliberate attempt on PHP pages.
2:48 pm on Apr 19, 2014 (gmt 0)
All I have found so far on the
string so far is speculation. Folks at ISC are wondering if it isn't a CMS.
It kind of makes sense -- maybe a special code to preview a page? Or, perhaps it is a trackback? Affiliate code of sorts? There you go, more speculation from me ... no answers yet though.
6:22 pm on Apr 19, 2014 (gmt 0)
Thanks coopster, however I'm not asking anyone what their guess is... I know exactly what it is. Not CMS, a trackback or affiliate code. These are not just some bot following malformed links from somewhere. As I've stated twice now, these are compromised machines, mostly from various server farms (OVH, Continuum, Singlehop, Portlane, Quadranet, DNSSlaves, RedeHost, EverHost, ColoCrossing and a couple others) which are already blocked at my server anyway. Those from compromised DSL and Cable Broadband IPs have also been unsuccessful since I block any appendage to file names.