Thanks blend27

Good find although I always hate blocking Linode. I don't get many bad agents from their ranges, but I block a great number of company employees.

keyplr - I understand what you're saying. However, "carriers" is not the same as IP usage and the few /23 ranges I have for them are not extensive enough to accommodate all of those ISPs. If they identified their IP range usage I would be more likely to let certain services in, but until they do colo trumps broadband. :(

blend27 - io is a new TLD to me. Turns out it's "IO Top Level Domain Registry Cable and Wireless". Thanks for the IP range.

LT-HOSTEX
31.193.196.0 - 31.193.196.255
31.193.192.0/21

referrer and comment spamming from 31.193.196.98

I also have:
hostex.lt
92.61.32.0/20
92.61.32.0 - 92.61.47.255

I found 2 more out there, in total:

92.61.32.0 - 92.61.47.255 LT-HOSTEX-20071212 92.61.32.0/20
31.193.192.0 - 31.193.199.255 LT-HOSTEX-20110428 31.193.192.0/21
195.12.186.0 - 195.12.186.255 Hostex 195.12.186.0/24
185.3.228.0 - 185.3.231.255 LT-HOSTEX-20120924 185.3.228.0/22

centrilogic.com/dacentec.com (reseller to a dozen small hosting companies)
23.92.208.0/21
23.92.208.0 - 23.92.215.255

************

vshosting.cz
78.24.8.0/24
78.24.8.0 - 78.24.8.255

HostEurope (hosteurope.de) has been sending me some interesting callers lately. This is what I have for them:

5.35.224.0/19
5.35.248.0 - 5.35.255.255

46.163.72.0/21
46.163.72.0 - 46.163.79.255

88.80.192.0/19
88.80.192.0 - 88.80.255.255

92.51.128.0/18
92.51.144.0 - 92.51.151.255

176.28.0.0/18
176.28.0.0 - 176.28.63.255

178.77.64.0/18
178.77.64.0 - 178.77.127.255

Any more?

active24.cz
81.95.96.0/20
81.95.96.0 - 81.95.99.255

master.cz
81.31.32.0/20
81.31.32.0 - 81.31.47.255

****************************

mediawebline.de
31.47.240.0/20
31.47.240.0 - 31.47.255.255
91.203.108.0/22
91.203.108.0 - 91.203.111.255

any more?

plenty: bgp.he.net search for "Host Europe"

My current hosteurope list is...

5.35.224.0 - 5.35.255.255
46.163.64.0 - 46.163.127.255
80.237.128.0 - 80.237.255.255
80.246.48.0 - 80.246.63.255
83.169.0.0 - 83.169.63.255
85.119.151.0 - 85.119.159.255
87.230.0.0 - 87.230.127.255
88.80.192.0 - 88.80.223.255
91.250.64.0 - 91.250.127.255
92.51.128.0 - 92.51.191.255
94.199.240.0 - 94.199.247.255
176.28.0.0 - 176.28.63.255
178.77.64.0 - 178.77.127.255
217.115.128.0 - 217.115.159.255
217.199.160.0 - 217.199.191.255

@ dstiles - thanks

Seems to be a problem with this range: 85.119.151.0 - 85.119.159.255. Looks to me you've thrown in some Russians (85.119.151.0/24) at no extra charge.

So the actual Host Europe range (according to my sources):
85.119.152.0/21
85.119.152.0 - 85.119.159.255

myserver.ro
89.38.128.0/21
89.38.128.0 - 89.38.135.255

24shells.net
67.220.176.0 - 67.220.191.255
67.220.176.0/20

23.227.128.0 - 23.227.159.255
23.227.128.0/19

209.205.192.0 - 209.205.223.255
209.205.192.0/19

198.147.24.0 - 198.147.31.255
198.147.24.0/21

192.119.8.0 - 192.119.15.255
192.119.8.0/21

108.175.160.0 - 108.175.175.255
108.175.160.0/20

107.151.0.0 - 107.151.63.255
107.151.0.0/18

aventice.com
45.59.16.0 - 45.59.31.255
45.59.16.0/24

216.158.192.0 - 216.158.223.255
19 216.158.192.0/24

Thanks for the ranges blend27. A couple corrections:

45.59.16.0 - 45.59.31.255 is 45.59.16.0/20 (not 45.59.16.0/24)

216.158.192.0 - 216.158.223.255 is 216.158.192.0/19 (not 19 216.158.192.0/24)

keyplr:
> Seems to be a problem with this range: 85.119.151.0 - 85.119.159.255.

Correct. Sorry about that.

blend27 - thanks for the shells. Only had one of those.

athlonit.com (hosting)
166.63.0.0/17
166.63.0.0 - 166.63.127.255

***

got.net (mixed services: DSL & hosting)
207.111.192.0/18
207.111.192.0 - 207.111.255.255

***

6dg.co.uk (hosting)
217.10.128.0/19
217.10.128.0 - 217.10.159.255

However, this UK ISP has this range:
air-band.net
217.10.136.0/24
217.10.136.0 - 217.10.136.255

keyplyr, thanks for the corrections!


Well here is NFOrce Entertainment B.V. ranges that I could find.

85.159.232.0 - 85.159.239.255
85.159.232.0/21
46.166.128.0 - 46.166.159.255
46.166.128.0/21
37.143.32.0 - 37.143.39.255
37.143.35.0/24
185.7.76.0 - 185.7.79.255
185.7.76.0/22
185.11.144.0 - 185.11.147.255
185.11.144.0/22
109.201.128.0 - 109.201.159.255
109.201.128.0/19

Just a heads-up!

link.net Datacenters & Hosting:
197.160.0.0/13
197.160.0.0 - 197.167.255.255

now has an ADSL (humans) range right smack in the middle:
197.163.0.0/17
197.163.0.0 - 197.163.127.255

***

For anyone interested, this is how I broke it up, allowing that ADSL range:

197.160.0.0/15 #link.net 197.160.0.0 - 197.162.255.255
197.162.0.0/16 #link.net 197.160.0.0 - 197.162.255.255
...not blocking 197.163.0.0/17 #link.net ADSL 197.163.0.0 - 197.163.127.255
197.163.128.0/17 #link.net 197.163.128.0 - 197.167.255.255
197.164.0.0/14 #link.net 197.163.128.0 - 197.167.255.255

What a PITA!
Had a similar request yesterday from a SingleHop IP

192.249.115.82 - - [22/Jun/2015:01:40:10 -0600] "GET /index.php?gf_page=upload HTTP/1.1" 404 410 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)"
192.249.115.82 - - [22/Jun/2015:01:40:10 -0600] "GET /wp-admin/admin-ajax.php?action=revslider_ajax_action HTTP/1.1" 404 410 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)"

InMotion Hosting
IMH-WEST 104.152.108.0 - 104.152.111.255 104.152.108.0/22
IMH-LAX 104.244.120.0 - 104.244.127.255 104.244.120.0/21
IMH-IAD 104.193.140.0 - 104.193.143.255 104.193.140.0/22
IMH-EAST 172.81.116.0 - 172.81.119.255 172.81.116.0/22
IMH-IAD 173.205.124.0 - 173.205.125.255 173.205.126.0/24
WHH-IAD 173.205.127.0 - 173.205.127.255 173.205.127.0/24
IMH-IAD 173.205.126.0 - 173.205.126.255 173.205.126.0/24
WHH-LAX 192.145.238.0 - 192.145.238.255 192.145.238.0/24
IMH-LAX 192.145.232.0 - 192.145.239.255
WHH-LAX 192.145.238.0 - 192.145.238.255
IMH-LAX 192.249.112.0 - 192.249.127.255 192.249.112.0/20
IMH-LAX 192.249.112.0 - 192.249.127.255
IMH-198-46-80 198.46.80.0 - 198.46.95.255 198.46.80.0/20
IMH-LAX 198.46.92.0 - 198.46.95.255
IMH-LAX 205.134.249.0 - 205.134.249.255 205.134.249.0/24
IMH-IAD-1 216.194.170.0 - 216.194.171.255 216.194.170.0/23
IMH-216-194-160 216.194.160.0 - 216.194.175.255 216.194.160.0/20
NETBLK-HR-OHFC-INMOT-216-54-31-80 216.54.31.80 - 216.54.31.87 216.54.31.80/29
IMH-23-235-192 23.235.192.0 - 23.235.223.255 23.235.192.0/19
IMH-LAX 66.117.4.0 - 66.117.4.255 66.117.4.0/24
IMH-IAD 67.199.146.0 - 67.199.146.255 67.199.146.0/24
IMH-IAD 69.174.52.0 - 69.174.53.255 69.174.52.0/23
IMH-IAD 69.174.48.0 - 69.174.48.255 69.174.48.0/24
IMH-IAD 69.174.114.0 - 69.174.115.255 69.174.114.0/23
IMH-IAD 70.39.144.0 - 70.39.151.255 70.39.144.0/21
IMH-IAD 70.39.232.0 - 70.39.233.255 70.39.232.0/23
IMH-IAD 70.39.234.0 - 70.39.235.255 70.39.234.0/23
IMH-IAD 70.39.248.0 - 70.39.249.255 70.39.248.0/23
IMH-IAD 70.39.250.0 - 70.39.251.255 70.39.250.0/23
IMH6-1 2605:F400:: - 2605:F400:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

Thanks Don, didn't have several of those. Others are inside larger ranges & some of course can be combined. Too bad these tools don't do that for us :)

As far as "similar request" are concerned, I see those and other WP vulnerability probes easily 50x each and every day. I'm pretty sure there are a lot of WP installs at my host, possibly attracting the attention.

I added the following rather that continuing IP's for this same pest (saem UA from aforementioned SingleHop).

RewriteCond %{HTTP_USER_AGENT} MSIE\ 9\.0; Windows\ NT\ 6\.0;\ Trident/5\.0\)$
RewriteRule .* - [F]

I got these from several domains today - in traps
104.236.0.0 - 104.236.255.255
104.236.0.0/16
DIGITALOCEAN-10 Simple Cloud Hosting

Registered about 6 months ago, but I did not have them on record.

In my experience WP vulnerability probes come from many UAs, not just the one you blocked. These UAs are all spoofed since it is a script (bot) that is actually probing your server for a open window, not a browser.

ods.vn mobile & servers
112.78.0.0/20
112.78.0.0 - 112.78.15.255

centralserver.com.br
186.233.144.0/21
186.233.144.0 - 186.233.151.255

masterweb.com
49.50.8.0/22
49.50.8.0 - 49.50.11.255

Verio (ntt.com)
198.170.0.0/15, 198.172.0.0/15
198.170.0.0 - 198.173.255.255

Allowable time to edit post has past.

Of course it is... :)

More Verio (ntt.com)
199.237.192.0/18
199.237.192.0 - 199.237.255.255

Updated list for VolumeDrive

74.118.192.0 - 74.118.195.255 VOLUMEDRIVE 74.118.192.0/22
204.124.180.0 - 204.124.183.255 VOLUMEDRIVE 204.124.180.0/22
199.19.104.0 - 199.19.111.255 VOLUMEDRIVE 199.19.104.0/21
199.180.112.0 - 199.180.119.255 VOLUMEDRIVE 199.180.112.0/21
199.168.136.0 - 199.168.143.255 VOLUMEDRIVE 199.168.136.0/21
199.115.228.0 - 199.115.231.255 VOLUMEDRIVE 199.115.228.0/22
192.69.88.0 - 192.69.95.255 VOLUM-ARIN 192.69.88.0/21
173.242.112.0 - 173.242.127.255 VOLUMEDRIVE 173.242.112.0/20
173.242.112.0 - 173.242.127.255 VOLUMEDRIVE 173.242.112.0/20
162.248.72.0 - 162.248.79.255 VOLUMEDRIVE 162.248.72.0/21
162.213.24.0 - 162.213.31.255 VOLUM-2 162.213.24.0/21
142.0.32.0 - 142.0.47.255 VOLUMEDRIVE 142.0.32.0/20
104.255.64.0 - 104.255.71.255 VOLUM-ARIN 104.255.64.0/21
104.245.96.0 - 104.245.103.255 VOLUM-ARIN 104.245.96.0/21
104.193.8.0 - 104.193.11.255 VOLUM-ARIN 104.193.8.0/22

seems like i was missing a few...