New Click Adsense

Russian scam bot

keyplyr

9:02 am on May 9, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

**.**.**.** - - [08/May/2015:21:35:59 -0700] "GET /example.html HTTP/1.1" 403 1513 "New Click Adsense" "(Adsense Bot Banned) - To stop clicks write on email: invesem@yandex.com"

Been getting about 30 to 50 of these the last couple days. Half are coming from well known server farms I already had blocked by IP. The others were either (new to me) server farms or compromised machines at (presumably) innocent company servers.

I'm assuming this is from some Russian scammer seeking payment to stop these hits, which are (presumably) intended to frighten Adsense publishers for fear of click-fraud, but they are not clicking on Adsense ads, just hitting the page.

Easily blocked by the usual methods - plus I discovered a bunch of server farms I wasn't previously aware of :)

keyplyr

8:34 am on May 10, 2015 (gmt 0)

...and they keep coming, day 3

Pfui

4:39 pm on May 11, 2015 (gmt 0)

Have yet to see, but apparently there are variations: [inmotionhosting.com...]

Sigh. More words for the Banned REFs list. I'm overwhelmed enough with the "fckeditor" exploits.

blend27

5:16 pm on May 11, 2015 (gmt 0)

Totally love the response by InMotionHosting Tech

Pfui

8:23 pm on May 11, 2015 (gmt 0)

To their credit, they refer people on from their basic robots.txt info page to more advanced -- and effective (smiles) -- alternatives. [inmotionhosting.com...]

keyplyr

9:37 pm on May 11, 2015 (gmt 0)

These hits are coming from many hosts, not just inmotionhosting. Same host IPs each day so it appears the botrunner just purchased a couple dozen compromised IPs from one of those hacker stores in E. Europe.

Still coming. I did give a couple of the (non-server farm) companies a heads-up.

lucy24

10:35 pm on May 11, 2015 (gmt 0)

Totally love the response by InMotionHosting Tech

You mean the part where you get two seconds to read any given page before it's obliterated with a login screen?

keyplyr

12:10 am on May 12, 2015 (gmt 0)

You mean the part where you get two seconds to read any given page before it's obliterated with a login screen?

Don't you have that stuff turned off?

Pfui

1:15 am on May 12, 2015 (gmt 0)

These hits are coming from many hosts, not just inmotionhosting

Never said any did. I included the link to show a variation of the same UA that someone kindly posted to their site.

So back to the troublesome UA scheme, eh? Here's the variation, courtesy of inmotionhosting's poster, circa May 5th:

Click Adsense (Adsense Bot Banned) - To stop clicks send 25 Litecoin (litecoin.org) wallet: LeuLZKCKLEgKqJM7vdEY8HNXqtt9GQ9DZQ and direct transfer details and website address to mail (left out for posting) **@yahoo.com

keyplyr

1:21 am on May 12, 2015 (gmt 0)

Never said any did... So back to the troublesome UA scheme, eh?

LOL

keyplyr

8:10 am on May 18, 2015 (gmt 0)

Looks like this joker was shut down. Haven't seen anything for 4 days.

keyplyr

9:10 am on May 19, 2015 (gmt 0)

Spoke too soon, it's back mostly using various European TOR servers and IP Transits:

188.138.1.229 - - [18/May/2015:03:24:02 -0700] "GET /example.html HTTP/1.1" 403 1511 "(Adsense Bot Banned) - To stop clicks write on email: invesem@yandex.com" "(Adsense Bot Banned) - To stop clicks write on email: invesem@yandex.com"

dstiles

8:34 pm on May 19, 2015 (gmt 0)

188.138.0.0/17 - plusserver aka intergenia aka bsb-service, formerly serverloft, germany. Banned, of course. :)

You could probably get the email address inconveniently blocked by writing to yandex. :)

PlusServer IPs I have...

62.75.128.0 - 62.75.255.255
80.86.80.0 - 80.86.95.255
85.25.0.0 - 85.25.255.255
188.138.0.0 - 188.138.127.255
217.118.16.0 - 217.118.31.255
217.172.160.0 - 217.172.191.255

keyplyr

9:02 pm on May 19, 2015 (gmt 0)

Thanks - so far this idiot has hit my files (on 6 web sites) from 114 different IP ranges: server farms, infected ISPs, company networks, VPN, TOR & IP Transits. IMO he's just buying these compromised ranges off some hacked-range broker like the rest of these bozos.

Hit me 160 times yesterday, all blocked.

lucy24

2:24 am on May 20, 2015 (gmt 0)

You gotta admit that including the word "Banned" in your UA string sure makes it easy :)

keyplyr

3:21 am on May 20, 2015 (gmt 0)

This has actually been very helpful. So far I've been conveniently given about 60 blockable server ranges I did not know about. At this rate, in about 3000 years, I'll wrap up all the baddies out there!

lucy24

5:49 pm on May 20, 2015 (gmt 0)

So far I've been conveniently given about 60 blockable server ranges I did not know about.

At any given time, I've got from two to four ongoing botnets that are easy to identify after-the-fact from behavior alone. (There are actually more, but some only do their thing from already-blocked ranges.) This is handy because it lets me look up previously unsuspected IPs and either block them outright or flag them with an environmental variable for infection-prone neighborhoods.*


* Robots are Ukrainian. Infected human browsers are Russian. File under: Life's Little Mysteries.

keyplyr

8:28 pm on May 20, 2015 (gmt 0)

I used to get botnets every week (still do occasionally) then I discovered a precursor. Browser hits would come for 3 pages, the same 3 pages with no other file requests. A couple days after that the botnet would hit. I started blocking these 3 pages IF a few other rules were true. Botnets mostly stopped.

This (and other factors) supports my theory that most of this stuff is being packaged & sold by hacker-tool vendors where it's one-stop shopping for infected IP ranges & vulnerability scripts. The buyers then just fill in the text fields for their needs.
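An added example, not code from the thread or from any poster: a small Python script that applies the three signals discussed above to Apache combined-format log lines. It flags hits whose referrer or user-agent carries the "Adsense Bot Banned" marker keyplyr logged, checks the client IP against the PlusServer ranges dstiles listed (converted from start-end pairs to CIDR networks), and applies a heuristic version of keyplyr's precursor pattern, treating an IP as suspicious when its only requests are exactly three distinct pages with no asset requests at all. The precursor rule, the asset-extension list and the sample log lines (two copied from the thread with the masked IP replaced by a documentation address, the rest constructed) are assumptions for the example, not keyplyr's actual rules.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log. The first two lines are the entries posted in the
# thread (masked IP replaced with 203.0.113.7); the rest are made up to show
# a three-page-only visitor and a normal visitor that also fetches assets.
SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2015:21:35:59 -0700] "GET /example.html HTTP/1.1" 403 1513 "New Click Adsense" "(Adsense Bot Banned) - To stop clicks write on email: invesem@yandex.com"
188.138.1.229 - - [18/May/2015:03:24:02 -0700] "GET /example.html HTTP/1.1" 403 1511 "(Adsense Bot Banned) - To stop clicks write on email: invesem@yandex.com" "(Adsense Bot Banned) - To stop clicks write on email: invesem@yandex.com"
198.51.100.9 - - [18/May/2015:03:30:01 -0700] "GET /page-a.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/37.0"
198.51.100.9 - - [18/May/2015:03:30:02 -0700] "GET /page-b.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/37.0"
198.51.100.9 - - [18/May/2015:03:30:03 -0700] "GET /page-c.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/37.0"
192.0.2.44 - - [18/May/2015:03:31:00 -0700] "GET /page-a.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/37.0"
192.0.2.44 - - [18/May/2015:03:31:01 -0700] "GET /style.css HTTP/1.1" 200 512 "http://example.com/page-a.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/37.0"
192.0.2.44 - - [18/May/2015:03:31:01 -0700] "GET /logo.png HTTP/1.1" 200 9000 "http://example.com/page-a.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/37.0"
"""

# PlusServer start-end ranges as posted by dstiles in this thread.
PLUSSERVER_RANGES = [
    ("62.75.128.0", "62.75.255.255"),
    ("80.86.80.0", "80.86.95.255"),
    ("85.25.0.0", "85.25.255.255"),
    ("188.138.0.0", "188.138.127.255"),
    ("217.118.16.0", "217.118.31.255"),
    ("217.172.160.0", "217.172.191.255"),
]

# Apache combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Case-insensitive marker the scam bot puts in both the referrer and the UA.
MARKER = "adsense bot banned"

# Assumed asset extensions: a real browser loading a page fetches some of these.
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff")


def ranges_to_networks(ranges):
    """Turn (first, last) address pairs into a list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def in_blocked_range(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_extortion_hit(entry):
    return MARKER in entry["referer"].lower() or MARKER in entry["ua"].lower()


def flag_hits(text, networks):
    """Return (ip, reason) for every entry matching the marker or a blocked range."""
    flagged = []
    for e in parse_log(text):
        reasons = []
        if is_extortion_hit(e):
            reasons.append("ua/referer marker")
        if in_blocked_range(e["ip"], networks):
            reasons.append("blocked range")
        if reasons:
            flagged.append((e["ip"], ", ".join(reasons)))
    return flagged


def precursor_ips(text, page_count=3):
    """Assumed heuristic after keyplyr's observation: IPs whose requests are
    exactly `page_count` distinct pages and no asset files at all."""
    paths = defaultdict(set)
    for e in parse_log(text):
        paths[e["ip"]].add(e["path"].lower())
    out = []
    for ip, seen in paths.items():
        if len(seen) == page_count and not any(p.endswith(ASSET_EXT) for p in seen):
            out.append(ip)
    return sorted(out)


if __name__ == "__main__":
    nets = ranges_to_networks(PLUSSERVER_RANGES)
    for ip, reason in flag_hits(SAMPLE_LOG, nets):
        print(f"flag {ip}: {reason}")
    for ip in precursor_ips(SAMPLE_LOG):
        print(f"precursor pattern: {ip}")
```

Run against the sample, the script flags both posted hits by the marker, the second additionally by the 188.138.0.0/17 range, and reports 198.51.100.9 as a three-page-only visitor while the browser that also fetched CSS and an image is left alone. On a real log the output is a review list, not a block list: the range check only knows the ranges you feed it, and the precursor heuristic will also catch some genuine readers, so it is a candidate for a flag (the "environment variable" approach lucy24 mentions) rather than an outright ban.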

lucy24

10:35 pm on May 20, 2015 (gmt 0)

Browser hits would come for 3 pages, the same 3 pages with no other file requests.

Once a year, when I take a closer look at robots, one pattern I see is three consecutive requests for some inner page. The reason I don't normally notice them is that they tend to come from unconditionally blocked IPs. Which, in turn, leads to the suspicion that some server farms are inherently dirtier than others, even if there's nothing in their publicly displayed documentation to say so.

keyplyr

11:09 pm on May 20, 2015 (gmt 0)

some server farms are inherently dirtier than others, even if there's nothing in their publicly displayed documentation to say so

Like... "We Host Nefarious Bots?"

That would indeed make things easier.

carfac

7:47 pm on May 25, 2015 (gmt 0)

I have been looking - have not seen this one...

lucy24

11:50 pm on May 25, 2015 (gmt 0)

Like... "We Host Nefarious Bots?"

Haha. Seriously, I'd expect lines like "we respect our clients' privacy" or "we encourage enterprise" or similar buzzword du jour.

keyplyr

2:52 am on May 26, 2015 (gmt 0)

I've been reporting this abuser to the respective hosts he's using to send these scams. The level of defensive denial on the part of these hosts is astounding. I've been academic and non-accusing in my reports, yet instead of thanking me for the time I've spent in assembling the data solely for their benefit in identifying the abuser, almost every single abuse & noc person contacted so far denies there is any problem on their end or just returns a generic response. I even received one reply defending the universal rights of all users access to their TOR exit nodes.