Distributed Hosting Reaping Network

Hobbs

2:16 pm on Nov 15, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Each IP is mostly reaping a few pages, seconds apart, from the same class C hosting ranges.
My usual suspects are either Chinese or Iranian reapers, more Iranian lately.

All same user agent:

"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"

104.247.192.0/19 Alpha Geek Solutions ags.rocks 104.247.218.x 4 ips
162.245.216.0/21 HostUS 162.245.222.x, 2 ips
170.130.0.0/16 eonix.net 170.130.59.x, 3 ips
172.82.128.0/18 quickpacket.com 172.82.175.x, 7 ips
173.232.0.0/16 quickpacket.com 173.232.20.x, 4 ips
181.214.52.0/24 ags.rocks 24 ips
191.96.206.0/24 ags.rocks 26 ips
198.46.128.0/17 ColoCrossing 198.46.133.x, 7 ips
198.55.96.0/19 Quadranet.com
45.58.48.0/20 HostUS 45.58.50.x, 4 ips

aristotle

2:48 pm on Nov 18, 2015 (gmt 0)

If I understand this, it looks like someone went to a lot of expense and trouble to set this up. Or am I missing something?

lucy24

6:31 pm on Nov 18, 2015 (gmt 0)

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36

Do they pick these out of a hat, or are there unique and special vulnerabilities attached to this exact browser? For comparison purposes, I've currently got two distinct botnets using
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36

keyplyr

11:02 pm on Nov 18, 2015 (gmt 0)

Typical botnet of infected servers looking for exploits.

blend27

11:14 pm on Nov 18, 2015 (gmt 0)

The cool part about some botnets of this kind is that they tend to share a cookie between IPs in order to avoid being detected. Once that cookie gets blacklisted by a blocking mechanism, all that needs to be done is serve 200 OK with some random text on it and a link to a honeypot URL. Then all one needs to do is nuke the /24 until further notice/inspection ;)
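An added example, not code from the thread or from any of its posters, that turns two observations above into log checks: Hobbs' pattern (several IPs in one /24, one User-Agent, a page each a few seconds apart) and blend27's point that the same cookie value turns up from many IPs. It assumes an access log in combined format with the request's Cookie header appended as a final quoted field (an assumed layout; the sample lines are constructed). The hosting ranges are the ones Hobbs listed; limiting /24 blocking to those ranges is a design choice of this example, so a residential /24 is never blocked on the strength of one shared cookie.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout: combined log format plus a trailing quoted Cookie field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# User-Agent reported in the first post; the Firefox UA is a constructed contrast.
BOT_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36")
HUMAN_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"

# Hosting ranges from Hobbs' list: the only ranges this example will block at /24.
HOSTING_RANGES = [ipaddress.ip_network(c) for c in (
    "104.247.192.0/19", "162.245.216.0/21", "170.130.0.0/16", "172.82.128.0/18",
    "173.232.0.0/16", "181.214.52.0/24", "191.96.206.0/24", "198.46.128.0/17",
    "198.55.96.0/19", "45.58.48.0/20")]


def _line(ip, ts, path, ua, cookie, ref="-"):
    """Build one constructed log line in the layout LOG_RE expects."""
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 5120 "{ref}" "{ua}" "{cookie}"'


# Constructed sample: four hosts in 104.247.218.0/24 plus one in 173.232.20.0/24,
# seconds apart, one User-Agent, one shared cookie; and one real visitor.
SAMPLE_LOG = [
    _line("203.0.113.5", "15/Nov/2015:13:01:50", "/", HUMAN_UA, "sid=xyz789"),
    _line("104.247.218.10", "15/Nov/2015:13:02:01", "/page1", BOT_UA, "sid=abc123"),
    _line("104.247.218.11", "15/Nov/2015:13:02:04", "/page2", BOT_UA, "sid=abc123"),
    _line("104.247.218.12", "15/Nov/2015:13:02:09", "/page3", BOT_UA, "sid=abc123"),
    _line("104.247.218.13", "15/Nov/2015:13:02:15", "/page4", BOT_UA, "sid=abc123"),
    _line("173.232.20.7", "15/Nov/2015:13:02:20", "/page5", BOT_UA, "sid=abc123"),
    _line("203.0.113.5", "15/Nov/2015:13:03:10", "/about", HUMAN_UA, "sid=xyz789",
          ref="http://example.com/"),
]


def parse_log(lines):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], TS_FMT)
        records.append(r)
    return records


def subnet24(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def in_hosting_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def distributed_clusters(records, min_ips=3, max_gap=timedelta(seconds=30)):
    """Hobbs' pattern: group hits by (User-Agent, /24) and flag groups where at
    least min_ips distinct IPs took part and consecutive hits never paused
    longer than max_gap. Returns {subnet: [ips]}."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["ua"], subnet24(r["ip"]))].append(r)
    flagged = {}
    for (_ua, net), hits in groups.items():
        hits.sort(key=lambda r: r["ts"])
        ips = {r["ip"] for r in hits}
        gaps = [b["ts"] - a["ts"] for a, b in zip(hits, hits[1:])]
        if len(ips) >= min_ips and gaps and max(gaps) <= max_gap:
            flagged[net] = sorted(ips)
    return flagged


def shared_cookies(records, min_ips=2):
    """blend27's signal: one cookie value presented by min_ips or more IPs."""
    by_cookie = defaultdict(set)
    for r in records:
        if r["cookie"] not in ("", "-"):
            by_cookie[r["cookie"]].add(r["ip"])
    return {c: sorted(ips) for c, ips in by_cookie.items() if len(ips) >= min_ips}


def block_candidates(records):
    """/24s worth blocking: every IP implicated by either signal, provided it
    sits inside one of the listed hosting ranges."""
    implicated = set()
    for ips in distributed_clusters(records).values():
        implicated.update(ips)
    for ips in shared_cookies(records).values():
        implicated.update(ips)
    return {subnet24(ip) for ip in implicated if in_hosting_range(ip)}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("clusters:", distributed_clusters(recs))
    print("shared cookies:", shared_cookies(recs))
    print("block /24s:", sorted(block_candidates(recs)))
```

On the sample, the 104.247.218.0/24 group is flagged by timing alone, the lone 173.232.20.7 host is only caught by the shared cookie, and the Firefox visitor, whose cookie is seen from one IP, is left alone. The thresholds (three IPs, 30-second gaps, two IPs per cookie) are starting points to tune against your own traffic.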