Server Farms - January 2016

Continuation of the discussion of hosting company IP ranges

         

incrediBILL

7:32 pm on Jan 1, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Continuation of the Server Farm threads.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:

blend27

9:05 pm on May 2, 2016 (gmt 0)

Part of a huge 22/23/24 Paella
191.96.249.0 - 191.96.249.255
191.96.249.0/24

[edited by: keyplyr at 9:34 pm (utc) on May 2, 2016]
[edit reason] removed session link [/edit]

keyplyr

9:37 pm on May 2, 2016 (gmt 0)

dmzhost.co is a VPN service & as such I assume there are many small ranges.

(The Hurricane link does not work for those without the session cookie)

blend27

9:07 am on May 3, 2016 (gmt 0)

(The Hurricane link does not work for those without the session cookie)

They actually give you one, look in your Temp Folder :)

keyplyr

9:26 am on May 3, 2016 (gmt 0)

Not my point. When you post a link from a Hurricane search, the WW members following that link go to the Hurricane home page because they don't have the session cookie from that search, so all we're doing is giving them traffic. Let's try to avoid that.

Just a note, one of the many products Hurricane Electric is known for is that of a server farm. Nothing wrong with that business model, but the purpose of this thread is to report trouble coming from server farms & Hurricane has certainly had its due share of complaints here. In fact, before cloud hosting came into existence, Hurricane was probably the most reported server farm at WW. I still see the occasional bad actor coming from their ranges, but in general they seem to have cleaned up their act in regards to leasing IPs to bad guys IMO.

blend27

10:38 am on May 3, 2016 (gmt 0)

Awesome Sauce then. Here are troubles coming from servers at Makonix SIA(Latvia)/Virtual Server hosting

Known Ranges - from the site with the cookie.

Some schmuck just tried to plow through a site from several ranges above using the following user agents:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0r
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1r
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36r

17 hits all in total.

keyplyr

10:57 am on May 3, 2016 (gmt 0)

That filled a few holes, thanks blend27.

However, for 185.86.148.0 - 185.86.151.255 I get 185.86.148.0/22

keyplyr

10:39 pm on May 3, 2016 (gmt 0)

Secure Internet
172.111.128.0 - 172.111.255.255
172.111.128.0/17

managed by:gaditek.com
Managed Cloud Hosting, Virtual Private Network, Security Services, SSL, Data Encryption

blend27

10:38 am on May 4, 2016 (gmt 0)

PACKETFLIP - Packet Flip's proxy services provides the ability to anonymously perform business intelligence, web harvesting, fraud investigations, competitive analysis, and various other internet research related activities.


--------------------------------------------------------------------------------------------------------------
UA: Dispatch/0.11.3 - from 89.42.49.168, just after 170.75.155.126 with same UA.

keyplyr

11:53 am on May 4, 2016 (gmt 0)

Dispatch ID'd December 2015: [webmasterworld.com...]

blend27

1:06 pm on May 4, 2016 (gmt 0)

ENTER.IT
185.48.32.0 - 185.48.35.255
185.48.32.0/23

I am looking at POST&GET to /xmlrpc.php from several IP ranges from ENTER.IT on 7 sites now. NONE of the sites ever had WP installed on them.

I love .PHP extension, makes it so easy to *i*ch slap them around!

blend27

1:45 pm on May 4, 2016 (gmt 0)

21Vianet provides hosting and related services, managed network services, cloud services, content delivery network services...

This is billed as MICROSOFT.

Microsoft (China) Co., Ltd.
42.159.0.0 - 42.159.255.255
42.159.0.0/16

keyplyr

7:44 pm on May 4, 2016 (gmt 0)

RE: 21vianet.com
It's Azure... Microsoft's version of AWS leasing part of Chinanet:

Parent: ChinaNet
42.156.0.0 - 42.159.255.255
42.156.0.0/14
Host: M$ Azure China
42.159.0.0 - 42.159.255.255
42.159.0.0/16

21vianet.com also at:
Parent: China Arbitcool
59.151.0.0 - 59.151.127.255
59.151.0.0/18

keyplyr

3:52 am on May 14, 2016 (gmt 0)

Brussels Servers
194.187.251.0 - 194.187.251.255
194.187.251.0/24

keyplyr

10:13 pm on May 14, 2016 (gmt 0)

vooservers.com
185.43.108.0 - 185.43.111.255
185.43.108.0/22

blend27

3:30 pm on May 15, 2016 (gmt 0)

CYBERTECHNOLOGY(BE - AS8455)
95.142.101.0 - 95.142.101.255
95.142.101.0/24

I am going to start including "Origin AS" in my posts from now on, as well as a "country" the range is assigned to.

I don't actively look for ranges anymore since they are actively looking for me, first come - last served ;)

keyplyr

10:39 pm on May 15, 2016 (gmt 0)

@blend27
cybertechnology.net is a bit larger:
95.142.100.0 - 95.142.101.255
95.142.100.0/23


nephoscale.com (previously known as SiliconValleyServers)
69.50.224.0 - 69.50.255.255
69.50.224.0/19

keyplyr

1:44 am on May 16, 2016 (gmt 0)

inulogic.com
185.81.156.0 - 185.81.159.255
185.81.156.0/22

wilderness

3:04 am on May 16, 2016 (gmt 0)

Nepho

[edited by: keyplyr at 4:27 am (utc) on May 16, 2016]
[edit reason] relocated post [/edit]

wilderness

12:27 pm on May 16, 2016 (gmt 0)

FranTech Solutions (didn't have any luck at Googling the server name; Ponynet).

3rd IP of three successive requests for a page that many rogue bots hit.

Webwork

1:58 pm on May 16, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Integra Telecom.
Today's visit was a Wordpress login hacker:
Appears to offer a wide variety of services so difficult to discern what to block.

blend27

3:10 pm on May 16, 2016 (gmt 0)

cloudhosting.co.th(TH - AS23884)
103.13.228.0 - 103.13.229.255
103.13.228.0/23

blend27

3:23 pm on May 16, 2016 (gmt 0)

Don, FranTech Solutions seems to be buyvm.net and gang...

blend27

4:14 pm on May 16, 2016 (gmt 0)

INULOGIC SARL(France - AS198375)
91.234.104.0 - 91.234.107.255
91.234.104.0/22
185.81.156.0 - 185.81.159.255
185.81.156.0/22

keyplyr

9:04 pm on May 16, 2016 (gmt 0)

Integra Telecom.
Today's visit was a Wordpress login hacker:
Appears to offer a wide variety of services so difficult to discern what to block.
Yup, a business data center masquerading as a telecom. IMO most all of the WordPress hack attempts come from infected accounts; a script that gets passed around through unsafe sites/downloads/emails. Rather than block the unsuspecting account alone, I use a combo of header field, request behavior, UA & IP address.

keyplyr

11:20 am on May 27, 2016 (gmt 0)

ran.es
212.34.128.0 - 212.34.159.255
212.34.128.0/19

keyplyr

11:53 pm on May 28, 2016 (gmt 0)

neohost.com.ua
79.133.98.0 - 79.133.99.255
79.133.98.0/23

keyplyr

6:39 am on May 30, 2016 (gmt 0)

losangelesdedicated.net (ladedicated.com)
162.251.164.0 - 162.251.167.255
162.251.164.0/22


relianceglobalcom.com (globalcloudxchange.com)
66.54.128.0 - 66.54.255.255
66.54.128.0/17

keyplyr

10:48 am on Jun 1, 2016 (gmt 0)

snel.com
89.207.128.0 - 89.207.135.255
89.207.128.0/21

ps.kz
89.219.32.0 - 89.219.32.127
89.219.32.0/24

keyplyr

9:54 pm on Jun 2, 2016 (gmt 0)

paramounttechnology.net hosting
216.81.71.0 - 216.81.71.255
216.81.71.0/24

Bad actor using UA: =Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16

wilderness

1:15 am on Jun 3, 2016 (gmt 0)

keyplyr,
The parent host of paramounttechnology is Vortech, which was recently acquired by Frontline Data Services.

FWIW, their ranges in the 64-A are subleased from Hudson Valley Data.
I'm inclined to believe that Hudson Valley Data is affiliated with the recent Hudson Valley Host (ColoCrossing) that has been bombarding everybody.