tracemyfile

TorontoBoy

12:20 pm on May 16, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



UA: Mozilla/5.0 (compatible; tracemyfile/1.0; +bot@tracemyfile.com)
Protocol: HTTP/1.1
Robots.txt: No
host: GOOGLE-CLOUD
35.233.74.121, 35.208.0.0 - 35.247.255.255
CIDR: 35.208.0.0/12, 35.224.0.0/12, 35.240.0.0/13
IBM X-Force Search: Risk 4.3/10, yellow, for bots

A hit and run bot. It seems to be searching for WP site injections?
GET /wp-example/?p=4512&buy-ventolin-no-prescription HTTP/1.1
GET /wp-example/2012/09/12/motorcycle-traffic-riding-error/?amp;buy-ventolin-no-prescription HTTP/1.1

keyplyr

3:16 am on May 17, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Another possible example of how a bot's name can have nothing to do with its actual function. From your example it appears to be a vulnerability check.

Trace your images to see where they are being used online
source: tracemyfile.com

lucy24

4:16 am on May 17, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



searching for WP site injections
Which, in turn, can mean anything and everything, including
-- looking for sites with existing injections because it means they'll be vulnerable to my own malign contributions as well
-- an excuse to send spam offering overpriced, ineffective cleanup services.

TorontoBoy

12:15 pm on May 17, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Such reconnaissance is the foreplay of a hack, and for me an immediate ban.

If someone checks my front door lock handle, then knocks to sell me door hardware, I would be unhappy. This is not a good marketing method.

TorontoBoy

12:52 pm on May 18, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



104.155.59.234 [16/May/2018:16:31:51 HEAD /wp-example/wp-content/uploads/2010/06/mcD-shrek-glasses3-150x150.jpg HTTP/1.1
35.195.69.81 [17/May/2018:04:48:12 HEAD /wp-example/wp-content/uploads/2010/06/torontopolice4-600x370.jpg HTTP/1.1

IP changes:
104.155.59.234
104.154.0.0 - 104.155.255.255
CIDR: 104.154.0.0/15
NetName: GOOGLE-CLOUD

35.195.69.81
35.192.0.0 - 35.207.255.255
CIDR: 35.192.0.0/12
NetName: GOOGLE-CLOUD

keyplyr

5:15 pm on May 18, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



They will likely use various ranges from Google Cloud networks. That's how most cloud services work, so if blocking, best to do so using UA.

There are exceptions though. I have one long-time pest coming from AWS that uses a specific IP address; never changes.

Personally, I allow all Google Cloud ranges due to several Google tools using those ranges.

Also, this UA may be fake. This may not be the real tracemyfile.
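Both the injection-probe requests TorontoBoy quoted earlier and the advice in this post (block on the UA rather than the cloud ranges) can be checked mechanically against an access log. The script below is an added example, not code from anyone in this thread or from tracemyfile: it parses combined-format log lines, matches the tracemyfile User-Agent, flags the pharma-spam query strings quoted above, and records whether the source IP sits in one of the Google Cloud or AWS ranges posted in the thread. The log lines in SAMPLE_LOG are constructed for the example (the 203.0.113.x and 198.51.100.x addresses are documentation ranges), and the IP-range lookup is deliberately context only, since those ranges are shared and the UA itself may be spoofed.

```python
"""Classify access-log lines for tracemyfile-style probing.

Added example (not the thread's or tracemyfile's code). Decision rule:
block on the User-Agent or on the probe pattern in the query string;
cloud-range membership is reported as context but never blocks by itself.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# CIDRs posted in the thread. Shared cloud space: membership is context only.
CLOUD_RANGES = {
    "GOOGLE-CLOUD": ["35.208.0.0/12", "35.224.0.0/12", "35.240.0.0/13",
                     "104.154.0.0/15", "35.192.0.0/12", "35.184.0.0/13"],
    "AWS": ["35.156.0.0/14"],
}
NETWORKS = [(name, ipaddress.ip_network(cidr))
            for name, cidrs in CLOUD_RANGES.items() for cidr in cidrs]

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UA_PATTERN = re.compile(r"tracemyfile/", re.I)
# Spam keyword shape seen in the thread's quoted requests; extend as needed.
SPAM_QUERY = re.compile(r"buy-[a-z]+-no-prescription", re.I)


@dataclass
class Verdict:
    ip: str
    ua_match: bool
    spam_query: bool
    cloud_host: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def block(self) -> bool:
        # UA or probe pattern blocks; a shared cloud range alone does not.
        return self.ua_match or self.spam_query


def cloud_host_for(ip: str) -> Optional[str]:
    """Return the posted range name containing ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for name, net in NETWORKS:
        if addr in net:
            return name
    return None


def classify(line: str) -> Optional[Verdict]:
    """Parse one combined-format line; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"]
    query = path.split("?", 1)[1] if "?" in path else ""
    v = Verdict(
        ip=m["ip"],
        ua_match=bool(UA_PATTERN.search(m["ua"])),
        spam_query=bool(SPAM_QUERY.search(query)),
        cloud_host=cloud_host_for(m["ip"]),
    )
    if v.ua_match:
        v.reasons.append("User-Agent matches tracemyfile")
    if v.spam_query:
        v.reasons.append("pharma keyword in query string")
    if v.cloud_host:
        v.reasons.append(f"source in posted {v.cloud_host} range (context only)")
    return v


def blocked_ips(lines: List[str]) -> set:
    """IPs of all lines whose verdict says block."""
    return {v.ip for v in map(classify, lines) if v is not None and v.block}


# Constructed sample log; addresses mirror those quoted in the thread plus
# two documentation-range addresses for the non-bot traffic.
SAMPLE_LOG = [
    '35.233.74.121 - - [16/May/2018:12:20:00 +0000] "GET /wp-example/?p=4512&buy-ventolin-no-prescription HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; tracemyfile/1.0; +bot@tracemyfile.com)"',
    '104.155.59.234 - - [16/May/2018:16:31:51 +0000] "HEAD /wp-example/wp-content/uploads/2010/06/mcD-shrek-glasses3-150x150.jpg HTTP/1.1" 200 0 "-" "Mozilla/5.0 (compatible; tracemyfile/1.0; +bot@tracemyfile.com)"',
    '203.0.113.7 - - [17/May/2018:09:00:00 +0000] "GET /wp-example/?p=4512&buy-ventolin-no-prescription HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0"',
    '198.51.100.20 - - [17/May/2018:09:05:00 +0000] "GET /wp-example/2012/09/12/motorcycle-traffic-riding-error/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Macintosh) Safari/605"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        v = classify(line)
        print(v.ip, "BLOCK" if v.block else "allow", "; ".join(v.reasons))
```

Running it lists the two tracemyfile hits and the spoofed-UA probe as blockable while the ordinary Safari request passes, and shows the cloud-range tag only as a reason string, which is the point keyplyr makes: the UA is the handle to block on, the range is just where the request happened to come from.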

keyplyr

4:13 am on Jul 28, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Also coming from...

Host: AWS
35.156.0.0 - 35.159.255.255
35.156.0.0/14

lucy24

5:14 am on Jul 28, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I once saw them from
35.187.1
in fact, looks like it was about a week before the post that opened this thread. All they requested was / root, though. Shrug.

:: detour to look up ::

Oops, I haven't been keeping up. That's Google Cloud now (35.184.0.0/13 and adjoining regions), but I'd still got it labeled as Merit (the company that originally owned all of 35).

Edit: While looking up the headers--not abysmal, but enough to get them 403d--I noticed something else. Shortly before this lone tracemyfile request, there was a robots.txt request from
Mozilla/5.0 (compatible; eright/1.0; +bot@eright.com)
using the identical IP. Hmmmmm.