Botnet - Crawler, Spider, and User Agent ID forum at WebmasterWorld - WebmasterWorld

Forum Moderators: open

Message Too Old, No Replies

Botnet

Steven29

4:42 pm on Jul 7, 2018 (gmt 0)

Bad Bots that are all under control from 1 person.

23.228.251.0/24
45.35.132.**
psychz.net

104.148.19.**
globalfrag.com

208.98.5.***
sharktech.net

nexeontech.com

216.93.242.**
216.93.249.4**
twdx.net

162.209.202.*
ceranetworks.com

23.239.142.0/23
rootleveltech.com

50.115.160.***
wowrack.com

209.177.157.**
vr.org

74.221.209.0/24
www.dmehosting.com

webcs.com

23.92.53.0/23
www.supremebytes.com

67.23.228.0/24
hostdime.com

173.233.74.***
turkeyinternet.com

64.187.239.***
quickpacket.com

67.23.166.***
imedion.com

74.80.144.***
ceilley.com

216.126.233.0/24
216.126.229.0/24
servercrate.com

192.184.80.0/24
www.ramnode.com

107.181.148.0/24
syn.ltd.uk

216.15.199.**
cybercon.com

107.160.69.***
psychz.net

76.8.55.0/24
76.8.57.0/24
www.quonix.net

107.155.87.***
inceronetwork.com

209.160.74.0/23
hopone.net

162.223.11.***
vr.org

69.60.120.**
serverpronto.net

206.212.252.**
colostore.com

50.115.116.**
uk2group.com

104.219.19.0/24
.reprisehosting.com

104.251.217.***
nodisto.com

69.162.118.***
limestonenetworks.com

69.195.141.***
69.195.136.**
joesdatacenter.com

23.92.90.**
nodesdirect.com

162.212.255.***
cnservers.com

66.11.121.**
garrisonnetwork.com

67.203.0.***
colocationamerica.com

173.44.188.32/27
208.70.255.128/27
74.80.188.224/27
192.249.58.128/26

quadranet
96.44.144.0/24
96.44.147.0/23
96.44.189.114

- - -

[edited by: keyplyr at 6:12 pm (utc) on Jul 7, 2018]
[edit reason] obscured IP address, general clean-up [/edit]

keyplyr

6:16 pm on Jul 7, 2018 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Hi Steven29, thanks for posting.

These are referred to as botnets. Compromised IPs droned for a specific purpose by one actor.

They are often a mixture of compromised ISP accounts and hosting server accounts, likely unknown to the owners. We generally don't post them because they tend to be a one-time event. The compromised accounts are usually discovered quickly and repaired. The server farm ranges should already be blocked.

Please post ranges, not individual IP addresses.

Steven29

1:59 pm on Jul 8, 2018 (gmt 0)

Hi keyplyr,

You bet! Thank you for making it a new thread so others can see.

These people have been using ip address's like this to bot my website for over a year.

If it continues to happen, I will continue to post them publicly for all to see.

Note: This website is very heavy with Facebook bots (Does anybody know how to submit these ips to Facebook?).

keyplyr

6:12 pm on Jul 8, 2018 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

FB doesn't care. You need to just take care of security on your own end.

Use the info here to block UAs and Server Farm IP ranges and keep diligent watch on your logs. That's the best we can do.

Blocking Methods [webmasterworld.com]

dstiles

10:24 am on Jul 9, 2018 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Steven29 - All the IPs you listed above are listed in my own trap system as Servers, and blocked accordingly. Depending on your web site's traffic pattern, consider doing the same.

Not everyone here blocks server farms, I know, and some server ranges, especially clouds, can also carry some human traffic. Worth a bit of effort finding out, though.

Steven29

1:31 pm on Jul 10, 2018 (gmt 0)

Hi keyplyr,

I check on and have been updating my security block lists for 1 year now. My .htaccess file is over 2,000 lines.

Every single day (usually after a big block like this takes a few days), the bots come back.

They are usually hacked machines like this one: 109.184.16.0/24 (it's a specific ip in this range).

And this one 162.129.251.0/24 (It's a specific ip on this range).

I don't have specifics on all of the ip address from the past, but there is probably some very useful information there (I have blocked ips chains like this 4 or 5 times and ips here and there for months).

<snip>
You are very right, NO BODY CARES! LOL!

- - -

[edited by: keyplyr at 6:39 pm (utc) on Jul 10, 2018]
[edit reason] Please, no sharing any block list [/edit]

Steven29

2:06 pm on Jul 10, 2018 (gmt 0)

"especially clouds, can also carry some human traffic. Worth a bit of effort finding out, though.".

I have yet to see "human traffic" on the cloud, the problem with the Cloud's is their ip address's will change.

For the clouds, I have them all added to a list and restrict access using a few different ways to determine if they are a legitimate bot.

The hardest part is finding all of the ip ranges. Here is my list, just in-case anybody wants it: <snip>

P.s. This is not just happening to ME, it's to my entire niche (at least 5 others I know of and have reached out to - they are not capable of blocking this stuff but have confirmed they are trying and I attempt to give them updates every few weeks).

- - -

[edited by: keyplyr at 6:38 pm (utc) on Jul 10, 2018]
[edit reason] Please, no sharing any block list [/edit]

keyplyr

6:32 pm on Jul 10, 2018 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Yes, this is what we discuss in this forum. Do some reading.

Please use the Site Search in the upper-right corner of the page to check if this has been discussed *before* you post IP ranges or User Agent reports.

Also, we do not promote or share "Block Lists." What may be deemed malicious at one site could be beneficial at another site.

As such, we only document information here and let each webmaster decide what to do with that information.