Thursday, July 16, 2009

More PHP Hacker Traffic

We're seeing some hacker traffic from this network attempting to access this URL:


CustName: Alwatan Newspaper
Address: Unknown
City: Muscat
StateProv: Oman
Country: OM
RegDate: 2008-07-10
Updated: 2008-07-10

NetRange: -
NetName: D393-ENG01-216-7-173-16-28
NetHandle: NET-216-7-173-16-1
Parent: NET-216-7-160-0-1
NetType: Reassigned
RegDate: 2008-07-10
Updated: 2008-07-10

OrgAbuseHandle: DAM96-ARIN
OrgAbuseName: Data393 Abuse Manager
OrgAbusePhone: +1-303-268-1500

OrgNOCName: Data393 Network Operations Center
OrgNOCPhone: +1-303-268-1500

OrgTechHandle: IPADM77-ARIN
OrgTechName: IP Administration
OrgTechPhone: +1-303-268-1500


Getting hit with a CFNetwork user agent from this IP:

Address: LEVEL A
StateProv: GA
PostalCode: 30309
Country: US

NetRange: -

Seems to be a lot of odd traffic coming out of Atlanta networks lately.

Wednesday, July 15, 2009

Followsite on softlayer - misbehaving

Followsite bot hit our server over 70 times and appears not to be following robots.txt.

Came from this IP:

SoftLayer Technologies Inc. SOFTLAYER-4-4 (NET-74-86-0-0-1) -
ASX Networks ApS NET-74-86-223-40 (NET-74-86-223-40-1) -

Wowrack - unidentified traffic

Web servers in this network appear to be trying to hit our server: 208-115-111-240-SLASH28 (NET-208-115-111-240-1) - WOW-ARIN-NET2 (NET-208-115-96-0-1) -

Internode - Excessive traffic

We're getting excessive traffic from this IP range:

inetnum: -
descr: Internode
descr: Internet Service Provider
descr: Adelaide, South Australia,
descr: Australia
country: AU

hacker - phpadmin

A hacker attempting to access phpadmin hit our server using Perl from multiple networks.

URL contained:


User agent: libwww-perl/5.811

IP #1:


OrgName: Global Net Access, LLC
Address: 1100 White St SW
City: Atlanta
StateProv: GA
PostalCode: 30310
Country: US

ReferralServer: rwhois://

NetRange: -
OriginAS: AS3595, AS16626
NetHandle: NET-207-210-64-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.GNAX.NET
NameServer: DNS2.GNAX.NET
NameServer: NS1.GNAX.NET
NameServer: NS2.GNAX.NET
Comment: ********************************************
Comment: Reassignment information for this block is
Comment: available at port 4321
Comment: ********************************************
RegDate: 2005-04-12
Updated: 2007-06-01

RAbuseHandle: ABUSE745-ARIN
RAbusePhone: +1-404-230-9150

RNOCPhone: +1-404-230-9150

RTechHandle: ENGIN7-ARIN
RTechPhone: +1-404-230-9150

OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName: GNAX ABUSE
OrgAbusePhone: +1-404-230-9150

OrgNOCPhone: +1-404-230-9150

OrgTechHandle: ENGIN7-ARIN
OrgTechPhone: +1-404-230-9150

IP #2:

inetnum: -
netname: JF-NETWORK
descr: JFNetwork
descr: 97346 Iphofen
country: DE
admin-c: JF113-RIPE
tech-c: GT-RIPE
status: ASSIGNED PA
source: RIPE # Filtered

person: Jochen Freier
address: Ritterstr. 11-17
address: 97318 Kitzingen
address: DE
phone: +49 9321 9297990
nic-hdl: JF113-RIPE
source: RIPE # Filtered

person: Thorsten Grosse
address: IP Exchange GmbH
address: Am Tower 5
address: 90475 Nuernberg
address: DE
phone: +49 911 30950 000
nic-hdl: GT-RIPE
source: RIPE # Filtered

% Information related to ''

descr: IP Exchange GmbH
origin: AS15598
source: RIPE # Filtered

Sunday, July 12, 2009

123people dot com is stealing content

The 123people dot com site is stealing and reposting personal information from social networks like Myspace,,, Amazon (people's wish lists) and zoominfo.

In addition to scraping sites and posting photos, links and personal data that is not publicly available on these social networking sites, 123people is posting completely bogus data about people including false addresses and fake information.

Facebook has been kind enough to get scraped content and photos from their web site removed from this site. Other social networks like MySpace, Linkedin, Google, Amazon and ZoomInfo have been contacted to do the same by users.

This company 123People has been contacted to remove various profiles but is apparently not doing this so far.

Saturday, July 11, 2009

.Net Framework hitting sites

An IP from this network is hitting our site with .NET Framework/2.0:

OrgName: University of Houston
Address: Information Technology
Address: Computing & Telecommunication Services
Address: 4213 Elgin Blvd
City: Houston
StateProv: TX
PostalCode: 77204-1010
Country: US

NetRange: -


Hit with a bot called lwp-trivial/1.41 from this IP: - a university in California:

OrgName: University of California, Santa Cruz
Address: University of California, Santa Cruz
Address: UCSC Information Technology Services
Address: Communications Building
Address: 1156 High Street
City: Santa Cruz
StateProv: CA
PostalCode: 95064
Country: US

NetRange: -

Dragonfly User Agent

A user agent identifying itself as Dragonfly hit our site; it appears to be related to some type of open source content management system.

The hit appears to be coming from:

Enmax Envision Inc. ENMAXENV-BLOCK2 (NET-72-29-224-0-1) -
PlayStarMusic Corporation ENV-PM-72-29-233-160 (NET-72-29-233-160-1) -

Friday, July 10, 2009

Amazon Cloud Traffic

Once again someone on the Amazon cloud network is trying to access our sites in programmatic ways:

OrgName:, Inc.
Address: Amazon Web Services, Elastic Compute Cloud, EC2
Address: 1200 12th Avenue South
City: Seattle
StateProv: WA
PostalCode: 98144
Country: US

NetRange: -

A2 hosting - PHP Client

Someone or something at A2 hosting attempted to access our sites using some sort of PHP client:

Internet 123, Inc. INTERNET-BLK-I123-3 (NET-69-39-64-0-1) -
A2 Hosting, Inc. I123-069039089000-032004 (NET-69-39-89-0-1) -

Hopefully Internet 123, Inc. and/or A2 Hosting, Inc. will take a look at this and do something about it.

The offending IP: tried to access our sites with two different versions of PHP.

MCI / Proxy IT - bad traffic

Someone in this proxy IP range attempted to hit our sites with Python at 7/5/2009 10:46:19 PM.

MCI Communications Services, Inc. d/b/a Verizon Business UUNET65 (NET-65-192-0-0-1) -
Proxy IT UU-65-200-199-D6 (NET-65-200-199-0-1) -

MCI should really do something about this because clearly someone is using this proxy to attempt to do their dirty work.

Bot out of University of Toronto

BlogScope bot hit our sites from the University of Toronto.

OrgName: University of Toronto
Address: Computing and Networking Services
StateProv: ON
PostalCode: M5S-1C1
Country: CA

NetRange: -

University Santa Cruz - WGet hackers

Someone at the University of Santa Cruz is attempting to access our sites using WGET from this IP at 7/7/2009 7:53:48 PM.

OrgName: University of California, Santa Cruz
Address: University of California, Santa Cruz
Address: UCSC Information Technology Services
Address: Communications Building
Address: 1156 High Street
City: Santa Cruz
StateProv: CA
PostalCode: 95064
Country: US

NetRange: -

Colin-Miller - hitting our sites with Java

Someone at Colin Miller in San Francisco, California is attempting to access our sites with some type of Java client.

Comcast Business Communications, Inc. CBC-SFBA-13 (NET-173-11-64-0-1) -
Comcast Business Communications, Inc. CBC-CM-4 (NET-173-8-0-0-1) -
Colin Miller-San Francisco-CA-18 COLIN-MILLER-SAN-FRANCISCO-CA-18 (NET-173-11-77-96-1) -

Programmatic traffic from eNet / XLHost

Getting clearly programmatic traffic from this network:

eNET Inc. ENET-XLHOST-2 (NET-173-45-64-0-1) -
Inc XLHOST-OOFFER3-4941 (NET-173-45-84-80-1) -

Managed Solutions Group - Malware

Someone attempted to get at our web server using a Java software client of some kind from this IP:

This IP belongs to "Managed Solutions Group" in California:

OrgName: Managed Solutions Group, Inc.
OrgID: MSG-48
Address: 45535 Northport Loop East
City: Fremont
StateProv: CA
PostalCode: 94538
Country: US

ReferralServer: rwhois://

NetRange: -

Twiceler - still doesn't obey robots.txt

Getting tons of hits from the Twiceler bot, which is still not obeying the robots.txt file. The hits are quite excessive.

Some of the IPs:
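A defender-side check for the robots.txt complaints in these posts (Followsite, Twiceler) and for the scripted clients reported across them: this is an added example, not code from this blog. The log lines, robots.txt and addresses are constructed, and the user-agent signature list covers only agents named on this page.

```python
"""Flag crawlers that ignore robots.txt and tally scripted clients from access-log lines."""
import re
from collections import Counter
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: Twiceler is excluded from the whole site and every
# crawler is kept out of /private/.
ROBOTS_TXT = """User-agent: Twiceler
Disallow: /

User-agent: *
Disallow: /private/
"""

# Constructed Apache combined-format lines (RFC 5737 test addresses, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jul/2009:10:46:19 -0500] "GET /private/list.php HTTP/1.1" 200 512 "-" "Twiceler-0.9"
192.0.2.10 - - [10/Jul/2009:10:46:20 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Twiceler-0.9"
198.51.100.7 - - [15/Jul/2009:08:01:00 -0500] "GET /private/admin.php HTTP/1.1" 403 200 "-" "Followsite Bot 1.0"
203.0.113.5 - - [15/Jul/2009:08:02:00 -0500] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
203.0.113.9 - - [16/Jul/2009:09:00:00 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 150 "-" "libwww-perl/5.811"
"""

# Programmatic client signatures mentioned in these posts (prefix match on the UA).
SCRIPTED_AGENTS = ("libwww-perl", "lwp-trivial", "CFNetwork", "Wget", "Java",
                   ".NET Framework", "Python", "PHP")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_log(text):
    """Return one dict per line that matches the combined log format."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def robots_violations(records, robots_txt):
    """Requests whose user agent fetched a path robots.txt disallows for that agent."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())  # stdlib parser does the User-agent matching
    return [(r["ip"], r["ua"], r["path"]) for r in records
            if not rp.can_fetch(r["ua"], r["path"])]

def scripted_agents(records, signatures=SCRIPTED_AGENTS):
    """Count hits per (ip, user agent) for the scripted clients in the signature list."""
    hits = Counter()
    for r in records:
        if any(r["ua"].lower().startswith(sig.lower()) for sig in signatures):
            hits[(r["ip"], r["ua"])] += 1
    return hits

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, ua, path in robots_violations(recs, ROBOTS_TXT):
        print(f"robots.txt violation: {ip} {ua!r} fetched {path}")
    for (ip, ua), n in scripted_agents(recs).items():
        print(f"scripted client: {ip} {ua!r} x{n}")
```

Feeding a real access log through `parse_log` and a site's own robots.txt through `robots_violations` gives the per-IP evidence to attach to an abuse report like the ones above.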

Tuesday, July 07, 2009

Problem with MS Terminal Services / VPN

There is a problem with Terminal Services from Microsoft and/or Cisco's VPN product. When I am using the Cisco client and VPN with Terminal Services and my connection gets disrupted in some way while I am connected to my server, first of all I cannot reconnect to the VPN. Somehow the VPN/firewall thinks I am still connected, perhaps, or maybe the services on my machine get corrupted in some way and cause this problem.

The second problem is that after a reboot (potentially restarting some services would also resolve this) and I reconnect to my VPN, Microsoft Terminal Services on the computer to which I was connected says all the Terminal Service sessions are in use and I cannot get back into my box. This is a potential security problem if someone else was able to connect to that particular session. It doesn't make any sense that I would show as still being connected because one particular account is supposed to terminate on disconnect or log out and so I should be able to get back in on that account after the network disruption.

On the flip side, I've had a problem where a particular account using Terminal Services is NOT supposed to shut down on disconnect, and when I get booted off the VPN via a network disruption, that account would shut down even when in theory it should not. It seems like maybe that problem was fixed but a new problem has arisen as a result of whatever changed.

Friday, July 03, 2009

Service Provider Corporation

If you've seen Service Provider Corporation IP addresses in your logs and then tried to find information about the company you'll end up here:

OrgName: Service Provider Corporation
OrgID: SPC-10
Address: 442 Route 202-206 North
Address: # 485
City: Bedminster
StateProv: NJ
PostalCode: 07921-0523
Country: US

NetRange: -
NetHandle: NET-166-128-0-0-1

This is an organization that allocates IP addresses to various wireless providers. Presumably some odd traffic on our server is from AT&T since the user agent appears to be iPhones. However, the iPhones are acting a little strange and using a lot of different IP addresses for what appears to be the same web request. I could be wrong. We'll have to dig into this a bit more...

The other problem with this organization is that it actually hides the true source of the traffic in some cases. Someone on this network actually hacked into my web mail provider one time and apparently was reading my email. This organization states on their web site on a page that is not search engine friendly:

The WDSPCo NIC administers and maintains the IP address blocks that are leased from ARIN. The NIC assigns IP address blocks to WDSPCo members on request in accordance to the WDSPCo IP Management rules and the ARIN IP rules.

The NIC is also responsible for the WDSPCo DNS server. The NIC maintains the server. They also update with member server information for the reverse DNS lookup table for the leased IP blocks. When requesting a new block of IP addresses, members can supply their DNS server names so that the NIC can assign those server names to the IP block on the DNS server at the time of allocation. IP blocks can be leased without DNS server assignments.

The problem here is that some of the traffic coming from this IP range appears to be under the cover of this organization's name and you cannot truly report the source of the bad traffic to the company from whence it came if the IPs have been leased to someone else and not appropriately identified. In my opinion this organization should be forced by law to list both their name AND the name of the wireless company that is sending traffic to your sites.

Thursday, July 02, 2009

123People - illegal scraping and reposting of content

123people is illegally scraping and reposting content from other web sites.

This particular site has posted information on their web site posted privately on social networks.

When you contact a web site that has posted information about you and you want it taken down, the professional thing to do would be to remove it.

Here is the information from the 123People web site - again, don't pay them to take down things you didn't authorize them to post.

I would be concerned that contacting reputation services would only exacerbate the problems.

These companies should be held accountable for their actions.

There needs to be a better solution to this situation:

How do I delete the search results on the 123people?

123people refers to information originating from the other publicly available websites on the Internet. All we do is provide the viewing of the real time search results available on the Internet in a clear and well-arranged way.

If you want to edit or to delete information, there are two possibilities:

1. Contact the original source
If you want to delete the contents, please contact directly the original source of the information. You can find the source by clicking on the small icon to the left of all displayed results. Your support team will take care of your request voluntarily and free of charge.

2. Professional Services
There are services that take care of their customers online. We have selected a few of those services that you can use. Please contact one of the services of your choice directly for further information.

Indication: 123people accesses data that have been found on other websites by classical search engines such as Yahoo. Search engines save the found information for a certain period of time. These search engines do not explore all websites at the same time – that depends on how often the content on the website is updated, amongst other things – so it might take some time (sometimes even months) until certain content has disappeared from the search results of big search engines. The information may appear on the site of 123people even if the source of the information has already been deleted.

The web site as well as are independent companies who offer their services for free and do not stand in any form of cooperation with 123people.