Jan 29, 2008

Some type of botnet using libwww-perl/5.xxx

This all looks to be related; it all showed up at the same time.
Looks to be a botnet.
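The reasoning here (one blacklisted agent family arriving from many unrelated hosts within minutes) can be checked mechanically. The following is an added example, not code from the original post or from Bad Behavior: it groups blocked-request lines by User-Agent family and reports the window holding the most distinct source IPs. The field layout (IP, tag, bracketed timestamp, reverse DNS, reason, agent, trailing "-"), the 5-minute window, the threshold of 4 sources and every sample line are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (documentation-range IPs, invented hostnames).
SAMPLE_LOG = """\
192.0.2.10,BB2,[01-29-2008-16:01:24],a.example,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
198.51.100.7,BB2,[01-29-2008-16:01:28],b.example,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
203.0.113.5,BB2,[01-29-2008-16:01:43],c.example,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
192.0.2.44,BB2,[01-29-2008-16:01:45],-,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
198.51.100.90,BB2,[01-29-2008-16:03:45],d.example,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
192.0.2.10,BB2,[01-29-2008-16:05:06],a.example,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
203.0.113.77,BB2,[01-29-2008-16:40:00],e.example,403 Required header 'Accept' missing,ExampleFetcher/1.0,-
"""

def parse_line(line):
    """Return (timestamp, ip, user_agent) from one log line."""
    fields = line.strip().split(",")
    when = datetime.strptime(fields[2].strip("[]"), "%m-%d-%Y-%H:%M:%S")
    # An agent may contain commas: take everything up to the trailing "-".
    return when, fields[0], ",".join(fields[5:-1])

def agent_family(agent):
    """Drop the version so libwww-perl/5.79 and /5.805 group together."""
    return "(none)" if agent in ("", "-") else agent.split("/", 1)[0].lower()

def find_bursts(log_text, window=timedelta(minutes=5), min_sources=4):
    """Per agent family, the window holding the most distinct source IPs."""
    by_family = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        when, ip, agent = parse_line(line)
        by_family[agent_family(agent)].append((when, ip, agent))
    bursts = {}
    for family, hits in by_family.items():
        hits.sort()
        start, top = 0, min_sources - 1
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            sources = {ip for _, ip, _ in span}
            if len(sources) > top:  # widest window so far for this family
                top = len(sources)
                bursts[family] = {"sources": sources,
                                  "versions": {a for _, _, a in span},
                                  "first": span[0][0], "last": span[-1][0]}
    return bursts

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```

Repeat hits from the same IP do not raise the count, so a single noisy client never looks like a distributed burst; only distinct sources do.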



woriobot heritrix/1.10.0 +http://worio.com) bot

Mozilla/5.0 (compatible; heritrix/1.6.0 +http://www.worio.com/)
137.82.84.97 worio.com

A new bot just showed up claiming another beta test.

This bot is blocked by Bad Behavior for using improper headers.

(edited)
Klaas said...
Could you elaborate on the problem with the headers? I'm eager to fix real and perceived problems with our crawler.


Here is the BB error

bad-behavior 403 Required header 'Accept' missing
Agent: Mozilla/5.0 (compatible; woriobot heritrix/1.10.0 +http://worio.com)
207.23.252.129 worio.com


You're just going to have to test it on a blog using Bad Behavior.

If it were a worthwhile bot I would whitelist it, but since it doesn't do anything yet, why bother? If your project ever gets off the ground, let me know and I will erase this post.

89.253.240.112 justclickme.org

justclickme.org is running a robot from this IP. It sends no user agent. A search on Google shows a lot of spam links being posted using that URL as a redirect to another site.
The web server at that domain serves a canned preset web page.

Agent: -NO AGENT-
89.253.240.112 justclickme.org

IP ban logs


Jan 21, 2008

New proxy server to ban

https://65.110.6.43/ also known as http://proxyweb.net

Add proxyweb.net to the domain ban file and 65.110.6.43 to the IP ban file. Please report any other IPs.

Jan 8, 2008

Shareaza.com domain hijacked

This is not related to robots, but since someone took one of my domains years ago, everyone needs to spread the news. Shareaza, the open source P2P program, has lost its domain name to some pay service. Shareaza has moved to this URL.

The new owners of the domain are pushing some pay software labeled shareazav4.exe; this is not the real Shareaza, which is at this time v2.3.1.0.

See this story here: P2P File Sharing: Shareaza site hijacked