Saturday, May 20, 2006

RED ALERT - Distributed IP Scraper Hosted on Vericenter

Here's a real sneaky scraper using distributed IPs that is using a bot that almost appears designed to fly under my bot blocker's radar. No single IP address accessed enough pages or did anything obnoxious enough to set off any triggers, but the collective accesses set off a proximity alarm and they got nailed anyway.

The scraper is pretending to be Firefox for Linux:

http://www.Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1/

The range of IPs noticed in this scrape attack is as follows:
The host information is as follows:
OrgName: VeriCenter, Inc.
OrgID: VRCT
Address: 757 N Eldridge Parkway
City: Houston
StateProv: TX
PostalCode: 77079
Country: US
NetRange: 65.38.96.0 - 65.38.111.255

Although the attack seems to be centered on the 65.38.102.0/24 block at the Houston datacenter of Vericenter, I think I'm going to completely block Vericenter as it doesn't appear to have any ISP facilities [i.e. NO HUMANS] and see if anything else bounces off the bot blocker from their facilities.
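
The post does not say how its proximity alarm is computed. One way to catch this pattern, shown here as an added example that is not the author's bot blocker, is to count requests per /24 and user agent instead of per address. The thresholds, the function name and the sample hits (documentation-range addresses, placeholder user agents) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

PER_IP_LIMIT = 20     # assumed: requests from one address that would trip a per-IP rule
PER_NET_LIMIT = 40    # assumed: collective requests from one block that raise the alarm
MIN_DISTINCT_IPS = 4  # assumed: how many neighbouring addresses must take part


def proximity_alarms(hits, prefix=24):
    """hits: iterable of (ip, user_agent) pairs, one per page request.

    Groups requests by (network, user agent) so that many quiet addresses
    in the same block are judged together rather than one by one.
    """
    groups = defaultdict(lambda: defaultdict(int))
    for ip, user_agent in hits:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[(net, user_agent)][ip] += 1

    alarms = []
    for (net, user_agent), per_ip in groups.items():
        total = sum(per_ip.values())
        if total > PER_NET_LIMIT and len(per_ip) >= MIN_DISTINCT_IPS:
            alarms.append({
                "network": str(net),
                "user_agent": user_agent,
                "distinct_ips": len(per_ip),
                "requests": total,
                "max_per_ip": max(per_ip.values()),
                # True when no single address would have tripped a per-IP rule
                "under_per_ip_limit": max(per_ip.values()) <= PER_IP_LIMIT,
            })
    return alarms


# Constructed sample traffic: 12 neighbours making 5 requests each, one busy
# single visitor, and two unrelated addresses that share a block.
SAMPLE_HITS = (
    [(f"192.0.2.{h}", "UA-A") for h in range(10, 22) for _ in range(5)]
    + [("198.51.100.7", "UA-B")] * 15
    + [(f"203.0.113.{h}", "UA-C") for h in (5, 9) for _ in range(10)]
)

if __name__ == "__main__":
    for alarm in proximity_alarms(SAMPLE_HITS):
        print(alarm)
```
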

4 comments:

Anonymous said...

That raises an interesting point, Bill. If you blocked all the data centers, like Rackspace and so on, you might clean up a lot of stuff right there.

IncrediBILL said...

That's what I'm thinking too as I weed out dial-up, DSL and cable networks from my proximity alarms. There will obviously be one-off dial-ups in the backwoods here and there but the hosting farms are starting to be much easier to spot as I work through this.

Anonymous said...

Hi Bill,

I was reading your post about Vericenter. For several months I have been seeing Vericenter IPs every day, several times a day. What I was worried about was someone stealing my designs; whoever this is at times stays for over 2 hours at a time. So I wrote to Vericenter and got no reply. I had traced the IP to SpamCop, which gave me a company, Eleven2.com, and they told me the IPs belonged to Vericenter. I tried various scripts to stop these IPs coming to my site but nothing's working. My store is at Cafepress www.cafepress.com/sangritadesigns
Can you tell me of a way to block them, please?

Anonymous said...

Wish I had read your article earlier. This scraper bot just popped up a few minutes ago, grabbing my feed for the first time. It looked suspicious to me because of both its hostname and its outdated Firefox user agent spoof. But now the entire 65.38.102.0/24 CIDR has landed an eternal honour rank on my shitlist ;-)

Olliver