Saturday, June 03, 2006

RED ALERT #5 - Everyones Scraping Internet

There seems to be both legitimate and questionable activity from Everyones Internet so it's been scrutinized a bunch before deciding to issue a warning about this mess.

Basically, to see what was coming out of ev1.net there were a couple of filters installed to see what was coming from them and we got several possible legit bots, some proxy servers, and some wacky crap.

You'll note Chitika listed which is definitely using part of that block:

Everyones Internet EVRY-BLK-15 (NET-67-15-0-0-1)
67.15.0.0 - 67.15.255.255
Chitika, Inc EVRY-398 (NET-67-15-219-0-1)
67.15.219.0 - 67.15.219.63
The linksmanager.com looks possibly legit based on reverse dns (linkchecker02.linksmanager.com), but I think picsearch.com (217.212.245.198) is potentially bogus.

On linksmanager website it says:
LinksManager.com runs an automated Reciprocal Link Checker and Dead Link Checker (User-agent: linksmanager and User-agent: linksmanager_bot ) for all LinksManager customer's web sites. If you are linking with a website that is powered by LinksManager.com, you might see LinksManager.com/linkchecker.html listed in your server log reports.
However, in the log file I see this:
67.15.16.30 Mozilla/5.0 (compatible; LinksManager.com_bot +http://linksmanager.com/linkchecker.html)
So is linksmanager being spoofed, guilty of sloppy outdated documentation or all of the above?

Here's a sample of what I'm seeing:
67.15.0.24
67.15.0.89 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
67.15.119.25 User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
67.15.126.25 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
67.15.136.199 psbot/0.1 (+http://www.picsearch.com/bot.html)
67.15.138.14 PyQuery / 0.1
67.15.14.5
67.15.143.22 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
67.15.16.30 Mozilla/5.0 (compatible; LinksManager.com_bot +http://linksmanager.com/linkchecker.html)
67.15.182.4 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
67.15.184.3 HTTP/1.0
67.15.184.41 HTTP/1.0
67.15.189.16
67.15.191.19
67.15.2.67 WordPress/1.5.2 PHP/4.4.1
67.15.219.10 Chitika ContentHit 1.0
67.15.219.11 Chitika ContentHit 1.0
67.15.219.12 Chitika ContentHit 1.0
67.15.219.14 Chitika ContentHit 1.0
67.15.219.15 Chitika ContentHit 1.0
67.15.219.16 Chitika ContentHit 1.0
67.15.219.17 Chitika ContentHit 1.0
67.15.219.18 Chitika ContentHit 1.0
67.15.219.3 Chitika ContentHit 1.0
67.15.219.9 Chitika ContentHit 1.0
67.15.221.2 ia_archiver
67.15.221.26 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
67.15.232.3 User-Agent: Mozilla/5.0 (; U;; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
67.15.35.26 HTTP/1.0
67.15.38.27 Mozilla/4.0 (compatible ; MSIE 6.0; Windows NT 5.1)
67.15.56.4 Mozilla/5.0 (compatible; LinksManager.com_bot +http://linksmanager.com/linkchecker.html)
67.15.6.64 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
67.15.76.148 Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412.6.2 (KHTML, like Gecko) Safari/412.2.2
67.15.77.119 Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412.6.2 (KHTML, like Gecko) Safari/412.2.2
67.15.77.223 Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412.6.2 (KHTML, like Gecko) Safari/412.2.2
67.15.78.93
67.15.8.2 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
Did you note the various Netscape/7.1's in the list?

That was yours truly using an outdated Netscape browser very few use to spot proxy servers when I'm testing lists of proxies. Some of the smarter ones mask the browser which makes it's a little more difficult, but then I just check a special page that has never been indexed that only I know about so there is NO hiding from my prying eye.

OK, now you know a new trick, are you happy yet?

Anyway, we cranked this small list thru the reverse DNS meat grinder and here's the results:
24.0.15.67.in-addr.arpa name = hu-tethys.com.
89.0.15.67.in-addr.arpa name = cpanel.masgrafx.com.
25.119.15.67.in-addr.arpa name = ev1s-67-15-119-25.ev1servers.net.
25.126.15.67.in-addr.arpa name = ev1s-67-15-126-25.ev1servers.net.
199.136.15.67.in-addr.arpa name = ev1s-67-15-136-199.ev1servers.net.
14.138.15.67.in-addr.arpa name = ev1s-67-15-138-14.ev1servers.net.
5.14.15.67.in-addr.arpa name = ev1s-67-15-14-5.ev1servers.net.
22.143.15.67.in-addr.arpa name = ev1s-67-15-143-22.ev1servers.net.
30.16.15.67.in-addr.arpa name = linkchecker01.linksmanager.com.
4.182.15.67.in-addr.arpa name = ev1s-67-15-182-4.ev1servers.net.
3.184.15.67.in-addr.arpa canonical name = 3.184.15.67.in-addr.ev1.opticaljungle.com.
3.184.15.67.in-addr.ev1.opticaljungle.com name = lhb-us-b-1.mailhostingserver.com.
41.184.15.67.in-addr.arpa canonical name = 41.184.15.67.in-addr.ev1.opticaljungle.com.
41.184.15.67.in-addr.ev1.opticaljungle.com name = lhb-us-b-2.mailhostingserver.com.
16.189.15.67.in-addr.arpa name = jnchost.net.
19.191.15.67.in-addr.arpa name = ev1s-67-15-191-19.ev1servers.net.
67.2.15.67.in-addr.arpa name = ev1s-67-15-2-67.ev1servers.net.
10.219.15.67.in-addr.arpa name = ev1s-67-15-219-10.ev1servers.net.
11.219.15.67.in-addr.arpa name = ev1s-67-15-219-11.ev1servers.net.
12.219.15.67.in-addr.arpa name = ev1s-67-15-219-12.ev1servers.net.
14.219.15.67.in-addr.arpa name = ev1s-67-15-219-14.ev1servers.net.
15.219.15.67.in-addr.arpa name = ev1s-67-15-219-15.ev1servers.net.
16.219.15.67.in-addr.arpa name = ev1s-67-15-219-16.ev1servers.net.
17.219.15.67.in-addr.arpa name = ev1s-67-15-219-17.ev1servers.net.
18.219.15.67.in-addr.arpa name = ev1s-67-15-219-18.ev1servers.net.
3.219.15.67.in-addr.arpa name = ev1s-67-15-219-3.ev1servers.net.
9.219.15.67.in-addr.arpa name = ev1s-67-15-219-9.ev1servers.net.
2.221.15.67.in-addr.arpa name = arcadehub.com.
26.221.15.67.in-addr.arpa name = ev1s-67-15-221-26.ev1servers.net.
3.232.15.67.in-addr.arpa name = assista.com.
26.35.15.67.in-addr.arpa canonical name = 26.35.15.67.in-addr.ev1.opticaljungle.com.
26.35.15.67.in-addr.ev1.opticaljungle.com name = 67-15-35-26.opticaljungle.com.
27.38.15.67.in-addr.arpa name = web.ir.cx.
4.56.15.67.in-addr.arpa name = linkchecker02.linksmanager.com.
64.6.15.67.in-addr.arpa name = ev1s-67-15-6-64.ev1servers.net.
148.76.15.67.in-addr.arpa name = 67.15.76.148.
119.77.15.67.in-addr.arpa name = 67.15.77.119.
223.77.15.67.in-addr.arpa name = 67.15.77.223.
93.78.15.67.in-addr.arpa name = mail.aucoffre.com.
2.8.15.67.in-addr.arpa name = mail.caromhosting.com.
Since it's a mixed bag and I haven't really decided what to do with this mess yet I'm just blocking anything that responds to reverse DNS as ".ev1servers.net" and taking all the other accesses in this range on a case by case basis.

What a freak'n mess, oh my freak'n head...


4 comments:

Anonymous said...

Thought about shooting the info through to EV1?
I know, I know, they probably won't care - but its possible you'd get someone who does?
Although, it is *EV1* :(

Anonymous said...

Why the hell don't you just block all of the EV1 ip addy range.

While you are at it thePlanet has a few as well.

Anonymous said...

I've seen so many hits from 67.15. that I've blocked the entire range.

Ian

Anonymous said...

Just talked with a friend that worked at picsearch, they never scraped through ev1, it's some other person that's impersonating their robot.