Strange Host Names that I Cracked

These host names try hard to evade detection of their IP addresses, in order to scrape content and sometimes break into from web sites. They have specifically scraped mine and so I hunted them down and banished them. Often times the unix host command returns nothing, so research is required. This usually works.

I process my raw access logs pretty regularly and noticed that raw IP addresses were being replaced with host names. This makes it easier to track down certain domains. I was hunting for one of these from Fujian, China, and could not find any info. Others have been complaining for a long time as well, to no avail. Fortunately one of them comment spammed me and Akismet logged its ip address. From this I was able to figure out its coding method and ban the whole family. They recently moved their operation to Guangzhou, China.

These bots are persistent and burn through a huge amount of bandwidth. You need to take care of these. They are also very smart, as it took me a long time to track them down, with a little luck and a lot of dumb persistence.

I still have a list of host names that have evaded my detection. When I find these out, and I will, I’ll post them as well.

for format, the first line is the host name, the second line is their IP address, which you need to ban. Banning their host name root did not even slow them down. –
United Colo –
Adrian Gaido – – –
ALMIX Br – has a hostname that points to but this is fake confirmed because they spammed me, so I have their IP address
Leaseweb Deutschland – is an odd one because it contains no host name. IP is the last 3 and then the first –
netname: FR-OVH


These 2 are reverse IPs, both out of the Czech Republic, but the one out of the US and the single IP (from Cz) is a straight IP, so they use both
Serverel – reverse straight reverse
it is odd that the host name has a .br extent, but IP originates from a range in Texas. They were fishing for security loopholes, resulting in 404s and 403s.
The first 3 octets are reversed, followed by the 4th
The first 3 octets are reversed, then add the last one. Here’s another example: or They also use straight IPs! – Novotelecom
The first octet is 178. Host name points to different ip address, tried to ban but did not work, then researched – HOL
The first number is the fourth octet. – KW Datacenter – KW Datacenter – OVH – KW Datacenter
These are very specific IPs and not very many.

Research: has the ip in hex was mentioned on Malwarebytes and Project Honeypot, so it is best to ban them host lookup gives you, but ths is false. Research shows host lookup gives you, but this is false. Research shows host lookup is, but this is fake. Research shows is posting a fake UA of Googlebot – TZULO WorldStream – TZULO were giving me 404s. Their pattern is 91.191 and reverse 2 octets – AZ-CONNECT host lookup is fake, host lookup, research, banned both host lookup is fake, hext to dec is a content scraper and has only 3 ips to ban – Interserver – Interserver is a content spammer. Pattern: First 2 octets are 212.92.127 followed by the number in the hostname. 212.92.124 seems to be a bunch of tor servers. They are specific in IP. spammed me hex to dec fake host I tried to ban the researched IP but it was already banned, so what!?! I also banned the hostname one. host is fake research host is fake research

This host name can be confusing, but is not Chinese at all. It is from Novotel in Russia. While the 4 octet hostname is straightforward, they also have a 3 octet host name scheme. Simply add 178 before the three octet host name. 5.130.96 created a list of 404s on my site, so I needed to hunt them down. They have unique host names for their servers but no numeric system. – is part of the fix-website Semalt botnet. hex to dec is from Pickering, On, Canada! 404 host has a fake host lookup of, which is Alibaba. Ban There is not much research on this Romanian company. Add 89.43.62 to the hostname octet. fake host name ban fake host name ban fake h r

WideOpenWeb has a funky pattern: first octet = 2, second octet = 1, third octet = 4, fourth octet = 3. They also have a straight pattern, alas without the prepended “d”.

This guy has an odd host name, but since he spammed me he left his IP address.
server-9.private spammed me. Their host lookup is: They do not have many ip ranges.
Research: has a fake host name of, but don’t be fooled. One ban range and you are good. The host name might also include the fourth octet, so append to 176.119.26. and you’ll be good. has a fake host ban fake host name ban

Pattern: 185.8 append the last two octets
Research: has a fake host name so ban In fact directs all its links to the same host name IP. spammed me, so here is the research: spammed me. They were hard to track down. It turns out their names servers were the IPs I was after. ua
University of Oxford spammed me, I believe as a tor exit server, but they are much more.
They changed their host name by a single hyphen. ip is first portion of host name in hex


Research: tor ip is hex after the “c-”

squid.ams3.digitalocean.24 works as a tor exit but has used many other ip addresses. tor

This is a very persistent spammer, but elusive. I now have an observation. host actual is a french nutrition site that really jumps around. Interestingly it seems to use many ISPs, but unique IPs. If they give you trouble try banning the individual IPs. h has a fake host name of, but actual tor address is actually has 3 tor exit servers, so do a 0/24 ban on the last octet. h tor posted to my site,so I tracked them down. There are a bunch of tor exit servers, hosted on Psychz. The other is on Hetzner. h p psychz has a narrow 4 ip range, so easy to ban. h r

For, the last octet is in its host name. The frst three octets are 107.151.155 and are prepended.
prepend 199.87

reverse-dns.chicago also prepends its host name with an ip address, but this one is more obscured. 404 prepends with 81.2, then reverse the 2 host numbers for the last 2 octets h referral spammed me with 1-99seo, but I could not track down an IP. Hmm, but I did find their dns servers:

3g.y.4g –
Digital Ocean is suspiciously short 2016-nov-03 2016-oct-09 2016-sept-22 2016-oct-18 2016-nov-04 2016-sept-30 2016-oct-15 rus6.localhost is doing wierd stuff

RADORE Sayfa Tr – vpn is the host name?!?
SAYFA Tr – vpn vpn vpn 2016-oct-20 2016-nov-01 2016-oct-19 2016-oct-20 2016-oct-09 2016-oct-18 2016-oct-21 2016-nov-16 2016-oct-29 – Bell Canada (LINX) I’m unsure who this is and why they have such a short host name DMOCK0 DMOCEW Minisink Valley High School

Very odd host name for, as if they want to hide something domain.not.configured

Leave a Reply

Your email address will not be published. Required fields are marked *