mx-ll-223.207.161-102.dynamic.3bb.co.th
223.207.0.0 – 223.207.255.255
223.207.161.102
ablest.aphitarf.com
United Colo 66.111.32.0 – 66.111.63.255
66.111.57.5
static.140.208.104.190.cps.com.ar
Adrian Gaido
190.104.192.0 – 190.104.255.255
190.104.208.140
sol-fttb.172.157.118.46.sovam.net.ua
46.118.157.0 – 46.118.157.255
46.118.157.172
75-108-152-180.chstcmtk01.res.dyn.suddenlink.net
75.108.0.0 – 75.111.255.255
75.108.152.180
rev-87-21-12-212.tula.net
TULATEL 212.12.21.0 – 212.12.21.255
212.12.21.87
host75-220-dynamic.233-95-r.retail.telecomitalia.it
95.233.220.75
187-75-55-138.dsl.telesp.net.br
187.74.0.0 – 187.75.255.255
187.75.55.138
177-179-112-189.user.veloxzone.com.br
177.176.0.0 – 177.179.255.255
177.179.112.189
186.red-195-235-56.customer.static.ccgg.telefonica.net
186.56.235.195
host87.181-91-228.telecom.net.ar
181.91.228.87
176.net-94.242.43.kaluga.ru
94.242.43.176
Pattern: 1.net-31.172.193.kaluga.ru 31.172.193.1
248.net-31.172.197.kaluga.ru 31.172.197.248
86.empresarial.almix.com.br.201.87.177.in-addr.arpa
ALMIX Br 177.87.200.0 – 177.87.203.255
177.87.201.86
72.207.204.221.adsl-pool.sx.cn has a hostname that points to 184.105.178.89 but this is fake
221.204.207.72
hosted-by.leaseweb.com confirmed because they spammed me, so I have their IP address
Leaseweb Deutschland
46.165.250.0 – 46.165.251.255
46.165.251.153
182.ip-91-134-143.eu is an odd one because it contains no host name. The IP is the last three numbers followed by the first.
91.134.0.0 – 91.134.255.255
netname: FR-OVH
91.134.143.182
ip96.ip-5-196-58.eu 5.196.58.96
72.ip-5-196-19.eu 5.196.19.72
53.ip-5-196-226.eu 5.196.226.53
ns3268348.ip-37-59-11.eu 37.59.11.49
ns398717.ip-37-59-42.eu 37.59.42.55
3.ip-37-187-247.eu 37.187.247.3
165.ip-51-254-218.eu 51.254.218.165
209.ip-51-255-172.eu 51.255.172.209
ip153.ip-91-134-213.eu 91.134.213.153
ip95.ip-94-23-150.eu 94.23.150.95
141.ip-137-74-197.eu 137.74.197.141
ns3019188.ip-149-202-82.eu 149.202.82.128
97.ip-151-80-158.eu 151.80.158.97
193.ip-164-132-106.eu 164.132.106.193
197.ip-167-114-241.eu 167.114.241.197
3.ip-167-114-250.eu 167.114.250.3
ns3436678.ip-176-31-236.eu 176.31.236.208
srv98.dedicated.server-hosting.expert 89.163.135.98
mx4.pslit01.com 46.183.216.180
Observed:
tqzhj.host1dns.com 5.231.76.86
neydj.host1dns.com 94.249.172.127
Researched:
ziswa.host1dns.com 5.175.158.0
qnoto.host1dns.com 5.175.180.0
usrga.host1dns.com 5.175.183.1
uskhv.host1dns 5.175.183.126
asrlh.host1dns 5.175.183.176
foerx.host1dns.com 5.175.189.149
uvljb.host1dns.com 5.175.201.73
bfcwi.host1dns.com 5.175.203.16
rqzzy.host1dns.com 5.231.4.57
aguip.host1dns.com 5.231.9.68
ihdkz.host1dns.com 5.231.9.158
mswdq.host1dns.com 5.231.75.127
tjbrw.host1dns.com 5.231.75.207
tqzhj.host1dns.com 5.231.76.86
ojczs.host1dns.com 5.231.76.185
alvxm.host1dns.com 5.231.77.113
xamab.host1dns.com 179.61.200.175
rhofa.host1dns.com 179.61.200.60
aassn.host1dns.com 179.61.201.68
dpzue.host1dns.com 191.101.54.0
wfdss.host1dns.com 191.101.54.110
mezwl.host1dns.com 191.101.55.30
aassn.host1dns.com 191.101.55.68
ygbnz.host1dns.com 191.101.55.136
doevx.host1dns.com 191.101.55.162
juuwy.host1dns.com 191.101.55.178
csken.host1dns.com 191.101.61.0
lraum.host1dns.com 191.101.124.230
csowr.host1dns.com 191.101.124.63
moimo.host1dns.com 191.101.124.87
pfxuw.host1dns.com 94.249.128.0
neydj.host1dns.com 94.249.172.127
xxpda.host1dns.com 94.249.175.204
retrd.host1dns.com 94.249.183.66
pndna.host1dns.com 94.249.212.181
cqzws.host1dns.com 94.249.212.185
kpdwb.host1dns.com 94.249.240.146
vubcg.host1dns.com 94.249.244.23
213.166.120.146.serverel.net
26.166.120.146.serverel.net
These 2 are reverse IPs, both out of the Czech Republic, but the one out of the US and the single IP (from Cz) is a straight IP, so they use both
31.148.246.222
Serverel 95.47.138.0 – 95.47.138.255
95.47.138.139.serverel.net
95.47.138.139
133.158.120.146.serverel.net reverse
31.132.79.44.serverel.net straight
170.166.120.146.serverel.net reverse
gj-16-036.bta.net.cn 202.106.16.36
srv50.prodns.com.br 192.185.176.199
WEBSITEWELCOME Texas 192.185.0.0 – 192.185.255.255
It is odd that the host name has a .br extension, but the IP originates from a range in Texas. They were fishing for security loopholes, resulting in 404s and 403s.
169.171.206.183.static.js.chinamobile
183.206.171.169
net9.186.188-146.tmn.ertelecom.ru 188.186.9.146
The first 3 octets are reversed, followed by the 4th
203-184-105-203.north.dsl.telkomsa.net
105.184.203.203
The first 3 octets are reversed, then add the last one. Here’s another example: 105.184.140.228 or 140-184-105-228.north.dsl.telkomsa.net. They also use straight IPs!
178.49.121.0 – 178.49.121.255 Novotelecom
l49-121-113.cn.ru 178.49.121.113
l49-154-65.cn.ru 178.49.154.65
The first octet is 178.
l49-121-113.cn.ru 178.49.121.113
server18.midiaon.net 189.84.21.44
production.ap.3393bc.boostgram.com 159.203.202.54
tor-exit.bng.pw 159.203.15.136 Host name points to different ip address, tried to ban but did not work, then researched
remembertoday.co.ke 45.55.212.127
ppp005055183046.access.hol.gr 5.55.183.46
5.55.0.0 – 5.55.255.255 HOL
viborgDHCP-54.64-179-175.knology.net 64.179.175.54
viborgDHCP-187.64-179-173.knology.net 64.179.173.187
adrianDHCP-138.216-254-253.knology.net 216.254.253.138
The first number is the fourth octet.
saturn.m3l.io 104.233.114.80 104.233.64.0 – 104.233.127.255 KW Datacenter
saturn.m3l.io 104.233.114.11
jupiter.m3l.io 104.167.117.75 104.167.96.0 – 104.167.127.255 KW Datacenter
jupiter.m3l.io 158.69.201.128 158.69.0.0 – 158.69.255.255 OVH
mars.m3l.io 158.69.201.229
phobos.m3l.io 167.88.44.52 167.88.32.0 – 167.88.47.255 KW Datacenter
These are very specific IPs and not very many.
70-173.users.icservice.net.ua 193.34.173.70
spcr-0.correiopromocional.com.br 173.208.202.154
Observed:
node-d79.pool-180-180.dynamic.totbb.net
Research:
node-1cif.pool-101-108.dynamic.totbb.net 101.108.245.151
node-fxr.pool-180-180.dynamic.totbb.net 180.180.80.175
node-io6.pool-180-180.dynamic.totbb.net 180.180.94.134
node-kyv.pool-180-180.dynamic.totbb.net 180.180.106.39
node-lxd.pool-180-180.dynamic.totbb.net 180.180.111.0
node-1135.pool-180-180.dynamic.totbb.net 180.180.187.193
sxx.pool-180-180.dynamic.totbb.net 180.180.146.133
ool-44c146bc.dyn.optonline.net 68.193.70.188
Optonline.net has the IP in hex.
d.c.b.a-nia.romaninternet.com was mentioned on Malwarebytes and Project Honeypot, so it is best to ban them
D.C.B.A-nia.romaninternet.com 93.115.83.243
d.c.b.a-nia.romaninternet.com 93.115.83.244
D.C.B.A-nia.romaninternet.com 93.115.83.253
D.C.B.A-nia.romaninternet.com 93.115.84.202
D.C.B.A-nia.romaninternet.com 93.115.84.122
D.C.B.A-nia.romaninternet.com 93.115.84.124
D.C.B.A-nia.romaninternet.com 5.254.100.67
d.c.b.a-nia.romaninternet.com 198.12.15.174
187.44.114.93-nia.romaninternet.com 93.114.44.187
li929-6.members.linode.com 45.56.79.6
node6.tor-exit-node.com host lookup gives you 8.5.1.46, but this is false. Research shows 37.48.109.107
tor-exit.bungeetaco.com host lookup gives you 104.28.13.114, but this is false. Research shows 159.203.11.12
leadersandcoaches.com host lookup is 67.227.69.245, but this is fake. Research shows 78.135.115.145
srv.pixelbender3d.com is posting a fake UA of Googlebot
68.235.60.187 68.235.32.0 – 68.235.63.255 68.235.32.0/19 TZULO
93.190.138.196 93.190.138.0/24 WorldStream
208.77.18.131 208.77.16.0 – 208.77.23.255 208.77.16.0/21 TZULO
208.77.18.144
dsl138-200-baku-az.connect.az were giving me 404s. Their pattern is 91.191 and reverse 2 octets 91.191.197.0 – 91.191.207.255 AZ-CONNECT
dsl154-206-Baku-AZ.connect.az 91.191.206.154
dsl66-206-Baku-AZ.connect.az 91.191.206.66
dsl139-207-Baku-AZ.connect.az 91.191.207.139
dsl53-109-237-122.connect.az 109.237.122.53
server.casalpopular.cat host lookup 37.187.103.7 is fake, 167.88.40.130
host-200-176.junet.se 185.16.200.176
270038.soborka.net 94.158.149.132
tor-exit-relay.anonymizing-proxy.digitalcourage.de host lookup 31.185.104.19, research 185.10.71.107, banned both
sahtuba.ru host lookup 78.24.223.139 is fake, 94.233.55.106
ip4da8bf54.direct-adsl.nl 77.169.191.84 hex to dec
mail.jasiweb2.com is a content scraper and has only 3 ips to ban
69.10.52.0 69.10.32.0 – 69.10.63.255 69.10.32.0/19 Interserver
69.10.52.178
69.10.52.181
216.158.233.0 216.158.224.0 – 216.158.239.255 216.158.224.0/20 Interserver
216.158.233.117
216.158.238.119
216.158.238.123
mxd87.amrepla.eu is a content spammer. 212.92.127.87 Pattern: the address starts with 212.92.127, followed by the number in the hostname.
mxa1.amrepla.eu 212.92.124
mxd30.amrepla.eu 212.92.127.30
mxd107.amrepla.eu 212.92.127.107
mxb5.amrepla.eu 212.92.125.5
mxd49.amrepla.eu 212.92.127.49
blahz.info seems to be a bunch of tor servers. They are specific in IP.
jupiter.blahz.info spammed me
45.62.235.96
45.62.246.184
162.248.160.144
minos.blahz.info 167.88.46.205
minos.blahz.info 162.248.160.144
minos.blahz.info 104.233.124.244
ceres.blahz.info 45.62.251.146
blog.blahz.info 50.116.9.75
apollo.blahz.info 74.207.254.236
intelnet.net.gt
77.148.static.intelnet.net.gt 216.230.148.77
ool-18b802ec.dyn.optonline.net 24.184.2.236 hex to dec
torrelay1.tomhek.net fake host 163.172.211.135 195.154.8.111. I tried to ban the researched IP but it was already banned, so what!?! I also banned the hostname one.
host213.net17.clients.redcom.ru 212.19.17.213
srv98.dedicated.server-hosting.expert 89.163.135.98
exit.leblibrary.com host 198.57.216.20 is fake research 173.14.173.227
server1.peach-hosting.com host 98.124.243.32 is fake research 216.17.99.183
This .cn.ru host name can be confusing, but is not Chinese at all. It is from Novotel in Russia. While the 4 octet hostname is straightforward, they also have a 3 octet host name scheme. Simply add 178 before the three octet host name.
l5-128-36-96.cn.ru
l5-130-34-96.cn.ru 5.130.34.96.cn.ru
l5-130-96-1.cn.ru 5.130.96
l49-96-36.cn.ru 178.49.96.36
l49-202-96.cn.ru 178.49.202.96
l49-242-96.cn.ru 178.49.242.96
l49-154-96.cn.ru 178.49.154.96
l49-132-85.cn.ru 178.49.132.85
l49-154-96.cn.ru 178.49.154.96
l49-96-229.cn.ru 178.49.96.229
l49-96-195.cn.ru 178.49.96.195
l49-154-146.cn.ru 178.49.154.146
zem.dreamhost.com created a list of 404s on my site, so I needed to hunt them down. They have unique host names for their servers but no numeric system.
173.236.154.220 apache2-sith.zem.dreamhost.com 173.236.128.0 – 173.236.255.255 173.236.128.0/17
173.236.154.156 apache2-linus.zem.dreamhost.com
173.236.155.235 apache2-kant.zem.dreamhost.com
173.236.155.98 apache2-pat.zem.dreamhost.com
173.236.155.10 apache2-noxim.zem.dreamhost.com
173.236.156.129 apache2-twiddle.zem.dreamhost.com
173.236.158.107 apache2-fritz.zem.dreamhost.com
173.236.158.110 apache2-argon.zem.dreamhost.com
173.236.158.112 apache2-emu.zem.dreamhost.com
173.236.158.113 apache2-dap.zem.dreamhost.com
173.236.158.114 apache2-cabo.zem.dreamhost.com
173.236.158.122 apache2-igloo.zem.dreamhost.com
173.236.158.123 apache2-jolly.zem.dreamhost.com
173.236.158.124 apache2-heavy.zem.dreamhost.com
tlc.httpint.globe.com.ph is part of the fix-website Semalt botnet.
dsl-olubrasgw1-50dd9f-67.dhcp.inet.fi 80.221.159.103 hex to dec
edge04.simnet.ca is from Pickering, On, Canada!
64.90.97.85 404
web01.simnet.ca 64.90.98.99
Email01.simnet.ca 64.90.96.55
nsa.simnet.ca 64.90.98.99
server.cmwu.net host has a fake host lookup of 47.88.3.233, which is Alibaba. Ban 65.181.118.10
11.hostingfuze.net There is not much research on this Romanian company. Add 89.43.62 to the hostname octet.
11.hostingfuze.net 89.43.62.11
20.hostingfuze.net 89.43.62.20
211.fr.hostingfuze.net 195.154.217.211
wolf.hostingfuze.net 89.43.62.250
vps-53-fr.hostingfuze.net 46.105.137.53
196-196-94-108.cable-amsterdam.broadbands.nl fake host name 184.168.221.57 ban 196.196.94.108
165-231-99-41.cable-amsterdam.broadbands.nl fake host name 184.168.221.57 ban 165.231.99.41
165-231-101-50.cable-amsterdam.broadbands.nl 165.231.101.50
165-231-96-244.ams.broadbands.nl fake h 184.168.221.57 r 165.231.96.244
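WideOpenWest has a funky pattern: the IP's first octet is the hostname's second number, the second octet is the first number, the third octet is the fourth number, and the fourth octet is the third number. They also have a straight pattern, alas without the prepended “d”.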
d4-50-85-231.evv.wideopenwest.com 50.4.231.85
d192-24-173-79.col.wideopenwest.com 24.192.79.173
d179-68-103-149.evv.wideopenwest.com 68.179.149.103
d14-69-198-75.try.wideopenwest.com 69.14.75.198
d4-50-1-124.nap.wideopenwest.com 50.4.124.1
d118-75-1-92.nap.wideopenwest.com 75.118.92.1
d118-75-1-87.nap.wideopenwest.com 75.118.87.1
d27-96-1-35.nap.wideopenwest.com 96.27.35.1
d14-69-78-248.try.wideopenwest.com. 69.14.248.78
64-233-245-236.static.col.wideopenwest.com 64.233.245.236
This guy has an odd host name, but since he spammed me he left his IP address.
server-9.private 192.241.137.90
server.questerhost.in spammed me. Their host lookup is: 199.231.189.251. They do not have many ip ranges.
Research:
64.20.37.182
162.216.113.18
162.220.165.203
199.231.189.2
199.231.189.212
199.231.189.216
199.231.189.250
no-rdns.lalabhola.win has a fake host name of 69.172.201.218, but don’t be fooled. One ban range and you are good. The host name might also include the fourth octet, so append to 176.119.26. and you’ll be good.
no-rdns.host-177.lalabhola.win 176.119.26.177
no-rdns.host-188.lalabhola.win 176.119.26.188
no-rdns.host-192.lalabhola.win 176.119.26.192
no-rdns.host-195.lalabhola.win 176.119.26.195
no-rdns.host-198.lalabhola.win 176.119.26.198
no-rdns.host-201.lalabhola.win 176.119.26.201
no-rdns.host-203.lalabhola.win 176.119.26.203
no-rdns.host-204.lalabhola.win 176.119.26.204
no-rdns.host-207.lalabhola.win 176.119.26.207
no-rdns.host-209.lalabhola.win 176.119.26.209
no-rdns.host-210.lalabhola.win 176.119.26.210
no-rdns.host-212.lalabhola.win 176.119.26.212
no-rdns.host-35.lalabhola.win 176.119.30.35
no-rdns.host-52.lalabhola.win 176.119.30.52
no-rdns.host-58.lalabhola.win 176.119.30.58
no-rdns.host-60.lalabhola.win 176.119.30.60
no-rdns.host-92.lalabhola.win 176.119.30.92
no-rdns.host-101.lalabhola.win 176.119.30.101
no-rdns.host-113.lalabhola.win 176.119.30.113
no-rdns.host-116.lalabhola.win 176.119.30.116
no-rdns.host-119.lalabhola.win 176.119.30.119
no-rdns.host-122.lalabhola.win 176.119.30.122
no-rdns.host-127.lalabhola.win 176.119.30.127
tor-exit-node.tk has a fake host 195.20.41.139 ban
217.13.197.5
212-51-156-173.fiber7.init7.net fake host name 212.51.156.173 ban 185.80.130.125
Observation:
vps-60-92.cloudhosting.lv 185.8.60.92
Pattern: 185.8 append the last two octets
Research:
static-133.43.220.91.cloudhosting.lv 91.220.43.133
static-10.181.30.94.cloudhosting.lv 94.30.181.10
cp53072.cloudhosting.lv 91.220.43.29
vps-60-66.cloudhosting.lv 185.8.60.66
25.221.223.60.adsl-pool.sx.cn has a fake host name 103.51.144.81 Cloudie.hk so ban
60.223.221.25. In fact sx.cn directs all its links to the same host name IP.
crawl13.crawl.production.synthesio.net 51.254.168.34 spammed me, so here is the research:
doc07.datastore.production.synthesio.net 5.135.134.76
kafka05.compute.production.synthesio.net 5.135.136.185
crawl12.crawl.production.synthesio.net 51.254.168.33
crawl13.crawl.production.synthesio.net 51.254.168.34
crawl01.crawl.production.synthesio.net 51.254.168.38
esdata56.escluster03.production.synthesio.net 51.255.81.94
crawl05.crawl.production.synthesio.net 94.23.220.222
crawl05.crawl.production.synthesio.net 149.202.157.216
crawl02.crawl.production.synthesio.net 149.202.157.217
crawl03.crawl.production.synthesio.net 149.202.157.218
us02.lb.production.synthesio.net 158.69.27.75
crawl.production.synthesio.net 178.33.227.174
meta07.datastore.production.synthesio.net 178.33.62.33
data11.datastore.production.synthesio.net 188.165.14.57
mta0.mailwish.com spammed me. They were hard to track down. It turns out their name servers were the IPs I was after.
www.mailwish.com 184.106.55.11
ns1.mailwish.com 104.168.142.213
mta0.mailwish.com 104.168.142.213
ns2.mailwish.com 104.168.134.145
mta1.mailwish.com 104.168.134.145
whip.cs.ox.ac.uk ua 163.1.88.191
University of Oxford
hosted-by.seedvps.com spammed me, I believe as a tor exit server, but they are much more.
They changed their host name by a single hyphen.
hostedby.seedvps.com 109.201.140.16
hostedby.seedvps.com 109.201.140.35
hostedby.seedvps.com 109.201.140.42
hostedby.seedvps.com 109.201.140.46
hostedby.seedvps.com 109.201.148.31
mail.seedvps.com 109.201.148.0
81-171-108-56.ipvanish.com 81.171.108.56
nyc-a26.ipvanish.com 64.145.79.33
nyc-a18.ipvanish.com 64.145.79.18
541938c4.cm-5-2a.dynamic.ziggo.nl 84.25.56.196 ip is first portion of host name in hex
541A87DC.cm-5-3c.dynamic.ziggo.nl 84.26.135.220
54180000.cm-5-1a.dynamic.ziggo.nl 84.24.0.0
535315C1.cm-6-4a.dynamic.ziggo.nl 83.83.21.193
Observations:
ducato.websitewelcome.com 192.185.83.240
stealth.websitewelcome.com 192.185.82.78
Research:
ducato.websitewelcome.com 54.213.200.95
rbl.Websitewelcome.com 192.185.0.107
Puma.websitewelcome.com 192.185.2.125
suzuki.websitewelcome.com 192.185.2.175
porsche.websitewelcome.com 192.185.2.21
pontiac.websitewelcome.com 192.185.2.237
Lariat.websitewelcome.com 192.185.2.250
nyayo.websitewelcome.com 192.185.12.16
ns8283.websitewelcome.com 192.185.14.237
premacy.websitewelcome.com 192.185.81.238
stealth.websitewelcome.com 192.185.82.78
Laser.websitewelcome.com 192.185.82.122
multipla.websitewelcome.com 192.185.82.190
captiva.websitewelcome.com 192.185.82.202
ducato.websitewelcome.com 192.185.83.240
nikken.websitewelcome.com 192.185.83.183
terminator.websitewelcome.com 192.185.179.124
c-2ec2a1b4-74736162.cust.telenor.se tor 46.194.161.180 ip is hex after the “c-”
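The hex-in-hostname schemes noted above (optonline.net, ziggo.nl, inet.fi, telenor.se) and the octet-shuffling ones (wideopenwest.com, telkomsa.net) can be decoded mechanically and compared with the address seen in the access log. This is an added example, not code from the original page; the regexes are assumptions inferred from the hostnames listed here, and `decode_rdns` and `audit` are hypothetical names.

```python
import ipaddress
import re


def _from_hex(digits):
    """Eight hex digits -> dotted quad."""
    return str(ipaddress.IPv4Address(int(digits, 16)))


def _from_octets(*octets):
    """Decimal octet strings -> dotted quad; raises ValueError if any exceeds 255."""
    return str(ipaddress.IPv4Address(".".join(octets)))


# (pattern, builder) pairs. Each pattern is inferred from examples on this page
# and is an assumption about the ISP's naming scheme, not a published spec.
RULES = [
    (re.compile(r"^ool-([0-9a-f]{8})\.dyn\.optonline\.net$"),
     lambda m: _from_hex(m[1])),
    (re.compile(r"^([0-9a-f]{8})\.cm-[0-9a-z-]+\.dynamic\.ziggo\.nl$"),
     lambda m: _from_hex(m[1])),
    (re.compile(r"^dsl-[a-z0-9]+-([0-9a-f]{6})-([0-9a-f]{2})\.dhcp\.inet\.fi$"),
     lambda m: _from_hex(m[1] + m[2])),
    (re.compile(r"^c-([0-9a-f]{8})-[0-9a-f]+\.cust\.telenor\.se$"),
     lambda m: _from_hex(m[1])),
    # wideopenwest: hostname numbers 1-2-3-4 map to IP octets 2.1.4.3
    (re.compile(r"^d(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.[a-z]+\.wideopenwest\.com$"),
     lambda m: _from_octets(m[2], m[1], m[4], m[3])),
    # telkomsa: first three numbers reversed, fourth kept
    (re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.north\.dsl\.telkomsa\.net$"),
     lambda m: _from_octets(m[3], m[2], m[1], m[4])),
]


def decode_rdns(hostname):
    """Return the IPv4 address embedded in a hostname, or None if no rule fits."""
    host = hostname.strip().rstrip(".").lower()
    for pattern, build in RULES:
        m = pattern.match(host)
        if m:
            try:
                return build(m)
            except ValueError:  # e.g. an "octet" above 255
                return None
    return None


def audit(pairs):
    """Compare (hostname, logged_ip) pairs; a mismatch marks a PTR name that
    does not describe the connecting address and needs a closer look."""
    findings = []
    for hostname, seen_ip in pairs:
        embedded = decode_rdns(hostname)
        if embedded is None:
            status = "no-rule"
        elif embedded == seen_ip:
            status = "match"
        else:
            status = "mismatch"
        findings.append((hostname, seen_ip, embedded, status))
    return findings


# Pairs taken from this page, except the third, whose logged IP is constructed
# (203.0.113.7 is a documentation address) to show a mismatch.
SAMPLE = [
    ("ool-18b802ec.dyn.optonline.net", "24.184.2.236"),
    ("d4-50-85-231.evv.wideopenwest.com", "50.4.231.85"),
    ("535315C1.cm-6-4a.dynamic.ziggo.nl", "203.0.113.7"),
    ("server-9.private", "192.241.137.90"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A PTR record is set by whoever controls the reverse zone, so a decoded address is a hint for choosing a ban range; the IP in the log remains the authoritative value.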
squid.ams3.digitalocean.24 works as a tor exit but has used many other ip addresses.
188.166.6.210
188.166.55.0
188.166.34.159
188.166.11.80
188.166.7.38 tor
188.166.40.28
188.166.0.128
This is a very persistent spammer, but elusive. I now have an observation.
static.vdc.vn host 203.162.0.78 actual 123.30.75.115
toutelanutrition.com is a french nutrition site that really jumps around. Interestingly it seems to use many ISPs, but unique IPs. If they give you trouble try banning the individual IPs.
toutelanutrition.com h 5.196.84.205 46.105.109.169 78.40.127.175 70.32.96.171
ns.tor-node.felix.io has a fake host name of 213.251.188.154, but actual tor address is 87.118.92.43
liskov.tor-relays.net actually has 3 tor exit servers, so do a 0/24 ban on the last octet.
exit0.liskov.tor-relays.net h 149.56.223.241 tor
relay0.liskov.tor-relays.net 149.56.223.240
relay2.liskov.tor-relays.net 149.56.223.244
yui.cat posted to my site, so I tracked them down. There are a bunch of tor exit servers, hosted on Psychz. The other is on Hetzner.
web-1.yui.cat h 45.34.143.4 p psychz
45.34.143.3
tor-1.yui.cat 176.9.127.69
tor-relay-1.yui.cat 45.34.143.6
ecbiz178.inmotionhosting.com has a narrow 4 ip range, so easy to ban.
ecbiz178.inmotionhosting.com h 104.193.143.55 104.193.143.56 104.193.143.57 r 104.193.143.58
Research:
ecbiz147.inmotionhosting.com 67.199.146.104
ecbiz168.inmotionhosting.com 104.193.143.92
biz141.inmotionhosting.com 216.194.169.105
biz146.inmotionhosting.com 194.152.52.69
biz157.inmotionhosting.com 192.145.239.20
biz177.inmotionhosting.com 192.145.239.28
biz179.inmotionhosting.com 66.249.64.73
biz183.inmotionhosting.com 205.134.239.12
ld110.inmotionhosting.com 173.247.255.35
vps19723.inmotionhosting.com 216.194.173.46
elite1983.inmotionhosting.com 216.194.165.86
vps6663.inmotionhosting.com 70.39.148.48
advanced1523.inmotionhosting.com 74.124.215.71
vps19398.inmotionhosting.com 70.39.250.221
vps6101.inmotionhosting.com 173.247.249.132
vps15246.inmotionhosting.com 23.235.207.145
vps17988.inmotionhosting.com 172.81.118.248
vps6663.inmotionhosting.com 70.39.148.48
vps8345.inmotionhosting.com 74.124.214.155
vps6101.inmotionhosting.com 173.247.249.132
For spottyhorse.com, the last octet is in its host name. The first three octets are 107.151.155 and are prepended.
mail-148.spottyhorse.com 107.151.155.148
mail-145.spottyhorse.com 107.151.155.145
mail-146.spottyhorse.com 107.151.155.146
mail-147.spottyhorse.com 107.151.155.147
mail-149.spottyhorse.com 107.151.155.149
mail-150.spottyhorse.com 107.151.155.150
h-254-244.scoutjet.com 199.87.254.244
prepend 199.87
reverse-dns.chicago also prepends its host name with an ip address, but this one is more obscured.
74.121.182.135
82.98.86.173 404
167.88.10.162
173.243.112.163
192.208.184.98
199.192.201.44
199.192.207.146
216.107.144.0
216.231.140.252
216.107.155.114
forpsi.net prepends with 81.2, then reverse the 2 host numbers for the last 2 octets
62.242.forpsi.net 81.2.242.62
tor-exit1.mcintosh.network h 209.123.234.23 23.92.18.254
tor-exit2.mcintosh.network 80.85.84.23
tor-exit3.mcintosh.network 45.33.23.23
tor-exit4.mcintosh.network 85.90.244.23
tor-exit5.mcintosh.network 23.92.27.23
tor-exit6.mcintosh.network 23.92.28.23
tor-exit7.mcintosh.network 139.162.28.23
tor-exit8.mcintosh.network 106.184.0.23
wan.fastsignal.com.br referral spammed me with 1-99seo, but I could not track down an IP. Hmm, but I did find their dns servers:
ns1.wtek.com.br 186.209.224.11
ns2.wtek.com.br 186.209.224.12
3g.y.4g
67.205.128.0 – 67.205.191.255
Digital Ocean
67.205.131.228
31.161.128.151 static.kpn.net is suspiciously short
31.161.108.134 static.kpn.net 2016-nov-03
62.41.133.58 static.kpn.net
62.132.253.57 static.kpn.net
145.129.111.70 static.kpn.ne 2016-oct-09
188.203.1.33 static.kpn.net 2016-sept-22
188.203.24.138 static.kpn.net 2016-oct-18
188.207.69.222 static.kpn.net 2016-nov-04
194.151.37.123 static.kpn.net 2016-sept-30
194.151.76.46 static.kpn.net 2016-oct-15
188.120.255.200 trs-tel.ru
82.146.33.225
92.63.99.167
149.154.64.15
149.154.64.132
188.120.251.219
188.120.255.167
188.120.255.202
151.248.113.145 rus6.localhost is doing weird stuff
103.18.4.83 v103-18-4-83.myvps.vn
RADORE Sayfa Tr 46.45.176.0 – 46.45.183.255
46.45.177.104 vpn is the host name?!?
SAYFA Tr 176.53.21.0 – 176.53.21.255
176.53.21.210 vpn
176.53.21.215 vpn
176.53.21.216 vpn 2016-oct-20
115.73.141.127 adsl.viettel.vn 2016-nov-01
115.73.240.221 adsl.viettel.vn 2016-oct-19
115.74.70.72 adsl.viettel.vn 2016-oct-20
115.76.156.99 adsl.viettel.vn 2016-oct-09
115.76.70.248 adsl.viettel.vn 2016-oct-18
115.77.140.179 adsl.viettel.vn 2016-oct-21
115.77.147.24 adsl.viettel.vn
115.79.77.120 adsl.viettel.vn 2016-nov-16
115.79.174.162 adsl.viettel.vn 2016-oct-29
206.47.0.0 – 206.47.255.255 Bell Canada (LINX) I’m unsure who this is and why they have such a short host name
206.47.249.251 DMOCK0
206.47.249.251 dmock0.bell.ca
206.47.249.253 DMOCEW
206.47.249.253 dmoc1a.bell.ca
181.174.190.206 hosted-by.sered.net
64.90.240.50 minisink.com Minisink Valley High School
195.173.18.146 no-dns-yet.demon.co.uk
Very odd host name for fpt.vn, as if they want to hide something
118.71.18.56 ip-address-pool-xxx.fpt.vn
118.71.74.87 ip-address-pool-xxx.fpt.vn
118.71.162.243 ip-address-pool-xxx.fpt.vn
162.254.218.98 domain.not.configured