Category: bot

Henan Police Academy 河南公安学院, China, CERN spams me

Henan Police Academy 河南公安学院, Zhengzhou, China, left me some comment spam today.

Today the Henan Police Academy 河南公安学院 from Zhengzhou, Henan, visited my site and left comment spam. I thought it very odd, because Chinese government organizations, including Chinese police, are usually quite discreet and don’t present themselves in such an open way.

183.169.128.30 Henan Police Academy Henan Gongan Xueyuan 河南公安学院 HNGAZK-CN at http://hnp.edu.cn/. Their IP range is 183.169.128.0 – 183.169.159.255. There are a couple of abuse postings from them such as 1, 2

Metasploit, Armitage and NMap Install on Ubuntu 16.04

Yep, very popular hacking tools!

Metasploit

Took the install from Rapid7’s site. It all went very well.

To start they had the command “./msfconsole”, which did not work for me. It started with “msfconsole”. The initial run created the initial database. The “db_status” command also worked.

I did not seem to need to do the “service postgresql start” command. I did a search and received a message: Module database cache not built yet, using slow search. To build the cache do “db_rebuild_cache”. This worked, link. Now my searches work.

search WordPress
67 WordPress vulnerabilities
search drupal
6 Drupal vulnerabilities

Nikto Web Server Scan: View from the Access Log

Playing, I am, with the Nikto web server scanning package. I scanned my own site, just for fun. While it does take some time, it did finish. I wondered how it would look from my site’s raw access log viewpoint. In summary, Nikto is not stealthy at all. It is also easily detected and banned mid-scan, as it takes a long time to complete.

Essentially you start a Terminal, and type “nikto -h “. There are lots of options, such as output to a log. The Nikto output highlights web site vulnerabilities and cross-references these with a database of known hacks. Using this tool you can highlight the site’s weaknesses and then strengthen your site against hackers.

strider.delmarvagroup.com 173.49.213.106 really wants to contact me

173.49.213.106 strider.delmarvagroup.com, from the MCI Communications block, you really need to put some smarts into your bot. What are you thinking?

173.48.0.0 – 173.63.255.255 MCI Communications

I’m not sure why you are doing this, but please stop. I don’t have a contact form at that location.

The Chinese Magic Behind the Special Number 163

For the longest time my site has been tracked and spammed by 163data.com.cn. I, and others, have wondered about the story behind the number 163. Was it a Chinese Army unit number similar to 解放军 61398部隊? Alas, there seems to be nothing so exciting. There are only a few links about the history of 163.

It looks like in the ’90s when you had to dial a telephone number to a modem and reach the internet, 163 was appended to a local number. Thus 163 was commonly used and therefore memorable. After this time NetEase started 163.com and used 163 to start China’s largest free email service, the Chinese equivalent to gmail. 163.com remains very popular in China today.

204.101.124.227 Bell Canada has 12 Web Sites

This Bell Canada IP address is unusual and came up when I did a host command. It hosts 12 sites. I did not find anything else suspicious about it on X-Force Exchange.

City of Toronto Internet Scraper Bot

City of Toronto internet scraper bot scrapes my site a couple of times per month. Why? Toronto, Canada

I live in the City of Toronto, and write about Toronto-related subjects. What is surprising is that the City of Toronto has an internet bot that randomly scrapes content from my site a couple of times each month. The bot started scraping me near the end of January 2017.

What is interesting was that I, concerned citizen, actually emailed them because I thought they had a Zombie PC taken over by a bot, or some other security issue. I sent the City a log of the relevant entries related to their IP address. Was I naive. Here is their reply (isg@toronto.ca):

193.42.159.25 United Computer Systems: Lots of Host Names

This IP address came up on my usual log processing as unusual. Usually an IP address lookup returns a single host name, not multiples. All these host names are associated with the IP 193.42.159.25 United Computer Systems, Sweden. It is a busy IP, with 25 hostnames, so very unusual. It also tried to break my login security. Risk 1/10, known for bots.

US Anti-Scalper Bot Bill may soon come to Canada?

Want you do, to go to a concert, but just after the supposed start time for ticket sales, all the tickets are gone. You, again, have lucked out. Minutes later these tickets are all available on reseller sites for double the price. It really does sound like a scam. While the US just enacted a federal law, here in Ontario we are just starting the investigation phase. I hope that we can adopt something as strong as the US law, in order to keep pace with bot technology and keep online shopping safe.

Bot Strategy: Fetch, Scrape, Change IP, repeat

Four IPs scraped my site in identical ways: fetch the most recent document, then scrape parts of the rest of the site. The IP changes, and they repeat. They fetch the same document, then scrape different parts of my site, but only for images.

I’ll keep my eye on such activity and see if I can further pin down something more definite.

UA: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727), which does not seem to be unique.