Tag Archives: botnet

Referrer Botnet | 2017 Feb 25

This botnet’s purpose is to add referrer links to your Google Analytics, in the hopes that the webmaster or site owner will click on the link. They will then be exposed to an internet virus. Please do not click on any referrer spam link, as it is dangerous. I always copy the link and paste it into Google search first, to see if the site is dangerous.

1-99seo.com Content Spammer: Research, Ban

1-99seo.com looks like a similar content spammer campaign, from South America/Brazil. The style is very similar to fix-website-errors-com by Semalt, which was really terrible.

1-free-share-buttons.com looks to be the same

It is these types of content scraper marketing campaigns that wastes the receiving web site’s bandwidth. They visit the same pages daily, scraping from multiple IP addresses.

ztomy.com Content Spammer: Research, Ban

ns1648.ztomy.com has spammed me, but it has been difficult to track down and ban. The ips jump around like mexican jumping beans.

Observations:
I finally got a positive spam hit from 5.231.42.24. and then from 5.231.40.52.
5.41.178.9 ns1648.ztomy.com
5.62.21.221 ns1648.ztomy.com
23.27.250.179 ns1648.ztomy.com 2016-nov-17
104.144.22.219 ns1648.ztomy.com 2016-nov-08
104.144.28.122 ns1648.ztomy.com 2016-oct-12
104.144.28.155 ns1648.ztomy.com 2016-nov-20
184.83.3.154 ns1648.ztomy.com 2016-oct-25
193.169.144.179 ns1648.ztomy.com 2016-nov-20
193.169.144.221 ns1648.ztomy.com 2016-nov-17
193.169.144.230 ns1648.ztomy.com 2016-nov-20
193.169.144.241 ns1648.ztomy.com 2016-nov-20
193.169.144.243 ns1648.ztomy.com 2016-nov-20
193.169.144.247 ns1648.ztomy.com 2016-nov-20
202.51.195.38 ns1648.ztomy.com 2016-nov-16
204.188.238.39 ns1648.ztomy.com 2017-mar-13
205.211.138.134 ns1648.ztomy.com 2016-nov-04

cable.net.co Content Scraper: Research, Ban

You never know what you will find in your travels. dynamic-ip-181500198200.cable.net.co was content scraping me, so I decided to target it. It is part of the large Semalt botnet that started with keywords-monitoring-your-success.com and free-video-tool.comand then continued with fix-website-errors, with a sprinkling of buttons-for-websites thrown in.

Its host name is unique in that it is numerically very long. I could see remnants of a decimal IP address, but there was something odd.

Their pattern is not as predictable as required by a computer but that is precisely the point: They want to fool anti-bot software, but allow their admin staff to figure it out. If staff have a couple of errors it is no problem.

yota.com.ni, Part of Semalt Botnet: Research, Ban

wimax183-11.yota.com.ni hit my site as a part of the large Semalt botnet that started with keywords-monitoring-your-success.com and free-video-tool.com campaign, which I have already banned. That botnet was huge. They involved virtua in Brazil as well. Finally that campaign ended and they started with fix-website-errors.com and buttons-for-website. buttons-for-website is a really old Semalt SEO botnet campaign.

Pattern:
To the IP root of 190.181 for the first two octets, add the second two from the hostname.

Observed:
wimax183-11.yota.com.ni 190.181.183.11 190.181.128.0 – 190.181.191.255 190.181.128/18 Yota De Nicaragua

Research:
WiMax128-245.yota.com.ni 190.181.128.245
wimax129-115.yota.com.ni 190.181.129.115
wimax129-158.yota.com.ni 190.181.129.158
wimax132-70.yota.com.ni 190.181.132.70
WiMax133-44.yota.com.ni 190.181.133.44
WiMax137-187.yota.com.ni 190.181.137.187
WiMax139-2.yota.com.ni 190.181.139.2
WiMax141-57.yota.com.ni 190.181.141.57

greencloudvps.com: Research, Ban

10gbpsnl.greencloudvps.com hit my site looking for security weaknesses, so I thought it wise to research them and send them packing. They are a VPS, so I’ll never find the actual intruder.

They are spotty, so I will start small and work my way up.

Observed:
10gbpsnl.greencloudvps.com 93.158.215.90 93.158.215.0 – 93.158.215.255 SERVERIUS NL
mnt-by:
10gbpsnl.greencloudvps.com 93.158.215.92

Research:
lgvn.greencloudvps.com 66.249.69.189

kvmla2.greencloudvps.com 92.210.165.94
lgnl.greencloudvps.com 93.158.203.162

lgnv.Greencloudvps.com 104.194.14.71
104.223.6.19.static.greencloudvps.com 104.223.6.19

107.161.93.161.static.greencloudvps.com 107.161.93.161

lgaz.greencloudvps.com 148.163.90.3

kvmla2.greencloudvps.com 192.210.165.97
kvmla2.greencloudvps.com 192.210.165.96

198.55.115.24.static.greencloudvps.com 198.55.115.24
198.55.115.58.static.greencloudvps.com 198.55.115.58

hukot.net Tor Exit: Research, Ban

108-36.hukot.net seems to be a Tor exit server. While I am all for the philosophy of net privacy, these Tor servers more often than not are used to content spam me. As a result I ban almost all of them. It is human nature, I suppose, to take something that should be beneficial and, using selfish and personal reasons, turn it to a tool of the bad.

Oh well, who am I to judge. This is my site, I ban content spammers, and I therefore also ban Tor content spammers, exit or not.

hukot.net seems to be an ISP from the Czech Republic.

ubernet.com.bd: Research, Ban

host-64-166-83.ubernet.com.bd was testing my security, so I thought I would out them. ubernet.com.bd is an IP telephone and ISP, out of Bangledesh.

Pattern:
This guy seems to have an older and a newer pattern. The older pattern starts with 220.47 and then appends the last 2 octets of the host name. The newer pattern starts with 45 and appends the last 3 octets of the host name.

Research:
host-161-148.ubernet.com.bd 220.247.161.148 220.247.160.0 – 220.247.167.255 220.247.160.0/21
host-162-202.ubernet.com.bd 220.247.162.202
host-162-238.ubernet.com.bd 220.247.162.238
host-162-58.ubernet.com.bd 220.247.162.58
host-162-55.ubernet.com.bd 220.247.162.55
host-162-173.ubernet.com.bd 220.247.162.173

vnpt.vn Content Scraper: Research, Ban

static.vnpt.vn does not resolve as a host name, and as they scraped me I will track them down. They are pretty tricky. One of their tactics is that they use the host name “localhost”, which looks odd in the access log. Tech staff cannot find the actual IP address.

As I work with these IP ranges it is clear that this content scraper is doing a real detriment to Viet Nam. The use of his IPs would force me to pretty much ban the whole country. As an emerging country this would be very bad for Viet Nam, all for the greed and selfishness of a single bot maker. I know that there are no morals with stealing content, as with thieves, but at this stage of Viet Nam’s development this bot maker could easily damage the country.

dps.gov.co Content Scraper: Research, Ban

lyncdiscover.dps.gov.co has nothing to do with the Government of Columbia, and a good thing, because it is a content scraper bot.

dps.gov.co is the Departamento para la Prosperidad Social, part of the Columbian Government. I am unsure how a content scraper got hold of a Columbian Government extent, legally.

As this is a Government site I have contacted their tech contact, but they do not look too sophisticated. At least I have done my part to try to stop this abuse of the dps.gv.co host name.

Research:
186.170.31.134 186.170.0.0 /15 COLOMBIA TEL
186.170.31.134
186.170.31.134