pool.hdesknet.com.br is part of the fix-website-errors.com by Semalt SEO content scraper campaign, huge and very annoying. I wish they would just stop scraping my site. This botnet is huge and does not seem to want to end. It started with keywords-monitoring-success and free-video-tool.com, which then involved Virtua and megared.net.mx. The vast majority of these content scraper bots reside in Brazil and South America, but there are others from Italy and the US.
Thankfully, only one IP range kills this.
220.127.116.11 18.104.22.168 – 22.214.171.124 126.96.36.199/21 HELP DESK Br
ipredator.se is a Swedish VPN service that is comment spamming my site.
anon-48-125.vpn.ipredator.se 188.8.131.52 – 184.108.40.206 PrivActually
host anon-44-42.vpn.ipredator.se 220.127.116.11
exit1.ipredator.se 18.104.22.168 CYBERDYNE Monrovia
I did not realize that I had banned this before. If this changes I will hunt it down again. There are a few IPs that have used this host name. They continue to content scrape me.
To get the IP address, prefix 46.246. to the two octets in the host name.
Kik content scraper bots sent me this IP from bredbandsbolaget.se. Kik uses single IPs from all over North American ISPs, and they’re now expanding globally. Kik content scrapes my site daily, so it is in my best interest to stop them.
Just for fun I translated from Swedish to English: “bredbandsbolaget” translates to “broadband company”! LOL! bredbandsbolaget.se provides TV, internet and telephone in Sweden. They have a web site. After the IP address, the next set of numbers before the “cust” might be the Swedish telephone number, starting with the area code. Then again maybe not, as some have hex
vultr.com is a content scraper that I would like to remove from my site. They are persistent. Vultr.com seems to be the cloud offering from Choopa.
bb.sky.com is a regular content scraper on my site, so I have decided to track them down. I finally figured out their hex IP address, so I can target ranges better.
Sky is a very large TV and internet provider in the UK. They have a huge range of IPs.
5ad4e517.bb.sky.com 22.214.171.124 126.96.36.199 – 188.8.131.52
027e2f4c.bb.sky.com 184.108.40.206 220.127.116.11 – 18.104.22.168
5ad00af4.bb.sky.com 22.214.171.124 126.96.36.199 – 188.8.131.52
b0fb523c.bb.sky.com 184.108.40.206 220.127.116.11 – 18.104.22.168
fregat.ua is a bot from Russia. It was logged for ransomware, so you really don’t want them to try to break into your site. Quite bold, they are, trying to get my login and admin pages, so they are a definite security threat for trying to break into my site. Fregat.ua is an ISP with a web page.
182.43.PPPoE.fregat.ua 22.214.171.124 126.96.36.199 – 188.8.131.52 184.108.40.206/16
62.30.PPPoE.fregat.ua 220.127.116.11
54.146.dynamic.PPPoE.fregat.ua 18.104.22.168 22.214.171.124 – 126.96.36.199 188.8.131.52/22
This is part of the keywords-monitoring-your-success.com, free-video-tool.com Semalt Botnet that spread to other South American hosts, but they have changed the referrer name slightly to keywords-monitoring-success.com. This host is tricky because they only provide the last 2 octets of the IP address, leaving me to guess the first two.
Here is my clue: customer-qro-199-67.megared.net.mx
There are clues to the same pattern used by megared.net.mx, using a variety of new 2 initial octets combined with the last 2 from the host name. While I only have this one IP as a content scraper, their reputation is one of an email spammer. I guess they moved into a newer but related business model.
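The host-name patterns described in these posts (the hex label on bb.sky.com, the two octets on vpn.ipredator.se, and the last two octets on megared.net.mx) can be turned into IP hints for checking access-log entries. This is an added example, not code from the blog; the function names are hypothetical, and reading the Sky label as the IPv4 address in 8 hex digits, high octet first, is an assumption.

```python
import ipaddress
import re

# Hostname patterns taken from the host names quoted in the posts.
SKY = re.compile(r"^([0-9a-f]{8})\.bb\.sky\.com\.?$", re.I)
IPREDATOR = re.compile(r"^anon-(\d{1,3})-(\d{1,3})\.vpn\.ipredator\.se\.?$", re.I)
MEGARED = re.compile(r"^customer-[a-z]+-(\d{1,3})-(\d{1,3})\.megared\.net\.mx\.?$", re.I)


def _octets(*parts):
    """Return the parts as ints, or None if any is not a valid octet."""
    vals = [int(p) for p in parts]
    return vals if all(0 <= v <= 255 for v in vals) else None


def ip_hint(host):
    """Map a reverse-DNS name to (kind, value).

    kind "full"    -> value is a dotted IPv4 address
    kind "suffix"  -> value is the last two octets only (first two unknown)
    kind "unknown" -> value is None
    """
    host = host.strip()
    m = SKY.match(host)
    if m:
        # Assumption: the label is the IPv4 address as 8 hex digits, high octet first.
        return "full", str(ipaddress.IPv4Address(int(m.group(1), 16)))
    m = IPREDATOR.match(host)
    if m and (o := _octets(*m.groups())):
        # The post's rule: prefix 46.246. to the two octets in the name.
        return "full", f"46.246.{o[0]}.{o[1]}"
    m = MEGARED.match(host)
    if m and (o := _octets(*m.groups())):
        return "suffix", f"{o[0]}.{o[1]}"
    return "unknown", None


def matches_hint(client_ip, hint):
    """True if a logged client IP is consistent with a hint from ip_hint()."""
    kind, value = hint
    ip = str(ipaddress.IPv4Address(client_ip))  # validates the input
    if kind == "full":
        return ip == value
    if kind == "suffix":
        return ip.split(".", 2)[2] == value
    return False
```

A "suffix" hint only narrows the search; the first two octets still have to come from the logged client address.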
Persistent this botnet is. It’s like a virus that mutates but does not go away. Or an itch you scratch but does not stop. virtua.com.br has a content scraping bot going at my site that I need to stop. virtua.com.br is part of a large Semalt-led botnet I am trying to remove. They have no website. The host addresses I receive on my access log do not resolve, and there’s nothing specific on Google. I’m just giving this a simple domain ban to see how it goes. They also have a huge number of IP blocks, as they are connected to Akamai in the US.
Both keywords-monitoring-your-success.com and free-video-tool.com are Semalt tools for content scraping. This botnet is pretty extensive and tiring to kill.
The raw access log entries look legit at first glance, but being referred from the two Semalt tools, they could not be legit users.
These host names and IP addresses, masquerading as valid browsers, took up a lot of my bandwidth. This botnet used mainly companies from Brazil such as TELEFÔNICA BRASIL, Vivo, Global Village, Brasil Telecom, Yawl, portalmail, but also used a bunch of Italian and US companies.
Virtua.com.br continues to content scrape for Semalt. I have a separate research report on them.