You never know what you will find in your travels. dynamic-ip-181500198200.cable.net.co was content scraping me, so I decided to target it. It is part of the large Semalt botnet that started with keywords-monitoring-your-success.com and free-video-tool.com, and then continued with fix-website-errors, with a sprinkling of buttons-for-websites thrown in.
Its host name is unique in that it is numerically very long. I could see remnants of a decimal IP address, but there was something odd.
Their pattern is not as predictable as a computer requires, but that is precisely the point: they want to fool anti-bot software while still letting their admin staff figure it out. If staff make a couple of errors, it is no problem.
Friend DI pointed me to an IBM web page on Entity Resolution, specifically recognition. This is a machine recognition problem. I will never know if the Colombians purposely used this system, if they are just sloppy, or if the person creating the host names has an arts background!
My observation is a great example: 181500198200. Is the IP 181.50.19.82? Then what about the last 2 zeros? Is it 181.5.1.98? Then what about the last 200? 181.50.198.200 seems to be the best answer, but the third octet has a leading zero. This would throw off a machine. Only on these first 2 octets did they add a leading zero to the 3 digit third octet. Odd for computers and computer people, and this is the point.
As I have 3 other examples of a triple digit third octet with a leading zero, this must be a strategy.
As this pattern is ambiguous, I can see many problems when managing their server farm.
Observed:
dynamic-ip-181500198200.cable.net.co seems to resolve to 181.50.198.200
static-ip-cr19015824598.cable.net.co 190.158.245.98
Research:
Dynamic-IP-1814991177.cable.net.co 181.49.91.177 (181.48.0.0 – 181.55.255.255, 181.48/13, Telmex Colombia)
Dynamic-IP-181500131.cable.net.co 181.50.13.1 *
Dynamic-IP-18150014873.cable.net.co 181.50.148.73 *
Static-IP-18151024780.cable.net.co 181.51.247.80 *
Static-IP-1815611434.cable.net.co 181.56.114.34 (181.56.0.0 – 181.63.255.255, 181.56/13)
Static-IP-181581641.cable.net.co 181.58.164.1
Dynamic-IP-18161128128.cable.net.co 181.61.128.128
static-ip-18681112230.cable.net.co 186.81.112.230
static-ip-18681176146.cable.net.co 186.81.176.146
Static-IP-18681224128.cable.net.co 186.81.224.128
Dynamic-IP-18687101222.cable.net.co 186.87.101.222
Dynamic-IP-18687192198.cable.net.co 186.87.192.198
Static-IP-186146194168.cable.net.co 186.146.194.168
Static-IP-186147130212.cable.net.co 186.147.130.212
Static-IP-cr1908424577.cable.net.co 190.84.245.77
Dynamic-IP-19014646126.cable.net.co 190.146.46.126
Static-IP-190146603.cable.net.co 190.146.60.3
Dynamic-IP-19014612821.cable.net.co 190.146.128.21
Static-IP-cr1901478398.cable.net.co 190.147.83.98
Static-IP-cr19014784102.cable.net.co 190.147.84.102
Static-IP-cr1901471975.cable.net.co 190.147.197.5
Static-IP-cr190156251187.cable.net.co 190.156.251.187
Static-IP-190157833.cable.net.co 190.157.8.33
Dynamic-IP-1901581631.cable.net.co 190.158.163.1
Static-IP-cr19015822769.cable.net.co 190.158.227.69
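
An added example, not part of the original post: it enumerates every IPv4 reading of the digit run in a cable.net.co host name, including the stray zero before the third octet described above, and then keeps only the readings inside the two /13 allocations quoted in the research list. The function names and the rule of at most one padding zero before the third octet are assumptions made for illustration.

```python
import ipaddress
import re

# Allocations quoted in the research list on this page.
KNOWN_NETS = [ipaddress.ip_network(n) for n in ("181.48.0.0/13", "181.56.0.0/13")]

def _octets(s):
    """Yield (octet, rest) for each valid octet (0-255, no leading zero) at the start of s."""
    for n in (1, 2, 3):
        tok = s[:n]
        if len(tok) == n and int(tok) <= 255 and (n == 1 or tok[0] != "0"):
            yield tok, s[n:]

def candidates(hostname):
    """Return sorted (address, padded) readings of the digit run in the host name.

    padded is True when the reading assumes one stray "0" before the third
    octet (assumption: that is the only padding rule, as observed on this page).
    """
    m = re.search(r"-(?:cr)?(\d+)\.cable\.net\.co$", hostname.lower())
    if not m:
        return []
    found = set()
    for a, r1 in _octets(m.group(1)):
        for b, r2 in _octets(r1):
            readings = [(r2, False)]
            if r2.startswith("0"):
                readings.append((r2[1:], True))  # drop the stray zero
            for rest, padded in readings:
                for c, r3 in _octets(rest):
                    for d, r4 in _octets(r3):
                        if r4 == "":  # all digits consumed
                            found.add((f"{a}.{b}.{c}.{d}", padded))
    return sorted(found)

def in_known_nets(cands):
    """Keep only readings that fall inside the allocations listed above."""
    return [(ip, p) for ip, p in cands
            if any(ipaddress.ip_address(ip) in net for net in KNOWN_NETS)]

if __name__ == "__main__":
    # Host names taken from the lists on this page.
    for name in ("dynamic-ip-181500198200.cable.net.co",
                 "Dynamic-IP-1814991177.cable.net.co",
                 "Dynamic-IP-181500131.cable.net.co"):
        print(name, candidates(name), in_known_nets(candidates(name)))
```

For Dynamic-IP-181500131 three readings survive the allocation filter, so the digits alone cannot settle it; a forward DNS lookup of the name is needed to confirm the address.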