Tag: hex

yota.com.ni, Part of Semalt Botnet: Research, Ban

wimax183-11.yota.com.ni hit my site as part of the large Semalt botnet that started with the keywords-monitoring-your-success.com and free-video-tool.com campaign, which I have already banned. That botnet was huge. They involved Virtua in Brazil as well. Finally that campaign ended and they started with fix-website-errors.com and buttons-for-website. buttons-for-website is a really old Semalt SEO botnet campaign.

Pattern:
Take 190.181 as the first two octets of the IP, then add the two numbers from the hostname as the third and fourth octets.

Observed:
wimax183-11.yota.com.ni 190.181.183.11 190.181.128.0 – 190.181.191.255 190.181.128/18 Yota De Nicaragua

Research:
WiMax128-245.yota.com.ni 190.181.128.245
wimax129-115.yota.com.ni 190.181.129.115
wimax129-158.yota.com.ni 190.181.129.158
wimax132-70.yota.com.ni 190.181.132.70
WiMax133-44.yota.com.ni 190.181.133.44
WiMax137-187.yota.com.ni 190.181.137.187
WiMax139-2.yota.com.ni 190.181.139.2
WiMax141-57.yota.com.ni 190.181.141.57

vnpt.vn Content Scraper: Research, Ban

static.vnpt.vn does not resolve as a host name, and as they scraped me I will track them down. They are pretty tricky. One of their tactics is that they use the host name “localhost”, which looks odd in the access log. Tech staff cannot find the actual IP address.

As I work with these IP ranges it is clear that this content scraper is a real detriment to Viet Nam. The use of his IPs would force me to pretty much ban the whole country. As an emerging country this would be very bad for Viet Nam, all for the greed and selfishness of a single bot maker. I know that there are no morals with stealing content, as with thieves, but at this stage of Viet Nam’s development this bot maker could easily damage the country.

hdesknet.com.br Content Scraper: Research, Ban

pool.hdesknet.com.br is part of the fix-website-errors.com by Semalt SEO content scraper campaign, huge and very annoying. I wish they would just stop scraping my site. This botnet is huge and does not seem to want to end. It started with keywords-monitoring-success and free-video-tool.com, which then involved Virtua and megared.net.mx. The vast majority of these content scraper bots reside in Brazil and South America, but there are others from Italy and the US.

Thankfully, only one IP range kills this.

Observed:
pool.hdesknet.com.br

Research:
177.67.176.0 177.67.176.0 – 177.67.183.255 177.67.176.0/21 HELP DESK Br

fix-website-errors.com by Semalt: Research, Ban

fix-website-errors.com is a new content scraper campaign from Semalt. It follows from the keywords-monitoring-your-success.com and free-video-tool.com campaign, which I have already banned. That botnet was huge. They involved Virtua in Brazil as well. Damn them.

Anyway, they hit your site, you track them down, ban them, rinse and repeat.

bb.sky.com Content Scraper: Research, Ban

bb.sky.com is a regular content scraper on my site, so I have decided to track them down. I finally figured out their hex IP address, so I can target ranges better.

Sky is a very large TV and internet provider in the UK. They have a huge range of IPs.

Site hits:
5ad4e517.bb.sky.com 90.212.229.12 90.212.0.0 – 90.213.255.255
027e2f4c.bb.sky.com 2.126.47.76 2.126.0.0 – 2.126.255.255
5ad00af4.bb.sky.com 90.208.10.244 90.208.0.0 – 90.209.255.255
b0fb523c.bb.sky.com 176.251.82.60 176.248.0.0 – 176.251.255.255
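
The hostname patterns listed on this page (eight hex digits for bb.sky.com, wimaxA-B for yota.com.ni) can be decoded mechanically and checked against a candidate ban range. The Python below is an added example, not code from the original posts; the function names and regexes are this example's own, and it goes one step further by collapsing a start/end range into CIDR blocks.

```python
import ipaddress
import re

# Regexes are this example's own, written from the hostnames listed on this page.
SKY_HEX = re.compile(r"^([0-9a-f]{8})\.bb\.sky\.com$", re.I)
YOTA = re.compile(r"^wimax(\d{1,3})-(\d{1,3})\.yota\.com\.ni$", re.I)
YOTA_ROOT = "190.181"  # first two octets, per the Yota pattern on this page


def ip_from_hostname(host):
    """Return the IPv4Address encoded in a reverse-DNS name, or None."""
    host = host.strip().rstrip(".")
    m = SKY_HEX.match(host)
    if m:
        # Eight hex digits are the four octets, most significant first.
        return ipaddress.IPv4Address(int(m.group(1), 16))
    m = YOTA.match(host)
    if m:
        third, fourth = int(m.group(1)), int(m.group(2))
        if third > 255 or fourth > 255:
            return None  # not a valid octet, so not this naming scheme
        return ipaddress.IPv4Address(f"{YOTA_ROOT}.{third}.{fourth}")
    return None


def range_to_cidrs(first, last):
    """Collapse an inclusive first..last range into the CIDR blocks covering it."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]


def covered(host, first, last):
    """True when the address decoded from host lies inside first..last."""
    ip = ip_from_hostname(host)
    return ip is not None and ipaddress.IPv4Address(first) <= ip <= ipaddress.IPv4Address(last)


if __name__ == "__main__":
    # Hostnames and ranges copied from the listings on this page.
    samples = [
        ("027e2f4c.bb.sky.com", "2.126.0.0", "2.126.255.255"),
        ("5ad00af4.bb.sky.com", "90.208.0.0", "90.209.255.255"),
        ("b0fb523c.bb.sky.com", "176.248.0.0", "176.251.255.255"),
        ("wimax183-11.yota.com.ni", "190.181.128.0", "190.181.191.255"),
    ]
    for host, first, last in samples:
        print(host, ip_from_hostname(host), range_to_cidrs(first, last),
              covered(host, first, last))
```

The decoded value is only a hint: a PTR record is set by whoever controls the address block, so the connecting address in the access log remains the authoritative one to ban on.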

virtua.com.br Content Scraper: Research, Ban

Persistent this botnet is. It’s like a virus that mutates but does not go away. Or an itch you scratch but does not stop. virtua.com.br has a content scraping bot going at my site that I need to stop. virtua.com.br is part of a large Semalt-led botnet I am trying to remove. They have no website. The host addresses I receive on my access log do not resolve, and there’s nothing specific on Google. I’m just giving this a simple domain ban to see how it goes. They also have a huge number of IP blocks, as they are connected to Akamai in the US.