Tag: keywords-monitoring-your-success.com

cable.net.co Content Scraper: Research, Ban

You never know what you will find in your travels. dynamic-ip-181500198200.cable.net.co was content scraping me, so I decided to target it. It is part of the large Semalt botnet that started with keywords-monitoring-your-success.com and free-video-tool.com and then continued with fix-website-errors, with a sprinkling of buttons-for-websites thrown in.

Its host name is unique in that it is numerically very long. I could see remnants of a decimal IP address, but there was something odd.

Their pattern is not as predictable as required by a computer but that is precisely the point: They want to fool anti-bot software, but allow their admin staff to figure it out. If staff have a couple of errors it is no problem.

yota.com.ni, Part of Semalt Botnet: Research, Ban

wimax183-11.yota.com.ni hit my site as a part of the large Semalt botnet that started with keywords-monitoring-your-success.com and free-video-tool.com campaign, which I have already banned. That botnet was huge. They involved Virtua in Brazil as well. Finally that campaign ended and they started with fix-website-errors.com and buttons-for-website. buttons-for-website is a really old Semalt SEO botnet campaign.

Pattern:
To the IP root of 190.181 for the first two octets, add the second two from the hostname.

Observed:
wimax183-11.yota.com.ni 190.181.183.11 190.181.128.0 – 190.181.191.255 190.181.128/18 Yota De Nicaragua

Research:
WiMax128-245.yota.com.ni 190.181.128.245
wimax129-115.yota.com.ni 190.181.129.115
wimax129-158.yota.com.ni 190.181.129.158
wimax132-70.yota.com.ni 190.181.132.70
WiMax133-44.yota.com.ni 190.181.133.44
WiMax137-187.yota.com.ni 190.181.137.187
WiMax139-2.yota.com.ni 190.181.139.2
WiMax141-57.yota.com.ni 190.181.141.57
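
The hostname-to-address pattern above, as an added example (not code from the original post): it rebuilds the address from a Yota reverse-DNS name and accepts it only if it falls inside the 190.181.128.0/18 range the post lists. The function names are hypothetical; the prefix, the range and the hostname pairs come from the post, and the three rejected hostnames are constructed.

```python
import ipaddress
import re

# Pattern from the post: wimax<A>-<B>.yota.com.ni -> 190.181.<A>.<B>
YOTA_HOST = re.compile(r"^wimax(\d{1,3})-(\d{1,3})\.yota\.com\.ni\.?$", re.I)
YOTA_PREFIX = "190.181"                              # first two octets (from the post)
YOTA_NET = ipaddress.ip_network("190.181.128.0/18")  # range listed in the post

# Hostname / address pairs listed in the post.
PAGE_PAIRS = [
    ("wimax183-11.yota.com.ni", "190.181.183.11"),
    ("WiMax128-245.yota.com.ni", "190.181.128.245"),
    ("wimax129-115.yota.com.ni", "190.181.129.115"),
    ("wimax132-70.yota.com.ni", "190.181.132.70"),
    ("WiMax139-2.yota.com.ni", "190.181.139.2"),
]

# Constructed inputs that must be rejected.
REJECTED = [
    "wimax300-1.yota.com.ni",               # octet above 255
    "wimax10-5.yota.com.ni",                # valid address, outside the /18
    "wimax183-11.yota.com.ni.example.org",  # look-alike suffix
]


def ip_from_yota_host(hostname):
    """Return the address encoded in a Yota reverse-DNS name, or None."""
    m = YOTA_HOST.match(hostname.strip())
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(f"{YOTA_PREFIX}.{int(m.group(1))}.{int(m.group(2))}")
    except ValueError:  # an octet is out of range
        return None
    return addr if addr in YOTA_NET else None


def mismatches(pairs):
    """Hostnames whose derived address differs from the observed one."""
    return [h for h, ip in pairs if ip_from_yota_host(h) != ipaddress.ip_address(ip)]


if __name__ == "__main__":
    print("pattern mismatches:", mismatches(PAGE_PAIRS))
    for host in REJECTED:
        print(host, "->", ip_from_yota_host(host))
```

A reverse-DNS name is set by whoever controls the PTR zone, so compare the derived address with the connecting address in the access log before acting on the hostname alone.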

hdesknet.com.br Content Scraper: Research, Ban

pool.hdesknet.com.br is part of the fix-website-errors.com by Semalt SEO content scraper campaign, huge and very annoying. I wish they would just stop scraping my site. This botnet is huge and does not seem to want to end. It started with keywords-monitoring-success and free-video-tool.com, which then involved Virtua and megared.net.mx. The vast majority of these content scraper bots reside in Brazil and South America, but there are others from Italy and the US.

Thankfully, only one IP range kills this.

Observed:
pool.hdesknet.com.br

Research:
177.67.176.0 177.67.176.0 – 177.67.183.255 177.67.176.0/21 HELP DESK Br

fix-website-errors.com by Semalt: Research, Ban

fix-website-errors.com is a new content scraper campaign from Semalt. It follows from the keywords-monitoring-your-success.com and free-video-tool.com campaign, which I have already banned. That botnet was huge. They involved Virtua in Brazil as well. Damn them.

Anyway, they hit your site, you track them down, ban them, rinse and repeat.

megared.net.mx: Research, Ban

This is part of the keywords-monitoring-your-success.com, free-video-tool.com Semalt Botnet that spread to other South American hosts, but they have changed the referrer name slightly to keywords-monitoring-success.com. This host is tricky because they only provide the last 2 octets of the IP address, leaving me to guess the first two.

Here is my clue: customer-qro-199-67.megared.net.mx

There are clues to the same pattern used by megared.net.mx, using a variety of new 2 initial octets combined with the last 2 from the host name. While I only have this one IP as a content scraper, their reputation is one of an email spammer. I guess they moved into a newer but related business model.

keywords-monitoring-your-success.com and free-video-tool.com: Semalt Botnet

Both keywords-monitoring-your-success.com and free-video-tool.com are Semalt tools for content scraping. This botnet is pretty extensive and tiring to kill.

The raw access log entries look seemingly legit, but being referred from the two Semalt tools, they could not be legit users.

These host names and IP addresses, masquerading as valid browsers, took up a lot of my bandwidth. This botnet used mainly companies from Brazil such as TELEFÔNICA BRASIL, Vivo, Global Village, Brasil Telecom, Yawl, portalmail but also used a bunch of Italian and US companies as well.

Virtua.com.br continues to content scrape for Semalt. I have a separate research report on them.