Tag: research

454a986e.cst.lightpath.net: Research, Ban

454a986e.cst.lightpath.net is a content scraper bot that has been visiting my site, so I would like to remove the welcome mat.

lightpath.net seems to change the front part of their host names often, as a search on Google did not yield an exact match, only many variants.

Pattern:
Take the eight hex digits before “.cst.lightpath.net”, split them into four pairs, and convert each pair from hex to decimal, giving you the 4 octets of an IP address.

lightpath.net resolves to 216.2.192.141, Optimum Online or Cablevision Systems, XO Communications (ISP), but they have no website. cablevisionlightpath.org also resolves to the same IP address.

454a986e.cst.lightpath.net: the hex converts to 69.74.152.110, Cablevision Systems.

IPVNow.com Will Fool Anti-Bot Software

Fool, it would, an automated anti-bot system, because humans are more intelligent than bots. They are innovative, in their evil genius way. Computer security is all about the arms race. The better the methods, the better the countermeasures, and then it repeats. No security measure is foolproof for very long.

IPVNow.com has a slew of host names that, when you look them up, resolve successfully and all point to the same IP address, 103.224.182.241. This misdirection is what would fool the anti-bot software, because this IP is real and it points to a valid company, Trellian, which owns IPVNow.com. But banning this single IP does not stop the content scraping. Each host name has its own IP address, hosted with the ISPs Ubiquity and Nobis. These are the IPs you need to ban.

customer.worldstream.nl: Banning Content Scraper

This host name is constantly scraping my site, but when I look it up it does not resolve. Searches on Google reveal that they seem to change their IP address very often. Many other sites are getting spammed and content scraped by this host. I have no alternative but to ban the whole IP range of customer.worldstream.nl.

I read my raw access log and the first column provides me with an IP address or host name. This first column is usually enough to target the specific IP that is errant, and I ban the last IP octet of 256 addresses.
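The log workflow above, combined with the hex-to-octet pattern from the lightpath.net post, as an added example that is not the author's own code: it reads the first column of each access log line, decodes hex-labelled `.cst.lightpath.net` host names offline, and counts hits per 256-address block. The function names, the `min_hits` threshold and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Hex-encoded IPv4 label, per the pattern on this page: 454a986e.cst.lightpath.net
HEX_HOST = re.compile(r"^([0-9a-f]{8})\.cst\.lightpath\.net$", re.IGNORECASE)

def host_to_ip(client):
    """Map the first log column to an IPv4Address, or None if it cannot be derived offline."""
    try:
        return ipaddress.IPv4Address(client)  # column already holds a dotted quad
    except ipaddress.AddressValueError:
        pass
    m = HEX_HOST.match(client)
    if m:
        # Eight hex digits are one 32-bit address: 45.4a.98.6e -> 69.74.152.110
        return ipaddress.IPv4Address(int(m.group(1), 16))
    return None  # other names need a DNS lookup; a hex-looking label alone proves nothing

def ban_candidates(log_lines, min_hits=2):
    """Return ({/24 network: hits} for networks with >= min_hits, sorted unresolved hosts)."""
    hits, unresolved = Counter(), set()
    for line in log_lines:
        fields = line.split()
        if not fields:
            continue
        ip = host_to_ip(fields[0])
        if ip is None:
            unresolved.add(fields[0])
            continue
        # /24 = the 256 addresses that share the first three octets
        hits[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return {n: c for n, c in hits.items() if c >= min_hits}, sorted(unresolved)

# Constructed sample log (combined log format); paths, times and sizes are made up.
SAMPLE_LOG = """\
454a986e.cst.lightpath.net - - [01/Jan/2024:10:00:00 +0000] "GET /a HTTP/1.1" 200 512
454a986e.cst.lightpath.net - - [01/Jan/2024:10:00:01 +0000] "GET /b HTTP/1.1" 200 640
69.74.152.110 - - [01/Jan/2024:10:00:02 +0000] "GET /c HTTP/1.1" 200 700
192.0.2.7 - - [01/Jan/2024:10:05:00 +0000] "GET / HTTP/1.1" 200 900
customer.worldstream.nl - - [01/Jan/2024:10:06:00 +0000] "GET /d HTTP/1.1" 200 300
deadbeef.example.com - - [01/Jan/2024:10:07:00 +0000] "GET /e HTTP/1.1" 200 300
""".splitlines()

if __name__ == "__main__":
    networks, unresolved = ban_candidates(SAMPLE_LOG)
    for net, count in networks.items():
        print(f"{net}\t{count} hits")
    print("needs manual research:", ", ".join(unresolved))
```

Host names that land in the unresolved list still need the manual lookup described in these posts; the decoder is tied to the one suffix so that an unrelated eight-hex-digit label is never turned into a ban entry.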

Host Names I have Researched, Flummoxed

intra.cea.fr content scraped me, so I researched them.

0x667.crypt.gy came back with a host lookup of 94.23.147.30, OVH. I cannot verify this IP address. Research is inconclusive. This guy uses a Microsoft server error code “1639 (0x667). Invalid command line argument” in his hostname.
server.crypt.gy 188.165.211.48