Unwelcome website visitors - Journal of Omnifarious

Jul. 24th, 2004

05:14 pm - Unwelcome website visitors

I was checking over log files for my website, and I noticed that my two biggest visitors were companies that spider the web looking for trademark violations. One followed all the rules. It read robots.txt and it wasn't overly aggressive about fetching pages. And the User-Agent string for the bot said it was a bot.

The other was from Cyveillance. It was very rude. It gave a User-Agent string that claimed it was a real web browser, and it fetched pages at a rate of 12/minute. And it never fetched the robots.txt file, so I must assume that it completely ignored it.

I sent a message to the second company telling them that I would out them and their practices to the world while also filing an abuse report with their ISP if they ever did that to my server again.

The first company, who I didn't especially mind, though I still think the whole thing is slightly sleazy, is called NameProtect, and they have a very nice page explaining all about their bot.

Current Mood: annoyed
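The signals this entry and its comments rely on (no robots.txt fetch, a high request rate, an agent string that changes on every request) can be pulled out of an access log mechanically. The following is an added example, not the journal author's code; it assumes Apache combined log format, and the sample lines, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def _line(ip, sec, path, ua):  # one constructed line in Apache combined format
    return f'{ip} - - [24/Jul/2004:17:00:{sec:02d} +0000] "GET {path} HTTP/1.0" 200 512 "-" "{ua}"'

# Constructed sample: a polite bot, a fast crawler posing as a browser, and a
# client refetching one page with a different agent string on every request.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", 30 * i, p, "ExampleBot/1.0 (+http://bot.example/)")
     for i, p in enumerate(["/robots.txt", "/index.html"])]
    + [_line("198.51.100.7", 5 * i, f"/page{i}.html", "Mozilla/4.0 (compatible; MSIE 6.0)")
       for i in range(12)]
    + [_line("203.0.113.5", 10 * i, "/paper.html", ua)
       for i, ua in enumerate(["xkqjzv", "pwmrtb", "aahgqd", "zzlbdn"])])

def summarize(log_text):
    """Per client: robots.txt fetched?, peak requests per minute, distinct agents."""
    robots, agents = set(), defaultdict(set)
    minutes = defaultdict(lambda: defaultdict(int))
    # filter(None, ...) skips lines that are not in combined format
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        minutes[m["ip"]][ts.replace(second=0)] += 1
        agents[m["ip"]].add(m["ua"])
        if m["path"].split("?")[0] == "/robots.txt":
            robots.add(m["ip"])
    return {ip: {"robots": ip in robots,
                 "peak_per_minute": max(per_min.values()),
                 "distinct_agents": len(agents[ip])}
            for ip, per_min in minutes.items()}

def flag(summary, rate_limit=10, agent_limit=3):  # thresholds are assumptions
    findings = {}
    for ip, s in summary.items():
        reasons = []
        if not s["robots"] and s["peak_per_minute"] > rate_limit:
            reasons.append("fast crawl without robots.txt")
        if s["distinct_agents"] > agent_limit:
            reasons.append("rotating User-Agent")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    print(flag(summarize(SAMPLE_LOG)))
```

A client that never requests robots.txt within the log window may have fetched it earlier, so the first flag is only meaningful over a log that covers the client's whole visit.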

Comments:

From:redheadgirl
Date:July 24th, 2004 05:33 pm (UTC)

From:omnifarious
Date:July 24th, 2004 05:40 pm (UTC)

I believe they used 3:

  • 63.148.99.239
  • 69.110.221.130
  • 63.148.99.234

Here is what ARIN says about each of them:

63.148.99.239 & 63.148.99.234
Qwest Communications NET-QWEST-BLKS-2 (NET-63-144-0-0-1) 
                                  63.144.0.0 - 63.151.255.255
Cyveillance QWEST-63-148-99-224 (NET-63-148-99-224-1) 
                                  63.148.99.224 - 63.148.99.255

# ARIN WHOIS database, last updated 2004-07-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

69.110.221.130
OrgName:    Pac Bell Internet Services 
OrgID:      PACB
Address:    208 Bush St. #5000
City:       San Ramon
StateProv:  CA
PostalCode: 94104
Country:    US

NetRange:   69.104.0.0 - 69.111.255.255 
CIDR:       69.104.0.0/13 
NetName:    PBI-NET-0803
NetHandle:  NET-69-104-0-0-1
Parent:     NET-69-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.PBI.NET
NameServer: NS2.PBI.NET
Comment:    
Comment:    Contact IPAdmin-PBI@sbcis.sbc.com for general IP support.
Comment:    Contact support@pacbell.net for technical support issues.
Comment:    Contact abuse@pacbell.net for policy abuse issues.
RegDate:    2003-11-21
Updated:    2004-02-18

TechHandle: PIA2-ORG-ARIN
TechName:   IPAdmin-PBI 
TechPhone:  +1-877-722-3755
TechEmail:  IPAdmin-PBI@sbis.sbc.com 

OrgAbuseHandle: APB2-ARIN
OrgAbuseName:   Abuse - Pacific Bell 
OrgAbusePhone:  +1-877-722-3755
OrgAbuseEmail:  abuse@pacbell.net

OrgNOCHandle: SPBI-ARIN
OrgNOCName:   Support - Pacific Bell Internet 
OrgNOCPhone:  +1-877-722-3755
OrgNOCEmail:  support@pacbell.net

OrgTechHandle: PIA2-ORG-ARIN
OrgTechName:   IPAdmin-PBI 
OrgTechPhone:  +1-877-722-3755
OrgTechEmail:  IPAdmin-PBI@sbis.sbc.com

# ARIN WHOIS database, last updated 2004-07-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

From:omnifarious
Date:July 24th, 2004 05:47 pm (UTC)

Oops

After doing a bit more research, the IP 69.110.221.130 isn't Cyveillance. It's actually someone who seems obsessed with fetching a page I copied off of FREEP to illustrate how they were organizing some very nasty harassment of people who disagreed with them. The person is repeatedly fetching that page and giving a spoofed User-Agent string that seems to consist largely of strings of random characters. I don't know what they're up to.

I did send Pacbell an abuse report about them. What they're doing is very fishy and looks like an attempt to hack my webserver.

From:omnifarious
Date:July 24th, 2004 05:49 pm (UTC)

Re: Oops

Again, the page being fetched is this one. Sorry for the error.

From:scottscidmore
Date:July 24th, 2004 09:46 pm (UTC)

Re: Oops

Interesting. I need to talk with someone, I may wish to clone that page and/or some other FREEP pages to see what happens. A lot of people from Left to Right are having problems with some FREEPers.


From:omnifarious
Date:July 24th, 2004 10:19 pm (UTC)

Re: Oops

I'm not really left or right. Though I seem very left these days because Bush is so incredibly awful. But, it's interesting that FREEP seems to be causing so many problems. I may have to make a top level post about my problem involving FREEP.

From:scottscidmore
Date:July 24th, 2004 10:42 pm (UTC)

Re: Oops

I'm in the center, as per

http://www.livejournal.com/users/scottscidmore/30468.html

the FREEPers seem to dislike everyone who doesn't agree with them.

From:(Anonymous)
Date:July 31st, 2004 05:49 pm (UTC)

Re: Oops

First: I've also been getting hits from this guy (69.110.221.130). With two exceptions, it's always the same page, and he's downloaded it 35 times this month. It's a semi-arcane research paper that has nothing to do with FREEP.

Second: I'm also getting another series of hits on the SAME page from a different address: 68.123.196.18 -- 39 times this month. As with 69.110..., the agent string is a bunch of random characters, always different. nslookup maps this address to adsl-68-123-196-18.dsl.irvnca.pacbell.net.

Finally, I've gotten a few hits this month of the same form (same file, same random agent string) from a few other places:

200.183.92.15 (somewhere in Brazil, according to nslookup)
200.95.71.85 (somewhere in Mexico, according to nslookup)
213.181.81.66 (the NetGeo service at dnsstuff claims that this is in/near Amsterdam)

These are all hits on my webhosting account at SBC, so I can't speak to whether there are other interesting behaviors coming from these addresses, and I haven't taken the time to follow up with SBC at either end. But it certainly looks suspicious -- judging from the addresses, I would guess some scriptkiddie software. Anyway, if you have any further information and want to follow up, drop me a note at jmiller at millerclan.com (I don't have a LJ account).

Jim Miller

From:(Anonymous)
Date:August 22nd, 2004 06:02 pm (UTC)

Re: Oops

i run a web server too, and i just got hit with the same IPs. my partner googled the IP i gave her and popped up your blog / lj site. this is what i've done with them:

blackhole 69.110.221.130 proto kernel scope link src 127.0.0.2
blackhole 63.148.99.234 proto kernel scope link src 127.0.0.2
blackhole 63.148.99.239 proto kernel scope link src 127.0.0.2

0 0 blacklist all -- * * 69.110.221.130 0.0.0.0/0
0 0 blacklist all -- * * 63.148.99.239 0.0.0.0/0
0 0 blacklist all -- * * 63.148.99.234 0.0.0.0/0

and added them to my permaban packet filter script ;)

very obnoxious, requesting a page between 5 and ~25 seconds. like WTH? msn and google bots are nice and gentle on servers.

From:(Anonymous)
Date:August 22nd, 2004 06:18 pm (UTC)

Re: Oops

oh and :
HEAD www.cyveillance.com
200 OK
Cache-Control: private
Connection: close
Date: Mon, 23 Aug 2004 01:20:45 GMT
Server: Microsoft-IIS/5.0
Content-Length: 16509
Content-Type: text/html
Client-Date: Mon, 23 Aug 2004 01:06:31 GMT
Client-Peer: 63.100.163.127:80
Client-Response-Num: 1

a "security" firm, and they run a vulnerable HTTP server? (AFAICR, IIS 5.0 is unpatched).

From:pleasant_muse
Date:July 24th, 2004 05:38 pm (UTC)

Cyveillance: Minding your business on the Net.

Mind yer own damn business! Leave me alone!




There. I had to say it. Big Brother isn't government, it's corporate. yick!

From:hattifattener
Date:July 25th, 2004 03:36 pm (UTC)

Cyveillance

Huh. Cyveillance also has some sort of connection to SpamCop, the service I use to find spam complaint addresses. By default "Cyveillance Spam Collection" gets cc'd on all reports. It's not at all clear what they might do with those reports.
