Jan 29, 2008

Some type of botnet using libwww-perl/5.xxx

This all looks to be related; it all showed up at the same time.
Looks to be a botnet.


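The correlation this post makes by eye (many different hosts, one User-Agent family, a few minutes apart), as an added Python example that is not part of the original post. It assumes blocker log lines in the comma-separated layout `ip,tag,[timestamp],rDNS,reason,User-Agent,trailing field`; the sample records, function names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's field layout (documentation IPs, made-up hosts).
SAMPLE = """\
192.0.2.10,BB2,[01-29-2008-16:01:24],host-a.example.net,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
198.51.100.7,BB2,[01-29-2008-16:01:28],host-b.example.org,403 User-Agent was found on blacklist ,libwww-perl/5.803,-
203.0.113.5,BB2,[01-29-2008-16:01:43],-,403 User-Agent was found on blacklist ,libwww-perl/5.805,-
192.0.2.77,BB2,[01-29-2008-16:03:45],host-c.example.com,403 User-Agent was found on blacklist ,libwww-perl/5.808,-
192.0.2.10,BB2,[01-29-2008-16:05:06],host-a.example.net,403 User-Agent was found on blacklist ,libwww-perl/5.79,-
198.51.100.99,BB2,[01-29-2008-16:04:00],crawler.example.edu,403 Required header 'Accept' missing ,Mozilla/5.0 (compatible; examplebot/1.0, beta),-
this line is truncated
"""

def parse_line(line):
    """Split ip,tag,[timestamp],rDNS,reason,User-Agent,trailing; the agent may contain commas."""
    try:
        ip, _tag, ts, rdns, rest = line.strip().split(",", 4)
        reason, rest = rest.split(",", 1)
        agent, _trailing = rest.rsplit(",", 1)
        when = datetime.strptime(ts, "[%m-%d-%Y-%H:%M:%S]")
    except ValueError:
        return None  # malformed or truncated record
    return {"ip": ip, "when": when, "rdns": rdns, "reason": reason.strip(), "agent": agent}

def agent_family(agent):
    """Collapse minor versions: libwww-perl/5.79 and /5.808 both become libwww-perl/5."""
    m = re.match(r"([A-Za-z][\w.-]*)/(\d+)", agent)
    return f"{m.group(1)}/{m.group(2)}" if m else agent

def coordinated_bursts(text, window_minutes=10, min_ips=4):
    """Return {family: peak distinct IPs inside any window} for families at or over min_ips."""
    by_family = defaultdict(list)
    for rec in filter(None, map(parse_line, text.splitlines())):
        by_family[agent_family(rec["agent"])].append((rec["when"], rec["ip"]))
    window, flagged = timedelta(minutes=window_minutes), {}
    for family, events in by_family.items():
        events.sort()
        start = best = 0
        for end, (when, _ip) in enumerate(events):
            while when - events[start][0] > window:
                start += 1  # slide the window start forward
            best = max(best, len({ip for _t, ip in events[start:end + 1]}))
        if best >= min_ips:
            flagged[family] = best
    return flagged
if __name__ == "__main__":
    print(coordinated_bursts(SAMPLE))
```

Repeat hits from one address count once, so a single noisy host does not trip the threshold. On logs that include browser-style agents, `Mozilla/5` lumps many clients together, so group those on the token inside the parentheses instead.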

woriobot heritrix/1.10.0 +http://worio.com) bot

Mozilla/5.0 (compatible; heritrix/1.6.0 +http://www.worio.com/)
137.82.84.97 worio.com

A new bot just showed up claiming another beta test.

This bot is blocked by Bad Behavior for using improper headers.

(edited)
Klaas said...
Could you elaborate on the problem with the headers? I'm eager to fix real and perceived problems with our crawler.


Here is the BB error

bad-behavior 403 Required header 'Accept' missing
Agent: Mozilla/5.0 (compatible; woriobot heritrix/1.10.0 +http://worio.com)
207.23.252.129 worio.com


You're just going to have to test it on a blog using Bad Behavior.

If it were a worthwhile bot I would whitelist it, but since it doesn't do anything yet, why bother? If your project ever gets off the ground, let me know and I will erase this post.

89.253.240.112 justclickme.org

justclickme.org is running a robot from this IP. It has no agent. A search on Google shows a lot of spam links being posted using that URL as a redirect to another site.
The webserver at that domain has a canned preset webpage.

Agent: -NO AGENT-
89.253.240.112 justclickme.org

Jan 21, 2008

New proxy server to ban

https://65.110.6.43/ also known as http://proxyweb.net

Add proxyweb.net to the domain ban file and 65.110.6.43 to the IP ban file. Please report any other IPs.

Jan 8, 2008

Shareaza.com domain hijacked

This is not related to robots, but since someone took one of my domains years ago, everyone needs to spread the news. Shareaza, the open source P2P program, has lost its domain name to some pay service. Shareaza has moved to this URL.

The new owners of the domain are pushing some pay software labeled shareazav4.exe; this is not the real Shareaza, which is at this time v2.3.1.0.

See this story here: P2P File Sharing: Shareaza site hijacked