Does anyone know anything about this Site/IP address?
Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

Does anyone know anything about the address 203.194.168.171? The site http://www.shaolinmicro.com/ appears to be associated with it. I just blocked their IP address as this is the second time they have run a web suck on these forums. I have no problem with this if it is legit but it appears to be some sort of robot. If you know anything about this please let me know and I will unblock the address. Thanks.

ThePreacher
scripter
Posts: 61
Joined: Tue Jan 28, 2003 4:43 am
Location: Kansas City

Post by ThePreacher »

What exactly is a web suck?

Post by Void Main »

I just meant a program like "websuck" or a "wget -r" that goes through your entire site and pulls everything it can from every link it can. This is not good to run on a forum for several reasons. At worst the program will go into a recursion of links eating up bandwidth and CPU on the server which is what this thing seemed to have been doing. And it wasn't doing it through just one connection but seemed to spawn several connections in order to maximize its suckness.

It happened about a week ago and I killed it. It ran for over an hour today before I finally blocked it. Here is the user agent string which I would assume is not the real agent:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020

Panos
user
Posts: 45
Joined: Mon Feb 03, 2003 12:54 pm
Location: Florence, Italy

Post by Panos »

It could be a spider or web-crawler. It could also be a spambot. In either case, that IP address points to that site which is strange. If I were you I'd block it as well.

Post by Void Main »

If it's a crawler it's not a very good one. Google is nice and stays out of that stuff.

Linux Frank
administrator
Posts: 239
Joined: Fri Jan 10, 2003 2:06 pm

Post by Linux Frank »

Well, I don't know if this helps. It appears to be assigned to an ISP based in Hong Kong.

The APNIC whois gives this:
inetnum: 203.194.168.170 - 203.194.168.185
netname: CLEVERMOTIONTECH-HK
country: HK
descr: CLEVER MOTION TECHNOLOGY LTD
admin-c: KK135-AP
tech-c: DI16-AP
changed: hostmaster@iadvantage.net.hk 20020904
mnt-by: MAINT-HK-IS
source: APNIC
status: UNSPECIFIED

person: KAN KAM YUEN ALAN
nic-hdl: KK135-AP
e-mail: alankan@cmindhk.com
address: ROOM 3A, 3/F., MOW SHING CENTRE,
address: 118 BEDFORD ROAD,
address: TAI KOK TSUI
phone: +852-27870778
fax-no: +852-27870778
country: HK
changed: hostmaster@iadvantage.net.hk 20020904
mnt-by: MAINT-HK-IS
source: APNIC

person: DNS IADVANTAGE
address: MEGATOP,
address: Mega-iAdvantage,
address: 399 Chai Wan Road,
address: Chai Wan, Hong Kong
country: HK
phone: +852-22088333
fax-no: +852-22672237
e-mail: dns@iadvantage.net
nic-hdl: DI16-AP
mnt-by: MAINT-HK-IS
changed: hostmaster@iadvantage.net 20010807
source: APNIC
Does this help? Sorry I can't find anything else, but if I can I'll let you know.

If you don't want this info on your site feel free to remove it without fear of offense :)

Post by Void Main »

Yeah, I had already looked at that information. I just assumed it was an unfriendly bot of some sort. But if it was really someone interested in pulling my stuff because they found it useful I wanted to give them a chance to be unblocked, and of course to be informed that the way they were pulling it was causing me problems.

Post by Panos »

Void Main wrote: If it's a crawler it's not a very good one. Google is nice and stays out of that stuff.
Yes, I agree. The symptoms you prescribed though resemble those of a spambot scan. I wouldn't unblock it if I were you, Void, but then again you know that already. :wink:

Post by Void Main »

If it is a spambot does anyone know any DoS kiddies looking for a target? :)

Calum
guru
Posts: 1349
Joined: Fri Jan 10, 2003 11:32 am
Location: Bonny Scotland

Post by Calum »

a small linux forum isn't really a target (but then, a society providing free software (like slackware.com) isn't either).

that site sucks. (haw haw! i kill me!)

Post by Void Main »

No, I wanted to know if anyone knew any DoS kiddies looking for a target that could blast that spambot machine. It will save everyone from getting one more SPAM in their email.

Post by Panos »

I wish I knew some 'cause I really hate spammers! But then again who doesn't? :evil:

Post by Void Main »

Here is today's "bot o' the day":

IP: 64.140.49.66, 67, 68, 69
Interesting information: http://www.turnitin.com/robot/crawlerinfo.html

IP has been blocked, I saw it trying to go through private messages. If you are responsible for this bot then send me a note. I do not appreciate this.

Sample Log entry:
64.140.49.67 - - [06/Feb/2003:00:13:57 -0600] "GET /robots.txt HTTP/1.0" 404 1081 "-" "TurnitinBot/1.5 (http://www.turnitin.com/robot/crawlerinfo.html)"
Guess I need to start working on my robots.txt file, for those that are nice enough to look for one.
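
An added example, not part of the thread or the forum's own tooling: a log check for the two behaviours discussed above, a client that hammers the forum in bursts and a client that does or does not ask for robots.txt first. The sample lines, addresses, agent names and the window/burst thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, the format of the sample entry in the post above.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')

def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def summarize(lines, window=timedelta(seconds=10), burst=5):
    """Per client IP: total requests, whether robots.txt was requested, and the
    peak number of requests inside any sliding `window` (assumed thresholds)."""
    hits, asked_robots = defaultdict(list), set()
    for rec in filter(None, map(parse, lines)):
        hits[rec["ip"]].append(rec["ts"])
        if rec["path"].split("?")[0] == "/robots.txt":
            asked_robots.add(rec["ip"])
    report = {}
    for ip, times in hits.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = {"requests": len(times), "asked_robots": ip in asked_robots,
                      "peak": peak, "aggressive": peak >= burst}
    return report

# Constructed sample lines (documentation-range addresses, made-up agents).
SAMPLE = [f'192.0.2.10 - - [06/Feb/2003:00:13:0{i} -0600] "GET /viewtopic.php?t={i} '
          f'HTTP/1.0" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686)"' for i in range(6)]
SAMPLE += [
    '198.51.100.7 - - [06/Feb/2003:00:13:57 -0600] "GET /robots.txt HTTP/1.0" 404 1081 "-" "ExampleBot/1.0"',
    '198.51.100.7 - - [06/Feb/2003:00:14:40 -0600] "GET /index.php HTTP/1.0" 200 2048 "-" "ExampleBot/1.0"',
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info)
```

A client flagged as aggressive that never asked for robots.txt is a candidate for rate limiting or a block; one that asked and got a 404 would have honoured a robots.txt had one existed.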

Post by Panos »

Void Main wrote: IP has been blocked, I saw it trying to go through private messages. If you are responsible for this bot then send me a note. I do not appreciate this.
Who exactly are you referring to, Void Main? I hope that it's not me! :shock:

Post by Void Main »

Panos wrote: Who exactly are you referring to, Void Main? I hope that it's not me! :shock:
Heh heh, if I was referring to you, you never would have been able to post that message, and wouldn't be able to read this one. But if you are in charge of http://www.turnitin.com/ then yes, I would be referring to you. But I am pretty sure that is not the case. :)
