compromised servers

Wednesday, June 18th, 2008 @ 11:24 pm | security

Hello,

It’s been about a week or two since one of my websites, a photo gallery, became the target of mass spamming through its comment module. I’ve set up the approval configuration so that none of the mess I receive is published online automatically; I can now clean this shit out of my database from time to time.

I think one good way to fight this spam is to publish the IPs of all the compromised servers used in the attack. Hopefully some admin will find their own server in this list (by searching Google!?) and get rid of that stupid bot…

I tried to learn more about the hosts running the spamming bot (obviously a bot is what posts the spam to the comment form). I adapted the 2bgal3 code to save the IP, user agent and referrer of each comment poster in the database. I waited a few days, made an extract, then ran a Unix script to resolve the IPs to DNS names… and here is the result:

(most of the user agents claim to be Windows/MSIE 5.01 or 6.0)
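As an added example (not the author's script and not part of 2bgal3), here is a Python version of the extract-and-resolve step: it reads a constructed tab-separated log of (ip, agent, referrer), a field layout that is an assumption, tallies posts and user agents per source IP, and prints each IP with its reverse DNS names, or "no Reverse DNS;" where there is no PTR record, in the "ip : hostname" form the post uses.

```python
"""Summarise logged comment-spam posts and resolve each source IP to
its reverse DNS name.  Added example, not the post author's own code;
the log layout (tab-separated ip, user-agent, referrer) is assumed and
the sample lines below are constructed (TEST-NET addresses)."""
import socket
from collections import Counter, defaultdict

SAMPLE_LOG = """\
198.51.100.7\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\thttp://gallery.example/comment.php
198.51.100.7\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\thttp://gallery.example/comment.php
203.0.113.42\tMozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\t-
192.0.2.9\tMozilla/5.0 (X11; Linux x86_64) Firefox/3.0\thttp://gallery.example/photo.php?id=12
"""

def parse_log(text):
    """Yield (ip, agent, referrer) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3:
            yield tuple(parts)

def reverse_dns(ip, lookup=socket.gethostbyaddr):
    """Return the PTR name(s) for ip, one per line, or 'no Reverse DNS;'.
    `lookup` is injectable so the function can be exercised offline."""
    try:
        host, aliases, _addrs = lookup(ip)
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return "no Reverse DNS;"
    return "\n".join([host] + [a for a in aliases if a != host])

def agent_counts(text):
    """Tally user-agent strings over all posts (the post found mostly MSIE 5.01/6.0)."""
    return Counter(agent for _ip, agent, _ref in parse_log(text))

def summarise(text, lookup=socket.gethostbyaddr):
    """Group posts by IP: {ip: {'posts': n, 'agents': Counter, 'rdns': str}}."""
    by_ip = defaultdict(lambda: {"posts": 0, "agents": Counter()})
    for ip, agent, _ref in parse_log(text):
        by_ip[ip]["posts"] += 1
        by_ip[ip]["agents"][agent] += 1
    for ip, rec in by_ip.items():
        rec["rdns"] = reverse_dns(ip, lookup)
    return dict(by_ip)

def report(summary):
    """Render 'ip : hostname  (n posts)' lines, busiest source first."""
    ordered = sorted(summary.items(), key=lambda kv: -kv[1]["posts"])
    return [f"{ip} : {rec['rdns']}  ({rec['posts']} posts)" for ip, rec in ordered]

if __name__ == "__main__":
    print("\n".join(report(summarise(SAMPLE_LOG))))
    print(agent_counts(SAMPLE_LOG).most_common(3))
```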
