Moar Cooties
-
@boomzilla said in Moar Cooties:
Huh. That's coming from a German IP. User agent:
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
But definitely looks like it's scraping.
Outdated version of Firefox? There is only one person on this forum that uses severely out of date Firefoxes. I say we have our prime suspect!
-
@Atazhaia said in Moar Cooties:
@boomzilla said in Moar Cooties:
Huh. That's coming from a German IP. User agent:
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
But definitely looks like it's scraping.
Outdated version of Firefox? There is only one person on this forum that uses severely out of date Firefoxes. I say we have our prime suspect!
Oh, I can do better than that! Not quite as egregious, but still part of the problem, from Russia:
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0"
-
-
@Luhmann said in Moar Cooties:
@boomzilla said in Moar Cooties:
from Russia
with love?
:Sean_Connery: Shaken, Not Stirrrred.
-
@Vixen said in Moar Cooties:
@Luhmann said in Moar Cooties:
@boomzilla said in Moar Cooties:
from Russia
with love?
:Sean_Connery: Shaken, Not Stirrrred.
I've been talking about chemical bonds in chemistry class recently. And I couldn't resist introducing one type as Bond. Ionic Bond.
-
@Benjamin-Hall said in Moar Cooties:
@Vixen said in Moar Cooties:
@Luhmann said in Moar Cooties:
@boomzilla said in Moar Cooties:
from Russia
with love?
:Sean_Connery: Shaken, Not Stirrrred.
I've been talking about chemical bonds in chemistry class recently. And I couldn't resist introducing one type as Bond. Ionic Bond.
i too would not be able to resist that introduction either. i would have even done it in my best connery or brosnan impression.
-
-
@topspin said in Moar Cooties:
@boomzilla said in Moar Cooties:
Gecko/2010
Oh, it's Lorne
Firefox/57.0
No, definitely isn't.
e:
Isn't he Canadian? Doesn't seem like the type to come here over VPN.
-
@PleegWat said in Moar Cooties:
@topspin said in Moar Cooties:
@boomzilla said in Moar Cooties:
Gecko/2010
Oh, it's Lorne
Firefox/57.0
No, definitely isn't.
e:
Isn't he Canadian? Doesn't seem like the type to come here over VPN.
Definitely not using NordVPN, at least.
-
@Atazhaia said in Moar Cooties:
There is only one person on this forum that uses severely out of date Firefoxes. I say we have our prime suspect!
14 versions ago could be last month.
-
It doesn't seem to be causing significant cooties, but the spike in unique visitors seems weird:
It looks like these are mostly coming from Cloudflare. What the heck does that mean? I thought they were more for putting in front of your site than as a VPN or proxy or whatever.
Hmm...some of them are YandexBot. But, they seem to be following the robots.txt throttling.
-
Noticing the forum going down (disconnected toasters). Hmm...let's take a look...
That...doesn't look right. Let's go to the access logs!
Lots of low digit accesses from lots of similar looking IPs (106.57.150.105, 106.57.150.11, 106.57.150.136, etc...) with this sort of user agent:
Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0"
And whois:
inetnum: 106.56.0.0 - 106.63.255.255
netname: CHINANET-YN
descr: CHINANET YunNan PROVINCE NETWORK
descr: China Telecom
Looks like it's time to expand the blacklist.
-
@boomzilla said in Moar Cooties:
Noticing the forum going down
-
@boomzilla said in Moar Cooties:
Looks like it's time to expand the blacklist.
It looks like there are many more deserving entries but this is what I've added:
deny 106.56.0.0/13; deny 106.11.0.0/16; deny 112.112.0.0/14; deny 113.136.0.0/13; deny 114.104.0.0/14; deny 114.224.0.0/12; deny 116.248.0.0/15; deny 116.52.0.0/14; deny 117.57.0.0/16; deny 117.80.0.0/12; deny 119.128.0.0/12; deny 121.16.0.0/13;
-
@boomzilla Random thought of the day: rather than trying to block outgoing connections, the Great Firewall of China is actually implemented as bots taking random Chinese IPs and hammering random Western sites until they get on enough blacklists to be blocked everywhere...
In other words: they've mastered the power of and are letting you implement the Great Firewall. How does it feel to be a pawn in their game?
-
@remi said in Moar Cooties:
rather than trying to block outgoing connections, the Great Firewall of China is actually implemented as bots taking random Chinese IPs and hammering random Western sites until they get on enough blacklists to be blocked everywhere...
The one does not exclude the other.
-
@remi in that case, should we just blacklist mainland China and be done with it?
(Apologies to any Chinese members, no offense)
-
-
@TwelveBaud Hong Kong is specifically not "mainland China".
-
@TwelveBaud Yeah, none of these are anything close to his IP address.
-
@boomzilla Yup. AFAIK, the IPv4 range of Hong Kong was allocated before China implemented their network infrastructure, therefore the range is very different.
However, if there are Hong Kong users visiting sites with malicious-code-injected CDNs, they'd also contribute to the attacking traffic volume.
-
@cheong said in Moar Cooties:
@boomzilla Yup. AFAIK, the IPv4 range of Hong Kong was allocated before China implemented their network infrastructure, therefore the range is very different.
However, if there are Hong Kong users visiting sites with malicious-code-injected CDNs, they'd also contribute to the attacking traffic volume.
So far I haven't noticed any.
-
Today's winners:
deny 112.111.0.0/16; deny 111.72.0.0/13; deny 111.0.0.0/10; deny 110.52.0.0/15; deny 106.4.0.0/14; deny 101.16.0.0/12; deny 112.192.0.0/14; deny 112.122.0.0/15; deny 112.16.0.0/13; deny 112.224.0.0/11; deny 112.32.0.0/13; deny 112.80.0.0/13; deny 113.96.0.0/12; deny 113.112.0.0/13; deny 113.120.0.0/13; deny 113.128.0.0/15; deny 113.12.0.0/14; deny 113.16.0.0/12; deny 113.32.0.0/11; deny 113.64.0.0/11; deny 113.96.0.0/12; deny 113.112.0.0/14; deny 113.200.0.0/15; deny 113.218.0.0/15; deny 113.220.0.0/14; deny 113.224.0.0/12; deny 113.240.0.0/13; deny 113.248.0.0/14; deny 113.56.0.0/15; deny 113.64.0.0/11; deny 114.119.128.0/18;
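Added example, not part of the original post and not the forum admin's own tooling: a deny list grown by hand like the ones in this thread picks up duplicate and overlapping ranges, so this sketch audits a block of nginx `deny` directives and emits the minimal equivalent set. The function names and the sample block are assumptions made for the illustration; the sample reuses a few ranges from this thread plus one constructed malformed entry.

```python
import ipaddress
import re

# IPv4 only: nginx `deny` also accepts IPv6, `all` and `unix:`, not handled here.
DENY_RE = re.compile(r"\bdeny\s+(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s*;")

# The first eight entries are taken from the lists in this thread. The last one
# is a constructed mistake: a host address from the access log with a /13 mask.
SAMPLE = """
deny 113.96.0.0/12; deny 113.112.0.0/13; deny 113.120.0.0/13;
deny 113.64.0.0/11; deny 113.96.0.0/12; deny 113.112.0.0/14;
deny 113.64.0.0/11; deny 114.119.128.0/18;
deny 106.57.150.105/13;
"""

def audit_deny_list(text):
    """Parse deny directives; report malformed, redundant and collapsed ranges."""
    nets, malformed = [], []
    for m in DENY_RE.finditer(text):
        try:
            # strict=True rejects entries whose host bits are set
            nets.append(ipaddress.IPv4Network(m.group(1), strict=True))
        except ValueError:
            malformed.append(m.group(1))
    # Redundant: a repeat of an earlier entry, or strictly inside another entry.
    redundant = [
        n for i, n in enumerate(nets)
        if any(i != j and n.subnet_of(o) and (n != o or j < i)
               for j, o in enumerate(nets))
    ]
    # collapse_addresses only drops covered ranges and merges exact sibling
    # halves, so the collapsed list blocks the same addresses, never more.
    collapsed = list(ipaddress.collapse_addresses(nets))
    return {"malformed": malformed, "redundant": redundant, "collapsed": collapsed}

def render(nets):
    """Format networks back into nginx deny directives, one per line."""
    return "\n".join(f"deny {n};" for n in nets)

if __name__ == "__main__":
    report = audit_deny_list(SAMPLE)
    print("malformed:", report["malformed"])
    print("redundant:", [str(n) for n in report["redundant"]])
    print(render(report["collapsed"]))
```

Malformed entries are reported rather than silently corrected, so the operator decides whether the intended range was the enclosing network.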
-
Some more lucky souls:
deny 110.228.0.0/14; deny 112.109.128.0/17; deny 112.64.0.0/15; deny 114.216.0.0/13; deny 115.152.0.0/15; deny 115.208.64.0/18; deny 116.128.0.0/10; deny 116.16.0.0/12; deny 123.128.0.0/13; deny 123.138.0.0/15; deny 123.152.0.0/13; deny 123.160.0.0/14; deny 125.104.0.0/13;
-
@boomzilla
China be like "Deny me harder, daddy"
-
For a minute, I was afraid that Canada could get banned at some point, then I remembered where this is hosted
-
What's happening? More lucky souls to round up?
-
@JBert looks like increased bot activity. Well, that's been relatively heavy but not obviously spiking or anything right now:
I took a look and there are some unusual ones but they all seem to be behaving. I do see some more contestants who deserve a shot today.
-
@boomzilla said in Moar Cooties:
I do see some more contestants who deserve a shot today.
deny 101.204.0.0/14; deny 101.64.0.0/13; deny 101.72.0.0/14; deny 101.80.0.0/12; deny 106.108.0.0/14; deny 106.112.0.0/13; deny 106.120.0.0/13; deny 106.224.0.0/12; deny 106.32.0.0/12; deny 106.80.0.0/12; deny 111.112.0.0/15; deny 111.121.64.0/19; deny 111.176.0.0/13; deny 111.224.0.0/14; deny 112.0.0.0/13; deny 112.100.0.0/14; deny 113.132.0.0/14; deny 113.0.0.0/13; deny 114.240.0.0/12; deny 115.148.0.0/14; deny 115.202.0.0/16; deny 115.203.0.0/16; deny 115.204.0.0/15; deny 115.208.0.0/18; deny 115.221.0.0/16; deny 115.48.0.0/12; deny 116.8.0.0/14; deny 117.136.0.0/13;
See how that goes for now.
-
Knock on wood. There were 11 watchdog restarts during a 20 minute period about an hour ago and none since.
-
@boomzilla Seems intermittently slow again.
-
@loopback0 I'm getting intermittent disconnects
-
:sigh: Yeah, a bunch of restarts.
-
@cheong For some reason most of the recent visits to my website are from Hong Kong, according to Google Analytics. Nothing looks malicious and it's not enough to DoS it, but they're all super-short sessions of just a couple of seconds.
-
@mott555 said in Moar Cooties:
but they're all super-short sessions of just a couple of seconds.
: What is that site? <looks> Oh, them. <proceeds to ignore>
-
Next round:
deny 117.172.0.0/14; deny 124.112.0.0/15; deny 182.32.0.0/12; deny 182.240.0.0/13; deny 223.96.0.0/12; deny 60.180.0.0/16; deny 61.138.192.0/19; deny 117.60.0.0/14; deny 124.112.0.0/15; deny 175.152.0.0/14; deny 180.96.0.0/11; deny 183.160.0.0/13; deny 220.163.0.0/16; deny 220.164.0.0/15; deny 222.208.0.0/13; deny 222.219.0.0/16; deny 222.220.0.0/15; deny 223.64.0.0/11; deny 223.214.0.0/15; deny 223.240.0.0/13; deny 220.178.0.0/15; deny 220.180.0.0/16;
-
It turns out there are lots of IP addresses in China
deny 60.166.0.0/15; deny 60.168.0.0/13; deny 36.4.0.0/14; deny 27.16.0.0/12; deny 39.128.0.0/10; deny 59.62.0.0/15; deny 60.188.0.0/17; deny 123.178.0.0/15; deny 27.192.0.0/11; deny 42.242.0.0/15; deny 49.64.0.0/11; deny 58.242.0.0/15; deny 117.24.0.0/13;
-
@boomzilla said in Moar Cooties:
Knock on wood. There were 11 watchdog restarts during a 20 minute period about an hour ago and none since.
@boomzilla said in Moar Cooties:
:sigh: Yeah, a bunch of restarts.
You really shouldn't have bought these second-hand servers from @Tsaukpaetra.
-
Getting random disconnects again.
-
@topspin yep.
deny 60.176.0.0/16; deny 60.10.0.0/16; deny 60.187.0.0/17; deny 123.184.0.0/14; deny 122.232.0.0/16; deny 123.184.0.0/14; deny 125.112.0.0/12; deny 182.84.0.0/14; deny 182.96.0.0/12; deny 183.0.0.0/10; deny 221.228.0.0/14; deny 121.56.0.0/15; deny 121.204.0.0/14; deny 122.192.0.0/14; deny 122.236.0.0/16; deny 183.192.0.0/11;
-
They do seem to come in waves.
-
deny 60.0.0.0/13; deny 110.88.0.0/14; deny 110.240.0.0/12; deny 112.40.0.0/13; deny 112.98.0.0/15; deny 115.207.128.0/17; deny 115.210.0.0/16; deny 120.0.0.0/12; deny 120.240.0.0/13; deny 121.224.0.0/12; deny 122.156.0.0/14; deny 182.96.0.0/12; deny 220.173.0.0/16; deny 117.40.0.0/14; deny 119.176.0.0/12; deny 120.32.0.0/13; deny 121.204.0.0/14; deny 171.8.0.0/13; deny 218.62.128.0/17; deny 14.104.0.0/13; deny 60.185.64.0/18; deny 117.32.0.0/13;
-
@boomzilla
Might be time to just give up and deny 0.0.0.0/0
-
@boomzilla said in Moar Cooties:
It turns out there are lots of IP addresses in China
You block 16 bots, what do you get?
Another day older from the Internet
Saint-Peter don't you call me cause I can't go...
I got new bots all over the floor...
-
Just put some "Free Hong Kong" manifestos all over the front page until China blocks your site and you'll get no more unwanted traffic.
-
@anonymous234 said in Moar Cooties:
put some "Free Hong Kong" manifestos all over the front page
well..... you heard Anonymous.... and it was 234 of them that said it so....
it's not like i've got a choice.....
(some of those probably belong in the cute things thread but........)
also, for good measure:
天安门广场大屠杀1989
-
@Vixen while you’re at it, maybe we should mention Best Korea for good measure.
-
@topspin huh. I got a 502 Bad Gateway immediately after that post.
Coincidence.
-
@boomzilla said in Moar Cooties:
It turns out there are lots of IP addresses in China
deny 60.166.0.0/15; deny 60.168.0.0/13; deny 36.4.0.0/14; deny 27.16.0.0/12; deny 39.128.0.0/10; deny 59.62.0.0/15; deny 60.188.0.0/17; deny 123.178.0.0/15; deny 27.192.0.0/11; deny 42.242.0.0/15; deny 49.64.0.0/11; deny 58.242.0.0/15; deny 117.24.0.0/13;
I've set my router to accept RDP connections and deny port scan IPs.
After the blacklist grew to 100+ entries, I switched to using a whitelist instead.
-
@anonymous234 said in Moar Cooties:
Just put some "Free Hong Kong" manifestos all over the front page until China blocks your site and you'll get no more unwanted traffic.
Actually, that "internet army" has to run on an exception IP range list, or they can't reach Yahoo or other sites banned in China.