Unusual behavior from SLURP(?). Who owns 66.196.90?

  • quantumcloud
  • Proficient
  • Posts: 456
  • Loc: Dhaka, Bangladesh

Post 3+ Months Ago

Today I just noticed some very unusual bot activity from the IP blocks

66.196.91
and
66.196.90

in our forum at http://www.dna88.com

All of a sudden there were like 300 guests. Naturally I thought these were the bots. So I looked into the whois online from the admin section. And all the bots were generated from the above IP blocks. Which was ok. The disturbing fact was that they all were seemingly trying to log in and post a message. This is how it looks in the phpBB admin:

Quote:
Guest 13 Jan 2005 09:45 pm 13 Jan 2005 09:45 pm Logging on
66.196.90.63

Guest 13 Jan 2005 09:45 pm 13 Jan 2005 09:45 pm Logging on
66.196.90.80

Guest 13 Jan 2005 09:45 pm 13 Jan 2005 09:45 pm Logging on
66.196.90.180

Guest 13 Jan 2005 09:45 pm 13 Jan 2005 09:45 pm Posting a message
66.196.90.61

Guest 13 Jan 2005 09:45 pm 13 Jan 2005 09:45 pm Posting a message
66.196.90.153

Guest 13 Jan 2005 09:45 pm 13 Jan 2005 09:45 pm Logging on
66.196.90.185

Guest 13 Jan 2005 09:45 pm 13 Jan 2005 09:45 pm Logging on
66.196.90.139

Guest 13 Jan 2005 09:45 pm 13 Jan 2005 09:45 pm Posting a message
66.196.91.116

Guest 13 Jan 2005 09:45 pm 13 Jan 2005 09:45 pm Posting a message
66.196.91.103

Guest 13 Jan 2005 09:45 pm 13 Jan 2005 09:45 pm Logging on
66.196.91.87

Guest 13 Jan 2005 09:45 pm 13 Jan 2005 09:45 pm Posting a message
66.196.91.42

Guest 13 Jan 2005 09:45 pm 13 Jan 2005 09:45 pm Logging on
66.196.90.212


........................etc. etc. over 300 hits in a minute.


So I assumed someone was trying to run a brute force password hack. I instantly blocked the two IP ranges with htaccess and did a search in the whois for the IPs. This is what they say:

Quote:
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
inetnum: 0.0.0.0 - 255.255.255.255
netname: IANA-BLK
descr: The whole IPv4 address space
country: EU # Country is really world wide
org: ORG-IANA1-RIPE
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
remarks: The country is really worldwide.
remarks: This address space is assigned at various other places in
remarks: the world and might therefore not be in the RIPE database.
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
mnt-routes: RIPE-NCC-RPSL-MNT
changed: bitbucket@ripe.net 20010529
changed: bitbucket@ripe.net 20020625
changed: hostmaster@ripe.net 20031014
changed: bitbucket@ripe.net 20040422
changed: bitbucket@ripe.net 20040504
source: RIPE
organisation: ORG-IANA1-RIPE
org-name: Internet Assigned Numbers Authority
org-type: IANA
address: see http://www.iana.org
remarks: The IANA allocates IP addresses and AS number blocks to RIRs
remarks: see http://www.iana.org/ipaddress/ip-addresses.htm
remarks: and http://www.iana.org/assignments/as-numbers
e-mail: bitbucket@ripe.net
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
changed: bitbucket@ripe.net 20040417
source: RIPE
role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
e-mail: bitbucket@ripe.net
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
changed: bitbucket@ripe.net 20010411
source: RIPE


Which is not very helpful.

A Google search reveals that the IP range is associated with SLURP (Yahoo bot) in other web sites' logs. Well, if it was the Yahoo bot then it was certainly behaving mighty strangely!!!

So can anyone shed any light on who really owns these IP ranges? And what could be the cause of such strange behavior?
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

It's Inktomi Slurp which Yahoo uses for their search results.

The activity is normal (and I've noticed the same significant amount from Inktomi). What you have to remember is that the bots follow links. So it will follow links to login, posting, viewing private messages, etc., but obviously won't be able to do anything there.

In truth you should be pretty happy about the activity.

The one that really went wild on me was AskJeeves. I had over 6000 hits from them yesterday, which is great because the last cached copy they have for me was from my old location. I don't think they had even indexed the new one yet because the last cached copy they have for me was from back in August. To me it's a warm fuzzy feeling to see the activity.
  • quantumcloud
  • Proficient
  • Posts: 456
  • Loc: Dhaka, Bangladesh

Post 3+ Months Ago

Thanks ATNO. But one would expect Slurp to hit some other links besides login.php! But it was just one page hit time and again by hundreds of bots for a stretch of 10 minutes or more! It sure looked like a brute force attack. IP addresses can be spoofed.

Any other opinions?
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Well, think about it logically. A bot is not logged in. Therefore, every page it spiders on your board is going to include a link to the login page. Guess what? The bot doesn't know any better, so it simply follows the link. At least that's what I have determined so far. I could be wrong, but I don't think so. Believe me, it concerned me at first, but I've watched it happen at OZZU. You have no idea what the admin page looks like here when there are over 1000 visitors at any given moment. *lol You should have seen it the day we hit our record 2101. I kept scrolling and scrolling, and I don't remember if I ever did get to the bottom of the page or not!
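
An added example, not part of the thread or of phpBB: the session list quoted in the first post shows which page a guest requested but not the HTTP method, so one way to tell link following from form submission is to count GETs and POSTs to those pages in the web server access log, grouped by /24 block. The Apache combined log format, the sample lines and the 203.0.113.7 client are assumptions constructed for illustration; only the 66.196.x addresses come from the thread.

```python
import re
from collections import Counter, defaultdict

# Assumed Apache "combined" format: ip - user [time] "METHOD path proto" status ...
LINE = re.compile(
    r'(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
FORM_PAGES = ("/login.php", "/posting.php")  # pages behind "Logging on" / "Posting a message"

def summarise(lines):
    """Group requests for the login/posting pages by /24 block and HTTP method."""
    blocks = defaultdict(lambda: {"ips": set(), "methods": Counter()})
    for line in lines:
        m = LINE.match(line)
        if not m or not m["path"].split("?", 1)[0].endswith(FORM_PAGES):
            continue  # unparsable line, or a page we are not interested in
        block = blocks[m["ip"].rsplit(".", 1)[0]]
        block["ips"].add(m["ip"])
        block["methods"][m["method"]] += 1
    return blocks

def verdict(block):
    """A crawler following links only issues GETs; a POST means a form was submitted."""
    return "form submissions" if block["methods"]["POST"] else "link following only"

# Constructed sample lines (not from the poster's server).
TS, UA = "[13/Jan/2005:21:45:01 +0600]", '"-" "constructed-agent"'
SAMPLE = [
    f'66.196.90.63 - - {TS} "GET /login.php?redirect=posting.php HTTP/1.0" 200 5120 {UA}',
    f'66.196.90.80 - - {TS} "GET /login.php HTTP/1.0" 200 5120 {UA}',
    f'66.196.90.61 - - {TS} "GET /posting.php?mode=reply&t=42 HTTP/1.0" 200 4800 {UA}',
    f'66.196.90.63 - - {TS} "GET /viewtopic.php?t=42 HTTP/1.0" 200 9000 {UA}',
    f'66.196.91.116 - - {TS} "GET /posting.php?mode=newtopic&f=3 HTTP/1.0" 200 4800 {UA}',
    f'66.196.91.87 - - {TS} "GET /login.php HTTP/1.0" 200 5120 {UA}',
    # Contrast: one client repeatedly submitting the login form.
    f'203.0.113.7 - - {TS} "POST /login.php HTTP/1.1" 200 5300 {UA}',
    f'203.0.113.7 - - {TS} "POST /login.php HTTP/1.1" 200 5300 {UA}',
    f'203.0.113.7 - - {TS} "POST /login.php HTTP/1.1" 200 5300 {UA}',
]

if __name__ == "__main__":
    for prefix, block in sorted(summarise(SAMPLE).items()):
        print(prefix, len(block["ips"]), "IPs", dict(block["methods"]), "->", verdict(block))
```

Many distinct addresses each making a few GETs matches the crawler explanation; repeated POSTs to login.php from any source are what a password-guessing run would leave in the log.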
  • quantumcloud
  • Proficient
  • Posts: 456
  • Loc: Dhaka, Bangladesh

Post 3+ Months Ago

Thanks ATNO. I think you might be right. :)
  • bbott1982
  • Proficient
  • Posts: 320
  • Loc: NJ, USA

Post 3+ Months Ago

Inktomi is bombing our site and forum today as well. We have about 80 bots on our site at the moment :shock:

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.