The Linux Page

Attack by Bots

Since the ZmEu attack, I've been watching my logs a little more closely. I also found a page that I could not read (but Google could, and was kind enough to provide a cached version). That page listed many bots that are not nice bots. So? I decided to block some of them, especially those that use very bad URLs or load many pages too quickly.

The result is that I'm getting more and more IP addresses in my firewall. Although they get removed on a schedule that I will not state here, I can tell you that each time I block tens if not hundreds of useless hits (worse than that, at times those could be viewed as dangerous hits).

Some of the IPs look legitimate, so they are probably coming from a computer that got infected. Others are addresses that are not assigned, and those could be blacklisted.

This list is in no way complete. But all of those I've blocked for one reason or another.


If one of these is your IP address, then you've got a problem or a hacker spoofed your address.

The following is a list of bots that I block:

  • libwww-perl—This is a Perl script, using libwww to handle the HTML, that one can use to access the Internet. Someone serious would change the name to his or her own tool and not use libwww-perl.
  • slitebot.*robot—If I'm correct this robot is expecting to find products on your website and offer them for sale through a bad search engine. I've never seen any one product of mine appearing on their website so I guess it does not work too well. Plus it tends to read many pages very quickly.
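
The two criteria described above (a blocked user-agent pattern, or many pages loaded too quickly) can be checked against an access log as follows. This is an added example, not the script used on this site: the log format (Apache/nginx "combined"), the thresholds `MAX_HITS` and `WINDOW`, the helper names and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# User-agent patterns taken from the bot list above.
BAD_AGENTS = [re.compile(p, re.I) for p in (r"libwww-perl", r"slitebot.*robot")]

# Assumed thresholds (not from the page): more than MAX_HITS requests
# from one address within WINDOW counts as loading pages "too quickly".
MAX_HITS = 5
WINDOW = timedelta(seconds=2)

# Apache/nginx "combined" log format.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

def find_offenders(lines):
    """Return {ip: reason}; lines must be in chronological order."""
    offenders = {}
    recent = defaultdict(deque)  # ip -> timestamps still inside WINDOW
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, agent = m["ip"], m["agent"]
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if any(p.search(agent) for p in BAD_AGENTS):
            offenders.setdefault(ip, "agent")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > WINDOW:
            hits.popleft()  # drop requests older than the window
        if len(hits) > MAX_HITS:
            offenders.setdefault(ip, "rate")
    return offenders

def _line(ip, sec, agent, path="/"):
    return (f'{ip} - - [10/Oct/2011:13:55:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{agent}"')

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE = (
    [_line("192.0.2.10", 1, "libwww-perl/5.805")]
    + [_line("198.51.100.7", 10 + i // 4, "Mozilla/5.0", f"/p{i}") for i in range(8)]
    + [_line("203.0.113.5", s, "Mozilla/5.0") for s in (0, 20, 40)]
)

print(find_offenders(SAMPLE))
```

The returned addresses are what would be handed to the firewall; a user-agent match is trivially evaded by renaming the client, so the rate rule is the one that still catches a renamed script.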