spam

How Constant are Hacking Attempts?

November 27, 2012 lucia 43 Comments

From time to time, valued visitors are banned. This happens most frequently when I am adding new “rules”. Unfortunately, sometimes the rules — especially new rules– hammer people. Those people are often at universities and research institutions. They are naturally puzzled to a rule might cover their institute. It may seem odd, but IPs at universities and research agencies often do look suspicious. I suspect the reason for this is related to the fairly transient population of students, graduate students some of whom might decide to get involved in a little “private enterprise”. Also, from point of view of security– universities often have a rather open and free-wheeling nature valuing novelty and research. But it is fairly apparent that “research” bots sometimes behave rather badly during the development stage. Bad bot behavior can be due to bugs, incomplete implementation of the design or — quite likely — an oblivious designer who doesn’t think through how their nifty new agent might affect operation of a site it hits. (Note that the oblivious designer might be an undergraduate assigned the task of writing a scraper for their course on “intro to scraping”; their priority is generally “get the assignment done in time to turn in”.)

Anyway, over the past two weeks three or so people wrote to tell me they got banned. Needless to say: I was adding new rules and some were “less than perfect”. I you all for your patience and especially thank those who write telling me the script made a mistake.

But enough of the chit-chat. Today, I want to show you just how bad it really is.
After the “more” tag, I have pasted a list of the IPs banned for connections that appear highly likely to be actual hacking. This list is limited to 15 days worth of attempts that were diagnosed as “hack” or “penetration testing” attempts. This is actually a small fraction of the bans— some bans are just “snoop”, “scrape”, or “spam” attempts. The following list is limited to connections whose “reason” for banning includes the word “hack”. (Note the “reason” is trimmed to a finite length. Some of these things violate numerous rules so the word “hack” might not appear in the reason displayed.)

380 Connections with ‘hack’ appearing in the ‘reason’ for banning between 11/12/2012 and 11/27/2012.
Note: User agents can be faked. Limited to most recent 400.
IP HOST	Reason Banned (Opinion) UA string
96.49.110.211 (1 times)	Opinion (Suspected): ; Visit to login from [CA]. Possible hack. You must accept cookies to log in. \|\| ( ax=0) [CA] ; ( 0 ) Mozilla/ 5.0 (Windows NT 6.1; rv:6.0) Gecko/ 20110814 Firefox/ 6.0
96.239.234.72 (1 times) pool9623923472.nwrknj.east.verizon.net	Opinion (Suspected): ; Programming language, utillity or weird extension. INSTA-BAN. You have been instantly banned! \|-\| (1: php ) ; xmlrpc.php . Hack. INSTA-BAN. Custom: ax=0 dif=[1353378905] \|\| ( ax=0) [US] ; ( 0 ) PHP /5.2.10
95.81.248.41 (3 times) 041.248.81.95.chtts.ru	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
95.79.114.206 (3 times) dynamicip9579114206.pppoe.nn.ertelecom.ru	Opinion (Suspected): Suspected hacktool (UA-0142). Bothost and /or Server Farm (HN-086). Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
95.67.106.110 (1 times) triel.cosmonova.net.ua	Opinion (Suspected): Suspected hacktool (UA-0142). RBN. Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
95.211.9.144 (230 times) hostedby.leaseweb.com	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) check host SEO, referrer -, marketing bots, scraper, or dedicated /mystery hosts. INSTA-BAN. You have been instantly banned! \|-\| (2: leaseweb ) SEO, reputation management, mystery, servers , site monitoring, sniffers, scrape Mozilla/ 4.0 .compatible; MSIE 6.0; Windows NT 5.1)
95.141.35.196 (1 times) server1.touchweb.it	Opinion (Suspected): ; Suspected hack attempt INSTA-BAN. You have been instantly banned! \|-\| (1: / /wp- ) uploadify hack . INSTA-BAN. (2: /upload.php ) TimThumb hack. INSTA-BAN. (3: /thumb.php ) INSTA-BAN. (404) Fingerprint, scrape or hack behavior. (4: wp-content /plugin ) INSTA-BAN. Custo Mozilla /5.0 (Windows NT 5.1; rv:11.0) Gecko /20100101 Firefox /11.0
94.75.210.15 (3 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
94.72.156.21 (3 times)	Opinion (Suspected): Hacker Link Probe. Bot UA. Xenu Link Sleuth /1.3.8
94.50.141.111 (3 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
94.41.140.15 (3 times) host944114015.unknown.o56.ru	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
94.24.236.204 (1 times) pool94.24.236204.is74.ru	Opinion (Suspected): Proxy provider for -s (HN-080). Mozilla /5.0 (Windows NT 6.1; rv:16.0) Gecko /20100101 Firefox /16.0
94.24.137.116 (1 times) pool94.24.137116.is74.ru	Opinion (Suspected): Proxy provider for -s (HN-080). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /537.11 (KHTML, like Gecko) Chrome /23.0.1271.64 Safari /537.11
94.24.130.94 (1 times) pool94.24.13094.is74.ru	Opinion (Suspected): Proxy provider for -s (HN-080). Mozilla /4.0 .compatible; MSIE 8.0; Windows NT 6.1; Trident /4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
94.23.2.140 (1 times) ns365111.ovh.net	Opinion (Suspected): Cloud Services. Not an ISP. Allows IP hopping. INSTA-BAN (CLD-210). Hack attempt, INSTA-BAN (IB-015). Mozilla /5.0 (X11;U;Linux i686 (x86_64);en-US;rv:1.9.0.16) Gecko /2009122206 Firefox /3.0.16 Flock /2.5.6
93.91.49.18 (1 times) snat18cb.inet4.cz	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /www.jeuxdevoiture.fr /">jeux.de action< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
92.53.123.96 (1 times) curiosity.timeweb.ru	Opinion (Suspected): login hack attempt (QU-094). Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
92.113.76.49 (2 times) 497611392.pool.ukrtel.net	Opinion (Suspected): Suspected hacktool (UA-0142). ukrtel, — -bots (HN-007). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
9123674116 (1 times)	Opinion (Suspected): http url injection (UAB-006)– Anchor hack (UAB-026)– Anchor hack (UAB-027)– HTTP_REFERER pollution of serverlogs with – ads ad word cigar, we don't link from there (REFSPAM-038)– Heavy hit– INSTA-BAN– Opera /9–80 <a href="http: / /301electroniccigarettes3-.com /">disposable electronic cigarettes< /a> (Windows NT 5–1; U; en) Presto /2–10–229 Version /11–60
91.236.74.251 (1 times)	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) \|\| ( ax=0) [PL] ( 404=1 ) ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /536.5 (KHTML, like Gecko) Chrome /19.0.1084.56 Safari /536.5
91.224.160.25 (1 times) hostedby.bergdorfgroup.com	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) SEO, reputation management, mystery, servers , site monitoring, sniffers, scrapers etc. INSTA-BAN. You have been instantly banned! \|-\| (2: hosted- ) Custom: ax=0 dif=[1353452684] \|\| ( ax=0) [NL] \| 1 X_Forward= [91.224.160.25 ] C Mozilla/ 5.0 .compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/ 5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)
91.218.245.155 (2 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
91.217.90.82 (1 times)	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) check address Custom: ax=0 dif=[4] \|\| ( ax=0) [UA] ( 404=1 ) Custom address [91.217.90.82] ; ( 0 ) Mozilla /5.0 (Windows NT 5.1; rv:11.0) Gecko /20100101 Firefox /11.0
91.189.219.107 (1 times) ip91.189.219.107.skyware.pl	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Opera /9.80 <a href="http: / /theghostsofohio.org /page /1">theghostsofohio.org< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
91.124.71.145 (1 times) 1457112491.pool.ukrtel.net	Opinion (Suspected): ukrtel, forum -bots. INSTA-BAN. You have been instantly banned! \|-\| ; (404) Fingerprint, scrape or hack behavior. (2: .php ) Custom: ax=1 dif=[1353417936] \|\| ( ax=1) [UA] ( 404=1 ) ; ( 0 ) Mozilla/ 4.0 .compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
89.31.74.118 (1 times)	Opinion (Suspected): ; Suspected hack attempt INSTA-BAN. You have been instantly banned! \|-\| (1: / /wp- ) Visit to login from [IT]. Possible hack. You must accept cookies to log in. Custom: ax=0 dif=[1353544895] \|\| ( ax=0) [IT] \| 1 X_Forward= [89.31.74.118 ] ; ( 0 ) Mozilla /5.0 (X11; U; Linux i686; pt-BR; rv:1.9.0.15) Gecko /2009102815 Ubuntu /9.04 (jaunty) Firefox /3.0.15
89.222.254.123 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Opera /9.80 <a href="http: / /moneyalerts.Co.uk /deals /category /deals-in-newcastle /">blockbuster voucher codes< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
88.83.34.146 (1 times) 888334146.customer.t3.se	Opinion (Suspected): Global stream hack (QU-134). Mozilla /5.0 (X11; Linux i686; rv:16.0) Gecko /20100101 Firefox /16.0 Iceweasel /16.0.2
87.207.108.52 (3 times) 8720710852.dynamic.chello.pl	Opinion (Suspected): Problematic ISP /Host, source of suspect connections. Initial ax= 1 Subtracted 1 for Poles but don't let it fall below 0. Can still be banned for something else. Initial ax= 0 Subtracted 1 for Poles but don't let it fall below 0. Can still be banned for something else. ; Suspected hacktool (UA-1 Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YE
87.106.143.55 (1 times) s16335749.onlinehomeserver.info	Opinion (Suspected): RFI (http). (a)Bothost and /or Server Farm. INSTA-BAN. serve: HTTP Server Detection, usually infected. INSTA-BANNED. You have been instantly banned! \|-\|-\| ; Suspected hack attempt INSTA-BAN. ] \|-\| (3: / /wp- ) INSTA-BAN. uploadify hack . INSTA-BAN. (4: /upload.php ) INSTA-BA Mozilla /5.0 .compatible;Baiduspider /2.0;+http: / /www.baidu.com /search /spider.html)
86.105.32.15 (6 times) speedtest.datanet.ro	Opinion (Suspected): login hack attempt (QU-094). Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
85.53.132.231 (2 times) 231.pool8553132.dynamic.orange.es	Opinion (Suspected): Hacker Link Probe. Bot UA. Xenu Link Sleuth /1.3.8
85.25.243.170 (3 times) puck234.startdedicated.com	Opinion (Suspected): login hack attempt (QU-094). Scraper host (HN-119). Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
84.123.63.104 (2 times) 84.123.63.104.dyn.user.ono.com	Opinion (Suspected): Hacker Link Probe. Bothost and /or Server FarmBot UA. Xenu Link Sleuth /1.3.8
84.109.73.220 (1 times) bzq8410973220.red.bezeqint.net	Opinion (Suspected): http url injection (UAB-006). Extended Ascii Not Allowed in User-Agent Hack (UAB-011). Extended Ascii Not Allowed in User-Agent Hack (UAB-012). Extended Ascii Not Allowed in User-Agent Hack (UAB-015). Anchor hack (UAB-026). Anchor hack (UAB-027). Bothost and /or Server Farm (HN-072). Heavy hit. INSTA Mozilla /4.0 <a href="http: / /www.mystics.co.il /categories /286-%D7%A1%D7%A8%D7%98%D7%99%D7%9D_%D7%A1%D7%A7%D7%A1">Screwing sexual category equipped with bisexual whore key dicks.company bottoms< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
83.21.213.98 (3 times) elt98.neoplus.adsl.tpnet.pl	Opinion (Suspected): Network turned clean, turned dirty again. Initial ax= 1 Subtracted 1 for Poles but don't let it fall below 0. Can still be banned for something else. Initial ax= 0 Subtracted 1 for Poles but don't let it fall below 0. Can still be banned for something else. ; Suspected hacktool (UA-142). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
82.251.45.213 (2 times) lnsbzn368225145213.adsl.proxad.net	Opinion (Suspected): Hacker Link Probe. Bot UA. Xenu Link Sleuth /1.3.8
81.94.201.186 (2 times) 1862019481.rackcentre.redstation.net.uk	Opinion (Suspected): ; Visit to login from [GB]. Possible hack. You must accept cookies to log in. \|\| ( ax=0) [GB] ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; rv:12.0) Gecko /20100101 Firefox /12.0
81.210.239.90 (2 times) ip8121023990.unitymediagroup.de	Opinion (Suspected): Hacker Link Probe. Bot UA. Xenu Link Sleuth /1.3.8
81.201.61.138 (1 times) skolkabosen.mh2net.cz	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /yemekoyunu.com /restoran /">oyunlarÄ±< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
81.180.86.106 (1 times) exatom2.nipne.ro	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /Sickseo.Co.uk /se.ukexcr.html">sickseo.co.uk< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
81.169.152.192 (1 times) h2081307.stratoserver.net	Opinion (Suspected): 503 INSTA-BAN. You have been instantly banned! \|-\| ; Suspected hack attempt INSTA-BAN. (2: sr http ) (Googlebot spoof. 81.169.152.192 INSTA-BAN. ); possible Googlebot Spoof? (or someone is feeding google bad links!) ; Heavy hit. INSTA-BAN. Custom: ax=0 dif=[1353442503] \|\| ( a Mozilla/ 5.0 .compatible; Googlebot/ 2.1; +http:/ / www.google.com/ bot.html)
80.81.149.26 (3 times) ppp0326.cyberia.net.lb	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
79.78.253.14 (3 times) 797825314.dynamic.dsl.as9105.com	Opinion (Suspected): ; Visit to login from [GB]. Possible hack. \|:\| Begin custom: ax=0 \|\| ( ax=0) [GB] \| 1 X_Forward= [79.78.253.14 ] Check Cookies ; ( 0 ) Mozilla /5.0 .compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident /5.0)
79.142.65.54 (1 times) hostedby.altushost.com	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Bothost and /or Server Farm (HN-057). Heavy hit. INSTA-BAN. Mozilla /5.0 <a href="http: / /www.telefoonboek.nl /zoeken /tandartsen /apeldoorn /">tandarts groningen< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
78.85.93.167 (2 times) a167.sub93.net78.udm.net	Opinion (Suspected): Bad UA. a167.sub93.net78.udm.net is not a valid googlebot domain. See: http: / /googlewebmastercentral.–spot.com /2006 /09 /how-to-verify-googlebot.html (UA-139). php program file upload not allowed (FILE-0001). Hack Detection (FILE-0009). php command in file (FILE-0034). Mozilla /5.0 .compatible; Googlebot /2.1; +http: / /www.google.com /bot.html)
78.46.239.173 (1 times) static.173.239.46.78.clients.yourserver.de	Opinion (Suspected): ; Anonymizing, proxy or just odd host. INSTA-BAN. serve: HTTP Server Detection, usually infected. INSTA-BANNED. You have been instantly banned! \|-\| (1: your-server. ) Suspected hack attempt INSTA-BAN. (2: / /wp- ) Vulnerable plugin or PHP probing Hack. INSTA-BAN. (3: sr ) IN Mozilla /5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.8pre) Gecko /20070928 Firefox /2.0.0.7 Navigator /9.0RC1
78.158.165.74 (1 times) 7815816574.aryasat.ir	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /sickseo.Co.uk /">inte.net marketing< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
78.111.120.190 (1 times) u120190.static.grapesc.cz	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /sickseo.co.uk /seo-tools.html">seo Online tools< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
77.46.215.126 : Proxy reputation? (1 times) 7746215126.static.isp.telekom.rs	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) \|\| ( ax=0) [RS] ; FORWARDED_FOR=[192.168.124.50,77.46.215.126] ( 404=1 ) ; ( 0 ) Mozilla/ 5.0 (Windows NT 6.1; WOW64) AppleWebKit/ 537.11 (KHTML, like Gecko) Chrome/ 23.0.1271.64 Safari/ 537.11
72.47.210.217 (2 times) bigmethod.com	Opinion (Suspected): login hack attempt (QU-094). Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko /20101026 Firefox /3.6.12
72.233.77.178 (1 times) 178.77.233.72.static.reverse.ltdomains.com	Opinion (Suspected): Cloud Services. Not an ISP. INSTA-BAN. You have been instantly banned! \|-\| ; Suspected hack attempt INSTA-BAN. (2: / /wp- ) Vulnerable plugin or PHP probing Hack. INSTA-BAN. (3: sr ) INSTA-BAN. ; Probably timthumb. Hack. INSTA-BAN. query sr ; Heavy hit. INSTA-BAN. \|\| ( ax= Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
71.91.40.38 (1 times) 71914038.dhcp.leds.al.charter.com	Opinion (Suspected): ; Trying to login, publish, sniff for authors or similar; hack INSTA-BAN. You have been instantly banned! \|-\| (1: /register / ) \|:\| Begin custom: ax=0 \|\| ( ax=0) [US] \| 1 X_Forward= [71.91.40.38 ] ( 404=1 ) ; ( 0 ) Mozilla/ 5.0 (Windows NT 5.1; rv:8.0) Gecko/ 20100101 Firefox/ 8.0
69.73.164.95 (3 times) vps.mexhost.net	Opinion (Suspected): login hack attempt (QU-094). Mozilla /5.0 .compatible; MSIE 9.0; Windows NT 6.0; Trident /5.0; yie9)
69.72.216.107 (1 times)	Opinion (Suspected): ; Trying to login, publish, sniff for authors or similar; hack INSTA-BAN. You have been instantly banned! \|-\| (1: /register / ) \|:\| Begin custom: ax=0 dif=[1353765276] , useragent match=[no_ua_cookie ] ip match=[no_ip_cookie ] \|\| ( ax=0) [US] \| 1 X_Forward= [69.72.216.107 ] ( 404=1 ) Mozilla/ 5.0 (Windows NT 5.1; rv:8.0) Gecko/ 20100101 Firefox/ 8.0
69.65.48.123 (2 times) ip69.65.48.123.servernap.net	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Opera /9.80 <a href="http: / /proimblogger.com /wicked-article-creator-review /">wicked article creator< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
68.98.109.218 (2 times) ip6898109218.ph.ph.cox.net	Opinion (Suspected): Hacker Link Probe. Bot UA. Xenu Link Sleuth /1.3.8
68.68.107.208 (1 times)	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) check host check address : dif=[3] \|\| ( ax=0) [US] ( 404=1 ) ; ( 0 ) Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit /532.0 (KHTML, like Gecko) Chrome /3.0.195.38 Safari /532.0
68.224.244.40 (2 times) ip6822424440.lv.lv.cox.net	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /Lasvegaswebdesigners.Wordpress.com /">best web design software< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
68.168.211.143 (1 times)	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) \|\| ( ax=0) [US] ( 404=1 ) ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; rv:9.0) Gecko /20100101 Firefox /9.0
67.78.72.111 (1 times) rrcs677872111.sw.biz.rr.com	Opinion (Suspected): 503 INSTA-BAN. You have been instantly banned! \|-\| ; Suspected hack attempt INSTA-BAN. (2: sr http ) Custom: ax=0 dif=[1353415527] \|\| ( ax=1) ( Caution: php sniff? — bypass /plugins / ); [US] ; ( 0 ) Mozilla/ 5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/ 20100115 Firefox/ 3.6
67.208.247.130 (1 times) email.charlottenet.org	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /www.jeuxdevoiture.fr /">voiture 2012< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
66.96.218.117 (2 times) tdneptune.fastdnshost.com	Opinion (Suspected): login hack attempt (QU-094). Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
66.96.201.139 (3 times) 6696201139.static.hostnoc.net	Opinion (Suspected): No access allowed from hosts listed on http: / /www.stop—.com / (local block). Suspected -tool mail.ru agent (UA-0135). hostnoc.net, Suspicious network, SQL hacks (HN-109). Mozilla /4.0 .compatible; MSIE 8.0; Windows NT 5.1; Trident /4.0; MRA 5.10 (build 5310); .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
66.249.74.158 (1 times) crawl6624974158.googlebot.com	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) \|\| ( ax=0) [US] ( 404=1 ) ; ( 0 ) Mozilla/ 5.0 .compatible; Googlebot/ 2.1; +http:/ / www.google.com/ bot.html)
64.90.55.229 (1 times) sabik.dreamhost.com	Opinion (Suspected): Injection (Unprintable ASCII escaping) (QU-004). Null truncation attempt (QU-090). Prevalent hack to an unknown script (QU-239). Bot Detection, INSTA-BAN (IB-004). Directory traversal attackHeavy hit. INSTA-BAN. Mozilla /5.0 (Windows NT 5.1; rv:11.0) Gecko /20100101 Firefox /11.0
64.31.37.227 (4 times) 227373164.static.reverse.lstn.net	Opinion (Suspected): login hack attempt (QU-094). Limestone Networks ASN46475 (ASN-LSN-02). Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
64.22.65.3 (1 times)	Opinion (Suspected): 503 INSTA-BAN. You have been instantly banned! \|-\| ; Suspected hack attempt INSTA-BAN. (2: sr http ) \|\| ( ax=1) ( Caution: php sniff? — bypass /plugins / ); [US] ; ( 0 ) Mozilla/ 5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/ 20100115 Firefox/ 3.6
63.245.25.82 (1 times) 82.25.245.63.alfanumeric.com.ni	Opinion (Suspected): ; Do not exist at my site. INSTA-BAN. You have been instantly banned! \|-\| (1: /forum / ) ; bad cookie:(whosonlineid,); INSTA-BAN. (404) Fingerprint, scrape or hack behavior. (3: .php ) INSTA-BAN. \|\| ( ax=0) [NI] left over cookies:(0, names=[] ) ( 404=1 ) ; ( 0 ) Mozilla/ 5.0 (Windows NT 6.1; WOW64) AppleWebKit/ 536.5 (KHTML, like Gecko) Chrome/ 19.0.1084.56 Safari/ 536.5
62.75.181.210 (1 times) pro1132.startdedicated.com	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) check host check address : dif=[1] \|\| ( ax=0) [DE] ( 404=1 ) ; ( 0 ) Mozilla /5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.27) Gecko /20120216 Firefox /3.6.27
62.149.165.246 (2 times) host24616514962.serverdedicati.aruba.it	Opinion (Suspected): login hack attempt (QU-094). Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
58.68.148.103 (1 times)	Opinion (Suspected): ; Do not exist at my site. INSTA-BAN. You have been instantly banned! \|-\| (1: /forum / ) (404) Fingerprint, scrape or hack behavior. (2: .php ) \|\| ( ax=0) [CN] ( 404=1 ) ; ( 0 ) Mozilla/ 5.0 (Windows NT 5.1; rv:10.0.3) Gecko/ 20100101 Firefox/ 10.0.3
58.63.224.75 (2 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
58.249.8.206 (1 times)	Opinion (Suspected): ; Suspected hacktool (UA-142). Suspected hacktool (UA-142). \|\| ( ax=0) [CN] ; ( 0 ) Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
58.248.115.240 (2 times)	Opinion (Suspected): ; Suspected hacktool (UA-142). \|\| ( ax=0) [CN] ; ( 0 ) Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.164 Safari /535.19 YE
58.248.112.162 (2 times)	Opinion (Suspected): ; Suspected hacktool (UA-142). Suspected hacktool (UA-142). \|\| ( ax=0) [CN] ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
54.247.158.237 (2 times) ec254247158237.euwest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko /20100101 Firefox /16.0
54.246.97.168 (2 times) ec25424697168.euwest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko /20100101 Firefox /13.0
54.243.136.80 (1 times) ec25424313680.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -POST unescaped ( POST-010. POST unescaped ) POST-011. POST unescaped ' POST-013. POST unescaped ; POST-014. POST EX POST-015. POST CLOAK POST-016. POST RFI POST-028. P Mozilla /4.61 [en] (OS /2; U)
54.242.64.194 (1 times) ec25424264194.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; Subscription crawler service or crawler user agent. INSTA-BAN. You have been instantly banned! \|-\| (2: proximic ) Programming language, utillity Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
54.242.64.193 (1 times) ec25424264193.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; Subscription crawler service or crawler user agent. INSTA-BAN. You have been instantly banned! \|-\| (2: proximic ) Programming language, utillity Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
54.242.57.65 (1 times) ec2542425765.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
54.242.57.236 (1 times) ec25424257236.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit /534.30 (KHTML, like Gecko) Chrome /12.0.742.91 Safari /534.30
54.242.54.194 (1 times) ec25424254194.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; Scraper user agent. INSTA-BAN. You have been instantly banned! \|-\| (2: seo ) Subscription crawler service or crawler user agent. INSTA-BAN. (3: se rogerbot/ 1.0 (http:/ / www.seomoz.org/ dp/ rogerbot, rogerbot-crawler@seomoz.org)
54.242.53.215 (1 times) ec25424253215.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
54.242.53.197 (5 times) ec25424253197.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit /534.30 (KHTML, like Gecko) Chrome /12.0.742.91 Safari /534.30
54.242.50.8 (1 times) ec254242508.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
54.242.29.98 (1 times) ec2542422998.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
54.242.247.250 (1 times) ec254242247250.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; Subscription crawler service or crawler user agent. INSTA-BAN. You have been instantly banned! \|-\| (2: proximic ) Programming language, utillity or we Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
54.242.235.73 (1 times) ec25424223573.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
54.242.225.250 (1 times) ec254242225250.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
54.242.214.1 (1 times) ec2542422141.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
54.242.186.121 (1 times) ec254242186121.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
54.242.175.18 (1 times) ec25424217518.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
54.242.169.33 (1 times) ec25424216933.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 4.0 .compatible; MSIE 8.0; Windows NT 6.0)
54.242.166.8 (2 times) ec2542421668.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
54.242.166.229 (1 times) ec254242166229.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
54.242.163.38 (2 times) ec25424216338.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
54.242.161.27 (1 times) ec25424216127.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; Subscription crawler service or crawler user agent. INSTA-BAN. You have been instantly banned! \|-\| (2: proximic ) Programming language, utillity or we Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
54.242.160.184 (3 times) ec254242160184.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
54.242.153.23 (1 times) ec25424215323.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
54.242.153.210 (1 times) ec254242153210.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
54.242.127.28 (2 times) ec25424212728.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
54.242.114.109 (1 times) ec254242114109.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
54.242.108.56 (2 times) ec25424210856.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
50.31.9.127 (1 times) ip127.50319.static.steadfastdns.net	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /www.rejoy.se /wii /wii-tillbehor /supernintendo-snes-adapter-for-wii">rejoy.se< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
50.31.29.243 (1 times) ip243.503129.static.steadfastdns.net	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /Mybrandseo.com /">seo sem< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
50.31.29.220 (1 times) ip220.503129.static.steadfastdns.net	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Opera /9.80 <a href="http: / /spmcdata.org /–?title=Great-Search-Engine-Optimization-Tips-That-Are-Simple-To-Follow">seo reseller services< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
50.31.29.172 (2 times) ip172.503129.static.steadfastdns.net	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /kidneydiseasedietplan.com /stage-3-kidney-disease /">Kidneydiseasedietplan.com< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
50.31.107.122 (1 times) ip122.5031107.static.steadfastdns.net	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /www.squidoo.com /getting-the-most-out-of-your-new-ipad">best buy ipad< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
50.19.30.169 (1 times) ec2501930169.compute1.amazonaws.com	Opinion (Suspected): Rogue Site Crawler (SPD-038). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Nutch /Nutch-2.0 (Nutch Crawler)
50.19.156.117 (2 times) ec25019156117.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
50.19.129.229 (1 times) ec25019129229.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
50.19.127.124 (1 times) ec25019127124.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (iPhone; CPU iPhone OS 6_0_1 like Mac OS X) AppleWebKit /536.26 (KHTML, like Gecko) Version /6.0 Mobile /10A523 Safari /8536.25
50.18.8.47 (1 times) ec25018847.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – JS-Kit URL Resolver, http: / /js-kit.com /
50.18.78.156 (1 times) ec2501878156.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – JS-Kit URL Resolver, http: / /js-kit.com /
50.18.65.230 (1 times) ec2501865230.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /4.0 .compatible; MSIE 8.0; Windows NT 6.0; Trident /4.0; Mozilla /4.0 .compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 3.5.30729)
50.18.57.103 (1 times) ec2501857103.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – newsme /1.0; feedback@news.me
50.18.41.131 (1 times) ec2501841131.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /4.0 .compatible; MSIE 6.0; Windows NT 5.1; SV1)
50.18.244.134 (2 times) ec25018244134.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko /20100101 Firefox /15.0.1
50.18.238.120 (1 times) ec25018238120.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – JS-Kit URL Resolver, http: / /js-kit.com /
50.18.237.185 (1 times) ec25018237185.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – JS-Kit URL Resolver, http:/ / js-kit.com/
50.18.236.168 (1 times) ec25018236168.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; INSTA-BAN. You have been instantly banned! \|-\| Link hunting ua INSTA-BAN. (2: link ) Unwanted bot, search, crawler. INSTA-BAN. (3: bot ) SkimBot /1.0 (www.skimlinks.com <dev@skimlinks.com>)
50.18.233.136 (1 times) ec25018233136.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – JS-Kit URL Resolver, http: / /js-kit.com /
50.18.150.207 (1 times) ec25018150207.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – JS-Kit URL Resolver, http: / /js-kit.com /
50.18.144.44 (2 times) ec2501814444.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko /20100101 Firefox /15.0.1
50.18.103.42 (3 times) ec2501810342.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko /20100101 Firefox /15.0.1
50.17.74.34 (2 times) ec250177434.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-01. Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
50.17.69.56 (1 times) ec250176956.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-01. bitlybot
50.17.65.178 (1 times) ec2501765178.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-01. Mozilla /5.0 (X11; U; Linux x86_64; en-US) AppleWebKit /534.3 (KHTML, like Gecko) Ubuntu /10.04 Chromium /6.0.472.53 Chrome /6.0.472.53 Safari /534.3
50.17.244.179 (1 times) ec25017244179.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-01. Mozilla /4.0 .compatible; MSIE 6.0; Windows NT 5.1; SV1)
50.17.154.102 (2 times) ec25017154102.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-01. Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
50.17.153.58 (1 times) ec2501715358.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; Subscription crawler service or crawler user agent. INSTA-BAN. You have been instantly banned! \|-\| (2: proximic ) Programming language, utillity or we Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
50.17.134.92 (1 times) ec2501713492.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; Subscription crawler service or crawler user agent. INSTA-BAN. You have been instantly banned! \|-\| (2: proximic ) Programming language, utillity Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
50.17.132.15 (7 times) ec2501713215.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-209). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) AppleWebKit /534.16 (KHTML, like Gecko) Chrome /10.0.648.204 Safari /534.16
50.17.130.67 (1 times) ec2501713067.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-01. Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
50.17.110.148 (1 times) ec25017110148.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-01. Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
50.16.51.20 (3 times) ec250165120.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-209). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-01. MetaURI API /2.0 +metauri.com
50.16.46.195 (2 times) ec2501646195.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-01. Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
50.16.44.80 (1 times) ec250164480.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-01. Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
50.16.181.229 (1 times) ec25016181229.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-01. Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
50.117.78.139 (1 times)	Opinion (Suspected): ; Trying to login, publish, sniff for authors or similar; hack INSTA-BAN. You have been instantly banned! \|-\| (1: /register / ) \|\| ( ax=0) [US] ( 404=1 ) ; ( 0 ) Mozilla/ 5.0 (Windows NT 5.1; rv:8.0) Gecko/ 20100101 Firefox/ 8.0
50.112.81.49 (1 times) ec2501128149.uswest2.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Windows NT 6.1; rv:7.0.1) Gecko /20100101 Firefox /7.0.1
50.112.20.16 (4 times) ec2501122016.uswest2.compute.amazonaws.com	Opinion (Suspected): Robot Probe (modsecurity.org) (UA-0002). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – curl /7.22.0 (x86_64-pc-linux-gnu) libcurl /7.22.0 OpenSSL /1.0.1 zlib /1.2.3.4 libidn /1.23 librtmp /2.3
50.112.107.16 (14 times) ec25011210716.uswest2.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko /20100101 Firefox /15.0.1
5.8.242.10 (2 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /cincinnatigalloway.com /profile.php?mode=viewprofile&u=414&sid=d96314ff6c9cc88c749eb113577b12c3">free 02 3g sim cards< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
5.39.37.149 (3 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
5.34.59.139 (1 times)	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) \|\| ( ax=0) [KZ] ( 404=1 ) ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko /20100101 Firefox /14.0
5.144.176.176 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). HSHNetworkInternational (IP-103). Heavy hit. INSTA-BAN. Opera /9.80 <a href="http: / /votrematelas.sk.netblogs.be /archive /2012 /11 /15 /matelas-clic-clac.html">literie< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
46.71.42.104 (1 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.164 Safari /535.19 YI
46.51.132.92 (2 times) ec2465113292.euwest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; Custom: ax=1 dif=[1353549854] \|\| ( ax=1) [IE] \| 1 X_Forward= [46.51.132.92 ] Check Cookies check host ec2-46-51-132-92.eu-west-1.compute.amazonaws.com NING/ 1.0
46.37.162.59 (1 times) 463716259.static.hostnoc.net	Opinion (Suspected): hostnoc.net, Suspicious network, SQL hacks. INSTA-BAN. You have been instantly banned! \|-\| ; \|:\| Begin custom: ax=1 dif=[1353805889] , useragent match=[no_ua_cookie ] ip match=[no_ip_cookie ] \|\| ( ax=1) [GB] \| 1 X_Forward= [46.37.162.59 ] ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.1 (KHTML, like Gecko) Chrome /13.0.782.112 Safari /535.1
46.227.68.189 (1 times) 4622768189.static.obenetwork.net	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /makemoneyonlineinte.netmarketing.co.uk /Juan9">sexual supplements for men< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
46.137.55.47 (2 times) ec2461375547.euwest1.compute.amazonaws.com	Opinion (Suspected): Suspected hacktool (UA-0142). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
46.137.151.107 (2 times) ec246137151107.euwest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.8) Gecko/ 20100722 Firefox/ 3.6.8
46.137.133.56 (1 times) ec24613713356.euwest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.8) Gecko /20100722 Firefox /3.6.8
31.28.240.88 (2 times) 882402831.host.sevstar.net	Opinion (Suspected): ; Suspected hacktool (UA-142). Suspected hacktool (UA-142). \|\| ( ax=0) [UA] ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
31.180.195.41 (3 times) host3118019541.stv.ru	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
31.149.105.193 (1 times) static.kpn.net	Opinion (Suspected): Possibly hostile scraper /harvester. ; Visit to login from [NL]. Possible hack. You must accept cookies to log in. check host static.kpn.net check address Custom: ax=1 dif=[1353414449] \|\| ( ax=1) [NL] Check Cookies Custom host [static.kpn.net] Custom address [31.149.105.193] ; ( 0 ) Mozilla/ 4.0 .compatible; Win32; WinHttp.WinHttpRequest.5)
27.153.150.187 (2 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
24.168.88.146 (2 times) cpe2416888146.si.res.rr.com	Opinion (Suspected): Hacker Link Probe. Bot UA. Xenu Link Sleuth /1.3.8
24.154.128.155 (1 times) staticacs24154128155.zoominternet.net	Opinion (Suspected): ; You must accept cookies to log in. (404) Fingerprint, scrape or hack behavior. (2: .php ) \|:\| Begin custom: ax=0 \|\| ( ax=0) [US] \| 1 X_Forward= [24.154.128.155 ] Check Cookies ( 404=1 ) ; ( 0 ) Mozilla/ 5.0 (Windows; U; Win9x; en; Stable) Gecko/ 20020911 Beonex/ 0.8.1-stable
24.103.243.195 (1 times) rrcs24103243195.nyc.biz.rr.com	Opinion (Suspected): php program file upload not allowed (FILE-0001). php command in file (FILE-0002). php command in file (FILE-0006). php command in file (FILE-0007). login hack attempt (QU-094). Heavy hit. INSTA-BAN. Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
23.27.129.213 (1 times)	Opinion (Suspected): comment with bad referrer : end 1 (404) Fingerprint, scrape or hack behavior. (2: .php ) Custom: ax=0 dif=[1353457737] \|\| ( ax=0) the comment: ] [US] \| 1 X_Forward= [23.27.129.213 ] Check Cookies ( 404=1 ) check address 23.27.129.213 ; ( 0 ) Mozilla /4.0 .compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident /4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)
23.23.8.222 (1 times) ec223238222.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; Subscription crawler service or crawler user agent. INSTA-BAN. You have been instantly banned! \|-\| (2: proximic ) Programming language, utillity Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
23.23.68.8 (1 times) ec22323688.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
23.23.53.68 (1 times) ec223235368.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
23.23.42.81 (1 times) ec223234281.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
23.23.187.48 (2 times) ec2232318748.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
23.23.17.187 (3 times) ec2232317187.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/ 534.30 (KHTML, like Gecko) Chrome/ 12.0.742.91 Safari/ 534.30
23.22.87.166 (1 times) ec2232287166.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass –
23.22.49.112 (1 times) ec2232249112.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
23.22.39.206 (1 times) ec2232239206.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible
23.22.245.115 (1 times) ec22322245115.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-209). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
23.22.198.195 (2 times) ec22322198195.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
23.22.169.179 (1 times) ec22322169179.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
23.22.169.100 (3 times) ec22322169100.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – ZillaCrawler
23.22.146.146 (1 times) ec22322146146.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – HubSpot Links Crawler 1.0 http: / /www.hubspot.com /
23.22.122.151 (1 times) ec22322122151.compute1.amazonaws.com	Opinion (Suspected): No known valid python clients or spiders. Infected machine (UA-0026). Possibly hostile scraper /harvester (SPD-176). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -unknown agent, use Python-urllib, don't use robots. Python-urllib /2.7
23.21.35.165 (2 times) ec2232135165.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
23.21.138.178 (1 times) ec22321138178.compute1.amazonaws.com	Opinion (Suspected): Injection (Unprintable ASCII escaping) (QU-004). Null truncation attempt (QU-088). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Bot Detection, INSTA-BAN (IB-004). Directory traversal attackHeavy hit. INSTA-BAN. Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
23.20.86.203 (1 times) ec2232086203.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
23.20.67.74 (1 times) ec223206774.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
23.20.233.84 (1 times) ec2232023384.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
23.20.230.239 (1 times) ec22320230239.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
23.20.226.47 (5 times) ec2232022647.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/ 534.30 (KHTML, like Gecko) Chrome/ 12.0.742.91 Safari/ 534.30
23.20.214.123 (2 times) ec22320214123.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – MetaURI API /2.0 +metauri.com
23.20.159.231 (1 times) ec22320159231.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
23.20.135.155 (5 times) ec22320135155.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit /534.30 (KHTML, like Gecko) Chrome /12.0.742.91 Safari /534.30
23.20.114.6 (1 times) ec223201146.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko /20100921 Firefox /4.0b7pre
23.19.92.31 (1 times) 23.19.92.31.rdns.ubiquity.io	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Nobis AS15003 NB01. Nobis AS15003 NB44. Heavy hit. INSTA-BAN. Opera /9.80 <a href="http: / /www.cheapairmax90s.co.uk /">nike air max< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
23.19.34.177 (1 times) 23.19.34.177.rdns.ubiquity.io	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Nobis AS15003 NB01. Nobis AS15003 NB44. Heavy hit. INSTA-BAN. Mozilla /4.0 <a href="http: / /bxc8.com /">bxc8.com< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
23.19.34.161 (1 times) 23.19.34.161.rdns.ubiquity.io	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Nobis AS15003 NB01. Nobis AS15003 NB44. Heavy hit. INSTA-BAN. Mozilla /5.0 <a href="http: / /b2ty.com">4pr8.com< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
23.19.241.236 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Nobis AS15003 NB01. Heavy hit. INSTA-BAN. Opera /9.80 <a href="http: / /www.xaevo.com /zeige /752065096357004_1353230830.html">air max 2009< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
222.89.154.6 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /glotrada.net /blogs /554 /539 /how-to-discover-the-most-accepta">birmingham conference venues< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
222.77.214.39 (3 times) 39.214.77.222.broad.pt.fj.dynamic.163data.com.cn	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
222.214.218.211 (2 times) 211.218.214.222.broad.ls.sc.dynamic.163data.com.cn	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
221.235.188.225 (3 times)	Opinion (Suspected): Suspected hacktool (UA-0142.1). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.164 Safari /535.19 YE
220.249.164.189 (1 times)	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) Custom: ax=0 dif=[4] \|\| ( ax=0) [CN] \| 1 X_Forward= [220.249.164.189 ] Check Cookies ( 404=1 ) check address 220.249.164.189 ; ( 0 ) Mozilla /5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit /536.11 (KHTML, like Gecko) Chrome /20.0.1132.47 Safari /536.11
220.110.51.147 (1 times) www.netcominc.co.jp	Opinion (Suspected): ; Suspected hack attempt INSTA-BAN. You have been instantly banned! \|-\| (1: / /wp- ) TimThumb hack. INSTA-BAN. (2: /thumb.php ) It looks like you are trying to call the theme directly. (404) Fingerprint, scrape or hack behavior. (4: wp-content /theme ) INSTA-BAN. \|\| ( ax=0) Mozilla /3.0 (X11; I; SunOS 5.4 sun4m)
219.94.239.77 (2 times) emotiongraphics.jp	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
219.75.27.19 (1 times) bb219752719.singnet.com.sg	Opinion (Suspected): ; Do not exist at my site. INSTA-BAN. You have been instantly banned! \|-\| (1: /– / ) (404) Fingerprint, scrape or hack behavior. (2: .php ) \|\| ( ax=0) [SG] ( 404=1 ) ; ( 0 ) Opera /9.80 (Windows NT 6.1; U; Edition Ukraine Local; en) Presto /2.10.289 Version /12.00
219.75.27.18 (1 times) bb219752718.singnet.com.sg	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) \|\| ( ax=0) [SG] ( 404=1 ) ; ( 0 ) Opera /9.80 (Windows NT 6.1; Win64; x64; U; ru) Presto /2.10.289 Version /12.00
219.75.27.16 (2 times) bb219752716.singnet.com.sg	Opinion (Suspected): ; Suspected hacktool (UA-142). Suspected hacktool (UA-142). \|\| ( ax=0) [SG] ( 404=1 ) ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
219.75.27.15 (1 times) bb219752715.singnet.com.sg	Opinion (Suspected): ; Suspected hacktool (UA-142). Suspected hacktool (UA-142). \|\| ( ax=0) [SG] ( 404=1 ) ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
219.234.82.88 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="HTTP: / /www.Rdn.education.edu.au /user /view.php?id=7847&course=1">personal finance< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
218.94.149.114 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Opera /9.80 <a href="http: / /www.newgadgets4you.com /how-it-works.php">Free iTunes Vouchers< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
218.204.39.172 (2 times)	Opinion (Suspected): Suspected hacktool (UA-0142.1). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.164 Safari /535.19 YE
218.106.150.196 (1 times)	Opinion (Suspected): ; Do not exist at my site. INSTA-BAN. You have been instantly banned! \|-\| (1: /forum / ) (404) Fingerprint, scrape or hack behavior. (2: .php ) \|:\| Begin custom: ax=0 \|\| ( ax=0) [CN] \| 1 X_Forward= [218.106.150.196 ] ( 404=1 ) ; ( 0 ) Mozilla/ 4.0 .compatible; MSIE 5.5; Windows NT 4.0; .NET CLR 1.0.2914)
217.163.49.51 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /www.ppgia.pucpr.br /pesquisa /mining /index.cgi /AndrewIkk">cheap beds guest beds< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
216.104.40.76 (3 times) myserver.productsnetworksx.net	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
212.67.205.246 (3 times) lvps21267205246.vps.webfusion.co.uk	Opinion (Suspected): login hack attempt (QU-094). Bothost and /or Server Farm (HN-076). Mozilla /5.0 .compatible; Konqueror /3.1; Linux 2.4.22-10mdk; X11; i686; fr, fr_FR)
212.227.22.31 (3 times) s15700202.onlinehomeserver.info	Opinion (Suspected): Bothost and /or Server Farm. 503 INSTA-BAN. serve: HTTP Server Detection, usually infected. INSTA-BANNED. You have been instantly banned! \|-\| ; Suspected hack attempt INSTA-BAN. (3: / /wp- ) INSTA-BAN. It looks like you are trying to call the theme directly. \|\| ( ax=2) ( Cautio Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
212.117.63.93 : Proxy reputation? (1 times) files.speedynet.bg	Opinion (Suspected): ; You are forwarding through [BG]. Do not exist at my site. INSTA-BAN. You have been instantly banned! \|-\| (2: /forum / ) (404) Fingerprint, scrape or hack behavior. (3: .php ) INSTA-BAN. \|\| ( ax=0) [BG] ; FORWARDED_FOR=[127.0.0.1,212.117.63.93] ( 404=1 ) ; ( 0 ) Opera/ 9.80 (Windows NT 6.1; U; Edition Ukraine Local; en) Presto/ 2.10.289 Version/ 12.00
211.167.112.16 (4 times) reserve.cableplus.com.cn	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
209.73.137.9 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /www.abbeyglen.co.uk">Uniform Rental< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
209.217.252.178 (3 times) static178252217209.nocdirect.com	Opinion (Suspected): login hack attempt (QU-094). Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
209.177.145.82 (1 times) pbx.crescensinc.com	Opinion (Suspected): RFI (http). (a) ; Suspected hack attempt INSTA-BAN. You have been instantly banned! \|-\| (2: / /wp- ) Vulnerable plugin or PHP probing Hack. INSTA-BAN. (3: sr ) INSTA-BAN. ; Probably timthumb. Hack. INSTA-BAN. query sr ; Heavy hit. INSTA-BAN. \|\| ( ax=1) ( Caution: php snif Mozilla/ 5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/ 20100115 Firefox/ 3.6
208.99.195.242 (1 times)	Opinion (Suspected): login hack attempt (QU-094). Swift Ventures – /scrape network (IP-084). Mozilla /3.0 (X11; I; SunOS 5.4 sun4m)
208.80.194.150 (1 times) static20880194150.as13448.com	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) Custom: ax=0 dif=[1353451861] \|\| ( ax=0) [US] \| 1 X_Forward= [208.80.194.150 ] Check Cookies ( 404=1 ) check host static-208-80-194-150.as13448.com check address 208.80.194.150 ; ( 0 ) Mozilla/ 5.0 (Windows NT 5.1) AppleWebKit/ 535.7 (KHTML, like Gecko) Chrome/ 16.0.912.63 Safari/ 535.7
208.53.157.199 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Opera /9.80 <a href="HTTP: / /home.Exetel.com.au /thetree /mediawiki /index.php?title=Search-Engine-Optimization-Tips-That-Are-Easy-To-Understand">seo black hat< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
208.53.157.129 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /crushe.info /story.php?title=seo-service-88">seo firm< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
207.45.177.42 (3 times) b2cmts.com	Opinion (Suspected): Uploads Not Allowed->login hack attempt (QU-094). Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
207.182.148.183 (1 times) b7.94.b6.static.xlhost.com	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) Known anonymizing or proxy host. INSTA-BAN. You have been instantly banned! \|-\| (2: host.com ) SEO, referrer -, marketing bots, scraper, or dedicated /mystery hosts. INSTA-BAN. (3: xlhost ) INSTA-BAN. Custom: ax=0 dif=[135 Mozilla /4.0 .compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)
206.77.0.155 (1 times) p155.austinisd.org	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: wp-content /plugin ) Custom: ax=0 dif=[2] \|\| ( ax=0) [US] \| 1 X_Forward= [206.77.0.155 ] Check Cookies ( 404=1 ) check host p155.austinisd.org check address 206.77.0.155 ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; rv:15.0) Gecko /20100101 Firefox /15.0
206.214.93.139 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /r4sdhcx.se /onlive-salt-till-nytt-foretag /">Playstation 4< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
205.204.81.100 (1 times) wirelessresolve.net	Opinion (Suspected): Command injection (QU-031). Command injection (QU-033). Command injection (QU-038). Globvar hack (QU-135). Heavy hit. INSTA-BAN.
204.93.219.137 (1 times) unknown.scnet.net	Opinion (Suspected): RFI (http). (a) ; Suspected hack attempt INSTA-BAN. You have been instantly banned! \|-\| (2: / /wp- ) uploadify hack . INSTA-BAN. (3: /upload.php ) INSTA-BAN. Vulnerable plugin or PHP probing Hack. INSTA-BAN. (4: sr ) INSTA-BAN. INSTA-BAN. ; Probably timthumb. Hack. INSTA- Mozilla/ 4.0 .compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
204.74.223.115 (1 times) 20474223115.take2hosting.com	Opinion (Suspected): ; Suspected hacktool (UA-142). Suspected hacktool (UA-142). check host 204-74-223-115.take2hosting.com SEO, referrer -, marketing bots, scraper, or dedicated /mystery hosts. INSTA-BAN. You have been instantly banned! \|-\| (3: hosting ) INSTA-BAN. Custom: ax=0 dif=[1353420584] \|\| ( a Mozilla/ 5.0 (Windows NT 5.1) AppleWebKit/ 535.19 (KHTML, like Gecko) Chrome/ 18.0.1025.1634 Safari/ 535.19 YI
204.236.159.86 (1 times) ec220423615986.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – JS-Kit URL Resolver, http: / /js-kit.com /
203.121.145.50 (1 times)	Opinion (Suspected): php program file upload not allowed (FILE-0001). php command in file (FILE-0005). php function in file (FILE-0013). php function in file (FILE-0015). php command in file (FILE-0021). php command in file (FILE-0022). php command in file (FILE-0023). php command in file (FILE-0024). login hack attempt Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
2021821722 (1 times) 2172182202jktpesatnetid	Opinion (Suspected): http url injection (UAB-006)– Anchor hack (UAB-026)– Anchor hack (UAB-027)– Opera /9–80 <a href="http: / /sickseo–co-.uk /seo-tools–html">Seo Reporting Tools< /a> (Windows NT 5–1; U; en) Presto /2–10–229 Version /11–60
202.156.10.14 (1 times) 202.156.10.14.cache.maxonline.com.sg	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /www.StopAcneOutbreaks.com /">Acne No More< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
202.131.117.195 (1 times) smtp.silvertouch.com	Opinion (Suspected): login hack attempt (QU-094). Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
200.98.67.21 (1 times) 200986721.clouduol.com.br	Opinion (Suspected): login hack attempt (QU-094). No known valid perl clients or spiders. Infected machine (UA-0001). libwww-perl /5.834
200.98.175.199 (1 times) 20098175199.clouduol.com.br	Opinion (Suspected): 503 INSTA-BAN. You have been instantly banned! \|-\| ; Suspected hack attempt INSTA-BAN. (2: / /wp- ) \|\| ( ax=1) ( Caution: php sniff? — bypass /plugins / ); [BR] ; ( 0 ) Mozilla/ 5.0 (Windows; U; Windows NT 5.1; pl-PL; rv:1.8.1.24pre) Gecko/ 20100228 K-Meleon/ 1.5.4
200.98.129.231 (1 times) 20098129231.clouduol.com.br	Opinion (Suspected): login hack attempt (QU-094). No known valid perl clients or spiders. Infected machine (UA-0001). libwww-perl /5.834
200.98.129.117 (1 times) 20098129117.clouduol.com.br	Opinion (Suspected): 503 INSTA-BAN. Illegal URL formatYou have been instantly banned! \|-\| ; Suspected hack attempt or penetration testing INSTA-BAN. (2: / /wp- ) uploadify hack . INSTA-BAN. (3: /upload.php ) INSTA-BAN. \|:\| Begin custom: ax=0 dif=[1353805947] , useragent match=[no_ua_cookie ] ip mat Mozilla/ 5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/ 20100115 Firefox/ 3.6
200.35.181.189 (1 times)	Opinion (Suspected): PHP hack probing attempt. INSTA-BAN (IB-030). Mozilla/ 5.0 (Windows; U; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
200.107.65.88 (1 times) cp1.pokerchile.cl	Opinion (Suspected): Injection (Unprintable ASCII escaping) (QU-004). Question mark at end of query. Badly formed query, must not have 2 question marks in a row (QU-104). RFI (http) (QU-107). Path hack (QU-118). Path hack (QU-205). Nesting attack (QU-219). Bad UA. cp1.pokerchile.cl is not a valid googlebot domain. See: Googlebot /2.1 (+http: / /www.google.com /bot.html)
199.204.18.130 (1 times) mail.methodhosting.net	Opinion (Suspected): RFI (http). (a) ; Suspected hack attempt INSTA-BAN. You have been instantly banned! \|-\| (2: / /wp- ) Vulnerable plugin or PHP probing Hack. INSTA-BAN. (3: sr ) INSTA-BAN. ; Probably timthumb. Hack. INSTA-BAN. query sr ; Heavy hit. INSTA-BAN. \|\| ( ax=1) ( Caution: php snif Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
199.15.234.211 (3 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
198.27.91.195 (1 times) vks33418.ip1982791.net	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) \|\| ( ax=0) [XX] ( 404=1 ) ; ( 0 ) Mozilla /5.0 (Windows NT 6.0; rv:12.0) Gecko /20100101 Firefox /12.0
198.20.67.231 (1 times) wnode22.windowsnodes.com	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /pokemonfirered.net /where-can-i-buy-pokemon-fire-red /">Pokemon Leaf Green Cheat Codes< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
198.15.124.171 (1 times)	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) check address Custom: ax=0 dif=[1] \|\| ( ax=0) [US] Check Cookies ( 404=1 ) Custom address [198.15.124.171] ; ( 0 ) Mozilla /5.0 (Windows NT 6.1) AppleWebKit /535.2 (KHTML, like Gecko) Chrome /15.0.874.121 Safari /535.2
198.144.116.70 (2 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Opera /9.80 <a href="http: / /periodontal.ucoz.com /">Gum disease treatment< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
198.136.53.234 (4 times) 19813653234.static.dimenoc.com	Opinion (Suspected): Host caught trying to hack (HN-117). Mozilla /5.0 (Windows NT 6.1) AppleWebKit /534.24 (KHTML, like Gecko) Chrome /11.0.694.0 Safari /534.24
195.211.213.176 (1 times) client213176.expressnikopol.net.ua	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) check host client-213-176.expressnikopol.net.ua check address Custom: ax=0 dif=[1] \|\| ( ax=0) [UA] Check Cookies ( 404=1 ) Custom host [client-213-176.expressnikopol.net.ua] Custom address [195.211.213.176] ; ( 0 ) Mozilla /5.0 (Windows NT 6.1) AppleWebKit /536.11 (KHTML, like Gecko) Chrome /20.0.1132.47 Safari /536.11
194.146.132.135 (1 times) nat06.iteam.ua	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) \|\| ( ax=0) [UA] ( 404=1 ) ; ( 0 ) Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit /532.0 (KHTML, like Gecko) Chrome /3.0.195.38 Safari /532.0
193.25.4.73 (4 times) ip473.gemini.net.pl	Opinion (Suspected): Hacker Link Probe. Bot UA. Xenu Link Sleuth /1.3.8
193.205.136.6 (1 times) mrtg.iuo.it	Opinion (Suspected): Injection (Unprintable ASCII escaping) (QU-004). Null truncation attempt (QU-090). Prevalent hack to an unknown script (QU-239). Bot Detection, INSTA-BAN (IB-004). Directory traversal attackHeavy hit. INSTA-BAN. Mozilla/ 5.0 (Windows NT 5.1; rv:11.0) Gecko/ 20100101 Firefox/ 11.0
192.168.0.200 (12 times) zaphodunit3	Opinion (Suspected): Hack Attempt (GIP-001)Hack Attempt (GIP-002) Mozilla /5.0 (Windows NT 5.1; rv:16.0) Gecko /20100101 Firefox /16.0
190.39.136.139 (2 times) 19039136139.dyn.dsl.cantv.net	Opinion (Suspected): ; Suspected hacktool (UA-142). Suspected hacktool (UA-142). \|:\| Begin custom: ax=0 dif=[20] , useragent match=[yes ] ip match=[yes ] \|\| ( ax=0) [VE] \| 1 X_Forward= [190.39.136.139 ] Check Cookies ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
190.153.3.37 : Proxy reputation? (1 times) 37.3.153.190.netuno.net	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) \|:\| Begin custom: ax=0 dif=[47] , useragent match=[yes ] ip match=[yes ] \|\| ( ax=0) [VE] \| 2 X_Forward= [190.153.3.37,190.153.3.37 ] Check Cookies; FORWARDED_FOR=[190.153.3.37,190.153.3.37] ( 404=1 ) Check if forwarding ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; rv:10.0) Gecko /20100101 Firefox /10.0
190.153.213.90 (1 times)	Opinion (Suspected): Hack attempt, INSTA-BAN (IB-015). Mozilla /5.0 (Windows NT 6.1; rv:12.0) Gecko /20100101 Firefox /12.0
190.0.57.98 (1 times) staticbafibra19005798.epm.net.co	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Opera /9.80 <a href="http: / /www.netevolution.co.uk">web hosting management script< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
189.28.36.146 (2 times) mail.floripahd.com.br	Opinion (Suspected): ; Suspected hacktool (UA-142). Suspected hacktool (UA-142). \|:\| Begin custom: ax=0 dif=[4] , useragent match=[yes ] ip match=[yes ] \|\| ( ax=0) [BR] \| 2 X_Forward= [unknown,189.28.36.146 ] Check Cookies Check if forwarding ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
188.231.197.12 (1 times) 188.231.197.12.freenet.com.ua	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) check host 188.231.197.12.freenet.com.ua check address Custom: ax=0 dif=[1] \|\| ( ax=0) [UA] Check Cookies ( 404=1 ) Custom host [188.231.197.12.freenet.com.ua] Custom address [188.231.197.12] ; ( 0 ) Opera /9.80 (Windows NT 5.1; U; Edition Ukraine Local; ru) Presto /2.10.289 Version /12.00
188.165.86.189 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Opera /9.80 <a href="http: / /WinningTradeSystemReview.com /">Www.Winningtradesystemreview.Com< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
188.165.199.224 (1 times) ns1.systeme.fr	Opinion (Suspected): 503 INSTA-BAN. Name Server Detection, usually infected. Please access from a non server hostnameYou have been instantly banned! \|-\| ; Suspected hack attempt INSTA-BAN. (2: sr http ) \|:\| Begin custom: ax=0 dif=[1353630091] , useragent match=[no_ua_cookie ] \|\| ( ax=1) ( Caution: ph Mozilla/ 5.0 (Windows NT 5.1; rv:16.0) Gecko/ 20100101 Firefox/ 16.0
188.165.125.51 (3 times)	Opinion (Suspected): ; Suspected hacktool (UA-142). \|\| ( ax=0) [FR] ; ( 0 ) Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.164 Safari /535.19 YE
188.116.20.67 (3 times) s15.hekko.net.pl	Opinion (Suspected): ; Visit to login from [PL]. Possible hack. You must accept cookies to log in. \|\| ( ax=0) [PL] ; ( 0 ) Mozilla/ 5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19) Gecko/ 2010061201 Firefox/ 3.0.19 Flock/ 2.6.0
187.45.240.66 (3 times) hm5529.locaweb.com.br	Opinion (Suspected): Prevalent hack to an unknown script (QU-239). Question mark at end of query. Badly formed query, must not have 2 question marks in a row (QU-104). Mozilla /5.0 (Windows NT 6.1; rv:16.0) Gecko /20100101 Firefox /16.0
184.82.91.142 (1 times) 1848291142.static.hostnoc.net	Opinion (Suspected): hostnoc.net, Suspicious network, SQL hacks (HN-109). Mozilla /5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko /20100101 Firefox /5.0
184.82.203.15 (2 times) 1848220315.static.hostnoc.net	Opinion (Suspected): hostnoc.net, Suspicious network, SQL hacks (HN-109). Opera /9.80 (Windows NT 5.1; U; en) Presto /2.10.289 Version /12.01
184.82.185.197 (1 times) 18482185197.static.hostnoc.net	Opinion (Suspected): hostnoc.net, Suspicious network, SQL hacks (HN-109). Mozilla /4.0 .compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
184.73.99.2 (3 times) ec218473992.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-209). Checked for bypass –
184.73.9.68 (1 times) ec218473968.compute1.amazonaws.com	Opinion (Suspected): Rogue Site Crawler (SPD-038). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 /Nutch-1.1 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13)
184.73.42.84 (2 times) ec2184734284.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
184.73.39.47 (1 times) ec2184733947.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
184.73.185.224 (2 times) ec218473185224.compute1.amazonaws.com	Opinion (Suspected): Suspected hacktool (UA-0142). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
184.73.148.159 (1 times) ec218473148159.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
184.73.14.223 (1 times) ec21847314223.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit /534.24 (KHTML, like Gecko)
184.73.129.12 (1 times) ec21847312912.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
184.73.122.96 (2 times) ec21847312296.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
184.72.83.30 (1 times) ec2184728330.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit /534.24 (KHTML, like Gecko)
184.72.82.95 (1 times) ec2184728295.compute1.amazonaws.com	Opinion (Suspected): Rogue Site Crawler (SPD-038). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Nutch /Nutch-2.0 (Nutch Crawler)
184.72.76.131 (2 times) ec21847276131.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
184.72.194.49 (1 times) ec21847219449.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
184.72.118.177 (1 times) ec218472118177.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; check host ec2-184-72-118-177.compute-1.amazonaws.com check address Custom: ax=1 dif=[1353368003] \|\| ( ax=1) [US] Custom host [ec2-184-72-118-177.compu Mozilla /5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.168 Safari /535.19
184.22.53.203 (2 times) 1842253203.static.hostnoc.net	Opinion (Suspected): hostnoc.net, Suspicious network, SQL hacks (HN-109). Mozilla /4.0 .compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
184.22.52.21 (1 times) 184225221.static.hostnoc.net	Opinion (Suspected): hostnoc.net, Suspicious network, SQL hacks (HN-109). WP Probe Detected (CUST-URI-001). INSTA-BAN. Mozilla/ 5.0 (Windows NT 5.1; rv:5.0.1) Gecko/ 20100101 Firefox/ 5.0.1
184.22.232.162 (2 times) 18422232162.static.hostnoc.net	Opinion (Suspected): hostnoc.net, Suspicious network, SQL hacks (HN-109). Mozilla/ 5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/ 534.56.5 (KHTML, like Gecko) Version/ 5.1.6 Safari/ 534.56.5
184.22.192.71 (1 times) 1842219271.static.hostnoc.net	Opinion (Suspected): hostnoc.net, Suspicious network, SQL hacks (HN-109). Mozilla /5.0 (Windows NT 5.1; rv:5.0.1) Gecko /20100101 Firefox /5.0.1
184.22.183.114 (3 times) 18422183114.static.hostnoc.net	Opinion (Suspected): hostnoc.net, Suspicious network, SQL hacks (HN-109). Mozilla /5.0 (X11; Linux i686; rv:6.0) Gecko /20100101 Firefox /6.0
184.22.132.42 (1 times) 1842213242.static.hostnoc.net	Opinion (Suspected): hostnoc.net, Suspicious network, SQL hacks (HN-109). Mozilla /4.0 .compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)
184.22.1.144 (1 times) rtb3mjh08t.coooperstowninns.com	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /Chasedix.Momaroo.com /weblog /">chasedix.momaroo.Com< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
184.169.252.0 (1 times) ec21841692520.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – JS-Kit URL Resolver, http: / /js-kit.com /
184.169.247.35 (1 times) ec218416924735.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-209). Checked for bypass – JS-Kit URL Resolver, http: / /js-kit.com /
184.169.245.99 (1 times) ec218416924599.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; Scraper user agent. INSTA-BAN. You have been instantly banned! \|-\| (2: js-kit ) Custom: ax=1 dif=[1353447555] \|\| ( ax=1) [US] \| 1 X_Forward= [18 JS-Kit URL Resolver, http: / /js-kit.com /
184.169.227.30 (1 times) ec218416922730.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – JS-Kit URL Resolver, http: / /js-kit.com /
184.169.226.107 (1 times) ec2184169226107.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – JS-Kit URL Resolver, http: / /js-kit.com /
184.169.203.244 (1 times) ec2184169203244.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-209). Checked for bypass – JS-Kit URL Resolver, http: / /js-kit.com /
184.169.203.101 (8 times) ec2184169203101.uswest1.compute.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-114). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – UnwindFetchor /1.0 (+http: / /www.gnip.com /)
184.169.199.213 (1 times) ec2184169199213.uswest1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-209). Checked for bypass – JS-Kit URL Resolver, http: / /js-kit.com /
184.154.4.81 (1 times) chicago.vpn.com	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /electriccarsdealerships.com /categories /nissan-electric-cars /">electric car dealership< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
184.154.156.209 (1 times) wnode19.windowsnodes.com	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /www.sfbrp.com /wiki /index.php?title=The-Most-Suitable-Self-Storage-in-Bellingham">storage unit< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
180.96.62.21 (2 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
178.64.229.53 (1 times) shpd1786422953.vologda.ru	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /mormonsandgenealogy.com /res /the-mormon-book-90">mormons genealogy< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
178.33.63.220 (1 times) unicorn.seedboxes.cc	Opinion (Suspected): ; Vulnerable plugin or PHP probing Hack. INSTA-BAN. You have been instantly banned! \|-\| (1: sr ) ; Probably timthumb. Hack. INSTA-BAN. query sr \|:\| Begin custom: ax=0 dif=[1353629163] , useragent match=[no_ua_cookie ] \|\| ( ax=0) [FR] \| 1 X_Forward= [178.33.63.220 ] ; ( 0 ) Mozilla /5.0 (Windows; U; Windows NT 5.1; pl-PL; rv:1.8.1.24pre) Gecko /20100228 K-Meleon /1.5.4
178.33.170.239 (2 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /beulah.co.ke /blog /index.php /friedapid">.compare online schools< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
178.238.140.68 (1 times) 17823814068.static.hostnoc.net	Opinion (Suspected): hostnoc.net, Suspicious network, SQL hacks. ; \|\| ( ax=1) [GB] ; ( 0 ) Mozilla/ 5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/ 20090824 Firefox/ 3.5.3
178.184.90.167 (1 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
178.18.19.74 (2 times) server5.svrmng.info	Opinion (Suspected): Prevalent hack to an unknown script (QU-239). Question mark at end of query. Badly formed query, must not have 2 question marks in a row (QU-104). RFI (http) (QU-107). Nesting attack (QU-208). Function directory access violation (QU-235). Heavy hit. INSTA-BAN. Mozilla /5.0 (Windows NT 6.1; rv:16.0) Gecko /20100101 Firefox /16.0
178.158.221.73 (3 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
178.137.93.37 (1 times) 1781379337lvv.broadband.kyivstar.net	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) SEO, referrer -, marketing bots, scraper, or dedicated /mystery hosts. INSTA-BAN. You have been instantly banned! \|-\| (2: kyivstar ) \|:\| Begin custom: ax=0 \|\| ( ax=0) [UA] \| 1 X_Forward= [178.137.93.37 ] Check Cookies ( 404= Opera/ 9.80 (Windows NT 6.1; U; ru) Presto/ 2.8.131 Version/ 11.10
178.121.185.164 (3 times) mm164185121178.dynamic.pppoe.mgts.by	Opinion (Suspected): INSTA-BAN ; Does not exist. INSTA-BAN. \|-\| ua (2: .exe ) (404) Fingerprint, scrape or hack behavior. (3: wp-content /plugin ) INSTA-BAN. Custom: ax=1 dif=[1353367919] \|\| ( ax=1) ( Caution: php sniff? — bypass /plugins / ); [BY] ( 404=1 ) ; ( 0 ) xpymep.exe
177.80.3.35 (2 times) b1500323.virtua.com.br	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /www.domainhome.net /whois /skribles.com /">kÄ±z oyunu< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
177.71.224.133 (1 times) ec217771224133.saeast1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; \|\| ( ax=1) [BR] ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; rv:11.0) Gecko /20100101 Firefox /11.0
177.71.171.90 (2 times) ec21777117190.saeast1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -Checked for bypass – ; \|\| ( ax=1) [BR] ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; rv:11.0) Gecko /20100101 Firefox /11.0
177.71.170.105 (1 times) ec217771170105.saeast1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-209). Checked for bypass – Mozilla /5.0 (Windows NT 6.0; rv:10.0.2) Gecko /20100101 Firefox /10.0.2
177.124.231.98 (1 times) mvx17712423198.mundivox.com	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Opera /9.80 <a href="http: / /sixthformcollegelaw.–spot.com">sixthformcollegelaw.–spot.com< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
177.103.228.159 (1 times) 177103228159.dsl.telesp.net.br	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /www.squidoo.com /the-benefits-of-a-gluten-free-diet-plan">Gluten Free< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
176.34.78.244 (1 times) ec21763478244.euwest1.compute.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-115). Possibly hostile scraper /harvester (SPD-116). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Kimengi /nineconnections.com
176.104.137.73 (3 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
175.44.27.91 (3 times)	Opinion (Suspected): No access allowed from hosts listed on http: / /www.stop—.com / (local block). Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
175.41.249.4 (1 times) ec2175412494.apnortheast1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Crowsnest/ 0.5 (+http:/ / www.crowsnest.tv/ )
175.41.233.177 (1 times) ec217541233177.apnortheast1.compute.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Crowsnest /0.5 (+http: / /www.crowsnest.tv /)
174.63.22.218 (1 times) c1746322218.hsd1.vt.comcast.net	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .js ) \|\| ( ax=0) [US] ( 404=1 ) ; ( 0 ) Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/ 20100101 Firefox/ 16.0
174.44.22.52 (2 times) oolae2c1634.dyn.optonline.net	Opinion (Suspected): ; Query breaking hack (QU-207). \|\| ( ax=0) [US] ; ( 0 ) Mozilla/ 5.0 (Macintosh; Intel Mac OS X 10.5; rv:16.0) Gecko/ 20100101 Firefox/ 16.0
174.136.32.3 (3 times) sierra.unisonplatform.com	Opinion (Suspected): login hack attempt (QU-094). Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
174.129.90.13 (1 times) ec21741299013.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories. Checked for bypass -alexa bypass. Checked for bypass – ; Archivers like wayback, foreign wayback etc. INSTA-BAN. You have been instantly banned! \|-\| (1: archive ) Unwanted bot, search, crawler. ia_archiver (+http:/ / www.alexa.com/ site/ help/ webmasters; crawler@alexa.com)
174.129.52.157 (1 times) ec217412952157.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
174.129.186.17 (1 times) ec217412918617.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 .compatible; proximic; +http: / /www.proximic.com /info /spider.php)
174.129.168.206 (1 times) ec2174129168206.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
174.129.107.129 (2 times) ec2174129107129.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – MetaURI API /2.0 +metauri.com
173.51.134.227 (1 times) pool17351134227.lsanca.dslw.verizon.net	Opinion (Suspected): ; You must accept cookies to log in. (404) Fingerprint, scrape or hack behavior. (2: .php ) \|\| ( ax=0) [US] ( 404=1 ) ; ( 0 ) Mozilla/ 5.0 (Windows NT 6.1; rv:12.0) Gecko/ 20100101 Firefox/ 12.0
173.245.64.81 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /Www.Extremefairings.com /Honda-5 /Honda-CBR600RR /2007-2008-24">2008 Honda CBR600RR Fairings< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
173.236.63.96 (2 times) chicago2.vpn.com	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /afattyliverdisease.com /alcoholic-fatty-liver /">fatty liver disease diet< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
173.234.250.220 (1 times) 173234250220.ipvnow.com	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Nobis AS15003 NB31. Heavy hit. INSTA-BAN. Opera /9.80 <a href="http: / /q30s.com">q30s.com< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
173.212.228.218 (2 times) 173212228218.static.hostnoc.net	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). hostnoc.net, Suspicious network, SQL hacks (HN-109). Heavy hit. INSTA-BAN. Opera /9.80 <a href="http: / /www.quantriwebsite.net /checkrank /nomorerackreview.com">online deals on laptops< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
173.212.212.7 (1 times) 1732122127.static.hostnoc.net	Opinion (Suspected): bsalsa user agent not allowed (UA-0076). hostnoc.net, Suspicious network, SQL hacks (HN-109). Mozilla /4.0 .compatible; MSIE 8.0; Windows NT 6.0; Trident /4.0; Orange 8.0; GTB6.3;Mozilla /4.0 .compatible; MSIE 6.0; Windows NT 5.1; SV1) ; Embedded Web Browser from: http: / /bsalsa.com /; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618; OfficeLiveConnector.1.3; OfficeLivePatch.1.3)
173.208.153.175 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /oilsynthetic.tumblr.com /">synthetic oil< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
163.152.97.39 (1 times) econ.korea.ac.kr	Opinion (Suspected): RFI attack /SQL injection (nested percent and ' e.g. %2527) (QU-013). Command injection (QU-027). General CMS /RFI attack (QU-069). General CMS attack (QU-076). Question mark at end of query. Badly formed query, must not have 2 question marks in a row (QU-104). Globvar hack (QU-136). Heavy hit. IN Mozilla /3.0 (OS /2; U)
159.226.43.56 (1 times)	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) \|:\| Begin custom: ax=0 dif=[8] , useragent match=[yes ] \|\| ( ax=0) [CN] \| 1 X_Forward= [159.226.43.56 ] Check Cookies ( 404=1 ) ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko /20100101 Firefox /11.0
157.55.35.79 (1 times) msnbot157553579.search.msn.com	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) Custom: ax=0 dif=[1353548121] \|\| ( ax=0) [US] \| 1 X_Forward= [157.55.35.79 ] Check Cookies ( 404=1 ) check host msnbot-157-55-35-79.search.msn.com check address 157.55.35.79 ; ( 0 ) Mozilla /5.0 .compatible; bingbot /2.0; +http: / /www.bing.com /bingbot.htm)
142.0.35.133 (1 times)	Opinion (Suspected): ; Suspected hacktool (UA-142). Suspected hacktool (UA-142). ; VOLUMEDRIVE : VOLUM-2. Not ISP. INSTA-BAN. You have been instantly banned! \|-\| \|:\| Begin custom: ax=0 \|\| ( ax=0) [US] \| 1 X_Forward= [142.0.35.133 ] Check Cookies ; ( 0 ) Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
125.78.207.84 (1 times) 84.207.78.125.broad.pt.fj.dynamic.163data.com.cn	Opinion (Suspected): ; Do not exist at my site. INSTA-BAN. You have been instantly banned! \|-\| (1: /– / ) (404) Fingerprint, scrape or hack behavior. (2: .php ) \|:\| Begin custom: ax=0 \|\| ( ax=0) [CN] \| 1 X_Forward= [125.78.207.84 ] ( 404=1 ) ; ( 0 ) Opera /9.80 (Windows NT 6.1; WOW64; U; ru) Presto /2.10.289 Version /12.00
125.78.204.161 (1 times) 161.204.78.125.broad.pt.fj.dynamic.163data.com.cn	Opinion (Suspected): ; SEO, referrer -, marketing bots, scraper, or dedicated /mystery hosts. INSTA-BAN. You have been instantly banned! \|-\| (1: 163data.com.cn ) Do not exist at my site. INSTA-BAN. (2: /forum / ) ; bad cookie:(whosonlineid,); INSTA-BAN. (404) Fingerprint, scrape or hack behavior. Mozilla/ 5.0 (Windows NT 5.1) AppleWebKit/ 535.7 (KHTML, like Gecko) Chrome/ 16.0.912.77 Safari/ 535.7 u01-2
124.169.115.94 (1 times) 12416911594.dyn.iinet.net.au	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /sevillafc.noticia.es /user /JessicaIhm /history"><a href="">real estate valuers< /a>< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
124.125.91.223 (2 times)	Opinion (Suspected): Suspected -tool mail.ru agent (UA-0135). Indian -s – 192K address netblock is bad (IP-048). Opera /9.80 (Windows NT 6.1; U; MRA 6.0 (build 5711); ru) Presto /2.10.289 Version /12.00
124.124.68.58 (5 times)	Opinion (Suspected): Indian -s – 192K address netblock is bad (IP-048). Mozilla /4.0 .compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)
123.11.44.151 (1 times) hn.kd.ny.adsl	Opinion (Suspected): Fake tld. INSTA-BAN. You have been instantly banned! \|-\| ; Suspected hacktool (UA-142). \|\| ( ax=1) [CN] ; ( 0 ) Mozilla /5.0 (Windows NT 6.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.164 Safari /535.19 YE
118.70.129.101 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /5.0 <a href="http: / /www.jeuxdevoiture.fr /2012 /">jeux voiture action< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
118.192.193.1 (2 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
116.68.198.206 (1 times)	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /howcanicureayeastinfection.com /">home remedies for yeast infection< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
115.75.10.75 (2 times) adsl.viettel.vn	Opinion (Suspected): ; Visit to login from [VN]. Possible hack. \|:\| Begin custom: ax=0 \|\| ( ax=0) [VN] \| 1 X_Forward= [115.75.10.75 ] Check Cookies ; ( 0 ) Mozilla /5.0 (Windows NT 6.1; rv:12.0) Gecko /20100101 Firefox /12.0
114.35.136.98 (2 times) 1143513698.hinetip.hinet.net	Opinion (Suspected): Question mark at end of query. Badly formed query, must not have 2 question marks in a row (QU-104). Badly formed query, must not have 3 question marks in a row even with escaping (QU-105). RFI (http) (QU-107). Path hack (QU-206). Nesting attack (QU-219). Taiwanese ISP with a history of uncontrolled Mozilla/ 5.0
113.6.247.150 (2 times)	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) \|:\| Begin custom: ax=0 dif=[6] , useragent match=[yes ] \|\| ( ax=0) [CN] \| 1 X_Forward= [113.6.247.150 ] Check Cookies ( 404=1 ) ; ( 0 ) Mozilla /5.0 (Windows NT 6.2; WOW64) AppleWebKit /536.5 (KHTML, like Gecko) Chrome /19.0.1084.56 Safari /536.5
111.235.138.156 (2 times) mercury.gsc.gr	Opinion (Suspected): login hack attempt (QU-094). Mozilla /5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6
111.161.71.26 (1 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
111.161.71.25 (1 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
110.86.187.33 (3 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI
110.85.51.50 (3 times) 50.51.85.110.broad.fz.fj.dynamic.163data.com.cn	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
110.238.0.7 (1 times) ruby.voice.net.au	Opinion (Suspected): ; Suspected hack attempt INSTA-BAN. You have been instantly banned! \|-\| (1: / /wp- ) uploadify hack . INSTA-BAN. (2: /upload.php ) (404) Fingerprint, scrape or hack behavior. (3: wp-content /plugin ) INSTA-BAN. Custom: ax=0 dif=[1353550091] \|\| ( ax=0) [AU] \| 1 X_Forward= [1 Mozilla/ 5.0 (Windows NT 5.1; rv:11.0) Gecko/ 20100101 Firefox/ 11.0
110.143.115.79 (1 times) kirkpa9.lnk.telstra.net	Opinion (Suspected): hacktool word. INSTA-BAN (UA-0017). Fuck you!!
109.95.42.32 (1 times)	Opinion (Suspected): Suspected hacktool (UA-0142.1). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.164 Safari /535.19 YE
109.195.3.116 (1 times) headhost.ru	Opinion (Suspected): Command injection (QU-030). Command injection (QU-031). Command injection (QU-038). General CMS /RFI attack (QU-069). Globvar hack (QU-136). Heavy hit. INSTA-BAN.
109.104.199.56 (1 times) 56.199.104.109.bergon.net	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Opera /9.80 <a href="http: / /howcanicureayeastinfection.com /yeast-infection-home-remedy-8 /">home remedy for yeast infection< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
108.62.33.114 (3 times) 108.62.33.114.rdns.ubiquity.io	Opinion (Suspected): Suspected hacktool (UA-0142.1). Nobis AS15003 NB29. Nobis AS15003 NB44. Mozilla/ 5.0 (Windows NT 6.1; WOW64) AppleWebKit/ 535.19 (KHTML, like Gecko) Chrome/ 18.0.1025.1634 Safari/ 535.19 YE
108.171.253.226 (3 times) unassigned.psychz.net	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 5.1) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.165 Safari /535.19 YI
108.171.251.114 (2 times) subdir.flytolove.in	Opinion (Suspected): ; (404) Fingerprint, scrape or hack behavior. (1: .php ) \|:\| Begin custom: ax=0 \|\| ( ax=0) [US] \| 1 X_Forward= [108.171.251.114 ] Check Cookies ( 404=1 ) ; ( 0 ) Mozilla /5.0 (Windows NT 5.1) AppleWebKit /536.6 (KHTML, like Gecko) Chrome /20.0.1096.1 Safari /536.6
107203388 (1 times) ec2107203388compute1amazonawscom	Opinion (Suspected): Amazon Web Services– Not an ISP– Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ)– Checked for bypass – Mozilla /5–0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit /534–30 (KHTML, like Gecko) Chrome /12–0–742–91 Safari /534–30
107.5.207.6 (2 times) c10752076.hsd1.mi.comcast.net	Opinion (Suspected): http url injection (UAB-006). Anchor hack (UAB-026). Anchor hack (UAB-027). Mozilla /4.0 <a href="http: / /www.digiresults.com /aff /1473 /13878">Digiresults.Com< /a> (Windows NT 5.1; U; en) Presto /2.10.229 Version /11.60
107.22.20.107 (2 times) ec21072220107.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-02. Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
107.22.18.158 (3 times) ec21072218158.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-209). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-02. MetaURI API /2.0 +metauri.com
107.22.132.0 (3 times) ec2107221320.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-02. Mozilla/ 5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/ 20100115 Firefox/ 3.6 (FlipboardProxy/ 1.1; +http:/ / flipboard.com/ browserproxy)
107.22.130.212 (1 times) ec210722130212.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/ 20100101 Firefox/ 16.0 SmartLinksAddon
107.22.102.186 (2 times) ec210722102186.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-02. Mozilla /4.0 .compatible; MSIE 6.0; Windows NT 5.1; SV1)
107.21.132.52 (1 times) ec21072113252.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-02. Mozilla /5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko /20100115 Firefox /3.6 (FlipboardProxy /1.1; +http: / /flipboard.com /browserproxy)
107.21.132.167 (5 times) ec210721132167.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-02. MetaURI API /2.0 +metauri.com
107.21.129.200 (1 times) ec210721129200.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass -Amazon Web Services Non-Reversible IP lookup block. AWS-02. Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
107.20.92.25 (1 times) ec2107209225.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
107.20.82.21 (1 times) ec2107208221.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
107.20.33.88 (4 times) ec2107203388.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit /534.30 (KHTML, like Gecko) Chrome /12.0.742.91 Safari /534.30
107.20.200.84 (3 times) ec21072020084.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit /534.30 (KHTML, like Gecko) Chrome /12.0.742.91 Safari /534.30
107.20.131.32 (3 times) ec21072013132.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit /534.30 (KHTML, like Gecko) Chrome /12.0.742.91 Safari /534.30
107.20.123.7 (1 times) ec2107201237.compute1.amazonaws.com	Opinion (Suspected): Possibly hostile scraper /harvester (SPD-167). Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla/ 5.0 .compatible; proximic; +http:/ / www.proximic.com/ info/ spider.php)
107.20.103.12 (1 times) ec21072010312.compute1.amazonaws.com	Opinion (Suspected): Amazon Web Services. Not an ISP. Used by -s, Keyword -ming SEO bots, and other unsavories (CLD-AMZ). Checked for bypass – Mozilla /5.0 (X11; U; Linux x86_64; en-US) AppleWebKit /534.3 (KHTML, like Gecko) Ubuntu /10.04 Chromium /6.0.472.53 Chrome /6.0.472.53 Safari /534.3
1.192.127.132 (3 times)	Opinion (Suspected): Suspected hacktool (UA-0142). Mozilla /5.0 (Windows NT 6.1; WOW64) AppleWebKit /535.19 (KHTML, like Gecko) Chrome /18.0.1025.1634 Safari /535.19 YI

The list above is compiled from ban records at drawn from a variety of domains. Information provided is

IP : This is the IP left by the visitor.
Host: This is the host associated with the visitors IP.
User Agent: This is the User Agent supplied by the visitors. Note that User Agents can be spoofed.
Reason Banned: This is the explanation a domain administrator or Bad Behavior associated with the rule violation that resulted in the IP being banned. The domain owner’s assessement of the domain, user agent or any other features may not be an accurate representation. Individual domain owners ban based on their own opinion and judgement based on their own research.

43 thoughts on “How Constant are Hacking Attempts?”

MrE says:

November 27, 2012 at 1:44 pm

That 192.168.0.200 at 12 times is private IP space, so it is a device within your servers local network, and so that one is stands out as different from the others. Other private space is defined in RFC 1918 if you want to block them permanently. However, maybe there is valid a reason for this one.
lucia says:

November 27, 2012 at 2:08 pm

MrE:
Shoot! I fished those out without sorting for it being my blog only. No wonder it was so many!
I looked and I know what those are. Those are the developer at ZBblock running his own tests for the module to snif for hacks inside file uploads. He’s got that out as experimental for people– I’m not using it.
Roughly 1/2 of these are me.
Brandon Shollenberger says:

November 27, 2012 at 2:11 pm

MrE, it says it is from “zaphodunit3.” Zaphod is the guy behind ZBlock so I assume it is desired traffic. I’m not sure why it would be getting caught though.

Edit: Nevermind.
lucia says:

November 27, 2012 at 2:18 pm

Brandon–
I was puzzled when MrE wrote that. But it was my mistake. I need to write a module to let me filter when I create the nice printouts. So… that includes Zap!
FergalR says:

November 27, 2012 at 2:35 pm

If it helps: I got a “blocked ‘cos you’re probably a screen scraper”- type message a couple of days ago but I refreshed and it was fine.
lucia says:

November 27, 2012 at 2:45 pm

Fergal–
When I’m actively updating blocks, I will make a change, then load the blog. Sometimes… due to typo…. I will discover I goofed and some error will be thrown. I fix the typo and then go look in the killed_log.txt to see if it “got” anyone. Sometimes… it has. So, I unblock.

If it happened in the last week, this is actually quite likely.

Here’s an example. (The IT people will likely understand the typo right way. It was a combination bad cut and paste/ bad proof-reading. But fixed within 2 minutes.)

I wanted this rule because this private server IS hacking:

$ax += (iprange($address,”151.248.7.0″,”151.248.7.63″,”; InternetBolaget customer Swedish-privacy, seo, hosting. Not ISP INSTA-BAN. “));
This rule will block every IP between 151.248.7.0 and 151.248.7.63.

Because this is a “template”, I copied an old rule. Then, I was slopy cut and pasting and accidently saved this:

$ax += (iprange($address,”151.248.7.0″,”151.248.7.635“,”; InternetBolaget customer Swedish-privacy, seo, hosting. Not ISP INSTA-BAN. “));

See the 635? The function call “iprange’ has to make a range out of 151.248.7.635 and it’s not robust to really truly screwy input, when I went to load the page I banned myself. So…. I quickly edited. Then I unbanned myself. Then I saw another person was banned. They would have been told “InternetBolaget customer Swedish-privacy, seo, hosting. Not ISP INSTA-BAN.” which they would have found very confusing because they aren’t using a Swedish-privacy, seo, hosting service.

That said… it might have been a bot. But quite likely it was a person who was presented the ‘scary’ message but did not contact me. In this instance, that worked well because I found that one immediately and fixed it.

I usually do try to proof-read before changing. But… sometimes I goof. So, that could have happened to you. But usually, it’s best to click that link and email me. (It’s a weird email address. That’s to protect me from spam. I’ve gotten all sorts of offers from people who want to write “guest posts” on weird things from that email box!)
Brandon Shollenberger says:

November 27, 2012 at 3:50 pm

lucia, do you ever test your rules by just logging what they’d catch before implementing them? I’ve always found that useful (though not always practical due to time constraints).

I’ve even gone beyond that at times, attaching a warning message to people’s displayed page and giving them a link to contact me. If nobody contacts me through it after a couple days, I assume the rule is fine and fully implement it.

It’s more work, but it can be worthwhile at times.
lucia says:

November 27, 2012 at 4:27 pm

Brandon

lucia, do you ever test your rules by just logging what theyâ€™d catch before implementing them? Iâ€™ve always found that useful (though not always practical due to time constraints).

I’ve never done it– except to the extent that I monitor everything that hits robots.txt and I monitor some hits to the php script that shows the cat . To log and figure out, I would still be left with ambiguity. For example: I’m banning TOR. Is every connection from TOR spammy or hacky? No. But lots are and those people have other options. Similar things happen with many of the ‘anonymous proxy’ services in Sweden. I know some of those are people who legitimately (or merely paranoically) worry about being tracked. But I already know lots of those things result in private hack attempts. The hackers/spammers/crackers who pay for those anonymity services know precisely what they are doing: They are using a legitimate anonymity service and they hope that I and others will not ban that service because the various services spend lots of time explaining how important anonymity is to freedom of speech and so on.

(For those wondering, the argument would be something like “Sure, you can ban a couple ‘jerks’ by blocking ipredator.se, but you might also prevent the modern day Solzhenitsyn from freely airing his views. So you should come up with some other way to block the ‘jerks’. ” But of course, it’s not just a ‘couple of jerks’ using anonymity services, it’s an entire industry. )

So, I could have tested that rule and I would have learned what I knew even before implementing it.

But, in principle, I might learn a little by pretesting some rules. But — with respect to some rules, I can’t fully learn what I want to learn by testing without doing a real block. I really don’t know if the connection would have caught a human unless a human complains. If a university and/or a company vpn, a human who is blocked might email me. For all the zillions of connections from 15 euro a month ipredator.se I have blocked, I have never heard a peep. What I did see is when I started blocking that, connections from the 34 euro a month anonine. started appearing. I’m seeing a pricier class of anonymous connections– that’s for sure!

And as far as I’m concerned, all these people can progress to 1,000 euro a month exclusive connections to mask their ISP. Or… if they want to spend less, they or can just connect using the IP their ISP provides them.

So… all in all… I don’t think pre-testing would solve the problem that I can’t entirely be sure a rule won’t block a human. (Plus… there is the problem that some individual IPs at universities will always get blocked. There is a huge population called “students” and some are going to do….uhmm… things…. Also, some “researchers” do things that don’t look good on this end. )
lucia says:

November 27, 2012 at 4:36 pm

Brandon–
Also, I should point out that some of the rules are designed to give very few false positives.

Example of a “catch”:

#: 114685 @: Tue, 27 Nov 2012 13:18:14 -0800 Running: 0.4.10a1
Host: 116.16.168.204
IP: 116.16.168.204
Score: 1
Violation count: 1
Why blocked: ; (404) Fingerprint, scrape or hack behavior. (1: .php ) |:| Begin custom: ax=0 || ( ax=0) [CN] | 1 X_Forward= [116.16.168.204 ] Check Cookies ( 404=1 ) ; ( 0 )
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
Reconstructed URL: http:// rankexploits.com /musings/signup.php

Note:
1) (404) means something hit a page that does not exist. That by itself never bans anyone, I just log that fact.
2) The page that doesn’t exist was the “signup.php” form. Uhmm… What are they trying to signup for?

What’s going on here is a bot (or human) is guessing the possible existence of some sort of login page and it’s going to try to “sign in” to the admin side of whatever cms it things might be here. That IP is supposedly out of China. (See the [CN]. That is not a valued blog reader/commenter or whatever.

The main “obnoxious” problem with ZBblock is on the admin side of WordPress. WordPress writer do write some calls that look like RFI or SSH attacks. So, Zeke often got banned. I sometimes got banned– Paul has been banned. Obviously, I just unbann myself. But it’s a real PITA for Zeke.

I’d go write a work around that permits things provided someone is in wp-admin and so on. Then WordPress would update, do something differently, and they had new and different looking calls…. which looked like different potential RFI attacks.

But testing those first really doesn’t help because quite often, the spate of bans happens when WordPress updates. They didn’t happen with the previous version of WordPress.
Brandon Shollenberger says:

November 27, 2012 at 5:13 pm

If a rule works the way I want it to, pretesting (usually) doesn’t matter. The reason I use it is rules: don’t always work as expected/intended. A typo or stupid mistake can result in problems pretesting can catch.

Of course, part of the reason I do it is I’m not the only one involved in the networks so anything I screw up affects more than just me. That makes screw ups more problematic.
lucia says:

November 27, 2012 at 5:30 pm

Brandon–

A typo or stupid mistake can result in problems pretesting can catch.

Yep. But I would also need to write a pretest module, figure out how/when to mainline etc.

The most problematic rules have been ones that Zap wrote that work as planned but conflict with ideas WordPress revisions writers dream up.

Oh… some rules are set up inside this:

if( inmatch($thishost,”bannasties”,””) ){

Whatever new rule that might have some nasty effects on people.

}

I tested the rule on speed for comments posting and a few others that way. I’m testing one to catch a nasty crawler that way. It’s crawling over there anyway.
Brandon Shollenberger says:

November 27, 2012 at 5:55 pm

It’s definitely more work. I’m just curious how many people do it.

As for WordPress… that’s the curse of using other people’s software. In this case you could examine the changes to the code, but that’s a lot of work.
lucia says:

November 27, 2012 at 6:47 pm

In this case you could examine the changes to the code, but thatâ€™s a lot of work.

If the goal is to examine the code to figure out how any of the hundreds of “rules” that look like RFI/ SSH attacks and so on might interact with the modifications in WordPress it’s a great deal of work.
Brandon Shollenberger says:

November 27, 2012 at 7:04 pm

Are the updates worth the trouble?
lucia says:

November 27, 2012 at 7:11 pm

Are the updates worth the trouble?

Yes and no. If you don’t update sufficiently often, plugin hooks change, and things start to get incompatible. If you wait a really long time, the database can become incompatible with some update– and then updating gets really bad.

They seem to have had a “pause” in updates. A while back they seemed to be having them every two months– or so. But… it seems a while now.
Brandon Shollenberger says:

November 27, 2012 at 8:19 pm

So the main reason to update isn’t better functionality or new features, but to avoid having things break? That seems lame.
lucia says:

November 27, 2012 at 9:38 pm

Oh…. things change. It’s just that they rarely add features I value. There seem to be periodic changes to the layout on the ‘inside’. There have been useful changes too. But sometimes, there are simply too many releases too quickly.

Some updates are due to security breaches that were discovered and fixed. (Fortunately, ZBblock protects against many of those breaches prior to discovery!)
Brandon Shollenberger says:

November 28, 2012 at 12:20 am

I get that. I just think it’s poor form to make people update when they don’t get anything from the update. Sometimes it is unavoidable, but usually, it’s just bad design. Even worse, it’s often accompanied by bloat that consumes resources/creates new risks.

I don’t know if WordPress is that way though. I find their code base too painful to spend much time on.
Steveta_uk says:

November 28, 2012 at 2:22 am

Lucia, given that astonishing amount of work that you appear to be putting into blog security measures, I have a couple fo questions for you.

a. Is this effort being fed into some common pool of knowledge that might improve overall security for the web?

b. Do you have a day job?

-Steve
bugs says:

November 28, 2012 at 3:42 am

I don’t believe this is a hacking attempt, but an insider trying to free the data.
lucia says:

November 28, 2012 at 6:56 am

Steveta_uk
(a) In principle yes. In practice, I don’t know that anyone knows the info is available.
(b) Part time.
MrE says:

November 28, 2012 at 12:08 pm

Stackoverflow.com is also a good resource for getting help with many IT type problems. They usually have good answers and discussions.

For example
http://stackoverflow.com/questions/930028/identifying-hostile-web-crawlers also see related questions on the right of that page.
lucia says:

November 28, 2012 at 12:50 pm

MrE
The question at your link is long. His main concerns were duplicate content. Thta’s a big concern for people who are writing blogs to tweak their SEO and are worried someone else will copy and “steal” their SEO. Quite honestly: Google has figured out my content is original and those who copy /quoted etc have copied and quoted.

So, duplicate content is not my main concern. My main concerns are:
1) seo and other info scrapers hogging up huge amounts of cpu,
2) things trying to hack in,
3) stupid copyright bots visiting and potentially sending me stoooopid form claiming I have infringed copyright.
4) spammers and comment trolls.
(Number 3 has happened. The claim was a legal zero, but it was still very annoying. I want those bots gone so stupid people don’t “identify” violations and send me letters. Number 4 is way down in priority.)

The solutions at that stack overflow page are insufficient to address my concerns. (Heck, they are insufficient for the questioners. But since 2009, Google has gotten better at figuring out who wrote what first.)

With respect to the solutions:

My solution would be to make a trap. Put some pages on your site where access are banned by robots.txt. Make a link on you page, but hide it with CSS, then ip ban anybody who goes to that page.

This will force the offender to obey robots.txt, which means that you can put important information or services permanently away from him, which will make his carbon-copy clone useless.

In reality, nothing can really force a anything to obey robots.txt.

That said: I have lots of hidden traps on my site. I use “nofollow” instead of banning visits in robots.txt. This catches a very small fraction of the scrapers and spammers, but the traps catch some scrapers every day.

Here’s another suggestion.

Don’t try and recognize by IP and timing or intervals–use the data you send to the crawler to trace them.

Create a whitelist of known good crawlers–you’ll serve them your content normally. For the rest, serve pages with an extra bit of unique content that only you will know how to look for. Use that signature to later identify who has been copying your content and block them.

I have no idea what the person giving the answer means by “use the data you send to the crawler to trace them”. What data should you send to the crawler? And how should that particular data be used to trace them?

I already whitelist certain crawlers. I don’t give other crawlers an “extra bit of unique content”. If I can detect they are not-white-listed crawlers and they are crawling, I ban them by user agent or IP. That’s a lot more time efficient than writing a script that gives them a modified unique text, spending even more time writing my own crawler to find that unique text, (and getting my own crawler banned when I send it out), writing someone asking them to take down my material after I found it and possibly trying to get the law involved.

Anyway, I have no idea how this person giving this advice thinks one is going to “Use that signature to later identify who has been copying your content and block them.” I mean, how does the signature help you identify who copied the content in a way that provides you sufficient information to ban that particular scraper/content thief? (Are they hiding the IP of the visitor in the content so they know to ban that IP? What?)

But anyway, with respect to the ideas at some of these places: I do them. In terms of the nuts and bolts of how to implement them — well notice there are no nuts-and-bolts descriptions of how to implement the conceptual idea of how to catch an scraper.

Notice that the person asking the question wanted to know “What else can I do? Are there any algorithms, or even systems designed for quick on-the-fly analysis of historical data?”. None of the answers pointed to algorithms or quick on the fly analysis systems.

Anyway…. at “blog.bannasties.com” I’ve got quite a cookie system going. I ginned it up the first cut last week sometime– between loads of laundry and such. But I could see some “crawlers” in the logs and I really want to “get” those automatically. So, I ginned something up yesterday afternoon, watched for “issues”, fixed those and it’s running now. I think it’s ok. But I need to wait for the particular crawler to come back. (It’s a known guilty crawler on lots of lists. I could hand-ban it. But that’s pointless. I need a way to ban it automatically so that I can continue to ban it when it comes back. It’s hard to auto-ban because
a) it’s not idiotically-stoooopid.
b) it’s crawling fairly slowly
c) it’s on an ISP– and a normally clean one.
d) It’s not hacking— just crawling through every post on that blog. (There are only 10.)
e) it comes back every 2 days and looks at the exact same posts over and over and over. (And actually looking at every possible address. So, it reads the exact same content– but sometimes under “tags”, sometimes as the posts and so on.)
f) It does not visit robots.txt. (It wouldn’t get banned there– but it would be told not to crawl. But I could try to do some special interrogations there.)

It’s the combination of (e) and (f) that make me want to ban it. So I set up a few experiments to see what’s up with the thing. When it comes back I’ll see if it accepts cookies. Whether it does or not, I’ll ban it. I have two paths.

The method may end up implemented here if it is human-safe and effective.
MrE says:

November 29, 2012 at 12:49 pm

Have you ever tried an RSS feed for your site? Maybe it would alleviate some of the scrapers. Also, I think tripwire, and intrusion detection systems, operate in a similar way. They scan your files to look for changes and then preforms a notification or action if it does find something.
lucia says:

November 29, 2012 at 12:57 pm

MrE–
Could you elaborate? Specifically:

Have you ever tried an RSS feed for your site? Maybe it would alleviate some of the scrapers.

I have an RSS feed. Why do you think having one might alleviate scraping?

Also, I think tripwire, and intrusion detection systems, operate in a similar way.

These operate in a similar way to what? The feed?

They scan your files to look for changes and then preforms a notification or action if it does find something.

I do scan files to and directories to look for changes. That finds damage after it occurs. It doesn’t reduce the cpu, memory or bandwidth used by bots while they are trying to accomplish whatever goal the bot is programmed to accomplish. (That is scraping/spamming etc.)
Duke C. says:

November 29, 2012 at 7:16 pm

173.51.134.227 (1 times)
pool17351134227.lsanca.dslw.verizon.net

That IP looks like Verizon mobile in the Los Angeles area. If one Verizon user is misbehaving, does it ban all Verizon users? That would seem to be an unnecessarily wide net.
MrE says:

November 29, 2012 at 8:30 pm

I thought in a previous post a few months ago you said something about them using it instead of Rss so I must of misunderstood or just mistaken. My thought was if you didn’t summarize with RSS then perhaps some were scapping to get the same info. Tripwire works similar to your one description in that it scans files(your own though) every so often and looks for changes to detect intrusions or unexplained changes which can help find unwanted access.

Duke’s entry looks like DSL not mobile. It would be surprising if any of them are from mobile devices.
MrE says:

November 29, 2012 at 8:33 pm

Pandastats .net looks like they likely scrape for data. They even put a sale value and advertising earnings estimate on sites like the Blackboard.
lucia says:

November 29, 2012 at 8:46 pm

MrE–
RSS is and has always been available. That doesn’t mean that scrapers will decide to get info from RSS.

If one Verizon user is misbehaving, does it ban all Verizon users? That would seem to be an unnecessarily wide net.

I don’t ban all of Verizon for 1 Verizon user misbehaving. That would be unnecessarily wide.
Duke C. says:

November 29, 2012 at 9:52 pm

MrE (Comment #107065)

“It would be surprising if any of them are from mobile devices.”

I use Sprint mobile (pools.spcsdns.net) almost exclusively, and get the scary 403 page two-three times a month (among other oddities- blank screens on the main page, charming little messages from Cloudflare, etc.). Sprint mobile IP numbers are usually in the 67.###, 68.### range. Easy fix, though. Just disconnect-reconnect until the connection flips to another IP# used/owned by Sprint. I would attribute this to lower-level kiddie scriptor types of abuse.
lucia says:

November 29, 2012 at 10:33 pm

Duke–
I’d be grateful if you would click the link and email me information when you are blocked. That way I might learn more about which blocks are hitting you. It might be that you share with a script kiddie– or it might be something else. It could also be that more mobile IPs get banned at cloudflare. (I can think of all sorts of reasons why this could happen. After all…on a mobile device, it’s easy to get yourself a new IP. It’s easy for spammers/ hackers to get them too!)

Still, if people don’t give me details about the blocks, I can’t tell it hit a real person from the logs. So if one of the rules is bad, I can’t learn that.
ferd berple says:

November 30, 2012 at 8:11 am

your anti-hacking tool has gone crazy. I tried to make a second post, it banned me, then asked me to create an I’d so I could log on and send and email to request unblocking.

If I disconnect from my ISP for 2 minutes they give me a different IP when I reconnect, but this anti-hacking tool really isn’t working correctly. It is giving false positives.
lucia says:

November 30, 2012 at 9:11 am

fred–

your anti-hacking tool has gone crazy. I tried to make a second post, it banned me,

When did you try to make a second post? Today? Yesterday?

Yesterday, I instituted a new rule to ban people on a particularly spammy ISP in the former soviet union. It banned a commenter– but I could tell it was a human because the kill log reported a part of the comment which included the clearly on topic word “mosher”. But that person was not you. (I eliminated the rule. )

I would be happy to look into your false positive if you would provide specific information.

then asked me to create an Iâ€™d so I could log on and send and email to request unblocking.

If you hit the 403 page, error message should not ask you to create an ID so you can send an email. It provides clickable link. If you click that link it will opens an email form. All you need to do is click that link to open up an email with title that (and often contents) that are very informative for me and then hit “send”.
(If you get the cloudflare page, you might see something else. But filling out that form will help me.)

With respect to your issue: It is particularly difficult for me to guess what your particular problem was.

I notice you switch IPs from time to time– and not just by specific number, but by company/country. One range happens to correspond to an ISP that is sending lots of scrapers. (It’s a large company– but there are many IPs on that company actively scraping right now.

It is possible that you hit an IP that I have blacklisted for that reason. Or not. I can’t guess because I can’t even narrow down the ISP or hosting company you use and you didn’t click the link to send me a message.

If you know the IP, date, time etc, I might be able to figure out what “got” you and help you out. But… right now… I need info.
lucia says:

November 30, 2012 at 9:25 am

Fred–

To show I am motivated to try to sort out what got you banned, I’m looking for the ‘kills’ for things banned locally. (If you were banned at cloudflare, that might be because your ISP is “dirty” generally, and/or I banned that IP for previous bad behavior. As I mentioned: On of the IPs you used is in a range that does show frequent scraping.)

Now, since you didn’t give details on why you were banned, I’m looking in the kill logs. In reverse order, these are the two most recent kills today:

#: 115491 @: Thu, 29 Nov 2012 22:32:34 -0800 Running: 0.4.10a1
Host: 78.134.253.96-dsl.net.metronet.hr
IP: 78.134.253.96
Score: 5
Violation count: 1 INSTA-BANNED
Why blocked: comment with bad referrer : end 1 ; bad cookie:(expires,path,domain,); INSTA-BAN. You have been instantly banned! |-| INSTA-BAN. INSTA-BAN. |:| Begin custom: ax=0 || ( ax=0) the comment: This is the best web blog I have read The Blackboa ] [HR] | 2 X_Forward= [193.142.113.141,78.134.253.96 ] Check Cookies; FORWARDED_FOR=[193.142.113.141,78.134.253.96] left over cookies:(0, names=[] ) ; ( 0 )
Query:
Referer: http://rankexploits.com
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Reconstructed URL: http:// rankexploits.com /musings/wp-comments-post.php

This comment supposedly came from Bahrain. They have their browser set to spoof referrers. It was blocked for that reason. (They are also forwarding from Poland.) The comment began “This is the best web blog I have read The Blackboa”

Here’s is the next one earlier one:

#: 115478 @: Thu, 29 Nov 2012 21:33:11 -0800 Running: 0.4.10a1
Host: host-41.238.61.207.tedata.net
IP: 41.238.61.207
Score: 5
Violation count: 1 INSTA-BANNED
Why blocked: comment with bad referrer : end 1 ; bad cookie:(expires,path,domain,); INSTA-BAN. You have been instantly banned! |-| INSTA-BAN. INSTA-BAN. |:| Begin custom: ax=0 || ( ax=0) the comment: This is the best web blog I have read The Blackboa ] [EG] | 2 X_Forward= [193.142.113.141,41.238.61.207 ] Check Cookies; FORWARDED_FOR=[193.142.113.141,41.238.61.207] left over cookies:(0, names=[] ) ; ( 0 )
Query:
Referer: http://rankexploits.com
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.221.7 Safari/532.2
Reconstructed URL: http:// rankexploits.com /musings/wp-comments-post.php

It supposedly came from Egypt (and was also forwarded from Poland). It also wanted to tell me ” This is the best web blog I have read The Blackboa” and was also banned for referrer spoofing when commenting. (As a bonus, it left bad cookies.)

Except for the kill I recognized as a false positive– all other local kills since yesterday at 7 am are similar. They all start by telling me : “This is the best web blog I have read The Blackboa”.

I assume these were not you. If you got banned for a different reason, you need to give me details. As I said: Because you use a variety of ISPs, I can’t guess which kill might be yours unless you inform me.
lucia says:

November 30, 2012 at 9:48 am

Fred– I hunted around. I found a comment banned Thu, 29 Nov 2012 07:21:53 -0800, (Yesterday morning.) This was a false positive that occurred when I edited a rule (and I edited the record out of the killed log too). I saw this and corrected it within 15 minutes. Sorry it hit you.
Duke C. says:

November 30, 2012 at 10:16 am

@lucia (Comment #107069)

Got the blank white screen last night, should be in your log-

IP- xxxxxxx
UA- Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
9:49PM PST
lucia says:

November 30, 2012 at 11:35 am

DukeC–
Sorry. Thanks for letting me know!

Blank white screens are different. They aren’t errors– they have to do with timing. If I have *just* uploaded a change in any page that is called by wordpress, blank white screens happen for about 5 seconds afterwards. That’s true for nearly any chage– ZBblock, plugin, edit to template or what have you. So will appear to happen more or less randomly and during periods when I am editing things. It’s ban software specific only to the extent that I edit that more than any other thing– and that software is shared between three blogs.

I am editing it on and off doing cookie things that I am testing out on the other site.

The rules are in an “if” block. They are catching scrapers over there. The ‘bannasties.com’ pages are particularly delicious to scrapers. In contrast this site is more delicious to hackers. Oddly — or possibly not so oddly– both often take out services on the same hosting companies. The ‘attractive’ features of those companies is often a) inexpensive, b) tolerate of their customers doing ‘whatever’, c) provides a lot of ‘privacy’ for their clients etc.

The fall out here is some “white screens”. When you get “The Scary Page”, you’ll know.

I’m going to delete your IP above.
lucia says:

November 30, 2012 at 1:30 pm

There were 5 false positives before I noticed a typo. I noticed because the typo triggered by a false positive by me. ( I had the “123.456.78.9 ” with a blank before the close of the “”. I fixed it to “123.456.78.9 “. All were fished out. If you wondered why I thought you were in China…. well… it was a typo. I think 1 or 2 of those false positives were people. The others weren’t. (At least two were perfectly friendly ‘bot collecting a feed. Some bots are ok. )

For those wondering… I was banning Chinese ranges. I used to just ban them all at Cloudflare but it turns out Cloudflare thinks a few Austrlians are in China. So, now I’m just watching for the Chinese ranges that hack and adding rules as I find them. I was doing that this morning. I plan to drop this next week, but I added a bunch of things this week. The banning with cookies is working great and has not yet triggered a false positive.

Oh… I banned my mom over at the moribund knitting blog. That was a knitting blog specific issue with the comment form included in a non-conventional way in that theme. Of course she emailed so I got her unbanned. 🙂
ferd berple says:

December 1, 2012 at 9:56 am

lucia (Comment #107073)
November 30th, 2012 at 9:11 am
fredâ€“
I notice you switch IPs from time to timeâ€“ and not just by specific number, but by company/country.
=========
Set a proxy IP in your browser’s connection options and your own IP is no longer visible. Depending on where the proxy is located, that is the country you are now surfing from.
lucia says:

December 1, 2012 at 10:13 am

Fred–
I know how people use proxies. However:
1) If you use a proxy and you also don’t give me specific details about how/why/or even what date your IP received a “ban” report, it is nearly impossible for me to determine why you were banned and
2) If you use proxies, you have a higher than normal probability of occasionally using an IP that is banned.

The reason for (1) is obvious. I was trying to communicate this to you as the reason why it would be (and was) quite time consuming for me to figure out why you were banned. If I have no information about (time/date/IP/reason for the ban/ ban number) and I can’t begin to guess the IP you might have been using have no way to figure out which of the ‘bans’ might be yours and I can’t diagnose whether the “rule” was a false positive nor can I diagnose which “rule” got you. That means I will not be able to edit it if it is a bad rule.

The reason for (2) is that even though perfectly well behaved individuals wish to use proxies, a disproportionate number of connections that use proxies tend to be spammy/hacky or otherwise badly behaved. Consquently, many proxy IPs get banned for bad behavior. Moreover, because many scrapers use special software to scrape (or hack) using mulitple proxy IPs in parallel, I often block entire ranges associated with companies who rent out proxy IPs.

This means that if you use proxies, the IP you are currently used ay have been banned because someone else sharing the proxy IP did something bad.

Quite honestly, even if some people on proxies get banned from time to time– owing to the fact that they are sharing a proxy IP with a spammer/hacker/scraper etc. I consider that ok with me. If you are going to use proxies — particularly ones you share with many other people who just want to be anonymous– you are going to get banned. Your “solution” is for you to hunt for a clean proxy IP until you can connect.

That’s is to say: If you want this degree of privacy, you are going to have to deal with a certain measure of inconvenience. To maintain a modicum of security for my site, I block many proxy IPs– generally because scraping/hacking have been associated with that IP.
Dan Hughes says:

December 1, 2012 at 11:11 am

Off topic, but might be of interest.

The constructal theory model of the climate has been updated:

Climate change, in the framework of the Constructal Law

The new model updates those given in:

Bejan, A. and Reis, A.H. (2005) â€˜Thermodynamic optimization of global circulation and climateâ€™, International Journal of Energy Research, Vol. 29, pp.303â€“316.

Reis, A.H. and Bejan, A. (2006) â€˜Constructal theory of global circulation and climateâ€™, International Journal of Heat and Mass Transfer, Vol. 49, pp.1857â€“1875.
Duke C. says:

December 11, 2012 at 8:58 am

Fatal error: Call to undefined function checkthehost() in /home/xxxxx/zbblock/vault/customsig_rules.php on line 1132
lucia says:

December 11, 2012 at 12:58 pm

DukeC–
Thanks! (ZBblock just came out with an update. I’ve been adding in all my modifications. I didn’t realize error reporting was not off by default. Actually, you found a bug I would have never found!)

Comments are closed.

The Blackboard

How Constant are Hacking Attempts?

43 thoughts on “How Constant are Hacking Attempts?”

Where we talk about news. :)