ec2-3-233-215-231.compute-1.amazonaws.com | ToothyWiki | ToothyWikiInternals | RecentChanges | Login | Webcomic
This, when I feel like it, will be updated with IP addresses of machines doing various sorts of scans on the webserver.
This will mostly be useless, since a lot of them are dynamic; it might be interesting, though.
Unregulated robot at 184.108.40.206 started crawling our website about 11:24am. It ignored the robots.txt file and crawled through the wiki history and search namespaces, at the rate of several dozen hits per second, effectively DOSing the wiki. Requests from that IP address are now blocked.
cust-479.adsl.bestweb.net - looks static
220.127.116.11 - doesn't resolve
People looking for somewhere to forward spam through
pool-141-150-114-101.mad.east.verizon.net - bleh. Dialup pool. Can't do much with that.
- Sure you can, you can block verizon.net. Along with *bt* and *aol* You'll cut down on problems significantly then.
host57-142.pool80181.interbusiness.it tried to get the webserver to proxy a connection to the FTP port on 18.104.22.168. Why would someone want to do that?
To hide their tracks? Presumably the logs on the ftp site would show access from your machine rather than the originating machine (which may well not be host57-142... but a machine using that one as a proxy, etc.) - Kazuhiko
We've been royally scanned (source IP 22.214.171.124). This is the most comprehensive scan the webserver's had yet - does anyone recognise the tool used?
- (PeterTaylor) Don't recognise the tool per se, but I recognise the scan. Someone tried that on my server a while back, and they hold the record for the most aggressive scan, though not the fastest. Took them over two minutes to perform 506 requests.
- Hm. The machine in question is an open proxy, as Google: %22195%2E65%2E2%2E18%22 reveals. A good list of IP addresses to block there, methinks..
I'll add my (not very current) list of idiots:
126.96.36.199 09:59:55 "GET /cgi-bin/formmail.pl HTTP/1.0" 404 "http://www.TOOTHYCAT.net/" "-"
Hm. Why is the word "TOOTHYCAT" in capitals? Where can they have picked that up from?
188.8.131.52 09:59:56 "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 "http://www.TOOTHYCAT.net/" "-"
184.108.40.206 12:13:34 "\x04\x01" 501 - "-"
WTH is that meant to be..?
220.127.116.11 12:13:55 "\x05\x01\x02" 501 - "-"