Perishable Press

Latest Blacklist Entries

Recently cleared several megabytes of log files, detecting patterns, recording anomalies, and blacklisting gross offenders. Gonna break it down into three sections:

User Agents

User-agents come and go, and are trivially spoofed, so this is a nuisance filter rather than a security boundary; still, it’s worth a few lines of htaccess to block the more persistent bots that repeatedly scan your site with malicious requests.

# Nov 2010 User Agents
# SetEnvIf patterns are regular expressions matched anywhere in the header
# (NoCase = case-insensitive), so dots and parentheses must be escaped: an
# unmatched ")" does not compile and Apache answers 500 for the whole directory.
SetEnvIfNoCase User-Agent "MaMa " keep_out
SetEnvIfNoCase User-Agent "choppy" keep_out
SetEnvIfNoCase User-Agent "heritrix" keep_out
SetEnvIfNoCase User-Agent "Purebot" keep_out
SetEnvIfNoCase User-Agent "PostRank" keep_out
SetEnvIfNoCase User-Agent "archive\.org_bot" keep_out
SetEnvIfNoCase User-Agent "msnbot\.htm\)\._" keep_out

# Apache 2.2 access control; only the listed methods (plus HEAD) are covered
<Limit GET POST PUT>
 Order Allow,Deny
 Allow from all
 Deny from env=keep_out
</Limit>

The first line blocks any user-agent containing “MaMa ” (the match is case-insensitive and fires on that substring anywhere in the header). If that scares you, then replace that line with these two:

SetEnvIfNoCase User-Agent "MaMa CyBer" keep_out
SetEnvIfNoCase User-Agent "MaMa Xirio" keep_out

The other lines block the latest batch of “loser-agents,” which may completely disappear overnight. My current strategy is to block for a few months and then start fresh. Stuff like heritrix, Purebot, and PostRank have made the list numerous times.

Two caveats on the wrapper. <Limit GET POST PUT> restricts only the listed methods (HEAD counts as GET), so a scanner that sends OPTIONS or any other method is not affected; drop the <Limit> wrapper if you want the Deny to apply to every request. And Order/Allow/Deny is Apache 2.2 syntax: Apache 2.4 replaced it with the Require directives of mod_authz_core and only honours the old form through mod_access_compat.

Character Strings

There must be some exciting new vulnerability, because suddenly I’m seeing TONS of requests for the following resources in just about every virtual directory imaginable:

fpw.php
xmlpc.php
pingserver.php
test00.comze.com

What’s the best way to deal with endless requests for non-existent resources? I prefer to respond with 403 Forbidden and call it done; mod_alias answers before the request ever reaches PHP or the CMS’s 404 handling, so each probe costs almost nothing:

# Nov 2010 Char Strings
# RedirectMatch takes a regex against the URL path (query string excluded);
# the dots are escaped so "fpw.php" does not also match "fpw-php" and the like
<IfModule mod_alias.c>
 RedirectMatch 403 fpw\.php
 RedirectMatch 403 xmlpc\.php
 RedirectMatch 403 pingserver\.php
 RedirectMatch 403 test00\.comze\.com
</IfModule>

Of course, make sure you aren’t actually using any of these files anywhere on your site before using this code. The patterns are unanchored, so they also fire on any longer path that contains one of these names.

IP Addresses

Last but not least, here’s the latest batch of nefarious IP addresses. There’s little point blocking transient botnet addresses, which change faster than any list can track, so only the most persistent static offenders make the list:

# Nov 2010 IPs
# Apache 2.2 syntax; Deny from also accepts partial addresses and CIDR ranges
<Limit GET POST PUT>
 Order Allow,Deny
 Allow from all
 Deny from 65.55.3.211
 Deny from 72.229.57.27
 Deny from 77.93.2.81
 Deny from 77.221.130.18
 Deny from 91.205.96.13
 Deny from 94.75.229.132
 Deny from 95.108.157.252
 Deny from 99.22.93.95
 Deny from 173.193.219.168
 Deny from 174.133.177.66
 Deny from 178.234.154.230
 Deny from 178.33.3.23
 Deny from 190.174.198.86
 Deny from 203.89.212.187
 Deny from 207.241.228.166
 Deny from 213.55.76.224
 Deny from 216.171.98.77
</Limit>

As with the user-agents, I like to block IPs for a month or so at a time. Implement (or not) as you see fit.
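Before any of the three blocks above goes live, it is worth dry-running the rules against your own access log, which is also the quickest way to see how much legitimate traffic each pattern would catch. The following Python script is an added example, not code from the post: it re-implements the matching semantics of the three sections (SetEnvIfNoCase as a case-insensitive regex search on the User-Agent, RedirectMatch as a regex search on the request path, Deny from as an exact address match, and the <Limit GET POST PUT> wrapper, which also covers HEAD but leaves other methods unblocked), validates the patterns the way Apache’s PCRE would, and tallies 404’d file names the way the post’s log review did by hand. The log lines are constructed for the example, the IP set is a subset of the post’s list, and the function names are the example’s own.

```python
import re
from collections import Counter

# Rules transcribed from the three sections of the post. SetEnvIf and
# RedirectMatch patterns are regexes, so metacharacters are escaped here.
USER_AGENT_PATTERNS = [
    r"MaMa ", r"choppy", r"heritrix", r"Purebot", r"PostRank",
    r"archive\.org_bot", r"msnbot\.htm\)\._",
]
PATH_PATTERNS = [r"fpw\.php", r"xmlpc\.php", r"pingserver\.php", r"test00\.comze\.com"]
DENIED_IPS = {"65.55.3.211", "72.229.57.27", "95.108.157.252"}  # subset of the post's list
LIMITED_METHODS = {"GET", "POST", "PUT"}  # the <Limit> wrapper used in the post

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def validate_patterns(patterns):
    """Return the patterns that do not compile. Apache uses PCRE, which rejects
    the same unbalanced parentheses as Python's re; a bad pattern in .htaccess
    makes Apache answer 500 for the whole directory rather than just missing."""
    bad = []
    for pat in patterns:
        try:
            re.compile(pat)
        except re.error:
            bad.append(pat)
    return bad


def parse_log_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def method_is_limited(method, limited=LIMITED_METHODS):
    """<Limit GET ...> also restricts HEAD; any other unlisted method is untouched."""
    return method in limited or (method == "HEAD" and "GET" in limited)


def verdict(entry, ua_patterns=USER_AGENT_PATTERNS, path_patterns=PATH_PATTERNS,
            denied_ips=DENIED_IPS):
    """Name the section that would refuse this request ('path', 'user-agent'
    or 'ip'), or return None if the request passes all three."""
    # RedirectMatch is not inside <Limit>, so it applies to every method, and
    # mod_alias acts before access control.
    for pat in path_patterns:
        if re.search(pat, entry["path"]):
            return "path"
    if not method_is_limited(entry["method"]):
        return None
    # SetEnvIfNoCase: case-insensitive, unanchored regex search on the header.
    for pat in ua_patterns:
        if re.search(pat, entry["agent"], re.IGNORECASE):
            return "user-agent"
    # Deny from <address>: exact match here (Apache also accepts prefixes and CIDR).
    if entry["ip"] in denied_ips:
        return "ip"
    return None


def audit(log_text):
    """Dry-run the rule set over a log. Returns (per-line results, tally)."""
    results = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is not None:
            results.append((entry["ip"], entry["method"], entry["path"], verdict(entry)))
    tally = Counter(why for _, _, _, why in results)
    return results, tally


def missing_resources(log_text, n=5):
    """What the post did by hand: tally 404'd file names so new scan targets stand out."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is not None and entry["status"] == "404":
            hits[entry["path"].rsplit("/", 1)[-1]] += 1
    return hits.most_common(n)


# Constructed sample log (not from the post's logs). 192.0.2.0/24 is
# documentation address space; the first address is one the post denies.
SAMPLE_LOG = """\
65.55.3.211 - - [05/Nov/2010:10:01:12 -0700] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Nov/2010:10:02:30 -0700] "GET /wp-content/fpw.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"
192.0.2.11 - - [05/Nov/2010:10:03:01 -0700] "GET /about/ HTTP/1.1" 200 2048 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)._"
192.0.2.12 - - [05/Nov/2010:10:03:45 -0700] "OPTIONS / HTTP/1.1" 200 0 "-" "Heritrix/3.1"
192.0.2.13 - - [05/Nov/2010:10:04:10 -0700] "GET /contact/ HTTP/1.1" 200 1800 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
192.0.2.14 - - [05/Nov/2010:10:05:00 -0700] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "MaMa Xirio/1.0"
192.0.2.20 - - [05/Nov/2010:10:06:00 -0700] "GET /archive/fpw.php HTTP/1.1" 404 312 "-" "Purebot/1.1"
"""

if __name__ == "__main__":
    print("patterns Apache would reject:", validate_patterns(["msnbot.htm)._"]))
    results, tally = audit(SAMPLE_LOG)
    for ip, method, path, why in results:
        print(f"{ip:14} {method:7} {path:22} -> {why or 'allowed'}")
    print("blocked by section:", dict(tally), "| top 404s:", missing_resources(SAMPLE_LOG))
```

Run it and the OPTIONS request from the Heritrix agent comes back allowed, which is the <Limit> gap; the pattern check flags the unescaped msnbot entry before Apache would turn it into a 500; and the 404 tally is the signal that put fpw.php on the list in the first place. Point audit() at a real log and any legitimate request that shows up as blocked is a pattern to tighten before deploying.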

Bonus IPs! – Looking for more bad IPs to block? Check out Vladimir’s post in the comments.

Just one fix..

Don’t take my word for it. Check your own logs and see what shouldn’t be there. “Know thy enemy,” as they say ;)

For more help on blocking stuff with .htaccess, check out Eight Ways to Redirect with Apache’s mod_rewrite.

Jeff Starr
About the Author Jeff Starr = Web Developer. Book Author. Secretly Important.
24 responses
  1. Hi Jeff,

    I would like to contribute some more IP addresses (they are taken mainly from virbl.dnsbl.com) if you don’t mind:

    182.208.57.207
    112.151.70.2
    190.20.205.72
    70.62.191.33
    60.249.252.214
    61.47.226.229
    186.113.137.236
    124.199.48.53
    67.77.210.16
    112.146.178.48
    60.240.2.154
    190.143.51.225
    217.115.203.154
    60.191.89.186
    193.23.143.117
    180.193.18.206
    115.161.108.145
    121.212.231.55
    201.212.57.248
    183.9.73.77
    83.218.173.191
    80.127.213.243
    218.209.63.19
    89.184.188.83
    213.206.88.42
    111.172.114.125
    199.203.84.67
    123.18.196.241
    58.185.107.18
    64.234.80.113
    212.83.70.180
    121.237.153.123
    24.112.67.92
    91.75.179.18
    77.248.175.127
    81.136.243.94
    213.189.4.102
    86.174.38.2
    220.87.72.250
    110.136.39.90
    61.8.226.95
    208.43.146.84
    88.208.236.71
    78.40.142.69

  2. Jeff Starr

    Thanks, Vladimir – I updated the post with a link to your comment.

    Cheers :)

  3. Thanks Jeff for this effort you put in, I never had an idea about some stuff here, so your posts were an eye opener for me.

  4. Good post Jeff. I like the user agent block.

  5. I’m looking for a website keeping an updated list we could download and paste into .htaccess

    Here I see this post with a few entries but is there a static link that point to a list that is updated from time to time?

    Thanks

  6. Hello Jeff,

    This is my first message on your website.

    Just a few words from France to tell you how grateful I am. I’m really pleased you share so much useful and valuable information.

    I’m more into Joomla than WordPress but many articles are suitable for any CMS. Not to say any website…

    I also (and most of all) appreciate the awesome quality of your work. Everything falls into place and is extremely well designed. I like the way you take care of every detail.

    You’re a great source of inspiration to me, even if I’m far from having the same skills.

    As you say in the USA: “keep up the good work”.

    Yours,

    Ben

  7. I am always doubtful whether it is a good idea to block IP addresses, as many of these addresses are shared IPs and so other websites are blocked.

    This happened to me with a German shared IP address very often on US websites.

    Please consider this.

  8. Michael Clark November 10, 2010 @ 6:20 am

    Why are you blocking the Archive.org bot? They follow robots.txt.

    The only character string I’ve had hits for is pingserver.php.

    Most of the IP addresses you list haven’t hit my server, although a few of them have hundreds of hits in brief amounts of time.

    I guess this really does show you really need to know what is happening on your server, as attacks are coming from so many different places and in so many different methods. And you really need to understand what these type of blacklist rules will do.

  9. Amazing!! Thanks for sharing the result of many hours of work!

  10. Jeff Starr

    @Daniel: Here is a current IP Blacklist: https://perishablepress.com/blacklists/blacklist_ip.txt

    @Ben Gun: Thank you for the kind words – they are greatly appreciated.

    @Connie: Good point, and I would suggest that if you don’t feel comfortable blocking malicious IPs, then you shouldn’t do it. As for me, I have found that temporary blocking some of the worst IPs is an effective security measure.

    @Michael Clark: The archive.org bot is one of the WORST, according to my data. They consume miles of bandwidth and never return any traffic. Plus, 90% of the requests I get from that terrible bot are malicious scans for non-existent resources. For my sites, it’s just not worth it.

  11. thanks for the list Jeff…

    looking forward to the UA BlackList :-)

  12. Hi, I am using your 2010 user agent blacklist at the moment and I wanted to know if I can paste the directive from this site under yours. I am not asking whether their code works or not, just whether htaccess will allow it and function okay.

    http://www.spanishseo.org/block-spam-bots-scrapers
