General

Referrer Spam? Hah Hah

Note: This entry has been restored from old archives.

Something’s playing with me…

       Client IP                                       GET URL     REFERRER STRING
 --------------- --------------------------------------------- -------------------
   66.49.223.233                                     /2006/12/ http://www.rxtq.com
    70.87.208.34                         /Entries/Tech/General http://www.jyor.com
 216.185.128.200               /Entries/Tech/General/index.rss http://www.jyor.com
 216.185.128.200 /Entries/Tech/General/Referrer_Spam_Worm.html http://www.jyor.com
 216.185.128.200                         /Entries/Tech/General http://www.nucx.com
    70.87.208.34               /Entries/Tech/General/index.rss http://www.nucx.com
    70.87.208.34 /Entries/Tech/General/Referrer_Spam_Worm.html http://www.nucx.com
   66.49.223.233                         /Entries/Tech/General http://www.cjrz.com
    70.87.208.34               /Entries/Tech/General/index.rss http://www.cjrz.com
     74.208.16.4 /Entries/Tech/General/Referrer_Spam_Worm.html http://www.cjrz.com
     74.208.16.4                         /Entries/Tech/General http://www.qwye.com
   66.49.223.233               /Entries/Tech/General/index.rss http://www.qwye.com
     74.208.16.4 /Entries/Tech/General/Referrer_Spam_Worm.html http://www.qwye.com
     74.208.16.4                         /Entries/Tech/General http://www.kzby.com
   66.49.223.233               /Entries/Tech/General/index.rss http://www.kzby.com
    70.87.208.34 /Entries/Tech/General/Referrer_Spam_Worm.html http://www.kzby.com
 216.185.128.200               /Entries/Tech/General/index.rss http://www.ovqk.com
    70.87.208.34 /Entries/Tech/General/Referrer_Spam_Worm.html http://www.ovqk.com
 216.185.128.200               /Entries/Tech/General/index.rss http://www.bgxr.com
    70.87.208.34 /Entries/Tech/General/Referrer_Spam_Worm.html http://www.bgxr.com

This started earlier this month and coincidentally it’s hitting a post about a potential referrer spam worm. Targeted silly-buggers or chance? Chance I’d guess — possibly thanks to an amusing search string choice? The user-agent is “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)” in all cases.

Note that visiting those IPs hits CPanel entrances in two instances but just default/dead account pages in the other cases. I’m guessing these are owned server systems – or just host XSSed junkcode of some sort.

I guess I’d better report them.

In other news I was horribly sick last week (well, about as sick as I ever get: head feeling like a sack of wet cats had taken up residence, throat like I’d been swallowing crushed glass and all-over body pain rubber-hose style). Also, we now have a 27U rack in the study. And I thought my days of living with racks had ended with EvilHouse (domain name now seemingly defunct – I guess we’ve all left those “evil” days behind us then).

*sigh* So it’ll be good to get back on track with some work tomorrow, things are moving again.