SpamKill.org Intelligence that enables you to fight all types of spam, content scraper crawlers, spam harvesting bots, IP tools, automated server/network software and ASP services are topics discussed.
#1
internetserviceteam.com
89-149-226-153.internetserviceteam.com
All webmasters should be aware of a major content scraper operation called InternetServiceTeam.com since these guys are professional hackers, content scrapers, comment and referral log spammers and have a vast IP range. http://www.robtex.com/ip/217.20.112.72.html |
#2
12:22 AM Guest Viewing Forum The Forum Circuit 89.149.209.117 89-149-209-117.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
12:21 AM Guest Viewing Index Forum Posters Union 212.62.97.20 Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
#3
The operator of Internetserviceteam.com paid this thread a visit a few minutes ago.
05:37 PM Guest Viewing Thread internetserviceteam.com 89-149-230-28.internetserviceteam.com Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.12) Gecko/20070718 Fedora/1.5.0.12-4.fc6 Firefox/1.
Great guy indeed
#4
09:07 AM Guest Registering 89.149.244.190 89-149-244-190.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7 |
#5
Internetserviceteam.com and their content scraper bots were back again tonight.
89-149-241-189.internetserviceteam.com User-Agent=Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ru; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 |
#6
Internetserviceteam the content scraper bot run by hackers was trolling the forum tonight and their IP was banned.
84-16-224-112.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322) |
#7
89.149.253.61 89-149-253-61.internetserviceteam.com
Mozilla/4.0 (compatible- MSIE 6.0- Windows NT 5.1- SV1- .NET CLR 1.1.4322 10:17 PM Guest Logging In 89.149.254.13 89-149-254-13.internetserviceteam.com Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.5) Gecko/20041220 K-Meleon/0.9 |
#8
Internetserviceteam the spam bot net operation hit us with a new assortment of IP addresses, some from dedicated hosts and others from blacklisted open proxy spam source IP's.
09:55 AM Guest Viewing Index Forum Posters Union 89.149.253.61 89-149-253-61.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.6) Gecko/20050222 Firefox/1.0.1
09:53 AM Guest Viewing Index Forum Posters Union 219.25.100.28 softbank219025100028.bbtec.net Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.6) Gecko/20050222 Firefox/1.0.1
09:52 AM Guest Viewing Index Forum Posters Union 202.105.182.87 Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.6) Gecko/20050222 Firefox/1.0.1
09:52 AM Guest Viewing Index Forum Posters Union 202.84.17.42 Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.6) Gecko/20050222 Firefox/1.0.1
#9
Spam botnet operation Internetserviceteam.com was back again today, this is a referral log spammer, content scraper, spam harvesting and mail server operation.
89.149.253.61 89-149-253-61.internetserviceteam.com Mozilla/4.0 (compatible; Powermarks/3.5; Windows 95/98/2000/NT) |
#10
Spam botnet internetserviceteam was back once again with a new IP and user agent.
89.149.241.229 89-149-241-229.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031016 K-Meleon/0.8.2 89.149.241.229 89-149-241-229.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2 |
#11
Internetserviceteam the automated spam botnet was back again today with a new user agent to get by .htaccess bans.
89.149.241.229 89-149-241-229.internetserviceteam.com Mozilla/4.7 (compatible; OffByOne; Windows 2000) Webster Pro V3.4 |
#12
It looks like Internetserviceteam.com has a new IP range for their referral and comment spam botnet.
02:21 PM Guest Registering 217.20.115.118 217-20-115-118.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
Notice the user agent change after banning the IP above:
02:29 PM Guest Viewing Index Forum Posters Union 217.20.115.118 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20041122 Firefox/0.5.6+
#13
Today's bot activity and user agent from automated spam botnet Internetserviceteam.com.
89.149.241.229 89-149-241-229.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en] |
#14
More fake user agents from Internetserviceteam
217.20.115.118 217-20-115-118.internetserviceteam.com Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.0.1) Gecko/20020921 Netscape/7.0 |
#15
Today's Internetserviceteam.com IP and phony user agent.
89.149.241.229 89-149-241-229.internetserviceteam.com Mozilla/3.0 (x86 [en] Windows NT 5.1; Sun)
#16
217.20.115.118 217-20-115-118.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; MRA 4.6 (build 01425); .NET |
#17
More IP's and user agents from Internetserviceteam.com that accessed our server today.
89.149.236.176 89-149-236-176.internetserviceteam.com Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030703 Epiphany/0.8.4 217.20.115.118 217-20-115-118.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040614 Firefox/0.9 |
#18
217-20-115-118.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.6 (build 01425)) |
#19
Today's Internetserviceteam activity IP and user agents hitting the forum.
89.149.253.220 89-149-253-220.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10 |
#20
89.149.227.193 89-149-227-193.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.6) Gecko/20011128 89.149.253.20 89-149-253-20.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT) ::ELNSB50::000061100320025802a00111000000000507000 900 89-149-241-111.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01 |
#21
89-149-253-20.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060612 Minefield/3.0a1 89-149-253-20.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon; .NET CLR 1.1.4322) 89-149-227-193.internetserviceteam.com Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.1) Gecko/20021104 Chimera/0.6 |
#22
217.20.115.118 217-20-115-118.internetserviceteam.com
Mozilla/4.5 (compatible; OmniWeb/4.2.1-v435.9; Mac_PowerPC) 89.149.227.193 89-149-227-193.internetserviceteam.com Mozilla/4.0 (compatible; Powermarks/3.5; Windows 95/98/2000/NT) 217-20-115-118.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Thunderbird/1.0.6 |
#23
217.20.115.118 217-20-115-118.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6 217-20-115-118.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060319 Firefox/2.0a1 |
#24
217-20-115-118.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2 |
#25
89.149.241.229 89-149-241-229.internetserviceteam.com
Mozilla/4.0 (compatible- MSIE 6.0- Windows NT 5.1- SV1- .NET CLR 1.1.4322 89.149.227.193 89-149-227-193.internetserviceteam.com Mozilla/5.0 (X11; Linux i386; U) Opera 7.60 [en-GB] 217-20-115-118.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2 StumbleUpon/1.9 |
#26
89.149.253.20 89-149-253-20.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030504 Mozilla Firebird/0.5+ 89.149.227.193 89-149-227-193.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2 89.149.241.229 89-149-241-229.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040614 Firefox/0.9 89.149.227.193 89-149-227-193.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461) |
#27
217.20.115.118 217-20-115-118.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows ME) Opera 7.11 [en] |
#28
About internetserviceteam.com
I just started getting hits from these guys today. I did a search, and this forum popped up. Reading into this a little deeper, and reading into *nix documentation, it seems there is a logical way to disable these critters from your site. Since Apache isn't run through tcpwrappers in *nix, I had to go about it a different way. In your httpd.conf file, and ssl.conf file, if you run ssl, you need to put the following:
Code:
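<Directory "/full/path/to/www/directory">
    # Order sets how Deny and Allow are evaluated: with deny,allow,
    # any host not matched by a Deny line is let in
    Order deny,allow
    # Matched against the client's reverse DNS name
    Deny from internetserviceteam.com
    # "others" is read as a host name here, not as a keyword
    Allow from others
</Directory>
I'm not sure the 'Others' is correct, but it worked on my install of Apache 2.2.4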
#29
Yes, they are dirt bags of a spamming type, but the problem you face is the fact that they also use many blacklisted open proxy IP's, so if you block the host name they will hit you with other rogue IP's.
I think you will save a lot of bandwidth with your solution as these guys most likely are conducting every form of automated comment spamming, content scraping, mail serving, referral log spamming, hacking, dictionary attacks, virus link dropping and spyware downloading trick in the book. Thanks for the solution, I'm sure many webmasters will appreciate your efforts on their behalf.

Look at the following example of Internetserviceteam registering under a new host name using a dedicated host just yesterday.

03:24 PM Guest Registering 217.20.122.154 main75.vserver4free.de Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0
217.20.122.0-217.20.122.255 NETDIRECT-NET netdirekt e.K.
<<217.20.122.153 217-20-122-153.internetserviceteam.com
>>217.20.122.155 colpaert.biz
217.20.112.0/20 netdirect Frankfurt, DE
AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE
217.20.122.0-217.20.122.255 NETDIRECT-NET netdirekt e.K.
217.20.122.154 main75.vserver4free.de PTR A

These guys are using dedicated hosts all over the world in addition to hijacked zombie PC's and their respective IP addresses in addition to blacklisted open proxy IP's. One thing you learn about automated professional spammers is the fact that they never give up and keep attacking the IP network 24/7/365 and you as a server administrator must always remain vigilant and mindful of the fact that spam botnets are going to take you down unless you keep an eye on the traffic hitting your server. All the spam botnets attacking you at once will certainly equal a DDoS unless you ban their networks.
#30
The other thing I did was add in .de to the deny list. I'm now seeing them hit me, but I have been able to effectively give them 403 - Forbidden errors. There are issues with this, as I'm sure you know, but it's an immediate quick fix until I figure out something else. It seems that although these guys are a botnet/spamnet/data stealing net, they still use German IP blocks, which reverse to essentially either '*.internetserviceteam.com' or '*.de'. Is there anything else other than being eternally vigilant in firewalling these guys' IP addresses?
#31
When you find their new IP ranges, publish them here, that will help.
Problem is you have to block by IP range because they are changing host names by using proxy IP's, they also change user agents non-stop. See below that just hit here a few minutes ago:

217.20.115.118 217-20-115-118.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; KKman2.0)
217.20.113.0-217.20.116.255 NETDIRECT-NET netdirekt e. K.
<<217.20.115.117 derlambertz.de
>>217.20.115.119 217-20-115-119.internetserviceteam.com
217.20.112.0/20 netdirect Frankfurt, DE
AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE
217.20.113.0-217.20.116.255 NETDIRECT-NET netdirekt e. K.
217.20.115.118 217-20-115-118.internetserviceteam.com PTR A

Internetserviceteam is just one of many major highly automated spam botnets, these guys are involved in automated referral log spamming and just about every other form of hacking and spamming in existence. Yes, more webmasters are waking up and watching the bots hitting their servers and that is all you can do unless you install ProjectHoneyPot.org code on your site.

More botnets you should be aware of are the following:
SVservers
Keymachine.de

Read the other threads in this forum for more data on all types of automated botnets. If you are interested in automated tools to stop bad bots and spam botnets read the sticky threads in our Spiders and bots forum.
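An added example, not part of any post in this thread: the advice in post #31 to block by IP range and to watch for user-agent rotation, written as a Python check over an Apache combined-format access log. The sample log lines (timestamps, request paths, status codes), the function names and the threshold of three user agents are constructed for illustration; the two CIDR ranges are the ones quoted in the whois output posted above.

```python
import ipaddress
import re
from collections import defaultdict

# CIDR ranges quoted in this thread's whois output (AS28753).
LISTED_RANGES = [ipaddress.ip_network(n)
                 for n in ("217.20.112.0/20", "78.159.96.0/19")]

# Apache combined log format; only the client address and user agent are kept.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed sample log, not taken from a real server.
# 203.0.113.9 is a documentation address standing in for an ordinary visitor.
SAMPLE_LOG = """\
217.20.115.118 - - [01/Jan/2008:14:21:07 +0000] "GET /register.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
217.20.115.118 - - [01/Jan/2008:14:29:40 +0000] "GET /index.php HTTP/1.1" 403 210 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20041122 Firefox/0.5.6+"
217.20.115.118 - - [01/Jan/2008:14:31:02 +0000] "GET /index.php HTTP/1.1" 403 210 "-" "Opera/7.54 (Windows NT 5.1; U) [pl]"
78.159.96.109 - - [01/Jan/2008:14:33:15 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
203.0.113.9 - - [01/Jan/2008:14:35:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
truncated line without the quoted fields
"""


def analyse(log_text, ua_threshold=3):
    """Return (hits per listed range, IPs showing >= ua_threshold user agents)."""
    agents = defaultdict(set)
    range_hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the run
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # host name logged instead of an address
        agents[str(ip)].add(m["ua"])
        for net in LISTED_RANGES:
            if ip in net:
                range_hits[str(net)] += 1
    rotators = sorted(ip for ip, uas in agents.items() if len(uas) >= ua_threshold)
    return dict(range_hits), rotators


def deny_directives(range_hits):
    """Apache 2.2 'Deny from' lines for the listed ranges actually seen."""
    return ["Deny from " + net for net in sorted(range_hits)]


if __name__ == "__main__":
    hits, rotators = analyse(SAMPLE_LOG)
    print("hits per listed range:", hits)
    print("addresses rotating user agents:", rotators)
    print("\n".join(deny_directives(hits)))
```

Matching on the address range keeps working when the client swaps its user agent or its reverse DNS name, which is the weakness of host-name and user-agent bans that the posts describe.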
#32
Thanks for the info on the other botnets. I've thought about setting up a honeypot before, although right now, I don't have the machines available to do a proper set up (set up on its own subnet, firewalled against the rest). I'm working on setting up something like that. I've also taken to firewalling a larger amount of IP's, which seems to block most of the more persistent offenders.
As far as internetserviceteam.com, I'm only logging hits from the previously mentioned 89/8 and 217/8 block so far, although I'm watching very closely, and have a script set up to email me when those logs appear. They are all getting 403 - Forbidden errors though, which is a good thing, I guess, hehe. Thanks again for the info on the botnets, I'll be sure to keep checking around here. |
#33
The great thing is the fact that you are proactive on this issue, many webmasters just put their heads in the sand and buy more Bandwidth and hosting firepower, but when you take the combined effect of large spam botnets hitting your server, it does amount to a DDoS, spam botnets are responsible for the majority of DDoS problems server administrators face today.
I know of web hosting companies that were taken down by spam botnets forcing them to invest in professional tools and software to stop the attacks. The ironic part of this is the fact that large web hosts sell these spam botnets firepower to attack the IP network and to hijack PC's from average users converting their computers into zombie machines and using their respective IP's to conduct further attacks. Until new laws are passed forcing ISP's and data centers to ban and jail professional spammers this situation will only get worse. |
#34
217-20-115-118.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041002 Firefox/0.10 217.20.115.118 217-20-115-118.internetserviceteam.com Opera/7.54 (Windows NT 5.1; U) [pl] 217-20-115-118.internetserviceteam.com Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.5) Gecko/20041220 K-Meleon/0.9 217.20.115.118 217-20-115-118.internetserviceteam.com Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5 217-20-115-118.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 5.5; Windows 95; BCD2000) 217-20-115-118.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041002 Firefox/0.10.1 89.149.253.21 89-149-253-21.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8 Mnenhy/0.6.0.103 217-20-115-118.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC 89.149.253.208 89-149-253-208.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041002 Firefox/0.10.1 217.20.115.118 217-20-115-118.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322) 78.159.96.109 78-159-96-109.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90) 78.159.96.0-78.159.103.255 NETDIRECT-NET netdirekt e.K. <<78.159.96.108 78-159-96-108.internetserviceteam.com >>78.159.96.110 78-159-96-110.internetserviceteam.com 78.159.96.0/19 ORG nA8 RIPE AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE 78.159.96.0-78.159.103.255 NETDIRECT-NET netdirekt e.K. 
78.159.96.109 78-159-96-109.internetserviceteam.com PTR 217.20.112.72 `````````````````````````````````````````````````` `````````````` 89.149.236.53 89-149-236-53.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.3 (build 01218); .NET CLR 1.1.4322) 89.149.197.204 89-149-197-204.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1 |
#35
89.149.236.53 89-149-236-53.internetserviceteam.com
Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 217.20.115.118 217-20-115-118.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; APC; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET C |
#36
Quote:
89-149-253-220.internetserviceteam.com |
#37
Well, you will become a server administrator also soon if you start watching these professional botnet operators, they are professional hackers/spam botnet operators who engage in all types of automated comment spamming, virus link planting, spyware hacking, dictionary attacks, referral log spamming, server hacking and so on.
Many of these professional spam botnet operations are looking to hijack the PC's of the average user to zombify their computers and add them to their botnet and use their IP's to further spam the IP network we call the Internet, to these guys it is the Wild Wild West and they are shooting anyone they can with spam. Welcome to the forum, thanks for posting the IP data on Internetserviceteam.
#38
Thanks for the info. I will be reading the forum, and thanks for organizing this forum.
#39
Internetserviceteam spam bot network is still trolling with their vast IP range.
89.149.236.53 89-149-236-53.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2 |
#40
89-149-236-53.internetserviceteam.com
Mozilla/4.0 WebTV/2.8 (compatible; MSIE 4.0) 217.20.115.118 217-20-115-118.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; MSIECrawler) |