August 9th, 2017
Lord of the Rings
Download BOTs

I'm one of those rare people that keeps an eye on their uploads (& network as a whole.) Last night whilst using WireShare I was surprised to see my upload window full before noticing the pseudo-name SmilingPig beside many of them and with different identifying addresses.

One alarm bell was that the host was identifying itself as LimeZilla/1.8 (if it really was LimeZilla), but this version is ancient. LimeZilla is up to using version 4 nowadays. Two of the uploads SmilingPig was downloading/queued to download were the same two files; thus 4 upload/queue slots for two files. Surprised it was not sapping the entire upload bandwidth made available to WireShare however.

ISP: NFOrce Entertainment B.V. Netherlands; Netname: Amsterdam_Residential_Television_and_Internet_Network. Services: Network sharing device or proxy server.

IP addresses blocked:

Upload window: (WireShare's display of total upload bandwidth had not yet caught up at the moment of this snapshot)
[Image: download-bots-2017-08-10.png]
After blocking several, more showed up:
[Image: download-bots-2017-08-10-b.png]

Then another attack a day later with 16 fresh addresses within the same sub-ranges. It also browsed me.

If you look carefully among the two lists you will notice the same sub-ranges using the same last number. Example: all those in the 212.92.115.* range use 7 as the last number, all those in the .108.* range using 4 as the last number, etc. Although the .123.* range shows a variance.

Edit 2018-04-29: Discovered this from a GWebCache:
212.92.122.146:50903 (u:23:18:29) 2018-01-04.
212.92.123.162:50903 (u:23:18:05) 2018-01-04.
Host using WireShare or identifies itself as WireShare. Not sure this WireShare host could be trusted.

Last edited by Lord of the Rings; April 28th, 2018 at 07:38 PM. Reason: Added new finding at bottom of post.
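An added example, not part of the original post: one way to flag in an upload log the pattern the post above describes, where many distinct addresses from one network block announce the same client string and request the same files. The log tuple format, the 10.20.0.0/16 addresses, the file names and the `find_clusters` helper are constructed for illustration; the /16 grouping and the host threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (remote IP, announced client string, requested file).
# Addresses are private-range placeholders, not the ones from the post.
SESSIONS = [
    ("10.20.108.24", "LimeZilla/1.8", "fileA.mp3"),
    ("10.20.108.34", "LimeZilla/1.8", "fileA.mp3"),
    ("10.20.108.84", "LimeZilla/1.8", "fileB.mp3"),
    ("10.20.115.67", "LimeZilla/1.8", "fileB.mp3"),
    ("10.20.115.107", "LimeZilla/1.8", "fileA.mp3"),
    ("10.20.123.65", "LimeZilla/1.8", "fileA.mp3"),
    ("10.20.123.116", "LimeZilla/1.8", "fileB.mp3"),
    ("192.168.7.9", "WireShare", "fileC.ogg"),
    ("172.16.4.2", "LimeZilla/4.0", "fileA.mp3"),
]

def find_clusters(sessions, prefix_len=16, min_hosts=4):
    """Group IPv4 peers by (network block, client string) and report large groups."""
    hosts = defaultdict(set)                        # (net, agent) -> distinct addresses
    files = defaultdict(lambda: defaultdict(set))   # (net, agent) -> file -> addresses
    for ip, agent, name in sessions:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        hosts[(net, agent)].add(ipaddress.ip_address(ip))
        files[(net, agent)][name].add(ip)
    report = []
    for (net, agent), addrs in hosts.items():
        if len(addrs) < min_hosts:
            continue
        digits = defaultdict(set)   # /24 -> last decimal digits seen in the final octet
        for a in addrs:
            sub = ipaddress.ip_network(f"{a}/24", strict=False)
            digits[str(sub)].add(int(a) % 256 % 10)
        report.append({
            "network": str(net),
            "agent": agent,
            "hosts": len(addrs),
            # files requested by more than one address in the group
            "duplicate_files": sorted(f for f, ips in files[(net, agent)].items() if len(ips) > 1),
            "last_digit_by_24": {s: sorted(d) for s, d in sorted(digits.items())},
        })
    return report

if __name__ == "__main__":
    for cluster in find_clusters(SESSIONS):
        print(cluster)
```

A /24 whose addresses all share one final digit, as most of the sub-ranges in the post do, shows up as a single-element list in `last_digit_by_24`.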