<div dir="ltr">Has someone in the tools project (tools project is the owner of .167) been misbehaving?  Or is this a totally false alarm? <div><br></div><div><br><br><div class="gmail_quote">---------- Forwarded message ----------<br>
From: <b class="gmail_sendername">DC</b> <span dir="ltr">&lt;<a href="mailto:caudilldk@gmail.com">caudilldk@gmail.com</a>&gt;</span><br>Date: Fri, Sep 6, 2013 at 10:53 PM<br>Subject: Fwd: [Fail2Ban] apache-bots: banned 208.80.153.167<br>
To: <a href="mailto:abuse@wikimedia.org">abuse@wikimedia.org</a><br><br><br><div dir="ltr"><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">Greetings,</span></p>

<br><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt">

<span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">Please read the forwarded email for a log snippet of an attack coming from your network against our website, <a href="http://soldierx.com" target="_blank">soldierx.com</a>.  Please let us know as soon as possible what you can do about these attacks.  You can reach one of our technicians, Shawn Burrell, at <a href="tel:817-287-8705" value="+18172878705" target="_blank">817-287-8705</a>.</span></p>

<br><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt">

<span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">We can provide detailed logs if needed.</span></p>

<br><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt">

<span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">Failure to reply may result in legal action as these attacks have been disrupting our business.  At this point in time, we are trying to work with companies in order to get them to cease.</span></p>

<br><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt">

<span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">Respectfully,</span></p><br>
<p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt">

<span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">David Caudill</span></p><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:15px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">Network Security and Operations, <a href="http://soldierx.com" target="_blank">soldierx.com</a></span><br>

<br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Fail2Ban</b> <span dir="ltr">&lt;<a href="mailto:fail2ban@shinra.soldierx.com" target="_blank">fail2ban@shinra.soldierx.com</a>&gt;</span><br>

Date: Fri, Sep 6, 2013 at 6:19 AM<br>Subject: [Fail2Ban] apache-bots: banned 208.80.153.167<br>To: <a href="mailto:caudilldk@gmail.com" target="_blank">caudilldk@gmail.com</a><br><br><br>Hi,<br>
<br>
The IP 208.80.153.167 has just been banned by Fail2Ban after<br>
1 attempts against apache-bots.<br>
<br>
<br>
Here are more information about 208.80.153.167:<br>
<br>
<br>
#<br>
# ARIN WHOIS data and services are subject to the Terms of Use<br>
# available at: <a href="https://www.arin.net/whois_tou.html" target="_blank">https://www.arin.net/whois_tou.html</a><br>
#<br>
<br>
<br>
#<br>
# The following results may also be obtained via:<br>
# <a href="http://whois.arin.net/rest/nets;q=208.80.153.167?showDetails=true&showARIN=false&ext=netref2" target="_blank">http://whois.arin.net/rest/nets;q=208.80.153.167?showDetails=true&showARIN=false&ext=netref2</a><br>


#<br>
<br>
NetRange:       208.80.152.0 - 208.80.155.255<br>
CIDR:           208.80.152.0/22<br>
OriginAS:       AS14907<br>
NetName:        WIKIMEDIA<br>
NetHandle:      NET-208-80-152-0-1<br>
Parent:         NET-208-0-0-0-0<br>
NetType:        Direct Assignment<br>
Comment:        <a href="http://www.wikimediafoundation.org" target="_blank">http://www.wikimediafoundation.org</a><br>
RegDate:        2007-07-23<br>
Updated:        2013-07-23<br>
Ref:            <a href="http://whois.arin.net/rest/net/NET-208-80-152-0-1" target="_blank">http://whois.arin.net/rest/net/NET-208-80-152-0-1</a><br>
<br>
OrgName:        Wikimedia Foundation Inc.<br>
OrgId:          WIKIM<br>
Address:        149 New Montgomery Street<br>
Address:        3rd Floor<br>
City:           San Francisco<br>
StateProv:      CA<br>
PostalCode:     94105<br>
Country:        US<br>
RegDate:        2006-05-30<br>
Updated:        2012-02-15<br>
Ref:            <a href="http://whois.arin.net/rest/org/WIKIM" target="_blank">http://whois.arin.net/rest/org/WIKIM</a><br>
<br>
OrgAbuseHandle: MBE96-ARIN<br>
OrgAbuseName:   Bergsma, Mark<br>
OrgAbusePhone:  <a href="tel:%2B1-415-839-6885" value="+14158396885" target="_blank">+1-415-839-6885</a><br>
OrgAbuseEmail:  <a href="mailto:mark@wikimedia.org" target="_blank">mark@wikimedia.org</a><br>
OrgAbuseRef:    <a href="http://whois.arin.net/rest/poc/MBE96-ARIN" target="_blank">http://whois.arin.net/rest/poc/MBE96-ARIN</a><br>
<br>
OrgTechHandle: MBE96-ARIN<br>
OrgTechName:   Bergsma, Mark<br>
OrgTechPhone:  <a href="tel:%2B1-415-839-6885" value="+14158396885" target="_blank">+1-415-839-6885</a><br>
OrgTechEmail:  <a href="mailto:mark@wikimedia.org" target="_blank">mark@wikimedia.org</a><br>
OrgTechRef:    <a href="http://whois.arin.net/rest/poc/MBE96-ARIN" target="_blank">http://whois.arin.net/rest/poc/MBE96-ARIN</a><br>
<br>
OrgAbuseHandle: CARRL-ARIN<br>
OrgAbuseName:   Carr, Leslie<br>
OrgAbusePhone:  <a href="tel:%2B1-415-839-6885" value="+14158396885" target="_blank">+1-415-839-6885</a><br>
OrgAbuseEmail:  <a href="mailto:lcarr@wikimedia.org" target="_blank">lcarr@wikimedia.org</a><br>
OrgAbuseRef:    <a href="http://whois.arin.net/rest/poc/CARRL-ARIN" target="_blank">http://whois.arin.net/rest/poc/CARRL-ARIN</a><br>
<br>
OrgTechHandle: CARRL-ARIN<br>
OrgTechName:   Carr, Leslie<br>
OrgTechPhone:  <a href="tel:%2B1-415-839-6885" value="+14158396885" target="_blank">+1-415-839-6885</a><br>
OrgTechEmail:  <a href="mailto:lcarr@wikimedia.org" target="_blank">lcarr@wikimedia.org</a><br>
OrgTechRef:    <a href="http://whois.arin.net/rest/poc/CARRL-ARIN" target="_blank">http://whois.arin.net/rest/poc/CARRL-ARIN</a><br>
<br>
RTechHandle: MBE96-ARIN<br>
RTechName:   Bergsma, Mark<br>
RTechPhone:  <a href="tel:%2B1-415-839-6885" value="+14158396885" target="_blank">+1-415-839-6885</a><br>
RTechEmail:  <a href="mailto:mark@wikimedia.org" target="_blank">mark@wikimedia.org</a><br>
RTechRef:    <a href="http://whois.arin.net/rest/poc/MBE96-ARIN" target="_blank">http://whois.arin.net/rest/poc/MBE96-ARIN</a><br>
<br>
RAbuseHandle: MBE96-ARIN<br>
RAbuseName:   Bergsma, Mark<br>
RAbusePhone:  <a href="tel:%2B1-415-839-6885" value="+14158396885" target="_blank">+1-415-839-6885</a><br>
RAbuseEmail:  <a href="mailto:mark@wikimedia.org" target="_blank">mark@wikimedia.org</a><br>
RAbuseRef:    <a href="http://whois.arin.net/rest/poc/MBE96-ARIN" target="_blank">http://whois.arin.net/rest/poc/MBE96-ARIN</a><br>
<br>
RNOCHandle: MBE96-ARIN<br>
RNOCName:   Bergsma, Mark<br>
RNOCPhone:  <a href="tel:%2B1-415-839-6885" value="+14158396885" target="_blank">+1-415-839-6885</a><br>
RNOCEmail:  <a href="mailto:mark@wikimedia.org" target="_blank">mark@wikimedia.org</a><br>
RNOCRef:    <a href="http://whois.arin.net/rest/poc/MBE96-ARIN" target="_blank">http://whois.arin.net/rest/poc/MBE96-ARIN</a><br>
<br>
RNOCHandle: CARRL-ARIN<br>
RNOCName:   Carr, Leslie<br>
RNOCPhone:  <a href="tel:%2B1-415-839-6885" value="+14158396885" target="_blank">+1-415-839-6885</a><br>
RNOCEmail:  <a href="mailto:lcarr@wikimedia.org" target="_blank">lcarr@wikimedia.org</a><br>
RNOCRef:    <a href="http://whois.arin.net/rest/poc/CARRL-ARIN" target="_blank">http://whois.arin.net/rest/poc/CARRL-ARIN</a><br>
<br>
RAbuseHandle: CARRL-ARIN<br>
RAbuseName:   Carr, Leslie<br>
RAbusePhone:  <a href="tel:%2B1-415-839-6885" value="+14158396885" target="_blank">+1-415-839-6885</a><br>
RAbuseEmail:  <a href="mailto:lcarr@wikimedia.org" target="_blank">lcarr@wikimedia.org</a><br>
RAbuseRef:    <a href="http://whois.arin.net/rest/poc/CARRL-ARIN" target="_blank">http://whois.arin.net/rest/poc/CARRL-ARIN</a><br>
<br>
RTechHandle: CARRL-ARIN<br>
RTechName:   Carr, Leslie<br>
RTechPhone:  <a href="tel:%2B1-415-839-6885" value="+14158396885" target="_blank">+1-415-839-6885</a><br>
RTechEmail:  <a href="mailto:lcarr@wikimedia.org" target="_blank">lcarr@wikimedia.org</a><br>
RTechRef:    <a href="http://whois.arin.net/rest/poc/CARRL-ARIN" target="_blank">http://whois.arin.net/rest/poc/CARRL-ARIN</a><br>
<br>
<br>
<br>
Lines containing IP:208.80.153.167 in /var/log/apache*/*access.log<br>
<br>
/var/log/apache2/soldierx-access.log:208.80.153.167 - - [06/Sep/2013:06:19:42 -0400] "GET /hdb/Mafia-Boy HTTP/1.1" 200 18709 "-" "LinkSaver/2.0"<br>
/var/log/apache2/soldierx-access.log:208.80.153.167 - - [06/Sep/2013:06:19:45 -0400] "HEAD /hdb/Mafia-Boy HTTP/1.1" 200 5168 "-" "LinkParser/2.0"<br>
/var/log/apache2/soldierx-access.log:208.80.153.167 - - [06/Sep/2013:06:19:49 -0400] "GET / HTTP/1.1" 200 30281 "-" "LinkSaver/2.0"<br>
/var/log/apache2/soldierx-access.log:208.80.153.167 - - [06/Sep/2013:06:19:53 -0400] "HEAD / HTTP/1.1" 200 5200 "-" "LinkParser/2.0"<br>
<br>
<br>
Regards,<br>
<br>
Fail2Ban<br>
</div><br></div>
</div><br><br clear="all"><div><br></div>-- <br>Leslie Carr<br>Wikimedia Foundation<br>AS 14907, 43821<br><a href="http://as14907.peeringdb.com/" target="_blank">http://as14907.peeringdb.com/</a>
</div></div>