egaffne Posted November 29, 2004 Share Posted November 29, 2004 I keep getting hits every day from unknown.sagonet.net, and it's always one of the most recent visitors in the log in awstats. The weird part is that the number of pages and the number of hits by this server are always equal. This is rarely the case as nearly every page on my site has several includes. So that tells me that this "unknown" server is looking for a particular file. Another VERY strange thing is that, eventhough the server has made 386 hits to 386 pages, the accrued bandwidth is zero. Does this mean that sagonet is not finding the file they are trying to hit? If so, I should think I would see something peculiar in my error log, but I only see errors from me when I'm doing development on my site or when I just have a bad link. I've tried searching these forums for anything containing "sagonet", but only found this: http://www.totalchoicehosting.com/forums/i...0824&hl=sagonet which is an unrelated topic. unknown.sagonet.net appears in the mess of code if you use your browser's Find function. So then I Googled sagonet and found the following: http://www.wilderssecurity.com/showthread....ghlight=sagonet which is also not exactly related, as it talks about an actual connection to unknown.sagonet.net from the users home PC. However, it does describe this as a malicious connection, but I can't really get through all the technical mumbo-jumbo. Does anyone know anything about this? Also, I got an email at my "answer all" account on my domain the other day from WebRescuer saying my site was down. I visited their website and it seems official enough, but was still untrusting of its service, as I've never signed up for it. And while I was just checking my Last Visitors log (not in awstats), trying to find the sagonet ip, the following showed up: Host: 207.150.160.200 Http Code: 200 Date: Nov 29 03:14:20 Http Version: HTTP/1.0 Size in Bytes: 0 Referer: - Agent: WebRescuer v0.2.4 The WebRescuer "agent" would also explain the unknown browser that keeps popping up in awstats as well... Is WebRescuer a service offered in association with TCH? Quote Link to comment Share on other sites More sharing options...
TCH-Thomas Posted November 29, 2004 Share Posted November 29, 2004 I dont have the answer but I made a google search on "unknown.sagonet.net" and it turned out that this unkown thing is a pretty busy "thing". Quote Link to comment Share on other sites More sharing options...
egaffne Posted November 29, 2004 Author Share Posted November 29, 2004 Thomas! Good to hear from you again. After further Googling I found out that unknown.sagonet.net is a bot that is a "guestbook harvester" according to: http://www.kloth.net/internet/badbots.php So I used the IP Deny Manager and blocked the ips listed there. Further investigation on Google shows that it is in fact a guestbook harvester, as some of the Google hits link to guestbooks with entries like: Date: Sunday, August 08 at 06:52 AM Host: 202.175.95.47 Name: Keii Chii From: Macau I give MACAU mint sets.... (etc., actual post) Date: Tuesday, May 11 at 04:13 PM Host: 206.165.8.98 Name: 0 From: 0 0 Date: Tuesday, May 11 at 07:40 AM Host: unknown.sagonet.net Name: 0 From: 0 0 The last two are (apparently) bot-generated posts. So I've blocked those suggested ips, but is there any way in CPanel that I can block a resolved address? It would be nice to be able to block anything identifying itself as "uknown.sagonet.net". Quote Link to comment Share on other sites More sharing options...
TCH-Thomas Posted November 29, 2004 Share Posted November 29, 2004 I dont know if you can do that. In cpanels IP deny manager it says: This feature will allow you to block a range of IP addresses to prevent them from accessing your site. You can also enter a fully qualified domain name, and the IP Deny Manager will attempt to resolve it to an IP address for you. So if I understand it correct, you can try to enter unknown.sagonet.net instead of ip-adress and see if it works. I tried the IP deny manager once but have never really had use for it so I dont know how to fix this. Quote Link to comment Share on other sites More sharing options...
egaffne Posted November 29, 2004 Author Share Posted November 29, 2004 I tried entering the domain in the IP Deny Manager, but it said it could not resolve the name to an ip... So that was a no go. Anybody got any ideas about WebRescuer? Quote Link to comment Share on other sites More sharing options...
jnull Posted November 29, 2004 Share Posted November 29, 2004 (edited) Perhaps if you talk support at http://www.sagonet.net you can get them to do something. Can always try. Edited November 29, 2004 by TCH-Dick Quote Link to comment Share on other sites More sharing options...
TCH-Thomas Posted November 29, 2004 Share Posted November 29, 2004 You´re magic jnull. I tried to visit sagonet.net earlier today, but there was no site configured at that adress I was told. Quote Link to comment Share on other sites More sharing options...
TCH-Bruce Posted November 29, 2004 Share Posted November 29, 2004 (edited) The WebRescuer "agent" would also explain the unknown browser that keeps popping up in awstats as well... Is WebRescuer a service offered in association with TCH? I've received emails from WebRescuer before. They are looking for business. They also offer a free monitoring service but you have to place a link on your site to use it. They have no association with TCH as far as I am aware. Edited November 29, 2004 by TCH-Bruce Quote Link to comment Share on other sites More sharing options...
egaffne Posted November 29, 2004 Author Share Posted November 29, 2004 Jim, that's not a bad idea. Worth a shot at least. I'll try to get in touch with them now and we'll see what happens. And Bruce, thanks for the confirmation that WebRescuer is a legitimate site. I'll go ahead and decline their offer for now. With TCH I don't think I have to worry too much about downtime! Quote Link to comment Share on other sites More sharing options...
frenchie Posted December 24, 2004 Share Posted December 24, 2004 About Webrescuer I believe I do have the magic recipe to get ride of Web Rescuer with Unix System. I managed to find the code to get error 403, and just want to give you the code that really works: 207.150.160.200 - - [23/Dec/2004:20:44:16 -0500] "HEAD / HTTP/1.0" 403 0 "-" "WebRescuer v0.2.4" The difficult part in scripting it is the "-" before "WebRescuer v0.2.4" That monitoring service was trying every hours before. As soon as they were unable to hit my website, I got an email from alert@mail1.webrescuer.com saying : Error Alert Your Web Site is not responding. They said in their e-mail that I was registered with them, but I never did. The scam is probably a company that did registry for our web site without our permission for a Free Monitoring Service with WebRescuer, and that company had a password... If Webrescuer was the one hitting the web site, it should have been Webrescuer web site IP address but it was not the case, it was Sagonet.com with Whois: 207.150.160.200 CustName: DIMITRY RUSAIKIN Address: 67 Gertsena Str. City: Tomsk StateProv: -1 PostalCode: 634021 Country: RU RegDate: 2004-06-25 Updated: 2004-06-25 NetRange: 207.150.160.200 - 207.150.160.209 CIDR: 207.150.160.200/29, 207.150.160.208/31 NetName: SAGO-207-150-160-200 NetHandle: NET-207-150-160-200-1 Parent: NET-207-150-160-0-1 NetType: Reassigned Comment: NOCWorx SWIP Interface v1.5 - http://interworx.info RegDate: 2004-06-25 Updated: 2004-06-25 AbuseHandle: ABUSE32-ARIN AbuseName: Abuse Team AbusePhone: +1-866-510-4000 AbuseEmail: abuse@sagonet.com OrgTechHandle: TECHN20-ARIN OrgTechName: Technical Support OrgTechPhone: +1-866-510-4000 OrgTechEmail: support@sagonet.com # ARIN WHOIS database, last updated 2004-12-23 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database. //////////// Understand I did see unknown.sagonet.net, would it be them that did registry at our place, I cannot tell. I know for a fact they were not helpful after my email. About the codes to remove them once for all : Copy and Paste the following in htaccess.txt, transfer it in ascii using FTP software, then rename it .htaccess : Options +FollowSymlinks RewriteEngine on RewriteBase / RewriteCond %{HTTP_USER_AGENT} ^WebRescuer\ v0\.2\.4 RewriteRule ^.* - [F] Hope that this will help you all. For your info, Frenchie Web Site Design Ottawa Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.