
Multiple Hits From Unknown Server


egaffne


I keep getting hits every day from unknown.sagonet.net, and it's always one of the most recent visitors in the log in awstats. The weird part is that the number of pages and the number of hits by this server are always equal. This is rarely the case as nearly every page on my site has several includes. So that tells me that this "unknown" server is looking for a particular file.

 

Another VERY strange thing is that, even though the server has made 386 hits to 386 pages, the accrued bandwidth is zero. Does this mean that sagonet is not finding the file they are trying to hit? If so, I should think I would see something peculiar in my error log, but I only see errors from me when I'm doing development on my site or when I just have a bad link.

 

I've tried searching these forums for anything containing "sagonet", but only found this:

 

http://www.totalchoicehosting.com/forums/i...0824&hl=sagonet

 

which is an unrelated topic. unknown.sagonet.net appears in the mess of code if you use your browser's Find function. So then I Googled sagonet and found the following:

 

http://www.wilderssecurity.com/showthread....ghlight=sagonet

 

which is also not exactly related, as it talks about an actual connection to unknown.sagonet.net from the user's home PC. However, it does describe this as a malicious connection, but I can't really get through all the technical mumbo-jumbo.

 

Does anyone know anything about this?

 

Also, I got an email at my "answer all" account on my domain the other day from WebRescuer saying my site was down. I visited their website and it seems official enough, but was still untrusting of its service, as I've never signed up for it. And while I was just checking my Last Visitors log (not in awstats), trying to find the sagonet ip, the following showed up:

 

Host: 207.150.160.200

Http Code: 200

Date: Nov 29 03:14:20

Http Version: HTTP/1.0

Size in Bytes: 0

Referer: -

Agent: WebRescuer v0.2.4

 

The WebRescuer "agent" would also explain the unknown browser that keeps popping up in awstats as well... Is WebRescuer a service offered in association with TCH?


Thomas! Good to hear from you again.

 

After further Googling I found out that unknown.sagonet.net is a bot that is a "guestbook harvester" according to:

 

http://www.kloth.net/internet/badbots.php

 

So I used the IP Deny Manager and blocked the IPs listed there. Further investigation on Google shows that it is in fact a guestbook harvester, as some of the Google hits link to guestbooks with entries like:

 

Date: Sunday, August 08 at 06:52 AM

Host: 202.175.95.47

Name: Keii Chii

From: Macau

I give MACAU mint sets.... (etc., actual post)

 

Date: Tuesday, May 11 at 04:13 PM

Host: 206.165.8.98

Name: 0

From: 0

0

 

Date: Tuesday, May 11 at 07:40 AM

Host: unknown.sagonet.net

Name: 0

From: 0

0

 

The last two are (apparently) bot-generated posts. So I've blocked those suggested IPs, but is there any way in cPanel that I can block a resolved address? It would be nice to be able to block anything identifying itself as "unknown.sagonet.net".


I don't know if you can do that.

 

In cPanel's IP Deny Manager it says:

This feature will allow you to block a range of IP addresses to prevent them from accessing your site. You can also enter a fully qualified domain name, and the IP Deny Manager will attempt to resolve it to an IP address for you.

 

So if I understand it correctly, you can try to enter unknown.sagonet.net instead of an IP address and see if it works.

 

I tried the IP Deny Manager once but have never really had use for it, so I don't know how to fix this.


The WebRescuer "agent" would also explain the unknown browser that keeps popping up in awstats as well...  Is WebRescuer a service offered in association with TCH?

I've received emails from WebRescuer before. They are looking for business. They also offer a free monitoring service but you have to place a link on your site to use it.

 

They have no association with TCH as far as I am aware.

Edited by TCH-Bruce

Jim, that's not a bad idea. Worth a shot at least. I'll try to get in touch with them now and we'll see what happens.

 

And Bruce, thanks for the confirmation that WebRescuer is a legitimate site. I'll go ahead and decline their offer for now. With TCH I don't think I have to worry too much about downtime!


  • 4 weeks later...

About Webrescuer

 

I believe I do have the magic recipe to get rid of Web Rescuer with Unix System.

 

I managed to find the code to get error 403, and just want to give you the code that really works:

 

207.150.160.200 - - [23/Dec/2004:20:44:16 -0500] "HEAD / HTTP/1.0" 403 0 "-" "WebRescuer v0.2.4"

 

The difficult part in scripting it is the "-" before "WebRescuer v0.2.4"

 

That monitoring service was trying every hour before. As soon as they were unable to hit my website, I got an email from alert@mail1.webrescuer.com saying: Error Alert Your Web Site is not responding. They said in their e-mail that I was registered with them, but I never did. The scam is probably a company that did registry for our web site without our permission for a Free Monitoring Service with WebRescuer, and that company had a password...

 

If Webrescuer was the one hitting the web site, it should have been Webrescuer web site IP address but it was not the case, it was Sagonet.com with Whois:

 

207.150.160.200

 

CustName: DIMITRY RUSAIKIN

Address: 67 Gertsena Str.

City: Tomsk

StateProv: -1

PostalCode: 634021

Country: RU

RegDate: 2004-06-25

Updated: 2004-06-25

 

NetRange: 207.150.160.200 - 207.150.160.209

CIDR: 207.150.160.200/29, 207.150.160.208/31

NetName: SAGO-207-150-160-200

NetHandle: NET-207-150-160-200-1

Parent: NET-207-150-160-0-1

NetType: Reassigned

Comment: NOCWorx SWIP Interface v1.5 - http://interworx.info

RegDate: 2004-06-25

Updated: 2004-06-25

 

AbuseHandle: ABUSE32-ARIN

AbuseName: Abuse Team

AbusePhone: +1-866-510-4000

AbuseEmail: abuse@sagonet.com

 

OrgTechHandle: TECHN20-ARIN

OrgTechName: Technical Support

OrgTechPhone: +1-866-510-4000

OrgTechEmail: support@sagonet.com

 

# ARIN WHOIS database, last updated 2004-12-23 19:10

# Enter ? for additional hints on searching ARIN's WHOIS database.

 

 

////////////

 

Understand I did see unknown.sagonet.net, would it be them that did registry at our place, I cannot tell. I know for a fact they were not helpful after my email.

 

About the code to remove them once and for all:

 

Copy and paste the following into htaccess.txt, transfer it in ASCII using FTP software, then rename it .htaccess:

 

 

 

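# mod_rewrite rules in .htaccess require FollowSymLinks to be enabled
Options +FollowSymlinks
RewriteEngine on
RewriteBase /

# Answer 403 Forbidden to any User-Agent that starts with "WebRescuer v0.2.4"
RewriteCond %{HTTP_USER_AGENT} ^WebRescuer\ v0\.2\.4
RewriteRule ^.* - [F]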

 

 

 

Hope that this will help you all.

 

For your info, :dance: :clapping:

 

Frenchie

 

Web Site Design Ottawa
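
An added example, not part of any post in this thread: a small Python log check that reproduces the pattern discussed above (many hits, zero bytes) from Apache combined-format lines and tests each such client against the User-Agent pattern from the .htaccess rule. Only the first sample line comes from the thread; the other lines, the documentation-range addresses, example.test and the "vX.Y" agent string are constructed placeholders.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Same expression as the RewriteCond in the thread ("\ " in .htaccess is a plain space).
UA_RULE = re.compile(r'^WebRescuer v0\.2\.4')

# Constructed sample log; only the first line is quoted from the thread.
SAMPLE_LOG = """\
207.150.160.200 - - [23/Dec/2004:20:44:16 -0500] "HEAD / HTTP/1.0" 403 0 "-" "WebRescuer v0.2.4"
207.150.160.200 - - [23/Dec/2004:21:44:17 -0500] "HEAD / HTTP/1.0" 403 0 "-" "WebRescuer v0.2.4"
192.0.2.10 - - [23/Dec/2004:21:50:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Dec/2004:21:50:03 -0500] "GET /style.css HTTP/1.1" 200 1408 "http://example.test/index.php" "Mozilla/5.0"
198.51.100.7 - - [23/Dec/2004:22:01:40 -0500] "HEAD / HTTP/1.0" 200 0 "-" "WebRescuer vX.Y"
"""

def summarize(log_text):
    """Group requests by (host, agent); return hits, bytes and methods per client."""
    clients = defaultdict(lambda: {"hits": 0, "bytes": 0, "methods": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        c = clients[(m["host"], m["agent"])]
        c["hits"] += 1
        c["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        c["methods"].add(m["method"])
    return dict(clients)

def zero_byte_probes(clients):
    """Clients whose requests transferred no body at all, e.g. HEAD-only monitors."""
    return sorted(k for k, c in clients.items() if c["bytes"] == 0)

def covered_by_rule(agent):
    """True if the thread's RewriteCond pattern would match this User-Agent."""
    return UA_RULE.search(agent) is not None

if __name__ == "__main__":
    for host, agent in zero_byte_probes(summarize(SAMPLE_LOG)):
        print(host, agent, "403 by rule" if covered_by_rule(agent) else "NOT matched by rule")
```

A HEAD request returns headers only, so a HEAD-only client counts as a hit while adding nothing to bandwidth. The pattern is pinned to the full version string, so the same agent announcing any other version passes the rule untouched.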
