Friday, December 22, 2006

PhotoCart Attack Takes a Holiday

So far I've gotten 3 or 4 sites shut down or cleaned up where the botnet of PhotoCart attackers have been storing their include files. Been quiet for a couple of days now since the last one was cleaned up so I'm wondering if, who am I kidding, WHEN the attacks will start up again with a file referenced from yet another new location.

I didn't even bother posting about the last attack and domain they used as I got it cleaned up pretty quick and the source of the attack was pretty much the same.

So you PhotoCart hacking clowns, ready for me to shut down your next site or should we go after your botnet instead?

Come on, make my day...

First Look - SMBot 1.0 Crawls via Amazon Web Services

Maybe this is how Amazon responded to my tongue-in-cheek request to set the user agent on their crawler.

I have no clue why SpecificMedia would be attempting to crawl my site, or why they are coming from an Amazon IP address. Maybe it's possible when you hire the AWS for a specific task they just plug in the customer name as the UA. Perhaps Amazon just auctioned off the user agent to the highest bidder for some viral marketing thing, who knows.

Anyway, here are the IPs and the user agent seen crawling:

Just what we need, more crap crawling the web.

Joy.

Blog Pimps and Web Whores

When you have a new product or service and can't get anyone to write about it, what do you do?

You go to a Blog Pimp for help, that's what you do!

The Pimp will hook your ass up with some blogging Web Whore that will review your shit for a fee ranging from $40-$500. Let's get serious now people, if you have a really worthwhile opinion you can make a heck of a lot more than 40 freaking dollars. The most common amount on the high end seems to be around $100 which isn't bad if you can knock out several paid reviews a day.

The only problem I see with this scenario is that many people may get annoyed and stop reading your blog if every post, or every other post, becomes some paid fluff piece.

If you're a serious blogger and have spent a substantial amount of time building up your brand so that you can attract traditional advertisers then why in hell would you risk polluting your brand with paid posts?

The next thing you know the advertisers paying for the posts will insist on the comments for those posts being censored, or the blogger will censor them by default just in the hopes of appeasing the advertiser and getting more paid post work in the future.

The problem with being a paid Web Whore is that you start down that slippery slope of selling your soul to the highest bidder and your blog suddenly really isn't your blog anymore and you'll feel stifled in your own creation.

Good luck with those paid posts and let me know how selling out works for you all.

P.S. Just for giggles I browsed some of the blogs listed and this site ranked as high as some of the sites asking for $100 per review, which is really sad. Caveat Emptor.

Wednesday, December 20, 2006

SEM Nightmare - Yahoo Thinks I'm a Typo

UPDATE: Thanks to help from Danny Sullivan getting in touch with Tim Mayer over at Yahoo, this has been fixed.

Here's a recent and strange twist in the ever changing Yahoo landscape, I'm a typo.

That's right, this must've happened just recently too, searching for INCREDIBILL shows results for INCREDIBLE instead of what I actually typed, but I still show up in #10. Those poor folks at Incredibill.com, the billing company, aren't even in the top 100. Now change the search to use quotes and search for "INCREDIBILL" and you get the results that I expected in the first place, and that billing company shows up #6.

I have to ask WTF is up with this shit?

Did I accidentally piss in someone's cornflakes at Yahoo and get a handjob in the search engine to make sure people can't find my tirades that may occasionally point out some flaws in Yahoo?

Maybe they just decided they know best about what you wanted to find regardless of what you typed and decided to give us all a big corporate dose of "WE'RE SMARTER SO FUCK YOU!" with the search results.

Now the SEM implications here are huge as brand names are never dictionary words and Yahoo making assumptions about what you MIGHT want based on the nearest actual word in the dictionary is a potentially nasty turn of events.

Anyone else notice any obviously bizarre results lately for certain searches?

Let's compare notes...

Tuesday, December 19, 2006

Heads Up! Here comes Attributor

There's something new on the horizon in the rash of copyright protection services called Attributor that announced major VC funding yesterday. The WSJ ran a piece about how Attributor will scan the web for violations, and noted the founders are ex-Yahooligans.

Did a quick look at Attributor and they seem to be on the Yahoo backbone, which is interesting.

host attributor.com
attributor.com has address 68.142.234.103
attributor.com has address 68.142.234.104
attributor.com has address 68.142.234.105
attributor.com has address 68.142.234.106
attributor.com has address 68.142.234.76
attributor.com has address 68.142.234.77

host 68.142.234.103
103.234.142.68.in-addr.arpa domain name pointer p3w10.geo.re2.yahoo.com.

host 68.142.234.104
104.234.142.68.in-addr.arpa domain name pointer p3w11.geo.re2.yahoo.com.

host 68.142.234.77
77.234.142.68.in-addr.arpa domain name pointer p3w9.geo.re2.yahoo.com.

whois 68.142.234.77

OrgName: Inktomi Corporation
OrgID: INKT
Address: 701 First Ave
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US

NetRange: 68.142.192.0 - 68.142.255.255

Didn't notice anything obvious crawling from that range in my blocked bots log but it's possible I let them slide because they are within the Yahoo/Inktomi range, will need to check that out.

However, the WSJ article did mention that they have "...begun testing a system to scan the billions of pages on the Web..." and that "The company says it will have over 10 billion Web pages in its index before the end of this month." which I find hard to believe they crawled on their own completely unnoticed unless they are sharing Yahoo's cache.

No clue at the moment, but keep an eye out for whatever this is.

Let the Yahoo IP address hysteria start in 5... 4... 3... 2....
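
One way to do the "check that out" step from this post, as an added example (not code from the original post): turn the whois NetRange into CIDR blocks and list every user agent the access log shows coming from inside it, so an unfamiliar crawler in the Yahoo/Inktomi range stands out. The log lines are constructed; only 68.142.234.77 and the NetRange come from the post, and both bot names are made up.

```python
import ipaddress
import re
from collections import Counter

# NetRange line as whois printed it in the post above.
WHOIS_NETRANGE = "NetRange: 68.142.192.0 - 68.142.255.255"

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '68.142.234.77 - - [19/Dec/2006:10:01:02 -0800] "GET /a.html HTTP/1.1" 200 512 "-" "ExampleBot/0.1 (constructed)"',
    '68.142.250.9 - - [19/Dec/2006:10:01:05 -0800] "GET /b.html HTTP/1.1" 200 512 "-" "KnownCrawler/1.0 (constructed)"',
    '192.0.2.15 - - [19/Dec/2006:10:02:00 -0800] "GET /a.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '68.142.234.77 - - [19/Dec/2006:10:03:00 -0800] "GET /c.html HTTP/1.1" 200 512 "-" "ExampleBot/0.1 (constructed)"',
    'truncated or garbage line',
]


def netrange_to_cidrs(line):
    """Turn a whois 'NetRange: first - last' line into a list of CIDR networks."""
    m = re.search(r"NetRange:\s*(\S+)\s*-\s*(\S+)", line)
    if not m:
        raise ValueError("no NetRange in: %r" % line)
    first, last = (ipaddress.ip_address(a) for a in m.groups())
    return list(ipaddress.summarize_address_range(first, last))


def agents_from_range(log_lines, networks):
    """Count hits per user agent for clients inside any of the networks."""
    seen = Counter()
    for line in log_lines:
        # First token is the client, last quoted field is the user agent.
        m = re.match(r'^(\S+) .*"([^"]*)"\s*$', line)
        if not m:
            continue  # malformed line
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or junk in the client field
        if any(ip in net for net in networks):
            seen[m.group(2)] += 1
    return dict(seen)


if __name__ == "__main__":
    nets = netrange_to_cidrs(WHOIS_NETRANGE)
    print([str(n) for n in nets])
    for agent, hits in sorted(agents_from_range(SAMPLE_LOG, nets).items()):
        print(hits, agent)
```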

Blog Tag - 5 Things You Don't Want To Know About IncrediBILL

I got tagged by SpamHuntress and Skore in the ongoing game of blog tag, maybe others tagged me, who knows.

Anyway, here goes with 5 things you don't know about me:

  1. Once upon a time I was a budding musician that played both soprano and bass clarinet in the St Joseph, MO Municipal Band playing Big Band music and Show Tunes. Also played a fair amount of classical in the Missouri Western State University's college symphony. However, I threw in the towel on tooting a horn when the computer bug bit me hard and it turned into a full-time career.
  2. After taking 4 whole years of French in high school, 15 years later I spent 3 whole days in Paris. Now the irony is I didn't take typing in HS and took French instead, yet now spend all day every day typing at the computer and rarely ever speak French.
  3. Paintball is one of my favorite hobbies and I will shoot your ass where you stand and giggle with glee at your new found pain.
  4. I roller skate! Even backwards and sideways! We're talking about the REAL 4 wheel skates, none of that pansy ass inline skating crap.
  5. I love playing cards on Pogo.com and you can often catch me there as "IncrediBILL_" playing Spades, Hearts, Gin, Canasta, Cribbage, etc.. Bring your A-game if you look me up for a game or two as I'm a fierce competitor in cards, just ask my wife who I frequently trounce ;)

Now let's tag 5 people that might be interesting like Martinibuster, John Andrews, Willmacc, Phil Maher and Aaron Pratt.

Something Squirrelly Tried to Grab-My-Site

Caught something attempting to speed through my site with downloading on the agenda:

209.253.35.226 [bscop.bluesquirrel.com.] requested 340 pages as "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1.)"

Went to Blue Squirrel's site to see what they were and big surprise they have some website downloading tools like Grab-a-site and WebWhacker.

Here's my favorite part where the Grab-a-site software's options default to stealth mode:
User Agent - Lets you set how Grab-a-Site reports itself to the web servers. By default, it sends "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1.)" which makes it look like an Internet Explorer version 6.0.

This product may be responsible for some of the stealth activity we see in our log files and it's obviously trying to hide from webmasters otherwise the default UA would be the name of the product and not MSIE 6.0.
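
Since the user agent tells you nothing here, the request rate has to do the work. The sketch below is an added example, not code from the original post: it counts page views per client in a sliding window and reports clients that claim to be a browser but read faster than a person could. The window, the threshold, the asset filter and the traffic are all assumptions and constructed data; only the MSIE user agent string and the 340-page count come from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: client, timestamp, request path, user agent.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)[^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')
ASSET_RE = re.compile(r"\.(?:gif|jpe?g|png|css|js|ico)$", re.I)
WINDOW = timedelta(seconds=60)  # assumed sliding window
MAX_PAGES = 30                  # assumed ceiling for a person reading pages


def fast_browsers(lines):
    """Return {ip: peak pages per WINDOW} for browser-UA clients over MAX_PAGES."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line
        ip, stamp, path, agent = m.groups()
        # Count only page views that claim to be a browser; images and
        # stylesheets would inflate the rate of a genuine visitor.
        if not agent.startswith("Mozilla/") or ASSET_RE.search(path.split("?")[0]):
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > WINDOW:
            hits.popleft()
        peak[ip] = max(peak[ip], len(hits))
    return {ip: n for ip, n in peak.items() if n > MAX_PAGES}


def sample_log():
    """Constructed traffic: a 340-page burst and a human-paced reader."""
    agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1.)"  # UA quoted above
    start = datetime(2006, 12, 19, 9, 0, tzinfo=timezone.utc)
    row = '{} - - [{}] "GET /page{}.html HTTP/1.1" 200 1024 "-" "{}"'
    out = []
    # (client, number of pages, seconds between requests); RFC 5737 test addresses
    for ip, pages, gap in (("203.0.113.7", 340, 1), ("198.51.100.4", 10, 45)):
        for i in range(pages):
            stamp = (start + timedelta(seconds=i * gap)).strftime("%d/%b/%Y:%H:%M:%S %z")
            out.append(row.format(ip, stamp, i, agent))
    return out


if __name__ == "__main__":
    print(fast_browsers(sample_log()))
```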