Wikipedia:WikiProject on open proxies/Requests/Archives/36

From Wikipedia, the free encyclopedia

185.97.92.116/29

– This proxy check request is closed and will soon be archived by a bot.

Used by a pretty determined editor (who uses others as well, including 185.104.253.51) and keeps on including unverified information/data without explanation. See for instance disruption at Religion in Lebanon. Drmies (talk) 16:25, 9 June 2019 (UTC)

Completed: Checked IPs at abuseat.org and it appears to be a botnet using the Special:Contribs/185.97.92.113/28 range (C2 domain: mtmdj33s0.ru). Please block for a year (incl. logged in users) using block reason {{zombie proxy}}: <!-- botnet -->. MrClog (talk) 19:11, 7 September 2019 (UTC)
@MrClog: I've put this on hold pending something a bit stronger. Lebanon is one of those countries where almost every IP is going to end up on a blacklist at some point. From what I can see, the edits are geo-appropriate, and combine exclusively with other dynamic IPs from the same region. Maybe I've missed something, but I don't think there's enough for a zombie block here. -- zzuuzz (talk) 19:38, 7 September 2019 (UTC)
@Zzuuzz: The IPs were all logged as part of the same botnet yesterday by abuseat.org. Besides that, there was one thing I noticed, which is that the IP is registered to Mazraa-Barbrour-STAR CENTER in Beirut, yet I wasn't able to find anything with this name. I am not sure what that would indicate. --MrClog (talk) 19:51, 7 September 2019 (UTC)
As I mentioned above, this seems geo-appropriate, and in a country with limited IPs and lots of proxies, not every IP is going to be perfect. I don't see sufficient for a proxy block here. If abuse starts hammering in, let's reconsider. -- zzuuzz (talk) 17:32, 3 October 2019 (UTC)

202.80.213.234

– This proxy check request is closed and will soon be archived by a bot.

202.80.213.234
49.146.2.201

Reason: Suspicious edits & address is listed at Composite Blocking List (abuseat.org). GetIPIntel returns p=0.985. Further context at this COIN thread. More IPs are listed there as well. - ☆ Bri (talk) 04:15, 18 September 2019 (UTC)

Added second IP from the COIN case, also with GetIPIntel p=0.985 ☆ Bri (talk) 04:45, 18 September 2019 (UTC)

Unlikely IP is an open proxy - Looking at these, it appears both, while on the CBL, haven't been active in days for one, and weeks for the other. I can't find any technical evidence of either IP being a current open proxy. SQLQuery me! 03:41, 28 September 2019 (UTC)

85.90.247.215

– This proxy check request is closed and will soon be archived by a bot.

Reason: Another Linode host used by Shingling334. IamNotU (talk) 17:37, 26 September 2019 (UTC)

Blocked the range for 2 years. SQLQuery me! 03:35, 28 September 2019 (UTC)

37.58.158.114

– This proxy check request is closed and will soon be archived by a bot.

Reason: Adista cloud hosting/vpn company. Used for disruptive editing. IamNotU (talk) 21:02, 30 September 2019 (UTC)

Yep, that's a webhost. Blocked the range, will look at the rest of the ISP. SQLQuery me! 21:20, 30 September 2019 (UTC)

43.251.158.212

– This proxy check request is closed and will soon be archived by a bot.

Reason: I have blocked this IP three days for personal attacks, due to losing their temper in a WP:ARBMAC dispute. Details may be seen here: User talk:43.251.158.212. The same IP was blocked three months by User:Materialscientist in April 2019 as a proxy. I am hoping someone can check that this IP is still active as a proxy, in which case a longer block will be justified. Judging from their web page, it is possible that IPTelecom-Global is a web hosting company. If correct, this would justify a webhost block. EdJohnston (talk) 16:40, 3 October 2019 (UTC)

It's listed on this page, in particular in this image, from about two weeks ago. This seems credible. See also http://43.251.158.140. Two years for the /24? -- zzuuzz (talk) 17:12, 3 October 2019 (UTC)
On second thoughts, I'll block them individually. -- zzuuzz (talk) 17:18, 3 October 2019 (UTC)

2400::/12 (range)

– This proxy check request is closed and will soon be archived by a bot.

This seems to be some sort of proxy or webhosting service. IPv6 range is too large for MediaWiki. There is one user making continuous empty edit requests on the page Talk:TikTok. Whois of one provider shows that it belongs to some provider in Asia. Awesome Aasim 16:27, 4 October 2019 (UTC)

I don't think that this is an open proxy, or a webhost. Looking at the IPs from that talkpage history, they are all from Reliance Jio Infocomm Limited, an Indian cellular / fiber optic provider (see: Jio). It's very likely that clients on this provider get very short-lived DHCP leases. I'll leave this open, and see if anyone else has a differing opinion. SQLQuery me! 00:07, 5 October 2019 (UTC)
Consider semiprotecting Talk:TikTok for a month. EdJohnston (talk) 02:14, 6 October 2019 (UTC)
Not currently an open proxy - This network is a highly dynamic, very large and very busy, regular ISP. -- zzuuzz (talk) 03:12, 7 October 2019 (UTC)

216.52.165.1

– This proxy check request is closed and will soon be archived by a bot.

UTRS appeal #27000 --v/r - TP 16:19, 5 October 2019 (UTC)
I think we're going to have to ping @TonyBallioni:. Due to their wide range of uses, I rarely find the terms 'data center', 'colo' or 'cloud' to be that helpful (which is what this network is). For example they can be mandatory (and legitimate) in all sorts of corporate settings. A lot will depend on the nature of the unblock request (and the nature of any abuse). -- zzuuzz (talk) 03:09, 7 October 2019 (UTC)
Yeah, it's a cloud hosting provider. Many of them are used as backbones for commercial VPNs, which is why we have been blocking them. There are a few cases where corporations use them for mandatory VPNs, etc. but in those cases, when there is an established user, we can always grant IPBE. The UTRS case linked above appears to be for an account created for the specific purposes of requesting an unblock of the IP while at work. I don't see that as a good reason to undo the range block, but I'll also ping SQL on it since he's also been blocking these ranges. TonyBallioni (talk) 03:16, 7 October 2019 (UTC)
@TonyBallioni and Zzuuzz:, I've left comments on this request @ UTRS. SQLQuery me! 03:34, 7 October 2019 (UTC)
My block, but as SQL has commented in UTRS, I'm going ahead and closing this. TonyBallioni (talk) 02:01, 10 October 2019 (UTC)

125.212.128.0/17

I can't find the proper template, but can someone check this range? Thanks! Drmies (talk) 20:57, 15 October 2019 (UTC)

Drmies, that's a tricky one. Viettel is a mobile provider, but resolving some of the /24s in that /17, I'm seeing a lot of websites and mailservers mixed in. That being said, I start seeing ADSL ranges around 125.212.136.0-ish. If this is specifically about 125.212.220.48 - yes, that does appear to be either a proxy, or a compromised host of some sort. SQLQuery me! 21:34, 15 October 2019 (UTC)
User:SQL, thank you--is there anything you think I need to do more than I already did? Thanks, Drmies (talk) 01:26, 16 October 2019 (UTC)
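
Added example, not part of the archived discussion: the ranges quoted in the 185.97.92.116/29, 2400::/12 and 125.212.128.0/17 requests are normalised with Python's `ipaddress` module, showing which reported range sits inside which and how far a range exceeds a range-block limit. The limits used are an assumption (MediaWiki's default `$wgBlockCIDRLimit`), and `triage_range` and `covers` are illustrative names.

```python
import ipaddress

# Assumption: MediaWiki's default $wgBlockCIDRLimit (IPv4 /16, IPv6 /19);
# an individual wiki may configure different limits.
BLOCK_CIDR_LIMIT = {4: 16, 6: 19}


def triage_range(reported):
    """Normalise a reported range and say how it could be blocked."""
    iface = ipaddress.ip_interface(reported)
    net = iface.network  # host bits masked off
    limit = BLOCK_CIDR_LIMIT[net.version]
    # A range wider than the limit has to be split into limit-sized blocks.
    blocks_needed = 1 if net.prefixlen >= limit else 2 ** (limit - net.prefixlen)
    return {
        "normalised": str(net),
        "host_bits_set": iface.ip != net.network_address,
        "first": str(net[0]),
        "last": str(net[-1]),
        "single_block": net.prefixlen >= limit,
        "blocks_needed": blocks_needed,
    }


def covers(outer, inner):
    """True when every address of `inner` also lies inside `outer`."""
    o = ipaddress.ip_interface(outer).network
    i = ipaddress.ip_interface(inner).network
    return o.version == i.version and i.subnet_of(o)


# Ranges exactly as written in the requests above.
REPORTED = ["185.97.92.116/29", "185.97.92.113/28", "2400::/12", "125.212.128.0/17"]

if __name__ == "__main__":
    for r in REPORTED:
        print(r, triage_range(r))
    # The /29 in the request heading lies inside the /28 named in the reply.
    print(covers("185.97.92.113/28", "185.97.92.116/29"))
    # The single address singled out in the last request is inside the /17.
    print(covers("125.212.128.0/17", "125.212.220.48"))
```

Both 185.97.92.x ranges are written with host bits set; normalising them first avoids blocking or checking a different span than the one intended.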