
Is this really GoogleBot, or is this a spammer?

@Michele947

Posted in: #Googlebot #Iptables #Spam #SpamPrevention

I found this IP in my access log posting repeatedly thousands of times. Is this really GoogleBot, or is it a spammer? I hesitate to block it.


185.62.188.98 - - [13/May/2015:18:54:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; www.google.com/bot.html)


[root@host ~]# tracepath 185.62.188.98
1: 107.170.3.254 (107.170.3.254) 0.740ms
2: 192.241.164.237 (192.241.164.237) 0.550ms
3: nyk-b6-link.telia.net (62.115.35.101) 4.754ms
4: nyk-bb2-link.telia.net (80.91.254.37) 23.416ms asymm 5
5: ash-bb4-link.telia.net (62.115.137.66) 7.765ms
6: ash-b1-link.telia.net (213.155.130.73) 9.070ms
7: voxility-ic-311384-ash-b3.c.telia.net (62.115.55.66) 13.089ms
8: no reply
9: no reply
10: no reply
11: gw-blazingfast.voxility.net (5.254.105.110) 116.693ms
12: hosted-by.blazingfast.io (185.62.188.98) 97.844ms reached
Resume: pmtu 65535 hops 12 back 53


3 Comments


@Martha676

I used to get a lot of attacks from them on my servers. I blocked them via the CSF firewall. If you want to block their range, put this in your deny file for CSF (without the spaces):

185.11.144.0/22 # do not delete hosted-by.blazingfast.io
185.11.145.0/24 # do not delete hosted-by.blazingfast.io
185.11.146.0/24 # do not delete hosted-by.blazingfast.io
185.11.147.0/24 # do not delete hosted-by.blazingfast.io
185.61.136.0/22 # do not delete hosted-by.blazingfast.io
185.62.188.0/23 # do not delete hosted-by.blazingfast.io
185.62.188.0/24 # do not delete hosted-by.blazingfast.io
185.62.189.0/24 # do not delete hosted-by.blazingfast.io
185.62.190.0/23 # do not delete hosted-by.blazingfast.io
185.62.190.0/24 # do not delete hosted-by.blazingfast.io
185.62.191.0/24 # do not delete hosted-by.blazingfast.io
188.209.48.0/23 # do not delete hosted-by.blazingfast.io
188.209.48.0/24 # do not delete hosted-by.blazingfast.io
188.209.49.0/24 # do not delete hosted-by.blazingfast.io
188.209.50.0/23 # do not delete hosted-by.blazingfast.io
188.209.52.0/23 # do not delete hosted-by.blazingfast.io
188.209.52.0/24 # do not delete hosted-by.blazingfast.io
188.209.53.0/24 # do not delete hosted-by.blazingfast.io


@Annie201

I can agree that it definitely is NOT Google at all.

This webpage www.whois.com/whois/185.62.188.98 tells me it's from a system out in Ukraine called blazingfast.

Before downright blocking the IP, you have to figure out what types of people you want to welcome to your site.

It's quite possible that someone on that network simply has a hijacked computer. If you run a site with ads and that poor user behind the hijacked computer wanted to click an ad and you block them out, then you have lost a chance at revenue.

Now if you know for sure that your website is never meant for the Ukraine region, then you can go ahead and block them out.

You could even pull this off in PHP if your whole web application is written in it. Just insert this code right after the opening PHP tag in all entry PHP files (such as index.php):

// Compare the client address with the one from the access log and stop before any page logic runs.
if ($_SERVER['REMOTE_ADDR'] == "185.62.188.98") {
    echo "Access denied";
    exit();
}

It just basically checks the IP address and, if it matches the one you inquired on, prints only "Access denied" to the screen.


@Alves908

No. It is not Google.

Google would not POST /xmlrpc.php. This may be a vulnerability probe or an attack against an existing vulnerability that may or may not exist on your site.

185.62.188.98 is hosted-by.blazingfast.io. When you see something like hosted-by as a sub-domain, it is a webhost, obviously, but also an anonymous address block where the server is protected through a semi-bogus PTR DNS record. It is not uncommon for hosted systems domain names not to match the PTR record, but generic sub-domains such as this one are more than lazy and indicate a permissive hosting company (in my book anyway). They are sometimes used by people that are up to no good. Not an indictment, just common. I have a ton of these types of sub-domains in my abuse database.

Block by IP Address:

Apache .htaccess File

RewriteEngine On
# dots are escaped so the pattern matches only this exact address
RewriteCond %{REMOTE_ADDR} ^185\.62\.188\.98$
RewriteRule .* - [F,L]


Cisco Firewall

access-list deny-185-62-188-98-32 extended deny ip host 185.62.188.98 any
access-list deny-185-62-188-98-32 extended permit ip any any


Nginx

Edit nginx.conf and insert include blockips.conf; if it does not exist. Edit blockips.conf and add the following:

deny 185.62.188.98;


Microsoft IIS Web Server

<rule name="abort ip address 185.62.188.98/32" stopProcessing="true">
    <match url=".*" />
    <conditions>
        <add input="{REMOTE_ADDR}" pattern="^185\.62\.188\.98$" />
    </conditions>
    <action type="AbortRequest" />
</rule>


Windows netsh ADVFirewall Firewall

netsh advfirewall firewall add rule name="block-ip-185-62-188-98-32" dir=in interface=any action=block remoteip=185.62.188.98/32

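The two checks that come up in this thread, confirming whether a request that claims to be Googlebot really comes from Google (PTR record plus a forward lookup that must resolve back to the same IP, which is Google's own published verification method) and matching a source IP against a CSF-style deny list like the one in the earlier answer, can be run over access-log lines. This is an added example, not code from the thread or from CSF; the log lines and the deny-file excerpt are constructed, and the `system_reverse`/`system_forward` helpers are assumed wrappers around the OS resolver (the demo at the bottom needs network access, while the injectable resolver parameters let you test offline).

```python
import ipaddress
import re
import socket

# Constructed sample log lines in combined-log format (same shape as the line in the question).
SAMPLE_LOG = [
    '185.62.188.98 - - [13/May/2015:18:54:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; www.google.com/bot.html)"',
    '203.0.113.7 - - [13/May/2015:18:55:01 -0400] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

# Constructed excerpt in the CSF deny-file format used above: "CIDR # comment" per line.
DENY_FILE = """\
185.62.188.0/23 # do not delete hosted-by.blazingfast.io
188.209.48.0/23 # do not delete hosted-by.blazingfast.io
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Split one combined-log line into fields; returns None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def load_deny_list(text):
    """Parse CSF-style deny entries, ignoring '#' comments and blank lines."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def in_deny_list(ip, nets):
    """True if the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def system_reverse(ip):
    """PTR lookup via the OS resolver (assumed helper); None on failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    """A-record lookup via the OS resolver (assumed helper); None on failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def verify_googlebot(ip, reverse=system_reverse, forward=system_forward):
    """Google's published crawler check: the PTR name must be under googlebot.com or
    google.com AND must forward-resolve back to the same IP. The PTR alone proves
    nothing, because whoever runs reverse DNS for a block can publish any name."""
    host = reverse(ip)
    if not host:
        return False
    if not host.lower().rstrip(".").endswith((".googlebot.com", ".google.com")):
        return False
    return forward(host) == ip


def triage(lines, nets, reverse=system_reverse, forward=system_forward):
    """Flag requests whose User-Agent claims Googlebot but whose source fails verification."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or "Googlebot" not in rec["ua"]:
            continue
        if verify_googlebot(rec["ip"], reverse, forward):
            continue
        findings.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "path": rec["path"],
            "reason": "User-Agent claims Googlebot but PTR/forward DNS check failed",
            "in_deny_list": in_deny_list(rec["ip"], nets),
        })
    return findings


if __name__ == "__main__":
    # Uses the real OS resolver, so this part needs network access.
    for finding in triage(SAMPLE_LOG, load_deny_list(DENY_FILE)):
        print(finding)
```

The forward lookup is the step that matters: a host can set its PTR to anything, so only a name that also resolves back to the requesting IP counts. A finding from `triage` marks a request as spoofed, and `in_deny_list` tells you whether the existing CSF entries would already have covered it.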