CGSpace Notes

Documenting day-to-day work on the CGSpace repository.

April, 2025

in  Notes

2025-04-05

  • I noticed a bunch of IPs using a weird user agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
  • Firefox 72.0 was released in 2014 so it’s suspicious
  • I found a few dozen IPs from Oracle cloud, for example:
    • 151.106.160.158
    • 151.106.162.8
    • 151.106.164.53
    • 151.106.169.76
    • 151.106.184.192
    • 151.106.166.243
    • 151.106.162.30
    • 151.106.165.204
    • 151.106.191.138
    • 151.106.160.247
    • 151.106.166.201
    • 151.106.167.56
    • 151.106.163.240
    • 151.106.163.149
    • 151.106.177.184
    • 151.106.181.25
    • 151.106.180.26
  • These are all AS31898, which I hadn’t seen before so I will add it to my list of data center ISPs
  • Sheesh, I just found some other client from another Oracle data center doing stupid stuff:
# grepcidr '139.87.104.0/22' /var/log/nginx/api-access.log | awk '{print $1}' | sort | uniq -c | sort -n
  39305 139.87.104.123
  • This is AS6142 (SUN-JAVA) but AbuseIPDB calls it Oracle Public Cloud