2025-04-05
- I noticed a bunch of IPs using a weird user agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
- Firefox 72.0 was released in 2014 so it’s suspicious
- I found a few dozen IPs from Oracle cloud, for example:
- 151.106.160.158
- 151.106.162.8
- 151.106.164.53
- 151.106.169.76
- 151.106.184.192
- 151.106.166.243
- 151.106.162.30
- 151.106.165.204
- 151.106.191.138
- 151.106.160.247
- 151.106.166.201
- 151.106.167.56
- 151.106.163.240
- 151.106.163.149
- 151.106.177.184
- 151.106.181.25
- 151.106.180.26
- These are all AS31898, which I hadn’t seen before so I will add it to my list of data center ISPs
- Sheesh, I just found some other client from another Oracle data center doing stupid stuff:
# grepcidr '139.87.104.0/22' /var/log/nginx/api-access.log | awk '{print $1}' | sort | uniq -c | sort -n
39305 139.87.104.123
- This is AS6142 (SUN-JAVA) but AbuseIPDB calls it Oracle Public Cloud