Monday, October 15, 2007

Who the heck is 142.166.3.122 and 142.166.3.123 (radianrss-1.0)?

I've been perusing through my logs lately and found the user agent "radianrss-1.0" numerous times. I'd never heard of this program (maybe an RSS reader?), so I did a google search. The only commentary I found was this post speculating that 142.166.3.123 was possibly involved in the compromise of katester.net.

Interestingly enough, the rest of the search results are the traffic statistics pages of various Wordpress blogs around the Internet. There doesn't seem to be a clear answer for what "radianrss" is, or why 142.166.3.122-123 is constantly indexing all of my blog posts.



[evian]$ grep "142.166.3.123" access.log
142.166.3.123 - - [15/Oct/2007:01:02:23 -0700] "GET /2007/10/14/if-youre-not-already-start-using-dd-wrt/ HTTP/1.1" 200 14022 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:01:52:14 -0700] "GET /feed/atom/ HTTP/1.1" 200 36826 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:03:36:42 -0700] "GET /feed/atom/ HTTP/1.1" 200 36826 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:04:02:18 -0700] "GET /2007/10/14/if-youre-not-already-start-using-dd-wrt/ HTTP/1.1" 200 14023 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:06:23:53 -0700] "GET /2007/10/06/the-new-ubuntu-is-coming-already/ HTTP/1.1" 200 10915 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:07:00:07 -0700] "GET /2007/10/07/apt-get-does-have-an-option-for-automatic-security-updates/ HTTP/1.1" 200 12223 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:07:01:49 -0700] "GET /2007/10/14/if-youre-not-already-start-using-dd-wrt/ HTTP/1.1" 200 14023 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:07:57:22 -0700] "GET /2007/10/08/use-mozilla-firefox-under-wine-to-reach-those-windows-only-sites/ HTTP/1.1" 200 13046 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:09:06:34 -0700] "GET /2007/10/12/rails-ruby-scriptconsole-has-tab-completion/ HTTP/1.1" 200 16010 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:09:17:26 -0700] "GET /feed/atom/ HTTP/1.1" 200 13032 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:09:27:21 -0700] "GET /feed/atom/ HTTP/1.1" 200 36826 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:10:02:07 -0700] "GET /2007/10/14/if-youre-not-already-start-using-dd-wrt/ HTTP/1.1" 200 14022 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:10:17:18 -0700] "GET /2007/10/14/slow-ssh-logins-in-ubuntu-feisty-704/ HTTP/1.1" 200 12895 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:12:46:43 -0700] "GET /2007/10/13/use-ps2pdf-to-create-pdfs-from-any-linux-application/ HTTP/1.1" 200 11739 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:13:01:23 -0700] "GET /2007/10/14/if-youre-not-already-start-using-dd-wrt/ HTTP/1.1" 200 14022 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:13:03:56 -0700] "GET /2007/10/14/slow-ssh-logins-in-ubuntu-feisty-704/ HTTP/1.1" 200 12882 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:14:32:48 -0700] "GET /feed/atom/ HTTP/1.1" 200 36826 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:15:08:14 -0700] "GET /feed/atom/ HTTP/1.1" 200 36825 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:15:08:21 -0700] "GET /2007/10/14/slow-ssh-logins-in-ubuntu-feisty-704/ HTTP/1.1" 200 12894 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:15:08:26 -0700] "GET /2007/10/14/if-youre-not-already-start-using-dd-wrt/ HTTP/1.1" 200 14014 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:16:01:29 -0700] "GET /2007/10/14/if-youre-not-already-start-using-dd-wrt/ HTTP/1.1" 200 14023 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:16:03:03 -0700] "GET /2007/10/14/slow-ssh-logins-in-ubuntu-feisty-704/ HTTP/1.1" 200 12882 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:18:29:20 -0700] "GET /2007/10/14/slow-ssh-logins-in-ubuntu-feisty-704/ HTTP/1.1" 200 12901 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:18:29:21 -0700] "GET /2007/10/14/if-youre-not-already-start-using-dd-wrt/ HTTP/1.1" 200 14008 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:18:47:46 -0700] "GET /feed/atom/ HTTP/1.1" 200 36826 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:19:01:27 -0700] "GET /2007/10/14/if-youre-not-already-start-using-dd-wrt/ HTTP/1.1" 200 14028 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:19:02:41 -0700] "GET /2007/10/14/slow-ssh-logins-in-ubuntu-feisty-704/ HTTP/1.1" 200 12896 "-" "radianrss-1.0"
142.166.3.123 - - [15/Oct/2007:19:49:08 -0700] "GET /feed/atom/ HTTP/1.1" 200 36818 "-" "radianrss-1.0"

This is traffic just from today - less than 24 hours! Looking back a little further I also found

142.166.3.123 - - [14/Oct/2007:17:35:13 -0700] "GET /2007/10/14/slow-ssh-logins-in-ubuntu-feisty-704 HTTP/1.1" 200 450 "-" "Java/1.5.0_11"

which has decided to use Java 1.5 as its user agent string.

I'm curious to know why this IP address is retrieving all of my (and others') Wordpress blog(s), and why so frequently. Its not like the page has changed between each retrieval. Have you found this IP address in your logs, the "radianrss-1.0" user agent string, or anything else of interest?

4 comments:

  1. Yes, I have seen that, however, it only appears in one blog for the moment, which is odd considering it shows up on the a small blog, one that isn't the main. I tried to IP block it, but I see that it's found its way back under a different IP.

    ReplyDelete
  2. [...] lot of people seem to be wondering who exactly is behind the radianrss identifier that some of us have been [...]

    ReplyDelete
  3. I have seen them on my site too and I've been wondering what the heck they want I just did a google search and found this post. I found this a few months back and I think it might be helpful: http://cleverhack.com/2007/12/16/radian6-monitors-you/

    *************

    Radian6 monitors you!
    Posted by joy

    New crawler in my logs from an outfit called Radian6. From the Web site, they look to be a social media monitoring service for the Google Alerts challenged, I guess much in the same way as those other pre-existing social media monitoring services.

    Host: 142.166.3.125
    *
    /feed/
    Http Code: 200 Date: Dec 16 16:52:32 Http Version: HTTP/1.1 Size in Bytes: 7365
    Referer: -
    Agent: R6FeedFetcher(www.radian6.com/crawler)

    **************

    ReplyDelete
  4. they're on my blog too... also if it is hosted on a my living room server. they hammer without an apparent reason the more recent 30 pages, and they do this 5 or more times a day.

    using a wordpress plugin to ban them.

    ReplyDelete