Vadixbot – Look Out!

Jaime noticed heavy traffic on America’s Debate tonight, so I did some digging. It turns out we were being spidered by a bot called “VadixBot.”

Who the hell are these Vadixbot people?

In just under 7 minutes, these jerks grabbed precisely 845 of our pages, averaging about two pages per second and wasting around 10 megabytes. As far as I can tell, they had been at it for several hours, if not more.

Here’s a sample of the latest visitor entry:

Host: 70.112.211.26

* /forums/index.php?s=9feb85cf271657f5d2d05b1d8f3f71bb&showuser=386
Http Code: 200 – Date: Jun 06 08:26:09 – Http Version: HTTP/1.1 – Size in Bytes: 12474
Referer: -
Agent: VadixBot

Here’s the WhoIs record on the IP:

Whois Record
IP Information 70.112.211.26
Record Type: IP Address
IP Location: United States – Texas – Austin – Road Runner Holdco Llc
Reverse DNS: cpe-70-112-211-26.austin.res.rr.com
Blacklist Status: Currently Listed (history)
Whois Record

OrgName: Road Runner HoldCo LLC
OrgID: RRSW
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US

ReferralServer: rwhois://ipmt.rr.com:4321

NetRange: 70.112.0.0 – 70.127.255.255
CIDR: 70.112.0.0/12
NetName: RRSW
NetHandle: NET-70-112-0-0-1
Parent: NET-70-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.RR.COM
NameServer: DNS2.RR.COM
NameServer: DNS3.RR.COM
NameServer: DNS5.RR.COM
NameServer: DNS6.RR.COM
Comment:
RegDate: 2004-09-17
Updated: 2006-06-06

OrgAbuseHandle: ABUSE10-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-345-3416
OrgAbuseEmail: Whois Privacy and Spam Prevention by DomainTools.com

OrgTechHandle: IPTEC-ARIN
OrgTechName: IP Tech
OrgTechPhone: +1-703-345-3416
OrgTechEmail: Whois Privacy and Spam Prevention by DomainTools.com

Yeah, I know it says Virginia, but the IP is most likely out of Texas:

IP address: 70.112.211.26
Reverse DNS: cpe-70-112-211-26.austin.res.rr.com.
Reverse DNS authenticity: [Verified]
ASN: 11427
ASN Name: SCRR-11427
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 70.96.0.0 to 70.127.255.255
Country fraud profile: Normal
City (per outside source): Austin, Texas
Country (per outside source): US [United States]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 70.112.211.26

My recommendation? Block them. These jerks didn’t read my robots.txt, and were hammering my site. They aren’t welcome back as a result. :)
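The request rates described in this post (about two pages per second from a single client) can be measured straight from an access log. The following is an added example, not code from the original post: a sliding-window check over Apache combined-format lines. The function names, the 60-requests-per-minute threshold and the sample log (documentation-range IPs) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, the format of the access-log lines quoted on this page.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} (?P<size>\d+|-) "[^"]*" "(?P<agent>[^"]*)"')

def find_heavy_crawlers(lines, max_requests=60, window=timedelta(seconds=60)):
    """Return stats for every (ip, agent) whose peak rate exceeds max_requests per window."""
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "peak": 0, "robots_txt": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        key = (m["ip"], m["agent"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= window:  # drop requests older than the window
            q.popleft()
        s = stats[key]
        s["requests"] += 1
        s["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        s["peak"] = max(s["peak"], len(q))
        s["robots_txt"] |= m["path"].split("?")[0].endswith("/robots.txt")
    return {k: s for k, s in stats.items() if s["peak"] > max_requests}

def sample_log():
    """Constructed sample: a crawler at 2 requests/second for 90 s plus one ordinary visitor."""
    start = datetime(2007, 6, 6, 8, 0, 0, tzinfo=timezone.utc)
    def row(ip, offset, path, size, agent):
        ts = (start + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size} "-" "{agent}"'
    bot = [row("192.0.2.10", i // 2, f"/forums/index.php?showuser={i}", 12000, "VadixBot")
           for i in range(180)]
    human = [row("198.51.100.7", 20 * i, "/forums/", 9000, "Mozilla/5.0") for i in range(5)]
    return bot + human

if __name__ == "__main__":
    for (ip, agent), s in find_heavy_crawlers(sample_log()).items():
        print(ip, agent, s)
```

The `robots_txt` flag records whether the client ever requested robots.txt, which helps separate a crawler that ignores the file from one that never fetched it.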

25 thoughts on “Vadixbot – Look Out!”

  1. VadixBot crawled me, too. A quick search doesn’t turn up really any information about them. Maybe someone is trying to become the next Google…

  2. They hit me too, fast enough to exhaust memory and cpu, effectively a denial of service attack. I had to reboot.

    I can tell you one thing as I live in Austin and know how Roadrunner labels their IPs: It’s a residential cable modem. I’ve sent my logs to RoadRunner. Hopefully they will shut these guys down hard.

  3. I have been trying to track down why my apache has been dying recently. It went down two days ago while I was on vacation. Then the system was really sluggish last night. And I’ve noticed a ton of guests online above 1,000 – I just figured google was extra busy or something.. lol – But then this evening my apache locked up again so I had to dig through the logs. I found

    70.112.211.26 - - [22/Jun/2007:17:48:19 -0500] "GET /requests/index.php?s=232498a5dc5341c2ab792bde0b37b527&showuser=1891 HTTP/1.1" 200 9569 "-" "VadixBot"

    this resolves to cpe-70-112-211-26.austin.res.rr.com

    I found this blog because I was searching for what the hell a vadixbot was! I was surprised to see it was hitting my friend Mike as well. This is the same IP! What must we do to get this ISP to stop this guy? Isn’t this a felony in Texas? This guy shut me down for two days and nearly caused me to pull my hair out. Let’s all get together and do something about this!?

  4. I have some newly extracted statistics for how VadixBot crawled my site.

    They started on June 3rd, and I blocked them on June 14th.

    In that 11 day timeframe, they crawled 290,560 pages from my site.

    At their peak, they were downloading about 180 pages per minute from my site. Yes, that’s right– 3 pages per second!

    In one day, they downloaded 156,488 pages!

    In total, it looks like they wasted 3,607,184 KB. Yes, about 3.5 Gigabytes! I’ll be paying an overage this month as a result.

    Block VadixBot as soon as you can! I have sent this information to my host, and have recommended that they block the IP at the server-level.

    Mike

  5. I’ve just noticed a log entry for VadixBot in my logfiles… but only grabbed two pages. Maybe because I’m on a smallish site, but they only visited my home page and did that twice… I’ve not noticed any trouble yet.

    I’ll block them anyways… thanks for a good article – first match on google and helped me out!

  6. Just found a listing in my stats of

    #reqs %bytes host
    3604 hits from nyc.res.rr.com
    1908 hits from sw.biz.rr.com
    1818 hits from sw.biz.rr.com

    Browsers by the number of requests for pages
    5500 hits from VadixBot

    Put up an .htaccess file, reported it to abuse@rr.com and to my ISP. 16 gigs of podcast in one day…

    Onwards!

  7. Maybe you could write a script that would throttle the bandwidth of connection from a host to normal average users for those nasty bots that don’t read robots.txt

  8. VadixBot seems to be doing the rounds and no one knows what it is or who, by the looks

    After a little investigation myself my findings are:

    Visiting IP: 67.78.34.170

    Whois IP:

    OrgName: Road Runner HoldCo LLC
    OrgID: RCSW
    Address: 13241 Woodland Park Road
    City: Herndon
    StateProv: VA
    PostalCode: 20171
    Country: US

    Now I guessed their site would be Vadix.com which then leads me to this

    Domain Name whois: ( ;0) )

    Registry Data
    ICANN Registrar: NETWORK SOLUTIONS, LLC.
    Created: 2000-05-15
    Expires: 2009-05-15
    Registrar Status: clientTransferProhibited
    Name Server: NS8.SAN.YAHOO.COM
    Name Server: NS9.SAN.YAHOO.COM
    Whois Server: whois.networksolutions.com

    Server Data
    Server Type: Apache/1.3.37 (Unix)
    IP Address: 66.218.89.111
    IP Location United States – California – Sunnyvale – Yahoo!
    Response Code: 200
    Blacklist Status: Clear
    Domain Status: Registered And Active Website

    http://whois.domaintools.com/vadix.com

    Could this be a Yahoo project, I wonder?? lol

  9. Vadixbot spidered one of my newer, much less publicised websites just a moment ago. I’ve never seen it before and I have a main website that’s been really going up in the Google Rankings recently (because of my blogs about Nokia N95 User Agents). So I’m recently confused as to how it arrived at this brand-spanking new little site.

    67.78.34.166 - - [20/Nov/2007:22:13:13 +0000] "GET /filthish/robots.txt HTTP/1.1" 200 23 "-" "VadixBot"

    It did read the robots.txt but as it’s currently set to allow all I don’t know if it would’ve actually obeyed it. Has anyone ever seen it obey the robots.txt?

  10. Hi,
    I have seen it, too. It asked for the robots.txt and crawled only one page. I will DISALLOW the whole site for this bot until I have more information about what it wants.

  11. Update: Ok, VadixBot disobeys a

    User-agent: VadixBot
    Disallow: /

    in robots.txt. It asked for robots.txt before it spidered my site.

  12. Does somebody have new information about the VadixBot? I am from Germany, he has visited me, a smaller side and he spidered only 5 sides. Disallow or not?

  13. I am now disallowing VadixBot. It started crawling my site the 23rd.

    In the last three days (2007-12-23 18:10:11 to 2007-12-26 01:08:07), it has crawled 395 pages, and it crawled robots.txt twice: 2007-12-23 18:10:11 (the first file it fetched) and 22:50:30 the same day.

    Merry Christmas / Merry Yuletide.

  14. Weird. VadixBot only loaded two files off my server on 15 Dec 2007, but not since then, yet others are getting hammered. Does it look for things and then decide who to target, and if so, what?

    67.78.34.174 http://www.varusonline.com - [15/Dec/2007:15:59:32 +0000] "GET /robots.txt HTTP/1.1" 200 491 "-" "VadixBot"
    67.78.34.166 http://www.varusonline.com - [15/Dec/2007:15:59:32 +0000] "GET / HTTP/1.1" 200 4844 "-" "VadixBot"

  15. Today this bot crawled my server.
    Really weird behaviour, it asked for the robots.txt. This file I deleted months ago and was for 1 day on my site. And there was only one sentence in it, to look in one open dir (this was a small Google project to test Google). This robots.txt was only read by Google in history (by a short add website I gave at their website). The VadixBot knew the opendir. So it doesn’t only work with the robots.txt. It uses Google’s results too.

    On this server and IP, I host a couple of different domains, all these domains were separately scanned at the same time (seconds/minute) by the VadixBot, apparently it wanted everything hosted on my IP address.

    Luckily my sites don’t contain lots of pictures, movies or MP3s, otherwise it would be down.
    It downloaded everything, from movies till text files till even the thumbs.db what was in a map.

    Who/what is the owner/purpose???? If someone can post that here, please….

    Greetings from Holland!!

  16. Anything and everything from Herndon, VA is the CIA, even the manager at Arbys. lol!

  17. btw the vadix bot (if it’s a bot) crawled all pages of my website in 6 turns in a period of 2 days. What does it want?

  18. Well luckily you could detect it in time so you do not re-invade the host
