6/6/2007

Vadixbot - Look Out!

Filed under: — Mike @ 2:54 am

Jaime noticed heavy traffic on America’s Debate tonight, so I did some digging. It turns out we were being spidered by a bot called “VadixBot.”

Who the hell are these Vadixbot people?

In just under 7 minutes, these jerks grabbed precisely 845 of our pages, averaging about two pages per second and wasting around 10 megabytes. As far as I can tell, they had been at it for several hours, if not more.

Here’s a sample of the latest visitor entry:

Host: 70.112.211.26

* /forums/index.php?s=9feb85cf271657f5d2d05b1d8f3f71bb&showuser=386
Http Code: 200 - Date: Jun 06 08:26:09 - Http Version: HTTP/1.1 - Size in Bytes: 12474
Referer: -
Agent: VadixBot

Here’s the WhoIs record on the IP:

Whois Record
IP Information 70.112.211.26
Record Type: IP Address
IP Location: United States - Texas - Austin - Road Runner Holdco Llc
Reverse DNS: cpe-70-112-211-26.austin.res.rr.com
Blacklist Status: Currently Listed (history)
Whois Record

OrgName: Road Runner HoldCo LLC
OrgID: RRSW
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US

ReferralServer: rwhois://ipmt.rr.com:4321

NetRange: 70.112.0.0 - 70.127.255.255
CIDR: 70.112.0.0/12
NetName: RRSW
NetHandle: NET-70-112-0-0-1
Parent: NET-70-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.RR.COM
NameServer: DNS2.RR.COM
NameServer: DNS3.RR.COM
NameServer: DNS5.RR.COM
NameServer: DNS6.RR.COM
Comment:
RegDate: 2004-09-17
Updated: 2006-06-06

OrgAbuseHandle: ABUSE10-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-345-3416
OrgAbuseEmail: Whois Privacy and Spam Prevention by DomainTools.com

OrgTechHandle: IPTEC-ARIN
OrgTechName: IP Tech
OrgTechPhone: +1-703-345-3416
OrgTechEmail: Whois Privacy and Spam Prevention by DomainTools.com

Yeah, I know it says Virginia, but the IP is most likely out of Texas:

IP address: 70.112.211.26
Reverse DNS: cpe-70-112-211-26.austin.res.rr.com.
Reverse DNS authenticity: [Verified]
ASN: 11427
ASN Name: SCRR-11427
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 70.96.0.0 to 70.127.255.255
Country fraud profile: Normal
City (per outside source): Austin, Texas
Country (per outside source): US [United States]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 70.112.211.26

My recommendation? Block them. These jerks didn’t read my robots.txt, and were hammering my site. They aren’t welcome back as a result. :)
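
The request-rate arithmetic above (845 pages in just under 7 minutes) can be run over a whole access log to find crawlers that need blocking. This is an added example, not code from the original post: it assumes Apache combined log format, the `max_rate` and `min_requests` thresholds are illustrative, and the sample lines, the documentation IP addresses and the `PoliteBot` agent are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip, timestamp, request path, size, user-agent
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} (\d+|-) "[^"]*" "([^"]*)"')

def crawl_report(lines, max_rate=1.0, min_requests=10):
    """Summarise each (ip, user-agent) client and flag sustained fast crawlers."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "first": None,
                                 "last": None, "robots": False})
    for line in lines:
        m = LINE.match(line)
        if not m:                       # skip malformed or differently formatted lines
            continue
        ip, ts, path, size, agent = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        s = stats[(ip, agent)]
        s["requests"] += 1
        s["bytes"] += 0 if size == "-" else int(size)
        s["first"] = when if s["first"] is None else min(s["first"], when)
        s["last"] = when if s["last"] is None else max(s["last"], when)
        s["robots"] = s["robots"] or path.split("?")[0].endswith("/robots.txt")
    report = {}
    for key, s in stats.items():
        # Requests per second over the client's active window (at least 1 s)
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rate = s["requests"] / span
        report[key] = {"requests": s["requests"], "bytes": s["bytes"],
                       "rate": round(rate, 2), "robots": s["robots"],
                       "flagged": s["requests"] >= min_requests and rate >= max_rate}
    return report

def sample_log():
    """Constructed log lines (documentation IPs); not taken from any real log."""
    fmt = '{} - - [06/Jun/2007:08:{:02d}:{:02d} -0500] "GET {} HTTP/1.1" 200 {} "-" "{}"'
    fast = [fmt.format("192.0.2.10", 26, i // 2, f"/forums/index.php?showuser={i}",
                       12000, "VadixBot") for i in range(12)]
    slow = [fmt.format("192.0.2.20", 0, 0, "/robots.txt", 23, "PoliteBot")]
    slow += [fmt.format("192.0.2.20", i, 0, f"/page{i}", 5000, "PoliteBot")
             for i in range(1, 6)]
    human = [fmt.format("198.51.100.7", 10 * i, 0, "/forums/", 9000, "Mozilla/5.0")
             for i in range(3)]
    return fast + slow + human + ["not a log line"]

if __name__ == "__main__":
    for (ip, agent), row in crawl_report(sample_log()).items():
        print(ip, agent, row)
```

The `robots` field records whether the client ever requested robots.txt, which separates crawlers that never fetched it from those that fetched it and may have ignored it.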

21 Responses to “Vadixbot - Look Out!”

  1. DFAL Says:

    VadixBot crawled me, too. A quick search doesn’t turn up really any information about them. Maybe someone is trying to become the next Google…

  2. Another victim Says:

    They hit me too, fast enough to exhaust memory and cpu, effectively a denial of service attack. I had to reboot.

    I can tell you one thing as I live in Austin and know how Roadrunner labels their IPs: It’s a residential cable modem. I’ve sent my logs to RoadRunner. Hopefully they will shut these guys down hard.

  3. Leo Ashcraft Says:

    I have been trying to track down why my apache has been dying recently. It went down two days ago while I was on vacation. Then the system was really sluggish last night. And I’ve noticed a ton of guests online above 1,000 - I just figured google was extra busy or something.. lol - But then this evening my apache locked up again so I had to dig through the logs. I found

    70.112.211.26 - - [22/Jun/2007:17:48:19 -0500] "GET /requests/index.php?s=232498a5dc5341c2ab792bde0b37b527&showuser=1891 HTTP/1.1" 200 9569 "-" "VadixBot"

    this resolves to cpe-70-112-211-26.austin.res.rr.com

    I found this blog because I was searching for what the hell a vadixbot was! I was surprised to see it was hitting my friend Mike as well. This is the same IP! What must we do to get this ISP to stop this guy? Isn’t this a felony in Texas? This guy shut me down for two days and nearly caused me to pull my hair out. Let’s all get together and do something about this!?

  4. Mike Says:

    I have some newly extracted statistics for how VadixBot crawled my site.

    They started on June 3rd, and I blocked them on June 14th.

    In that 11 day timeframe, they crawled 290,560 pages from my site.

    At their peak, they were downloading about 180 pages per minute from my site. Yes, that’s right– 3 pages per second!

    In one day, they downloaded 156,488 pages!

    In total, it looks like they wasted 3,607,184 KB. Yes, about 3.5 Gigabytes! I’ll be paying an overage this month as a result.

    Block VadixBot as soon as you can! I have sent this information to my host, and have recommended that they block the IP at the server-level.

    Mike

  5. KJM Says:

    http://biz.yahoo.com/ic/99/99815.html

  6. KJM Says:

    I forgot to add ‘these are the big guys’.

  7. CalonDdraig Says:

    I’ve just noticed a log entry for VadixBot in my logfiles… but only grabbed two pages. Maybe because I’m on a smallish site, but they only visited my home page and did that twice… I’ve not noticed any trouble yet.

    I’ll block them anyways… thanks for a good article - first match on google and helped me out!

  8. daniel.lin Says:

    VadixBot crawled me, too…555555555

  9. daniel.lin Says:

    but i can’t find any more information about it…

  10. webmaster Says:

    Just found a listing in my stats of

    #reqs %bytes host
    3604 hits from nyc.res.rr.com
    1908 hits from sw.biz.rr.com
    1818 hits from sw.biz.rr.com

    Browsers by the number of requests for pages
    5500 hits from VadixBot

    Put up an .htaccess file, reported it to abuse@rr.com and to my ISP. 16 gigs of podcast in one day…

    Onwards!

  11. crashfourit Says:

    Maybe you could write a script that would throttle the bandwidth of connection from a host to normal average users for those nasty bots that don’t read robots.txt

  12. Jz Says:

    VadixBot seems to be doing the rounds and no one knows what it is or who by the looks

    After a little investigation myself my findings are:

    Visiting IP: 67.78.34.170

    Whois IP:

    OrgName: Road Runner HoldCo LLC
    OrgID: RCSW
    Address: 13241 Woodland Park Road
    City: Herndon
    StateProv: VA
    PostalCode: 20171
    Country: US

    Now I guessed their site would be Vadix.com which then leads me to this

    Domain Name whois: ( ;0) )

    Registry Data
    ICANN Registrar: NETWORK SOLUTIONS, LLC.
    Created: 2000-05-15
    Expires: 2009-05-15
    Registrar Status: clientTransferProhibited
    Name Server: NS8.SAN.YAHOO.COM
    Name Server: NS9.SAN.YAHOO.COM
    Whois Server: whois.networksolutions.com

    Server Data
    Server Type: Apache/1.3.37 (Unix)
    IP Address: 66.218.89.111
    IP Location United States - California - Sunnyvale - Yahoo!
    Response Code: 200
    Blacklist Status: Clear
    Domain Status: Registered And Active Website

    http://whois.domaintools.com/vadix.com

    Could this be a Yahoo project I wonder?? lol

  13. revaaron Says:

    67.78.34.174
    67.78.34.166
    67.78.34.170
    they downloaded something like 26GB @ 4am.

  14. Leyton Jay Says:

    Vadixbot spidered one of my newer, much less publicised websites just a moment ago. I’ve never seen it before and I have a main website that’s been really going up in the Google Rankings recently (because of my blogs about Nokia N95 User Agents). So I’m recently confused as to how it arrived at this brand-spanking new little site.

    67.78.34.166 - - [20/Nov/2007:22:13:13 +0000] "GET /filthish/robots.txt HTTP/1.1" 200 23 "-" "VadixBot"

    It did read the robots.txt but as it’s currently set to allow all I don’t know if it would’ve actually obeyed it. Has anyone ever seen it obey the robots.txt?

  15. Alphane Moon Says:

    Hi,
    I have seen it, too. It asked for the robots.txt and crawled only one page. I will DISALLOW the whole site for this bot until I have more information about what it wants.

  16. Alphane Moon Says:

    Update: Ok, VadixBot disobeys a

    User-agent: VadixBot
    Disallow: /

    in robots.txt. It asked for robots.txt before it spidered my site.

  17. Joonny 5 Says:

    It’s either CIA or department of homeland security!

  18. Meissner Says:

    Does somebody have new information about the VadixBot? I am from Germany, he has visited me, a smaller site, and he spidered only 5 pages. Disallow or not?

  19. Mortal Says:

    I am now disallowing VadixBot. It started crawling my site the 23rd.

    In the last three days (2007-12-23 18:10:11 to 2007-12-26 01:08:07), it has crawled 395 pages, and it crawled robots.txt twice: 2007-12-23 18:10:11 (the first file it fetched) and 22:50:30 the same day.

    Merry Christmas / Merry Yuletide.

  20. Jessica Says:

    Weird. VadixBot only loaded two files off my server on 15 Dec 2007, but not since then, yet others are getting hammered. Does it look for things and then decide who to target, and if so, what?

    67.78.34.174 http://www.varusonline.com - [15/Dec/2007:15:59:32 +0000] "GET /robots.txt HTTP/1.1" 200 491 "-" "VadixBot"
    67.78.34.166 http://www.varusonline.com - [15/Dec/2007:15:59:32 +0000] "GET / HTTP/1.1" 200 4844 "-" "VadixBot"

  21. TheOne Says:

    Today this bot crawled my server.
    Really weird behaviour, it asked for the robots.txt. This file I deleted months ago and was for 1 day on my site. And there was only one sentence in it, to look in one open dir (this was a small Google project to test Google). This robots.txt was only read by Google in history (by a short add website I gave at their website). The VadixBot knew the opendir. So it doesn’t only work with the robots.txt. It uses Google’s results too.

    On this server and IP, I’ll host a couple of different domains, all these domains were separately scanned at the same time (seconds/minute) by the VadixBot, apparently it wanted everything hosted on my IP address.

    Luckily my sites don’t contain lots of pictures, movies or mp3’s, otherwise it would be down.
    It downloaded everything, from movies till text files till even the thumbs.db what was in a map.

    Who/what is the owner/purpose???? If someone can post that here, please….

    Greetings from Holland!!
