Mastodawn

A couple weeks ago we had our own little solstice alignment in the Tervuren Forest where the sun shown perfectly down a pathway of trees towards a stone circle in the middle of the trail.

#dogsofmastadon #dogs #goldenhour #photography

Show thread

kravitz Aug 27, 2025

I ran these through Shodan and got zero results for 63 of 64 IP's except one (8.21.14.181) seems to be connected to a South Korean telecom (183.103.240.127) via BitTorrent as listed under DHT Nodes.

One other oddity I'm just seeing is out of six different class C subnets, all the addresses that crawled my S3 are in the range x.x.x.180 - x.x.x.190

Full IP's in last 24 hours

8.21.14.180
8.21.14.181
8.21.14.182
8.21.14.183
8.21.14.184
8.21.14.185
8.21.14.186
8.21.14.187
8.21.14.188
8.21.14.189
8.21.14.190

8.47.24.181
8.47.24.182
8.47.24.183
8.47.24.184
8.47.24.185
8.47.24.186
8.47.24.187
8.47.24.188
8.47.24.189
8.47.24.190

149.106.193.180
149.106.193.181
149.106.193.182
149.106.193.183
149.106.193.184
149.106.193.185
149.106.193.186
149.106.193.187
149.106.193.188
149.106.193.189
149.106.193.190

199.120.49.180
199.120.49.181
199.120.49.182
199.120.49.183
199.120.49.184
199.120.49.185
199.120.49.186
199.120.49.187
199.120.49.188
199.120.49.189
199.120.49.190

199.120.54.180
199.120.54.181
199.120.54.182
199.120.54.183
199.120.54.184
199.120.54.185
199.120.54.186
199.120.54.187
199.120.54.188
199.120.54.189

199.120.56.180
199.120.56.181
199.120.56.182
199.120.56.183
199.120.56.184
199.120.56.185
199.120.56.186
199.120.56.187
199.120.56.188
199.120.56.189
199.120.56.190

@briankrebs @404mediaco @jerry

kravitz Aug 27, 2025

Could be, but normally they should be using a known user agent and respecting robots.txt.

Curious too, the images on my server are more general photography not really something to do with roads or cars.

@GossiTheDog @jerry @briankrebs @404mediaco

Show thread

kravitz Aug 27, 2025

Thanks for doing some digging @briankrebs and for the additional insights.

I've also been getting excessive request attempts from UA "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" and a UA of just "-" which might be how S3 logging shows it but it comes through as something else.

The IP's for those two UA's are little less uniform and span a lot of ASN's. Might be a different group, but also quite persistent in their efforts.

@404mediaco @jerry

Show thread

kravitz Aug 27, 2025

Not a good time to run a server with millions of publicly facing images on it!

I was thinking it must be an AI crawler since they are going after images specifically, but if you look at IP rep like AbuseIPDB there is maybe some other stuff going on like L7 DDoS, which could also be a firehose of crawling.

@jerry @briankrebs @404mediaco

kravitz Aug 27, 2025

Either Tesla is running an anonymous AI crawler (like Perplexity got called out for) or they have a serious compromise of their servers that is running bad bots.

Either way, I've been getting a steady stream of millions of excessive unwanted attempted requests on the S3 bucket image server of my photography community website (Aminus3) from 60+ IP's all showing as owned by Tesla (AS394161)

The user agent is always "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"

Some Ip's include:
149.106.193.188
149.106.193.189
149.106.193.190
8.47.24.185
8.47.24.186
8.47.24.187
8.47.24.188
8.47.24.189
8.47.24.190
149.106.193.190
199.120.49.180
199.120.49.181
199.120.49.182
199.120.49.183
199.120.49.184
199.120.49.185
199.120.49.186
199.120.49.187