Sponsored by..

Wednesday 25 August 2010

Evil network: Sagade Ltd / ATECH-SAGADE AS6851 (85.234.190.0/23)

I've mentioned Sagade Ltd before, it's a totally Black Hat Latvian network that should be blocked on sight. Google's Safe Browsing diagnostic for this range is fairly damning:

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, 85.234.190.0 appeared to function as an intermediary for the infection of 476 site(s) including lekarnar.com/, mysofa.es/, audiofile.org.ua/.

Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 1999 domain(s), including audiofile.org.ua/, votailprof.it/, capinaremos.com/.
There's very little point playing whack-a-mole with these Latvian IP addresses. It's probably worth null-routing the entire country until some government agency that isn't being paid off by Russian organised criminals sorts the mess out. There's a list of major Latvian IP address allocations here- unless you do business in the Baltic states, then blocking all of them will probably do no harm.

Domains in the IP address range 85.234.190.0 - 85.234.191.255 are:
Marre.in
Monre.in
Sdaya.in
Dnsdnsprovider.com
Respw.info
Tonew.info
Wbypa.info
Celebsalon.net
Celebsvideos.net
Soltberger.net
Sumerki-saga.com
Zatmenie-saga.com
Bestgoogleanalytics.com
Bestgenerics.org
Dhag.org
Autoseon7.com
Auou.info
Premiaa.com
Tdyeah.com
Oeema.info
Oeeme.info
Toptrep.biz
Staticdnsdns.com
Aaasphereezine.com
Aopsompamspn.com
Hsudsasodams.com
Ieksmanskasdk.com
Mopsdiamsas.com
Alert-system.net
Ffgde.com
Gdlka.com
Khhfg.com
Nnmty.com
Ppolr.com
Rcchr.com
Rrtyu.com
Rttye.com
Trrre.com
Uyyty.com
Ccdfr.com
Ffeeq.com
Kklou.com
Kkuyt.com
Oouty.com
Ppuut.com
Ppyur.com
Ttyww.com
Wrraa.com
Yyrew.com
Bbhty.com
Ggbdb.com
Rggsd.com
Rihdd.com
Rrryu.com
Bbgtr.com
Kjhtr.com
Wrrrt.com
Mylote.com
Tube-free-online.com
Adminka.org
Bbcxq.com
Bnfgd.com
Cbdfr.com
Dettt.com
Fggpr.com
Ggffr.com
Hhyyr.com
Ssmmb.com
Trdvr.com
Darkseo.org
Dbsoft.in
Domainpc.in
Exinfo.in
Lightdebug.in
Microsoft-security-center.com
Mxinfo.in
Statreview.in
Uimode.in
Unport.in
Bestdomainforus.info
Bestvido.info
Bluffycrob.info
Domain-for-email-us.info
Domain-for-gain-us.info
Domain-for-lease-us.info
Domain-for-us.info
Domainfordollarsus.info
Domainforemailus.info
Domainforgainus.info
Domainforleaseus.info
Domainforus.info
Domainforusblog.info
Domainforusnow.info
Domainforusonline.info
Domainforusshop.info
Domainforussite.info
Domainforusstore.info
Domainforustoday.info
Fffvideo.info
Freedomainforus.info
Freevido.info
Microoplata.info
Moplata.info
Mydomainforus.info
Myvido.info
Newdomainforus.info
Newvido.info
Stupid-domain-for-us.info
Stupiddomainforus.info
Thebluffycrob.info
Thedomainforus.info
Thefffvideo.info
Vi-do.info
Vidonow.info
Vidoonline.info

3 comments:

Photoshop Clipping Path said...
This comment has been removed by a blog administrator.
Dixie said...

Hi Dynamoo!

I stumbled over your blog post when I was googling for Sagade LTD. I'm helping out a small group with their website and discovered today that several pages have been hijacked and redirected to a page owned by Sagade.

Can you give me some guidance here? How does this occur? Where is the breakdown in security? Is it with the website, the webhost or somewhere else? The site is being completely revamped and recoded by a different person than who wrote it originally and currently the only way to find the hijacked pages is via a google site search. Will simply deleting them from the server and putting the fresh pages in place be enough to keep the site secure? Any guidance you can offer would be appreciated.

Conrad Longmore said...

Typically these injections are done through a software vulnerability - WordPress and PHP are two common pieces of software that are attacked. Making sure that the server software is up to date at all times is very important (usually your web host does this). Also make sure that passwords are very secure, preferably mixing upper and lowercase letters, numbers and symbols.