Sponsored by..

Monday, 11 October 2010

[Updated] Evil network: Donstroy Ltd AS29557 (194.8.250.0/23)

UPDATE:  this IP range is now used by a completely different organisation, and malicious activity no longer exists and the block is safe to use. However, the post will remain up for research purposes.

Another network worth blocking, Donstroy Ltd appears to be a Latvia entity hosting in Moldova, closely affiliate with Sagade Ltd who are one of the most scummy networks around at the moment.

The WHOIS details show a tell-tale link to Sagade in the email address:

inetnum:         194.8.250.0 - 194.8.251.255
netname:         Donstroy-1
descr:           Donstroy Ltd.
country:         LV
org:             ORG-DL107-RIPE
admin-c:         JS1050
tech-c:          JS1050
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          MNT-DONSTROY
mnt-routes:      MNT-DONSTROY
mnt-domains:     MNT-DONSTROY
source:          RIPE # Filtered

organisation:    ORG-DL107-RIPE
org-name:        Donstroy Ltd.
org-type:        OTHER
address:         Kalinina 19, 6, Bendery, Moldova
e-mail:          sagade95@gmail.com
mnt-ref:         MNT-DONSTROY
mnt-by:          MNT-DONSTROY
source:          RIPE # Filtered

person:          Juris Sahurovs
address:         Rezekne Darzu iela 21
phone:           +37120034981
nic-hdl:         JS1050
e-mail:          sagade95@gmail.com
source:          RIPE # Filtered

% Information related to '194.8.250.0/23AS29557'

route:           194.8.250.0/23
descr:           donstroy-route-1
origin:          AS29557
mnt-by:          MNT-DONSTROY
source:          RIPE # Filtered

Google's Safe Browsing diagnostics are not good:

Safe Browsing
Diagnostic page for AS29557 (ASNOVIFORUM)

What happened when Google visited sites hosted on this network?

    Of the 42 site(s) we tested on this network over the past 90 days, 2 site(s), including, for example, fastprosearch.com/, twilightsex.cz.cc/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-10-10, and the last time suspicious content was found was on 2010-10-10.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, manoso.cz.cc/, noaos1.cz.cc/, sunporno.cz.cc/, that appeared to function as intermediaries for the infection of 31 other site(s) including, for example, business-standard.com/, ddl-blog.org/, onlyteensx.net/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 22 site(s), including, for example, 194.8.251.0/, prostodomen.in/, globalvalidator.cz.cc/, that infected 215 other site(s), including, for example, business-standard.com/, renisyqaqir.freehostking.com/, hetivilesum.freehostking.com/.

A search against MyWOT reputations reveals a concentration of very bad sites (report here), the best thing to do is to block all traffic to 194.8.250.0 - 194.8.251.255 (194.8.250.0/23) and/or the domains listed below:

Girlongirllibido.info
Homeownersinsuranceratings.com
Testertestfree.org
Vmhostingboxx.org
Dscodec.com
Fastprosearch.com
Ttyur.com
Vlopw.com
Bmlsk.com
Bumzc.com
Fjoty.com
Fruuf.com
Hjoty.com
Nwsplt.com
Palcaug.com
Potyur.com
Uoptyr.com
Uprtx.com
Medicpillsana.com
Medicpillsbba.com
Medicpillsbia.com
Medicpillsbta.com
Medicpillscaa.com
Medicpillscea.com
Medicpillscha.com
Medicpillscia.com
Medicpillscka.com
Medicshopnas.net
Medicshopnds.net
Medicshopnks.net
Medicshopnts.net
Medicshopoes.net
Asemedic.net
Astmedic.net
Encmedic.net
Enmedic.net
Frmedic.net
Hismedic.net
Icmedic.net
Intmedic.net
Krmedic.net
Letmedic.net
Medicci.net
Medicdi.net
Medicfr.net
Medicha.net
Mediclg.net
Medicni.net
Medicnr.net
Medicpo.net
Medicpu.net
Medicri.net
Ajeslovshord.com
Akvodhhead.com
Alsodhesedhoujhd.com
Aniarioli.com
Askpressjame.com
Bejokohafder.com
Blackmodhersdep.com
Bodhlearkfil.com
Busyplakdovk.com
Cutyacttin.com
Deheverbejak.com
Dhadhaveopek.com
Dheyherevhole.com
Dovkbackbord.com
Fallanlot.com
Gavilaugddiri.com
Hadakcourse.com
Hojharedokd.com
Kameuspoukd.com
Losdsodemoss.com
Lovioinwdoli.com
Medpillsna1.com
Medpillsna2.com
Medpillsna3.com
Medpillsna4.com
Medpillsna5.com
Medpillsni1.com
Medpillsni2.com
Medpillsni3.com
Medpillsni4.com
Medpillsni5.com
Minanwaut.com
Offobjecdfamoly.com
Okchfudboy.com
Oslakdexampleas.com
Pajeukdolmaok.com
Posekipbrokj.com
Pukdraokclass.com
Redovksay.com
Resdlaujhmoss.com
Savsdadeschul.com
Sduigancdangi.com
Sliicrymuli.com
Stooddandwi.com
Suchjrikoh.com
Travilfuriwdin.com
Addsecovdtook.com
Aoutdonttdrii.com
Assiafull.com
Commoklakjuajemeak.com
Dalkplakdaor.com
Deachhodkear.com
Dhadledad.com
Dhohdhokjearly.com
Dhokjbroujhdmusd.com
Dojcourseleark.com
Domesdopdhousakd.com
Dopmedic.net
Dovardhohdhoh.com
Efimedic.net
Enemedic.net
Feetdoldakayvst.com
Femedic.net
Hamedic.net
Joldiplosd.com
Kodocedoldappear.com
Launflymost.com
Lederbojdhad.com
Letdourwere.com
Lodledellmek.com
Medshopcu1.com
Medshopcu2.com
Medshopcu3.com
Medshopcu4.com
Medshopcu5.com
Medshopde1.com
Medshopde2.com
Medshopde3.com
Medshopde4.com
Medshopde5.com
Muchplakdokly.com
Okcevhekvadch.com
Oldbesdjrik.com
Passourdu.com
Pocdurejudcold.com
Rockdomeacd.com
Rockroundsung.com
Sicondkniwgo.com
Slovkevvell.com
Soldmarkacte.com
Strovkuproad.com
Ukmedicineel.com
Ukmedicineho.com
Ukmedicineit.com
Vadchdeachmokd.com
Vekdhadjrov.com
Vhadreachmusoc.com
Vholevucemay.com
Vokdercarryjod.com
Vordeachsdud.com
Ydeamavturv.com
Advsecsmart.com
Digitall-soft.com
Extrafullprotection.com
Mypc-repair.com
Payforsec.com
Secsmartsuper.com
Smartsecadv.com
Smartsecsuper.com
Smartsecurityadvisor.com
Smartsupersecurity.com
Stable-soft.com
Supersecadvizor.com
Supersecurepay.com
Supersmartantivirus.com
Supersmartsec.com
Bbnhs.com
Bumzec.com
Ddleb.com
Drutp.com
Gasdda.com
Gradtz.com
Hewraq.com
Hgptd.com
Htresq.com
Krclear.com
Nadwq.com
Nmkop.com
Utrvc.com
Vbnrte.info
Kobqq.com
Jgtee.com
Jyiop.com
Mptim.com
Nhytx.com
Ptyre.com
Woptr.com
Yopte.com
Ypuii.com
Checkingassociateeditor.com
Bestcheckingconnect.com
Checking-associate-editor.com
Checking-associate.com
Checkingassociatemembership.com
Checkingconnectdata.com
Checkingconnectnow.com
Checkingconnectshop.com
Cogus.net
Gromz.net
Mochos.net
Zorter.net
Movies-celeb.info
Onlymoviesporn.info
Porn-video-4u.info
Pornyardmovies.info
Videostreamporn.info
Moviesfreestar.info
Nanocloudcontroller.com
Iliked.org
Yougoodvideo.net
Shloesandrooneys.com
1200kb.net
Banfieldsbest.com
Btp-tags.com
Doit-4-u.com
In-ta.net
Media-share.org
Mwcdirect.com
Pixel-pie.com
Planetsoldat.com
Sainser.com
Wnizip.com
Dsfungssdfg.com
Sbgfdfsggf.com
Sportstickets.tv
Sufdngsg.com
Missing-codecs.com
Missing-codecs.net
Missing-codecs.org
Vidscentral.net
Consp.net
Thestability.com
Traffcity.com
Polytech-electronics.net
Blackmaven.in
Blueace.in
Whiteace.in
Whiteoso.in
Whitewizard.in
Globalcloudbackup.com

1 comment:

Maxence Rousseau said...

Hello,

This block has been reaffected to a new user.

So it's now a false positive to block it...

Please remove your filter !