Saturday, 22 February 2014

On the trail of 3NT Solutions LLP

Yesterday I blogged about a company called 3NT Solutions LLP apparently based in the UK and expressed my reservations about them as a business. They operate quite a large range of IP addresses, but a quick Google search shows pitifully little about this company.

Let's start our investigation by looking them up at Companies House. That gives some basic details:

3NT SOLUTIONS LLP
SUITE 4084
10 GREAT RUSSELL STREET
LONDON
ENGLAND
WC1B 3BQ
Company No. OC363382

LLPs are a relatively new type of company in the UK which allows a firm to be registered with the minimum of details, but there are reports that LLP structures are being widely abused. We'll have a look at the ownership in a moment, but first let's check out this grand-sounding office in Central London..


It is, in fact, the Bloomsbury branch of Mail Boxes Etc and "suite" is simply a euphemism for "mail box".. in other words, this is a mail drop address that most likely forwards any mail to another address, a trick that conceals the full owners of the company.

OK, so that address is a bust. But the WHOIS records for their IP blocks, and their previous registration at Companies House, show a different address:

DALTON HOUSE
60 WINDSOR AVENUE
LONDON
SW19 2RR

We can trundle over to that on Google StreetView too..


Dalton House is basically the same thing as the MBE address, it offers a brass plaque somewhere and a mail forwarding service. So no real clues as to ownership here either.

A trip back to Companies House to find their Company Register information [rtf] reveals very little, except two related companies in Belize.



LLP DESIGNATED MEMBER:  DARL IMPEX LTD
Appointed:              01/04/2011
Nationality:            NATIONALITY UNKNOWN
No. of Appointments:    1
Address:                35 NEW ROAD
                        BELIZE
                        BELIZE
                        NA

LLP DESIGNATED MEMBER:  LEGRANT TRADING LTD.
Appointed:              19/03/2013
Nationality:            NATIONALITY UNKNOWN
No. of Appointments:    1
Address:                BLAKE BUILDING SUITE 102, GROUND FLOOR, BLAKE BUIL
                        CORNER EYRE&HUTSON STREETS
                        BELIZE CITY
                        BELIZE
                        NA





Belize is pretty much a haven for offshore companies, so it is quite likely that these two Belize companies are owned by someone in a different country again.

The domain registration for 3nt.com doesn't really give any more information, and oddly enough their website is down (so how do they expect to attract business?). But if we do a WHOIS lookup on one of their IP ranges then it becomes much more clear.

inetnum:        5.61.32.0 - 5.61.47.255
netname:        INFERNO-NL-DE
descr:          ********************************************************
descr:          * We provide virtual and dedicated servers on this Subnet.
descr:          *
descr:          * Those services are self managed by our customers
descr:          * therefore, we are not using this IP space ourselves
descr:          * and it could be assigned to various end customers.
descr:          *
descr:          * In case of issues related with SPAM, Fraud,
descr:          * Phishing, DDoS, portscans or others,
descr:          * feel free to contact us with relevant info
descr:          * and we will shut down this server: abuse@3nt.com
descr:          ********************************************************
country:        DE
admin-c:        TNTS-RIPE
tech-c:         TNTS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-3NT
mnt-routes:     LEASEWEB-MNT
source:         RIPE # Filtered

person:         Neil Young
address:        3NT SOLUTIONS LLP
address:        DALTON HOUSE 60, WINDSOR AVENUE
address:        LONDON, UK
phone:          +442081333030
abuse-mailbox:  abuse@3nt.com
nic-hdl:        TNTS-RIPE
mnt-by:         MNT-3NT
source:         RIPE # Filtered

route:          5.61.32.0/20
descr:          Routed via LEASEWEB
origin:         AS16265
mnt-by:         OCOM-MNT
source:         RIPE # Filtered


Alright, let's cut a long story short because we know who this is.. it's Serbian web host inferno.name who have featured on this blog several times before all the way back to 2011. Similar records exist on all of 3NT's ranges, linking them firmly with inferno.name.
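The WHOIS pivot described above, as an added example that is not part of the original post: it parses a trimmed copy of the quoted RIPE record, converts the inetnum range to CIDR form for a block list, and collects the netname, contact and maintainer handles to compare across other ranges. The function names are assumptions of this example.

```python
import ipaddress
import re

PIVOT_KEYS = ("netname", "nic-hdl", "mnt-by", "abuse-mailbox", "origin")
# Trimmed copy of the RIPE record quoted above (descr/address lines omitted).
WHOIS_TEXT = """\
inetnum:        5.61.32.0 - 5.61.47.255
netname:        INFERNO-NL-DE
mnt-by:         MNT-3NT

person:         Neil Young
abuse-mailbox:  abuse@3nt.com
nic-hdl:        TNTS-RIPE
mnt-by:         MNT-3NT

route:          5.61.32.0/20
origin:         AS16265
"""

def parse_objects(text):
    """Split RPSL-style WHOIS text into objects, each a dict of attr -> [values]."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            if line.startswith(("%", "#")) or ":" not in line:
                continue                      # server comments, stray lines
            key, _, value = line.partition(":")
            obj.setdefault(key.strip().lower(), []).append(value.strip())
        if obj:
            objects.append(obj)
    return objects

def inetnum_to_cidrs(inetnum):
    """Turn 'first - last' into the minimal CIDR list a firewall or proxy ACL wants."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]

def pivots(objects):
    """Collect the handles worth comparing across an operator's other ranges."""
    found = {}
    for obj in objects:
        for key in PIVOT_KEYS:
            found.setdefault(key, set()).update(obj.get(key, []))
    return {key: sorted(vals) for key, vals in found.items() if vals}

if __name__ == "__main__":
    objs = parse_objects(WHOIS_TEXT)
    print(inetnum_to_cidrs(objs[0]["inetnum"][0]), pivots(objs))
```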

Now it's not a particular surprise to see that inferno.name is trading under a different name, as the scummy sites they host pretty much ruined their reputation. And yeah, this blog helped with that.

I had a look into some of 3NT's IP ranges and you can tell instantly from these samples [csv] that they are pretty low-grade spammy sites. What you can't tell from that list are the command and control servers that they run, and of course they also host malware.

The following IP ranges are allocated to 3NT Solutions LLP. I recommend that you block them.

In addition, these other (smaller) ranges are allocated to inferno.name and v3servers.net who are the same outfit. I also recommend that you block these:

5 comments:

Ari said...

Don't know if you have already noticed that they have many more IPs

for example
130.0.232.0 - 130.0.239.255
37.1.216.0 - 37.1.223.255

And if you check behind this link, there are a lot of websites, quite a few of them in Russia

http://myip.ms/view/ip_owners/20670/3Nt_Solutions_Llp.html

Conrad Longmore said...
This comment has been removed by the author.
Conrad Longmore said...

@Ari: those are..
37.1.216.0/21
130.0.232.0/21

They have strong Russian and Ukrainian connections as well as Serbia. Ukrainian hosts often serve as black-hat hosts for Russian criminals. Serbia and Russia also have close ties.. thanks for that other link.

Onedevteam com said...

Looks like it's the same guy as "hostkey".

http://myip.ms/view/web_hosting/112538/Hostkey_B_v.html

Onedevteam com said...

Looks like it's the same guy as "hostkey"...

http://myip.ms/view/web_hosting/112538/Hostkey_B_v.html