Monday, 21 July 2014

Something evil on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic)

Here is another bunch of Cushion Redirect sites closely related to this attack a few weeks ago, but this time hosted on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic). You can see the redirect in action in this URLquery report, and VirusTotal has a clear indication of badness on this IP.

All the sites are hijacked subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer. Domains in use are:

e-meskiesprawy24.com.pl
dora-explorer.co.uk
adultvideoz.net
alsancakescort.org
anadoluyakasiescort.asia


To give credit to the owners of dora-explorer.co.uk, they have spotted that something is wrong, although it looks like the nameservers of their webhost (eu1.downtownhost.com and eu2.downtownhost.com) are improperly secured.


A full list of all the subdomains I can find is here [pastebin]. I would recommend applying a temporary block to these domains until the webhost secures them, although the most effective way of securing your network is to permablock 188.120.198.1.

Recommended blocklist:
188.120.198.1
e-meskiesprawy24.com.pl
dora-explorer.co.uk
adultvideoz.net
alsancakescort.org
anadoluyakasiescort.asia

UPDATE: It definitely appears that downtownhost.com have not secured their nameservers, as a few more customer sites are being abused in this way. It appears that the attackers are going through downtownhost.com's customers in alphabetical order. For example, the following subdomains are in use:

dfmgjne934eod8khquq1axg.elluse.com
280pfzhnb4usz3hajazvtlw.eaila.com
zefh96abfex1r32md0jdh7p.e-oman.me

Additional sites to block:
elluse.com
eaila.com
e-oman.me
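As an added illustration (this is not part of the original post, nor anything from the hosting company), here is a small Python script that applies the blocklist above the way the post recommends: it flags traffic to the hosting IP, to any of the listed domains, and to any subdomain of those domains, since the abuse is via hijacked subdomains rather than the customers' own sites. The log lines are constructed for the example in a simplified proxy-log format (timestamp, client, method, URL, destination IP); the "long random label" heuristic (20 or more lowercase alphanumerics) is my own assumption based on the three hostnames shown in the update and is only reported alongside a domain match, never on its own.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the hosting IP and the hijacked domains.
BLOCKED_IP = "188.120.198.1"
BLOCKED_DOMAINS = {
    "e-meskiesprawy24.com.pl",
    "dora-explorer.co.uk",
    "adultvideoz.net",
    "alsancakescort.org",
    "anadoluyakasiescort.asia",
    "elluse.com",
    "eaila.com",
    "e-oman.me",
}

# Assumption: the abused hosts seen so far use one long random-looking label
# (e.g. dfmgjne934eod8khquq1axg.elluse.com is 23 lowercase alphanumerics).
RANDOM_LABEL = re.compile(r"^[a-z0-9]{20,}$")

# Constructed sample log lines, not real traffic. Destination IPs other than
# the blocklisted one are from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2014-07-21T10:01:05 10.0.0.12 GET http://dfmgjne934eod8khquq1axg.elluse.com/ 188.120.198.1
2014-07-21T10:01:09 10.0.0.12 GET http://www.example.org/index.html 192.0.2.10
2014-07-21T10:02:31 10.0.0.44 GET http://280pfzhnb4usz3hajazvtlw.eaila.com/x.php 188.120.198.1
2014-07-21T10:03:02 10.0.0.44 GET http://dora-explorer.co.uk/ 203.0.113.5
2014-07-21T10:04:17 10.0.0.51 GET http://188.120.198.1/ 188.120.198.1
"""


def blocked_domain_for(host):
    """Return the blocklisted domain that host equals or sits under, else None.

    Walks the label list from the left so that a.b.elluse.com matches elluse.com.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


def analyse(host, dest_ip):
    """Return the list of reasons a request should be blocked (empty if none)."""
    reasons = []
    if dest_ip == BLOCKED_IP:
        reasons.append("dest-ip " + BLOCKED_IP)
    parent = blocked_domain_for(host)
    if parent:
        reasons.append("domain " + parent)
        labels = host.lower().rstrip(".").split(".")
        # Only a hostname strictly below the blocked domain can be a hijacked subdomain.
        if len(labels) > len(parent.split(".")) and RANDOM_LABEL.match(labels[0]):
            reasons.append("random-label subdomain")
    return reasons


def scan_log(text):
    """Parse the simplified proxy log and return (client, host, reasons) for each hit."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, dest_ip = line.split()
        host = urlsplit(url).hostname or ""
        reasons = analyse(host, dest_ip)
        if reasons:
            hits.append((client, host, reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

Matching on the registered domain rather than on the exact hostname is the important design choice here: the attackers rotate the random subdomain labels, so a list of full hostnames (like the pastebin dump) goes stale quickly, whereas the parent domains and the hosting IP stay useful until the webhost fixes its nameservers.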

UPDATE 2: it looks like downtownhost.com have fixed the problem. These recently-flagged domains can now be considered to be safe.

4-cheap.co.uk
aandelenblog.be
apteka-erekcja.pl
arcadehaven.co.uk
bewegwijzeringborden.nl
bitfrog.co.uk
carpediemcosmetics.de
cewh-cesf.ca
charlie-lola.co.uk
check-email.org
cialis25.pl
clashofclanshackdownload.com
deepfryershop.co.uk
designwonen.be
dora-explorer.co.uk
eaila.com
elluse.com
e-meskiesprawy24.com.pl
e-meskiesprawy24.pl
e-oman.me

2 comments:

jorge catena said...

Who are you, and when and how did you contact us to say that we didn't even bother to answer your reports?

Conrad Longmore said...

@Jorge.

Support ticket #AAL-177-19100.

Thanks