Safe BrowsingSome of those domains rang a bell to do with recent malware attacks. One odd thing that struck me was that this is a sparsely populated but relatively large collection of IP addresses that appear to be mostly allocated to broadband customers rather than web hosts.
Diagnostic page for AS198252 (ELTAKABEL-AS)
What happened when Google visited sites hosted on this network?
Of the 165 site(s) we tested on this network over the past 90 days, 6 site(s), including, for example, office-hosts.org/, invoice-ups.org/, refforwarding.eu/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2014-12-31, and the last time suspicious content was found was on 2014-12-26.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 10 site(s) on this network, including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that appeared to function as intermediaries for the infection of 525 other site(s) including, for example, webtretho.com/, detik.com/, zaodich.com/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that infected 572 other site(s), including, for example, webtretho.com/, detik.com/, zaodich.com/.
An investigation into what was lurking in this AS highlighted a problem block of 220.127.116.11/24 which contains very many bad sites, the WHOIS details for that block being..
inetnum: 18.104.22.168 - 22.214.171.124
descr: TXTV d.o.o. Tuzla
status: ALLOCATED PA
changed: email@example.com 20030807
changed: firstname.lastname@example.org 20040625
changed: email@example.com 20050719
changed: firstname.lastname@example.org 20081003
changed: email@example.com 20110804
changed: firstname.lastname@example.org 20140324
changed: email@example.com 20140325
org-name: TXTV d.o.o. Tuzla
address: TXTV d.o.o.
address: Admir Jaganjac
address: Focanska 1N
address: BOSNIA AND HERZEGOVINA
changed: firstname.lastname@example.org 20140324
person: Igor Krneta
address: Majora Drage Bajalovica 18
address: 78000 Banjaluka, BA
phone: +387 51 961 001
changed: email@example.com 20071126
descr: Inet subnet #1
changed: firstname.lastname@example.org 20061029
I highlighted the part of most interest, which appears to be a block suballocated to someone using the email address email@example.com.
I took a look at the sites hosted in this /24 and these are the results [csv]. There are 37 malicious websites (identified by Google) out of 185 that I found in this network range. The usual level of badness tends to be around 1%, but here it is 20%. Looking at the domains, it appears that there is nothing at all of value here and you can probably count them all as malicious.