Tuesday, 20 September 2016
Evil network: 18.104.22.168/28 et al (evolution-host.com, customer of OVH)
A list of the domains associated with those IPs can be found here [pastebin].
OVH have allocated the IP range to this customer:
org-name: Jason Reily
address: 32 Oldfarm Road
address: GB21DB London
There is no such address in London, the postcode is obviously invalid, and the telephone number appears to be an Irish mobile number. Checking the evolution-host.com domain reveals something similar:
Registrant Name: OWEN PHILLIPSON
Registrant Organization: EVOLUTION HOST
Registrant Street: 24 OLDFARM ROAD
Registrant City: LONDON
Registrant State/Province: LONDON
Registrant Postal Code: SW19 3RQ
Registrant Country: GB
Registrant Phone: +353.851833708
Registrant Phone Ext:
Registrant Fax: +44.7479012225
Registrant Fax Ext:
Registrant Email: firstname.lastname@example.org
Registry Admin ID:
Again, an invalid address with a different street number from before and an Irish telephone number. We can look at evolutionhost.co.uk too:
UK Sole Trader
24 Oldfarm Road
Nominet was able to match the registrant's name and address against a 3rd party data
source on 09-Feb-2014
Obviously Nominet's validation process isn't worth rat shit. The Evolution Host website appears to have no contact details at all.
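The manual checks above (postcode, phone country code, street number) can be scripted for triaging registrant records. This is an added example, not code from the original post: the function names, the calling-code table and the postcode-area list are assumptions typed in here, and the sample values are the ones quoted in the two records above. A postcode that passes is only plausibly shaped, which is why SW19 3RQ passes even though the street address does not exist.

```python
import re

# UK postcode areas (the leading letters), typed in here from the public list.
UK_AREAS = set("""AB AL B BA BB BD BH BL BN BR BS BT CA CB CF CH CM CO CR CT CV CW
DA DD DE DG DH DL DN DT DY E EC EH EN EX FK FY G GL GU HA HD HG HP HR HS HU HX
IG IP IV KA KT KW KY L LA LD LE LL LN LS LU M ME MK ML N NE NG NN NP NR NW OL OX
PA PE PH PL PO PR RG RH RM S SA SE SG SK SL SM SN SO SP SR SS ST SW SY TA TD TF
TN TQ TR TS TW UB W WA WC WD WF WN WR WS WV YO ZE""".split())
POSTCODE = re.compile(r"^([A-Z]{1,2})[0-9][A-Z0-9]? ?[0-9][A-Z]{2}$")
CALLING_CODE = {"GB": "44", "IE": "353"}  # assumed lookup table, extend as needed

def uk_postcode_plausible(code):
    """Shape and area check only; it cannot prove the address exists."""
    m = POSTCODE.match(code.strip().upper())
    return bool(m) and m.group(1) in UK_AREAS

def parse_whois(text):
    """Collect 'Key: value' lines into a dict, dropping empty values."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            rec[key.strip().lower()] = value.strip()
    return rec

def findings(rec):
    """Flag registrant fields that contradict the stated country."""
    out, country = [], rec.get("registrant country", "").upper()
    postcode = rec.get("registrant postal code", "")
    if country == "GB" and not uk_postcode_plausible(postcode):
        out.append(f"postcode {postcode!r} is not a plausible UK postcode")
    for field in ("registrant phone", "registrant fax"):
        m = re.match(r"\+(\d+)\.", rec.get(field, ""))
        if m and country in CALLING_CODE and m.group(1) != CALLING_CODE[country]:
            out.append(f"{field} uses +{m.group(1)}, expected +{CALLING_CODE[country]}")
    return out

def split_street(line):  # -> (house number, lower-cased street name) or None
    m = re.match(r"\s*(\d+)\s+(.+)", line)
    return (m.group(1), m.group(2).strip().lower()) if m else None
# Values copied from the two records quoted in the post.
DOMAIN_WHOIS = """Registrant Street: 24 OLDFARM ROAD
Registrant Postal Code: SW19 3RQ
Registrant Country: GB
Registrant Phone: +353.851833708
Registrant Fax: +44.7479012225"""
RIPE_STREET, RIPE_POSTCODE = "32 Oldfarm Road", "GB21DB"
if __name__ == "__main__":
    rec = parse_whois(DOMAIN_WHOIS)
    print(findings(rec), uk_postcode_plausible(RIPE_POSTCODE))
    print(split_street(RIPE_STREET), split_street(rec["registrant street"]))
```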
RIPE associates the tag ORG-JR46-RIPE with the following IP ranges, all rented from OVH. I suggest you block all of them:
A contact says that the IPs listed at the beginning of the post are the Neutrino Exploit Kit.