Sponsored by..

Showing posts with label Blackhole. Show all posts
Showing posts with label Blackhole. Show all posts

Monday, 1 July 2013

Pinterest spam / pinterest.com.reports0701.net

This fake Pinterest spam leads to malware on pinterest.com.reports0701.net:

Date:      Mon, 1 Jul 2013 21:04:36 +0530
From:      "Pinterest" [naughtinessw5@newsletters.pinterest.net]
To:      [redacted]
Subject:      Your password on Pinterest Successfully changed!

[redacted]
  
Yor password was reset. Request New Password.
   
See Password    
       
Pinterest is a tool for collecting and organizing things you love.

This email was sent to [redacted].

Don?t want activity notifications? Change your email preferences.

�2013 Pinterest, Inc. | All Rights Reserved

Privacy Policy | Terms and Conditions
The link goes through a legitimate hacked site to end up on a malicious payload at [donotclick]pinterest.com.reports0701.net/news/pay-notices.php (report here and here) which contains an exploit kit. The malware is hosted on a subdomain of a main domain with fake WHOIS details (it belongs to the Amerika gang) which is a slightly new technique:

   June Parker parker@mail.com
   740-456-7887 fax: 740-456-7844
   4427 Irving Road
   New Boston OH 45663
   us

The following IPs are in use:
77.240.118.69 (Acens Technlogoies, Spain)
89.248.161.148 (Ecatel, Netherland)
208.81.165.252 (Gamewave Hongkong Holdings, US)

Recommended blocklist:
77.240.118.69
89.248.161.148
208.81.165.252
afabind.com
chinadollars.net
condalinneuwu5.ru
condalnua745746.ru
condalnuashyochetto.ru
ehnihjrkenpj.ru
ehnihujasebejav15.ru
ejoingrespubldpl.ru
gindonszkjchaijj.ru
gnanisienviwjunlp.ru
greli.net
gstoryofmygame.ru
meynerlandislaw.net
oydahrenlitutskazata.ru
patrihotel.net
pinterest.com.reports0701.net
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
spanishafair.com


Friday, 21 June 2013

"Unusual Visa card activity" spam / anygus.com

It's not usually like these guys to mess up so badly, but this FAIL of a Visa spam leads to malware on anygus.com. Note the bits in {braces} that should have content..

From:     Visa Anti-Fraud [upbringingve@visabusiness.com]
Date:     21 June 2013 17:36
Subject:     Unusual Visa card activity

we {l1} detected {l2} activity in your business visa account.

please click here to view {l4}
your case id is: {symbol}{dig}

look for unexpected charges or questionable activity, and if you see anything suspicious,don't wait to act.

this added security is to prevent any additional fraudulent charges from taking place on your account.


notice: this visa communication is furnished to you solely in your capacity as a customer of visa inc. (or its authorized agent) or a participant in the visa payments system. by accepting this visa communication, you acknowledge that the information contained herein (the "information") is confidential and subject to the confidentiality restrictions contained in visa's operating regulations, which limit your use of the information. you agree to keep the information confidential and not to use the information for any purpose other than in your capacity as a customer of visa inc. or a participant in the visa payments system. the information may only be disseminated within your organization on a need-to-know basis to enable your participation in the visa payments system.

please be advised that the information may constitute material nonpublic information under u.s. federal securities laws and that purchasing or selling securities of visa inc. while being aware of material nonpublic information would constitute a violation of applicable u.s. federal securities laws. this information may change from time to time. please contact your visa representative to verify current information. visa is not responsible for errors in this publication. the visa non-disclosure agreement can be obtained from your visa account manager or the nearest visa office.

this message was sent to you by visa, p.o. box 8999, san francisco, ca 94128. please click here to unsubscribe. 
Despite the errors in the email it still ends up going through a hacked legitimate site to a Blackhole Exploit kit at [donotclick]anygus.com/news/fewer_tedious_mentioning.php (report here) hosted on the following IPs:
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET Telecom, Pakistan)

Recommended blocklist:
193.254.231.51
202.147.169.211
anygus.com
appasnappingf.com
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
diamondbearingz.net
dirvers.net
drivesr.com
eheranskietpj.ru
ehnihjrkenpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
ergopets.com
ermitajohrmited.ru
ghroumingoviede.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
greli.net
gromimolniushed.ru
gstoryofmygame.ru
gurieojgndieoj.ru
jetaqua.com
joinproportio.com
multipliedfor.com
nipiel.com
oxfordxtg.net
oydahrenlitutskazata.ru
pc-liquidations.net
planete-meuble-pikin.com
profurnituree.com
reportingglan.com
reveck.com
rmacstolp.net
safe-browser.biz
sendkick.com
smartsecurityapp2013.com
televisionhunter.com
teszner.net
theislandremembered.com
trleaart.net
twintrade.net
widnows.net
winne2000.net
winudpater.com
ww2.condalinneuwu5.ru
www.condalinarad72234652.ru


Wednesday, 12 June 2013

Fedex spam / oxfordxtg.net

This fake FedEx spam leads to malware on oxfordxtg.net:

Date:      Thu, 13 Jun 2013 01:18:09 +0800 [13:18:09 EDT]
From:      FedEx [wringsn052@emc.fedex.com]
Subject:      Your Fedex invoice is ready to be paid now.

FedEx(R)     FedEx Billing Online - Ready for Payment

        fedex.com        
       
Hello [redacted]
You have a new outstanding invoice(s) from FedEx that is ready for payment.

The following ivoice(s) are to be paid now :

Invoice Number
 5135-13792

To pay or review these invoices, please sign in to your FedEx Billing Online account by clicking on this link: http://www.fedex.com/us/account/fbo

Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo

Thank you,
Revenue Services
FedEx


    This message has been sent by an auto responder system. Please do not reply to this message.

The content of this message is protected by copyright and trademark laws under U.S. and international law.
Review our privacy policy. All rights reserved.

The link in the email goes through a legitimate hacked site and ends up on a malware payload page at [donotclick]oxfordxtg.net/news/absence_modern-doe_byte.php (report here) hosted on:

124.42.68.12 (Langfang University, China)
190.93.23.10 (Greendot, Trinidad and Tobago)

The following partial blocklist covers these two IPs, but I recommend you also apply this larger blocklist of related sites as well.
124.42.68.12
190.93.23.10
biati.net
condalinneuwu5.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
eheranskietpj.ru
ejoingrespubldpl.ru
gnunirotniviepj.ru
gstoryofmygame.ru
icensol.net
janefgort.net
jetaqua.com
klosotro9.net
mortolkr4.com
myhispress.com
nipiel.com
onlinedatingblueprint.net
oxfordxtg.net
oydahrenlitutskazata.ru
pnpnews.net
smartsecurityapp2013.com
trleaart.net
twintrade.net
usforclosedhomes.net


Tuesday, 11 June 2013

Something evil on 173.255.213.171

As a follow-up to this post, the exploit server on 173.255.213.171 (Linode, US) is hosting a number of hijacked GoDaddy-registered domains that are serving an exploit kit [1] [2]. If you are unable to block 173.255.213.171 then I would recommend the following blocklist:

ccrtl.com
eaglebay5.com
eaglebay-eb5.com
gosuccessmode.com
hraforbiz.com
margueritemcenery.com
mceneryfinancial.com
megmcenery.com
shrinerapparel.com
shrinersapparel.com
shrinersapparel.net
supportquilting.com
taxfreeincomenow.com
taxfreeincomenow.info
taxfreeincomenow.net
taxfreeincomenow.org
tmgfinancial.org
tmginsurance.org
uniformexpert.com
uniformexperts.com
uniformoutfitter.net
uniformoutfitters.net
wcaband.org

Thursday, 16 May 2013

Walmart.com spam / bestunallowable.com

This fake Walmart spam leads to malware on bestunallowable.com:

From:     Wallmart.com [deviledm978@news.wallmart.com]
Date:     16 May 2013 14:02
Subject:     Thanks for your Walmart.com Order 3795695-976140

Walmart    
Visit Walmartcom  |     Help  |     My Account  |     Track My Orders

[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping

• You'll receive another email, with tracking information, when your order ships.

• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
      Ship to Home    
   

Hannah Johnson
1961 12 Rd
Orange, NC 68025-3157
USA
   

Walmart.com     Order Number: 3795695-976140
Ship to Home - Standard
Items     Qty     Arrival Date     Price
Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV     1     Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home.     $898.00
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
See our Returns Policy or
contact Customer Service     Walmart.com Total:     $960.86
Order Summary
Order Date:     05/15/2013
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
Order Total:     $960.86
Credit card:     $960.86
       
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,

Your Walmart.com Customer Service Team
www.walmart.com


Rollbacks     Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
   
©Walmart.com USA, LLC, All Rights Reserved.

 The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable.com/news/ask-index.php (report here) hosted on:

108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)

The WHOIS details are characterstic of the Amerika gang:
   Administrative Contact:
   McDonough, Tara  ukcastlee@mail.com
   38 Wee Burn Lane
   DARIEN, CO 06820
   US
   2036566697

Blocklist (including nameservers):
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
bestunallowable.com
biati.net
contonskovkiys.ru
curilkofskie.ru
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
icensol.net
janefgort.net
klosotro9.net
mortolkr4.com
nopfrog.pw
otophone.net
outlookexpres.net
peertag.com
pinformer.net
priorityclub.pl
recorderbooks.net
smartsecurity-app.com
twintrade.net
virgin-altantic.net
zonebar.net

Wednesday, 15 May 2013

Something evil on 184.95.51.123

184.95.51.123 (Secured Servers LLC, US / Jolly Works Hosting, Philippines) appears to be trying to serve the Blackhole Exploit kit through an injection attack (for example). The payload appears to be 404ing when viewed in the automated tools I am using, but indications are that the malware on this site is still very much live.

The domains on this server belong to a legitimate company, Lifestyle exterior Products, Inc. of Florida who are probably completely unaware of the issue.

These following domains are all flagged by Google as being malicious, and are all based on  184.95.51.123. I would recommend blocking the IP if you can, else the domains I can find are listed below:

exteriorbylifestyle.com
hurricanesafecard.com
hurricanesavingsgift.com
hurricaneshuttersdiscount.com
hurricaneshuttersgift.com
hurricaneshuttersrebate.com
hurricanestormsavings.com
hurricanestrength.com
hurricanestrengthsavings.com
lifelinewindows.com
lifestylebonita.com
lifestyleestero.com
lifestyleexcellence.com
lifestyleexterior.com
lifestyleexteriorstrong.com
lifestyleexteriorwindows.com


Thursday, 2 May 2013

LinkedIn spam / guessworkcontentprotect.biz

This fake LinkedIn email leads to malware on guessworkcontentprotect.biz:

From:     LinkedIn Invitations [giuseppeah5@mail.paypal.com]
Date:     2 May 2013 16:49
Subject:     LinkedIn inviation notificaltion.
   
LinkedIn
This is a note that on May 2, Lewis Padilla sent you an invitation to join their professional network at LinkedIn.
Accept Lewis Padilla Invitation
   
On May 2, Lewis Padilla wrote:

> To: [redacted]
>
> I'd like to join you to my professional network on LinkedIn.
>
> Lewis Padilla    
   
You are receiving Reminder emails for pending invitations. Unsubscribe.
© 2013 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA. 
The malicious payload is at [donotclick]guessworkcontentprotect.biz/news/pattern-brother.php (report here) hosted on:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)
203.190.36.201 (Kementerian Pertanian, Indonesia)

Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24
203.190.36.201
app-smart-system.com
contonskovkiys.ru
curilkofskie.ru
egetraktovony.ru
exrexycheck.ru
fenvid.com
frustrationpostcards.biz
gangrenablin.ru
gatareykahera.ru
guessworkcontentprotect.biz
janefgort.net
klosotro9.net
miniscule.pl
mortolkr4.com
peertag.com
priorityclub.pl
smartsecurity-app.com
zonebar.net

Tuesday, 23 April 2013

Something evil on 173.246.104.104

173.246.104.104 (Gandi, US) popped up on my radar after a malvertising attack apparently utilising a hacked OpenX server (I'm not 100% which one so I won't name names) and leading to a payload on [donotclick]laserlipoplasticsurgeon.com/news/pint_excluded.php (report here).

Both VirusTotal and  URLquery detect multiple malicious domains on this IP. It appears that the domains were originally legitimate, but it looks like they have been hijacked by the bad guys somehow. Domains that are flagged by Google as being malicious are marked in  red  (which is most of them!). I recommend that you apply the following blocklist for the time being:

173.246.104.104
kneetite.com
labodysculpt.com
lacellulaze.com
laserabs.com
laserbod.com
laserbodycontour.com
laserbodyfit.com
laserbodysculpt.com
laserbodysculpt.info
laserbodysculpt.net
laserbodysculpt.org
laserbodyshape.com
laserbodytight.com
laserfigure.com
laserlipobanking.com
laserlipofirm.com
laserlipomanhattan.com
laserlipoplasticsurgeon.com
laserlipo-plasticsurgeon.com
laserlipoplasticsurgeons.com
laserlipo-plasticsurgeons.com
laserlipopro.com
laserliposolution.com
laser-sculpt.com
laser-sculpting.com


Update:
I really do recommend blocking all the domains on this IP, including kneetite.com (see report) and these following ones which have also been discovered on the same server.
laserlipotight.com
laserlipotopdocs.com
laserniptuck.com




Monday, 22 April 2013

"Loss Avoidance Alerts" spam / tempandhost.com

I haven't seen this particular spam before. It leads to malware on tempandhost.com:

Date:      Tue, 23 Apr 2013 05:41:32 +0900 [16:41:32 EDT]
From:      personableop641@swacha.org
Subject:      4/22/13 The Loss Avoidance Alerts that you requested are now available on the internet

Loss Avoidance Alert System

April 22, 2013
  
Loss Avoidance Report:
The Loss Avoidance Alerts that was processed are now available   on a secure website at:

www.lossavoidancealert.org

http://www.lossavoidancealert.org

Alerts:

CL0017279 – Sham Checks (ALL)

Note: If the Alert Number does not appear on the Home Page - just go to the top left Search Box,
enter the Alert Number and hit Go.


Thank you for your participation!
Loss Avoidance Alert System Administrator

This email is confidential and intended for the use of the individual to whom it is addressed.  Any views or opinions presented are solely
those of the author and do not necessarily represent those of SWACHA-The Electronic Payments Resource.   SWACHA will not be held
responsible for the information contained in this email if it is not used for its original intent.  Before taking action on any information contained
in this email, please consult legal counsel.   If you are not the intended recipient, be advised that you have received this email in error and that any use,
dissemination, forwarding, printing or copying of this email is strictly prohibited.
If you received this email in error, please contact the sender.



The link in the email appears to point to www.lossavoidancealert.org but actually goes through a legitimate hacked site (in this case [donotclick]samadaan.com/wp-content/plugins/akismet/swacha.html) to a landing page of [donotclick]tempandhost.com/news/done-heavy_hall_meant.php or [donotclick]tempandhost.com/news/done-meant.php (sample report here and here) which is.. err.. some sort of exploit kit or other. It doesn't seem to be responding well to analysis tools, which could either indicate overloading or some trickery, most likely something very like this. Anyway, tempandhost.com is hosted on the following servers:

1.235.183.241 (SK Broadband Co Ltd, Korea)
46.183.147.116 (Serverclub.com, Netherlands)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)

The WHOIS details indicate that this is the Amerika crew:

   Administrative Contact:
   clark, emily                twinetourt@aol.com
   38b butman st
   beverly, MA 01915
   US
   9784734033

Blocklist:
1.235.183.241
46.183.147.116
155.239.247.247
202.31.139.173
airtrantran.com
antidoterskief.net
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko5.ru
conficinskiy.ru
contonskovkiys.ru
cormoviesutki.ru
curilkofskie.ru
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
dyntic.com
excuticoble.ru
fenvid.com
fenvid.com
gatareykahera.ru
hurienothing.ru
independinsy.net
klosotro9.net
libertyusadist.info
mortalsrichers.info
peertag.com
ricepad.net
securitysmartsystem.com
tempandhost.com
thesecondincomee.com
zonebar.net


Wednesday, 3 April 2013

Something evil on 151.248.123.170

151.248.123.170 (Reg.ru, Russia) appears to be active in an injection attack at the moment. In the example I saw, the hacked site has injected code pointing to [donotclick]fdozwnqdb.4mydomain.com/jquery/get.php?ver=jquery.latest.js which then leads to a landing page on [donotclick]db0umfdoap.servegame.com/xlawr/next/requirements_anonymous_ordinary.php (report here but times out) which from the URL looks very much like a BlackHole Exploit kit.

This server hosts a lot of sites using various Dynamic DNS domains. I would recommend blocking the Dynamic DNS domains as a block rather than trying to chase down these bad sites individually. In my experience, Dynamic DNS services are being abuse to such an extent that pre-emptive blocking is probably the safest approach.

These are the domains I can see:
41y7kr.servehttp.com
96ztorwy89.serveblog.net
aehwmcqgx.myddns.com
ahbedbxyo.myfw.us
aivcdizhr.myfw.us
b57idtwn.servehalflife.com
bjtujinsl.changeip.org
bu3l0d4s.serveftp.com
bunahyfba.dns04.com
c9c7gldpp.serveblog.net
cigtdye.changeip.org
cuhadjcnyl.myfw.us
d15txn.servepics.com
db0umfdoap.servegame.com
dzrdmz.youdontcare.com
fapqdfckws.serveusers.com
fdozwnqdb.4mydomain.com
fdqeeo.freeddns.com
fxtloji.serveusers.com
geiuut.itemdb.com
grtyxl.xxuz.com
gxodzugrgq.mypicture.info
hgibkcayvxc.myfw.us
hrxivk.ddns.us
hyjantahjuc.myfw.us
hzfkim.ns01.info
idapjl.port25.biz
igwvypnsne.ftpserver.biz
jghdbtvxgj.ns3.name
jjjpbhx.4pu.com
jziirhsxi.dns04.com
keuiawjhbb.itemdb.com
kptslcbrbg.dsmtp.com
lgjkvp.ddns.us
motxke.dns04.com
mzfpmox.mysecondarydns.com
ngt5lcgnp.3utilities.com
objdjjhjpw.port25.biz
ozcffpa.jetos.com
ppmvfcrlw.youdontcare.com
ptdvlxyn.dsmtp.com
qcoidxrbod.ns02.us
rpsbccts.jetos.com
simiawbsilu.myfw.us
smysfr.ddns.ms
sufgrgzpj.ns3.name
swsdsr.mypicture.info
tbrfrz.lflinkup.net
toqmibzken.dynamicdns.biz
uouxhr.serveusers.com
uv985f.no-ip.info
vnlvrwkat.port25.biz
voc0cjieh.servehttp.com
vvecozzd.ns3.name
w5zik4js.sytes.net
wenrtsjzbc.myfw.us
yupbgt.4pu.com
zenj6u.no-ip.org
zjbihpktdn.myfw.us

This is what I recommend that you block:
151.248.123.170
3utilities.com
4mydomain.com
4pu.com
changeip.org
ddns.ms
ddns.us
dns04.com
dsmtp.com
dynamicdns.biz
freeddns.com
ftpserver.biz
itemdb.com
jetos.com
lflinkup.net
myddns.com
myfw.us
mypicture.info
mysecondarydns.com
no-ip.info
no-ip.org
ns01.info
ns02.us
ns3.name
port25.biz
serveblog.net
serveftp.com
servegame.com
servehalflife.com
servehttp.com
servepics.com
serveusers.com
sytes.net
xxuz.com
youdontcare.com

Wednesday, 20 February 2013

Something evil on 62.212.130.115

Something evil seems to be lurking on 62.212.130.115 (Xenosite, Netherlands) - a collection of sites connected with the Blackhole exploit kit, plus indications of evil subdomains of legitimate hacked sites. All-in-all, this IP is probably worth avoiding.

Firstly, there are the evil subomains that have a format like 104648746540365e.familyholidayaccommodation.co.za - these are mostly hijacked .co.za and .cl domains.

The following list contains the legitimate domains and IPs that appear to have been hijacked. Ones marked in  red   have been flagged as malicious by Google. Remember, these IPs are not evil, it is just the subdomains that are (on a different IP).

190.196.23.231 (clean)
sanjoselosandes.cl
liceomixto.cl
servicioseximia.cl
siitec.cl
sictral.cl
specialdetail.cl
sycabogados.cl

199.34.228.100 (clean)
delfinos.co.za

208.70.149.57 (clean)
cafehavana.co.za
destinationsunlimited.co.za
firearmlicence.co.za
dolceluce.co.za

firearmsafe.co.za
firearmlicense.co.za
familysuite.co.za
bolandparkhotel.co.za
gamesmodels.com
onthebeachjbay.com
disc-deals.com

The second bunch of domains appear to be connected with the Blackhole Exploit kit (according to this report) and can be assumed to be malicious, and are hosted on 62.212.130.115:

google-statistic.in
libola.com
minizip.org
msdbug.com
msrst.com
nlsdl.org
ntdsapi.com
ntmsdba.com
pifmgr.org
piparse.com
spam-rep-service.in

This third group are almost definitely malicious and are on the same server:

garmonyoy.eu
harmonyoy.eu
kinyng.ru
ntimage.net
ntmsapi.net
ntmsmgr.net
pastaoyto.eu
plustab.net
polstore.net
puntooy.eu
pvzvnp.ru
rvwwko.ru

The final group is where it gets messy. These are malicious subdomains that either are on (or have recently been on)  62.212.130.115. It looks like they are hardened against analysis, but they certainly shouldn't be here and can be assumed to be malicious too,

54fd8c9fa1abf2b5.firearmsafe.co.za
32464a746740345e.familysuite.co.za
fece86cc9b68c8761151711302121857a5da12fce1b0b.sanjoselosandes.cl
ba7562877f032c1d0160451302111347717339942fd25832980fc947bbaab6e.liceomixto.cl    104698f48570d66e01910213021108078ff41b00051a92fb8f.liceomixto.cl
897581b79c33cf2d016045130210212851378959885060ea5995f416222722b.liceomixto.cl
cd028570a864fb7a01402413021722022144552c318ce7cab9e09a0d2a6a8b5.cafehavana.co.za
23753bc716e345fd114110130218141121065128682695243c3a6e68eaa454c.destinationsunlimited.co.za
23753bc716e345fd119181130218123421084144fafd9a8a2ecee7c9e8a813d.destinationsunlimited.co.za
23753bc716e345fd.destinationsunlimited.co.za
fefd56cf7bfb28e501402413021916372140748bad59371eb615c227bcf6494.firearmlicence.co.za
fefd56cf7bfb28e50191851302191616816357255aa3a775d33e0e87031dabd.firearmlicence.co.za
efce974cba68e97601902413021819141134725bc512d95c3a3367364f60e7f.dolceluce.co.za
54fd8c9fa1abf2b50152021302192150218227543eacf3e65962cfa456e6742.firearmsafe.co.za
54fd8c9fa1abf2b50190551302192029115216056c76db44aa04bf200b3dd64.firearmsafe.co.za
54fd8c9fa1abf2b501511113021919479278009323500c592bf3b0a3e0e48b8.firearmsafe.co.za
54fd8c9fa1abf2b5115023130219202841813244c0634fe85c4f0d28b6001ac.firearmsafe.co.za
54fd8c9fa1abf2b511511113021920019153428450b973995f121f87d07597d.firearmsafe.co.za
54fd8c9fa1abf2b5019003130219205011588175e845eee9fba56981ef9762f.firearmsafe.co.za
54fd8c9fa1abf2b5019184130219200951610365d41a651918d996c2262265f.firearmsafe.co.za
1002a8108524d63a01411013021917377210805bc813254f0b52ddadc7a4fb6.firearmlicense.co.za
1002a8108524d63a0190861302191834518734754e1569db098dc04657268c7.firearmlicense.co.za
1002a8108524d63a015135130219171541448694b4a5ad611740bce908b41e9.firearmlicense.co.za
1002a8108524d63a01608613021918067148673452fc4f3b25e4a92991e388c.firearmlicense.co.za
32464a746740345e0140861302191352721746257b791a8cb29212692450169.familysuite.co.za
ab02b3809e94cd8a0141851302171831719273654b106add758c4d1ea448054.bolandparkhotel.co.za
fe3116d33bd768c9014185130217152321157054e238a5d15e6899e06b4a256.bolandparkhotel.co.za
ab02b3809e94cd8a014014130217181671594515d6908be7ac815a5c8aec9bd.bolandparkhotel.co.za
104648746540365e.familyholidayaccommodation.co.za
2375dba7f6b3a5ad01900313021810166108414bc5043b30fcbf6df10ac0d36.delfinos.co.za
2375dba7f6b3a5ad.delfinos.co.za
2375dba7f6b3a5ad1141101302181050617308286822211b6e41c16bae4a8ad.delfinos.co.za
104618a40570566e0190861302141716512521554e01e13647caa0d7585e0a2.servicioseximia.cl
104618a40570566e01608613021416261099221452fc4f3fddf44bf19ce67a3.servicioseximia.cl
cd46f5c4e810bb0e014029130214200431169736dd938489c7b1b51af4b6f74.servicioseximia.cl
cd46f5c4e810bb0e0142031302142008713472502551149f67b7bdb45a92f07.servicioseximia.cl
104618a40570566e019096130214190761242645133a051309afb24913257bb.servicioseximia.cl
104618a40570566e01900713021417086116022bad56157e487133b8039b0fb.servicioseximia.cl
104618a40570566e.servicioseximia.cl
dc8a5458498c1a92019024130215034191505755a15eef17404dfc7a914c407.siitec.cl
fe7596178bc3d8dd01515913021423367212073189eb0ffdcfd7bc050f5cc84.sictral.cl
fe7596178bc3d8dd01612913021501048032017adf505b4a51493df8d7e7e8b.sictral.cl
01ce199c04785766.specialdetail.cl
01ce199c047857661140151302151103607956789e2ef312e860b4529ed0fdc.specialdetail.cl
76fdbedfa36bf075014025130213175772228515fdfce25de6ebd91bd067892.sanjoselosandes.cl
23fdcb3fd68b859511416113021320291114120d5436e9454395fe51a4f8bd4.sanjoselosandes.cl
32fd2a6f37db64c501613813021307218103025988506029ed2c2b5c8df9915.sanjoselosandes.cl
5431bca3a167f27901604513021414306142650adf4cf112a9c89769565e055.sanjoselosandes.cl
45fdad0fb0abe3b5.sanjoselosandes.cl
54fdec0ff1cba2d5.sanjoselosandes.cl
23fdcb3fd68b859501612913021321298189883d812e2a7244210d47d2832e5.sanjoselosandes.cl
fece86cc9b68c876.sanjoselosandes.cl
dcceb41ca9a8fab6.sanjoselosandes.cl
98fd50bf4d1b1e05019086130212235552028805ddb0cd40d31dd927eda2037.sanjoselosandes.cl
76fdbedfa36bf07501916613021318165124581972ac37159baca15f93b3b48.sanjoselosandes.cl
23fdcb3fd68b859501916113021320155132506020b16ab30472c9a28008598.sanjoselosandes.cl
76fdbedfa36bf07501612913021318103106829d074104b45444a6bd90368bb.sanjoselosandes.cl
76fdbedfa36bf07501902413021317264126483b1287cb246f1c65418b6a03c.sanjoselosandes.cl
cd8a85e8984ccb5211409913021215378176886b2072dbee3d87f6b240713fd.sanjoselosandes.cl
ef46f7f4ea10b90e.sycabogados.cl
45b90ddb20ff73e1.disc-deals.com
89fd717f5c4b0f5511511113021922528294810b80d17e6193d54e6faa102d8.gamesmodels.com
89fd717f5c4b0f55014185130219223852203155b41df139190d76dfce35e2c.gamesmodels.com
89fd717f5c4b0f550151311302192250727293718c48e6c9eab856d51453cbe.gamesmodels.com
0102d920f434a72a.chinese.onthebeachjbay.com





Thursday, 14 February 2013

Something evil on 92.63.105.23

Looks like a nasty infestion of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia) - see an example of the nastiness here (this link is safe to click!). The following domains are present on this address, although there are probably more.

ueizqnm.changeip.name
fmmrlp.ddns.name
qhtqqtxqua.onmypc.org
jakrcr.changeip.org
slnpqel.lflinkup.org
ydrehhvgjz.ezua.com
hurocozr.onedumb.com
sspmrwli.jkub.com
gifqravi.dnsrd.com
uzdknpz.4dq.com
aotztod.almostmy.com
ttenmxqq.vizvaz.com
axyaqb.xxuz.com
ywtxkebtx.ns01.info
rmvpfdg.onmypc.info
zzxvxyi.mydad.info
iselktnfo.xxxy.info
fgzsnergle.compress.to
wjbluj.ns01.us
yxbbvktub.myfw.us
hxlxxaqntaxb.myfw.us
rqjghacecazb.myfw.us
oxegwgflld.myfw.us
hvdkdcgae.myfw.us
hhifsoine.myfw.us
nsnybecste.myfw.us
jebrglmzye.myfw.us
fowgvslqqvgf.myfw.us
mqqpwxjlf.myfw.us
hfkfeuqfvzf.myfw.us
ukwwwhkamh.myfw.us
tvodqreyyyh.myfw.us
aokeufvoci.myfw.us
ejyffxuookfi.myfw.us
qhbkyfehpbzi.myfw.us
idjgpnkmaj.myfw.us
sqqqrsnozlgj.myfw.us
kqpaxhumj.myfw.us
elfncrfubk.myfw.us
qeavazuugk.myfw.us
pbvmirnwk.myfw.us
miptvfzufwal.myfw.us
ookzctlfazdl.myfw.us
rjrzcrswqhl.myfw.us
hhzlhizlbil.myfw.us
lwztritpzuvl.myfw.us
erlsgwzbgwl.myfw.us
eslwbgkgyqhm.myfw.us
bkhrwvxblnm.myfw.us
ngcfuanjtm.myfw.us
orownhbgn.myfw.us
rwdpuifin.myfw.us
jjxhjygwcnln.myfw.us
azddoalylxsn.myfw.us
dfredwpcun.myfw.us
xglzbowlmuco.myfw.us
jtzxmudxtno.myfw.us
phibmvaqsap.myfw.us
tuobdghfp.myfw.us
ybzwfyvadq.myfw.us
gvbxwmicjvq.myfw.us
abtqgybicghr.myfw.us
hqzgrwmorws.myfw.us
kwjgjnmmcu.myfw.us
csllshncxdu.myfw.us
cbqlthvefhv.myfw.us
eivxprpbemv.myfw.us
yowbgyyykemw.myfw.us
jmmbspisw.myfw.us
aadhvxiftw.myfw.us
lswgpbvvkukx.myfw.us
zwzfvpxksyx.myfw.us
aggwgeskrby.myfw.us
jjfzmzfkoky.myfw.us
okctxkxny.myfw.us
jeyqstlybz.myfw.us
yxkgtyqmz.myfw.us
sqazmgapz.myfw.us
esuifzeipsz.myfw.us
pjkcyvzcyz.myfw.us
cejkopsbv.port25.biz
rawvgbygj.gr8name.biz
gyomtcnzc.dhcp.biz
efdghpug.sexxxy.biz

Tuesday, 12 February 2013

Something evil on 192.81.129.219

It looks like there's a nasty case of the Blackhole Exploit kit on 192.81.129.219 (see example). The IP is controlled by Linode in the US who have been a bit quiet recently. Here are the active domains that I can identify on this IP:

17.soldatna.com
17.coloryourpatiowholesale.com
17.silvascape.com
17.dcnwire.com
17.canyonturf.com
17.kdebug.com
17.soldatnacapital.com
17.swvmail.com
17.drycanyon.com
17.wolfmountaingroup.com
17.designerbiochar.com
17.easygardencolor.com
17.devicelogics.com
17.springwoodventures.com
17.designersoils.com
17.drdos.com
17.wolfmountainproducts.com
17.soldatnainvestments.com
17.themulchpit.com
17.soleradevelopment.com
17.silvasport.com
17.scenicdesign.us
17.dailyexpress.us
17.canyonturf.net
17.southwesttelecom.net
17.wlfmtn.net
17.coloryourpatio.net
17.designersoils.net
17.scenicdesign.biz

Friday, 1 February 2013

Something evil on 50.116.40.194

50.116.40.194 (Linode, US) is hosting the Blackhole Exploit Kit (e.g. [donotclick]14.goodstudentloans.org/read/walls_levels.php - report here) and seems to have been active in the past 24 hours. I can see two domains at present, although there are probably many more ready to go:

14.goodstudentloans.org
14.mattresstoppersreviews.net

Tuesday, 22 January 2013

Cheeky exploit kit on avirasecureserver.com

What is avirasecureserver.com? Well, it's not Avira that's for sure.. it is in fact a server for the Blackhole Exploit Kit.

This site is hosted on 82.145.57.3, an Iomart / Rapidswitch IP that appears to have been reallocated to:
person:         Dimitar Kolev
address:        QHoster Ltd
address:        Apt 1859
address:        Chynoweth House
address:        Trevissome Park
address:        Truro
address:        TR4 8UN
address:        GB
phone:          +13232180069
abuse-mailbox:  abuse@qhoster.com
nic-hdl:        DK5560-RIPE
mnt-by:         RAPIDSWITCH-MNT
source:         RIPE # Filtered


Trevissome Park is a small business park in Cornwall, there certainly isn't a building with over 1000 apartments there, so we can assume that "Apt" is a euphemism for a post box. There's also no company in the UK called QHoster Ltd. In fact, if we check the QHoster.com domain we can see that it is a Bulgarian firm:

    QHoster Ltd.
    Dimitar Kolev        (domains@qhoster.net)
    27 Nikola D. Petkov Str.
    Sevlievo
    Gabrovo,5400
    BG
    Tel. +359.898547122
    Fax. +359.67535954

QHoster has an IP block of 82.145.57.0/25 suballocated to it. A quick poke around indicates not much of value in this range, you may want to consider blocking the /25 as a precaution.



Friday, 14 December 2012

Something evil on 87.229.26.138

This seems to be a bunch of evil domains on 87.229.26.138 (Deninet, Hungary) being used in injection attacks. Possible payloads include Blackhole (for example).

There are two sets of domains, .in domains being used by themselves and .eu domains being used with subdomains, listed below.

The registration details are probably fake, but for the record the .eu domains are registered to:
Juha Salonen
Lukiokatu 23
13430 Hameenlinna
Hameenlinna
Finland
salonen_juha@yahoo.com


The .in domains are registered to:
Puk T Lapkanen
Puruntie 33
LAPPEENRANTA
53200
FI
+358.443875638
puklapkanen@yahoo.com


If you can block the IP address then it will be the simplest option as there are rather a lot of domains here:

krvrkh.in
pmkvyh.in
hqzzpk.in
wkhmyk.in
ymjjjm.in
lupszm.in
gguwvn.in
znztip.in
onylkp.in
jlqrnp.in
yyssyr.in
nxwktt.in
zpjhjv.in
zjmnwv.in
ypmptx.in
humswz.in

quoorh.eu
zxlngj.eu
lxtnmm.eu
lrqjrn.eu
knxhsn.eu
pzgztn.eu
wokjpq.eu
lkowgs.eu
hiikrs.eu
knvutt.eu
smqtnu.eu
tmkvmv.eu
ihltwv.eu
prhhvw.eu
sowxyw.eu
utppry.eu

anshg.quoorh.eu
hjzg.quoorh.eu
utkvvk.quoorh.eu
krqm.quoorh.eu
rueyn.quoorh.eu
cdnro.quoorh.eu
xdxp.quoorh.eu
qrhxp.quoorh.eu
vtr.quoorh.eu
zrlrrs.quoorh.eu
dvyy.quoorh.eu
vymf.zxlngj.eu
xjpf.zxlngj.eu
xxvcj.zxlngj.eu
radcm.zxlngj.eu
lixcmn.zxlngj.eu
nnn.zxlngj.eu
hwpdq.zxlngj.eu
akiy.zxlngj.eu
mvtrn.lxtnmm.eu
ygz.lxtnmm.eu
hkauh.lrqjrn.eu
aqsf.knxhsn.eu
mqjpl.pzgztn.eu
wmmj.wokjpq.eu
plfztn.wokjpq.eu
fyqwrv.wokjpq.eu
prz.wokjpq.eu
ygh.lkowgs.eu
jasiv.hiikrs.eu
gechga.knvutt.eu
dxcypc.knvutt.eu
pod.knvutt.eu
sie.knvutt.eu
pdlgf.knvutt.eu
qvxqj.knvutt.eu
xdp.knvutt.eu
ikp.knvutt.eu
foxq.knvutt.eu
snt.knvutt.eu
wou.knvutt.eu
env.knvutt.eu
xor.knvutt.eu
pllrcn.knvutt.eu
stgc.smqtnu.eu
uknqc.smqtnu.eu
ynkf.smqtnu.eu
sgph.smqtnu.eu
sgo.smqtnu.eu
nlcowd.tmkvmv.eu
amp.tmkvmv.eu
wbs.tmkvmv.eu
uvpne.ihltwv.eu
vfjrn.ihltwv.eu
zlpttn.ihltwv.eu
xlt.ihltwv.eu
kcvvct.prhhvw.eu
kda.sowxyw.eu
kvb.sowxyw.eu
jbjol.sowxyw.eu
hegr.sowxyw.eu
maizss.sowxyw.eu
jfeu.sowxyw.eu
ozku.sowxyw.eu
rgpxz.sowxyw.eu
houqw.utppry.eu

Tuesday, 23 October 2012

President of French Polynesia (presidence.pf) hacked?

presidence.pf is the web site of the President of French Polynesia, it is hosted on 202.3.245.13 by the Tahitian ISP MANA (along with an alternative domain of presid.pf).

Unfortunately, that's not the only thing lurking on 202.3.245.13. Yesterday I spotted an exploit kit on the same IP, probably Blackhole 2. An examination of the server shows the presence of the following malicious domains on the same IP:

fidelocastroo.ru
secondhand4u.ru
windowonu.ru


There's no evidence that the websites presidence.pf or presid.pf are dangerous, but there are other web sites on the same server which certainly do appear to be quite toxic..

Now, French Polynesia isn't the biggest place in the world, but it's the first time I've seen the site of a president of anywhere potentially compromised in this way.

Thursday, 11 October 2012

Blackhole sites to block 11/10/12

A bunch of sites are active today with the Blackhole exploit kit.. here are the ones seen so far:

183.81.133.121
198.136.53.39
173.255.223.77
64.247.188.141
inklingads.biz

The delivery mechanisms are fake LinkedIn and eFax messages. Block those IPs if you can.