Showing posts with label Bosnia.

Friday, 22 May 2015

Malware spam: "This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc." / "Australian Taxation Office"

This spam doesn't seem to know if it's from Lloyds Bank or the Australian Tax Office.

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    22 May 2015 at 10:31
Subject:    Remittance Advisory Email


Monday 22 May 2014

This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc.

Please review the details of the payment here.


Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0845 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813.

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.
The link in the email goes to a download page at sharefile.com and leads to an archive file FAX_82APL932UN_772.zip containing a malicious executable FAX_82APL932UN_772.scr which has a date stamp of 01/01/2002 (presumably to make it harder to spot).
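A mail-gateway style check for the traits described above, as an added example that is not part of the original post: it flags archive members that are executables (by extension or PE header) and notes when their timestamp is implausibly old for a freshly delivered message. The extension set, the one-year threshold and the in-memory sample archive are assumptions constructed for illustration; only the file name and the 01/01/2002 date come from the post.

```python
import io
import os
import zipfile
from datetime import datetime, timedelta

# Extensions Windows runs directly; .scr (screensaver) is an ordinary PE file.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Assumption: an executable more than a year older than the message carrying
# it is worth a note. The threshold is an arbitrary choice for this example.
MAX_AGE = timedelta(days=365)


def inspect_archive(data, received):
    """Return one finding per archive member that looks like an executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"  # DOS/PE magic bytes
            if ext not in EXECUTABLE_EXTS and not is_pe:
                continue
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            if is_pe:
                reasons.append("PE header (MZ)")
            try:
                stamp = datetime(*info.date_time)
            except ValueError:
                # Malformed archives can carry impossible dates (month 0 etc.)
                stamp = None
                reasons.append("invalid timestamp")
            if stamp and received - stamp > MAX_AGE:
                reasons.append(f"timestamp {stamp:%d/%m/%Y} predates delivery")
            findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample():
    """Constructed sample: a harmless stub carrying the name and date from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        scr = zipfile.ZipInfo("FAX_82APL932UN_772.scr", date_time=(2002, 1, 1, 0, 0, 0))
        zf.writestr(scr, b"MZ" + b"\x00" * 62)  # two magic bytes plus padding, not a real binary
        txt = zipfile.ZipInfo("readme.txt", date_time=(2015, 5, 22, 10, 0, 0))
        zf.writestr(txt, b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample(), datetime(2015, 5, 22, 10, 31)):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```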

This binary has a detection rate of 4/57 and automated analysis tools [1] [2] [3] [4] show that it downloads another file from:

relianceproducts.com/js/p2105us77.exe

This is renamed to csrss_15.exe and has a detection rate of 3/54. It is most likely a component of the Dyre banking trojan.

In addition, this Hybrid Analysis report shows traffic to:

209.15.197.235 (Peer 1, Canada) [relianceproducts.com]
217.23.194.237 (BLICNET, Bosnia and Herzegovina)

Recommended blocklist:
209.15.197.235
217.23.194.237

MD5s:
eb26a6c56b7f85b3257980d0c273c3cf
178a4e3dfa0feea04079592d3113bd2e


Wednesday, 31 December 2014

Evil network: 217.71.50.0/24 / ELTAKABEL-AS / TXTV d.o.o. Tuzla / aadeno@inet.ba

This post by Brian Krebs drew my attention to a block of Bosnian IP addresses with an unusually bad reputation. The first clue is given by Google's safe browsing diagnostics..

Safe Browsing
Diagnostic page for AS198252 (ELTAKABEL-AS)

What happened when Google visited sites hosted on this network?

    Of the 165 site(s) we tested on this network over the past 90 days, 6 site(s), including, for example, office-hosts.org/, invoice-ups.org/, refforwarding.eu/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2014-12-31, and the last time suspicious content was found was on 2014-12-26.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that appeared to function as intermediaries for the infection of 525 other site(s) including, for example, webtretho.com/, detik.com/, zaodich.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that infected 572 other site(s), including, for example, webtretho.com/, detik.com/, zaodich.com/.
Some of those domains rang a bell to do with recent malware attacks. One odd thing that struck me was that this is a sparsely populated but relatively large collection of IP addresses that appear to be mostly allocated to broadband customers rather than web hosts.

An investigation into what was lurking in this AS highlighted a problem block of 217.71.50.0/24 which contains very many bad sites, the WHOIS details for that block being..

inetnum:        217.71.48.0 - 217.71.63.255
descr:          TXTV d.o.o. Tuzla
org:            ORG-TdT1-RIPE
netname:        BA-TXTV-20030807
country:        BA
admin-c:        IK879-RIPE
tech-c:         IK879-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MNT-NSC1
mnt-routes:     MNT-NSC1
notify:         ripe@txtv.ba
changed:        hostmaster@ripe.net 20030807
changed:        hostmaster@ripe.net 20040625
changed:        hostmaster@ripe.net 20050719
changed:        bitbucket@ripe.net 20081003
changed:        hostmaster@ripe.net 20110804
changed:        hostmaster@ripe.net 20140324
changed:        bit-bucket@ripe.net 20140325
source:         RIPE

organisation:   ORG-TdT1-RIPE
org-name:       TXTV d.o.o. Tuzla
org-type:       LIR
address:        TXTV d.o.o.
address:        Admir Jaganjac
address:        Focanska 1N
address:        75000
address:        Tuzla
address:        BOSNIA AND HERZEGOVINA
phone:          +38735353333
fax-no:         +38735266114
tech-c:         TXTV1-RIPE
abuse-mailbox:  abuse@txtv.ba
mnt-ref:        MNT-TXTV
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
admin-c:        AJ2947-RIPE
admin-c:        AA26986-RIPE
admin-c:        IK879-RIPE
abuse-c:        NSC11-RIPE
source:         RIPE
e-mail:         ripe@txtv.ba
changed:        bitbucket@ripe.net 20140324

person:         Igor Krneta
address:        Majora Drage Bajalovica 18
address:        78000 Banjaluka, BA
e-mail:         ripe@elta-kabel.com
phone:          +387 51 961 001
nic-hdl:        IK879-RIPE
mnt-by:         MNT-NAVIGOSC
changed:        ikrneta@navigosc.net 20071126
source:         RIPE

route:          217.71.50.0/24
descr:          Inet subnet #1
origin:         AS31630
mnt-by:         GENELEC-MNT
changed:        aadeno@inet.ba 20061029
source:         RIPE


I highlighted the part of most interest, which appears to be a block suballocated to someone using the email address aadeno@inet.ba.

I took a look at the sites hosted in this /24 and these are the results [csv]. There are 37 malicious websites (identified by Google) out of 185 that I found in this network range. The usual level of badness tends to be around 1%, but here it is 20%. Looking at the domains, it appears that there is nothing at all of value here and you can probably count them all as malicious.

Recommended blocklist:
217.71.50.0/24




Thursday, 9 September 2010

Evil network: MAXHOSTING Services, kfppp.com and the BBC Radio 3 compromise

MAXHOSTING are a fairly prolific evil network that I profiled last month, so it isn't a huge surprise to see that the evilness continues as normal.

But one thing that made MAXHOSTING stand out today was their involvement in an apparent compromise on the BBC's website, as reported by The Register.  Google have labelled the BBC's Radio 3 subsite as being potentially dangerous:

Safe Browsing
Diagnostic page for bbc.co.uk/radio3

What is the current listing status for bbc.co.uk/radio3?

    Site is listed as suspicious - visiting this web site may harm your computer.

    Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

    Of the 15 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-09-09, and the last time suspicious content was found on this site was on 2010-09-09.

    Malicious software is hosted on 1 domain(s), including kfppp.com/.

    1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including z145235.infobox.ru/.

    This site was hosted on 1 network(s) including AS2818 (BBC).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, bbc.co.uk/radio3 did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

How did this happen?

    In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

So, what do we know about kfppp.com? Well, it was registered one day ago via black hat domain registrar BIZCN to a fake recipient, and is hosted on a server at 77.78.240.253, which is in Maxhosting's range.. so obviously this is nothing good.

The trouble is that the BBC site seems clean and it is not apparent where the infection is coming from, but the BBC site does carry ad banners for non-UK visitors, and it seems possible that a malvertisement somewhere is to blame. Although Google does sometimes make false positives, this particular report is very specific and I tend to believe that the BBC Radio 3 site is (or was) compromised with malicious code.

A full breakdown of current sites, IP addresses and MyWOT reputations can be downloaded from here.

The best advice is to completely block traffic to 77.78.239.x and 77.78.240.x (or better still, the 77.78.224.0/19 parent block), or block traffic to the domains below.


Friday, 6 August 2010

Evil network: MAXHOSTING Services / GlobalNET Bosnia (AS42560 / 77.78.239.0/23)

Back in May they were called Maximus Hosting Services but I guess it's always embarrassing when you're not number one in Google for your own name.. so now this outfit from Russia appears to be calling itself MAXHOSTING SERVICES. Note that it looks like there are several Russian businesses of a very similar name, presumably most of which are legitimate.

inetnum:        77.78.239.0 - 77.78.240.255
netname:        MAXHOSTING-SERVICES
remarks: ### in case of abuse please contact: godaccs@gmail.com  ###
descr:          MAXHOSTING-SERVICES
country:        MD
admin-c:        VM3351-RIPE
tech-c:         VM3351-RIPE
status:         ASSIGNED PA
mnt-by:         BA-GLOBALNET
source:         RIPE # Filtered

person:         Vadim Makarenko
address:        Leningradskaya 28 kv 26, Bendery, Moldova
e-mail:         godaccs@gmail.com
phone:          +373-680-45324
nic-hdl:        VM3351-RIPE
source:         RIPE # Filtered

route:          77.78.192.0/18
descr:          GlobalNET Bosnia
origin:         AS42560
mnt-by:         BA-GLOBALNET
source:         RIPE # Filtered

It looks like it is working closely with GlobalNET Bosnia.. which is kind of weird because Russia doesn't exactly have a shortage of dodgy web hosts. GlobalNET operate AS42560 (77.78.192.0/18), and MAXHOSTING appear to have rented out half of that, giving 77.78.224.0/19, i.e. 77.78.224.0 - 77.78.255.255. The other half of the GlobalNET range is mostly legitimate apart from an apparent Stelivo phishing site on 77.78.192.140 called justadultchat.co.uk.
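The address arithmetic behind those ranges, as an added example that is not part of the original post: it turns a WHOIS inetnum range into the CIDR blocks a firewall rule needs and checks which of the addresses mentioned in these posts a given block would catch. The function names are made up for this example; the ranges and addresses are the ones quoted on this page.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that exactly covers a first-last range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def covers(block, first, last):
    """True if `block` contains every address in the first-last range."""
    net = ipaddress.ip_network(block)
    return all(c.subnet_of(net) for c in range_to_cidrs(first, last))


def is_blocked(ip, blocklist):
    """True if `ip` falls inside any CIDR block in `blocklist`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b) for b in blocklist)


def halves(block):
    """Split a block into its two equal halves (one bit longer prefix)."""
    return [str(n) for n in ipaddress.ip_network(block).subnets(prefixlen_diff=1)]


if __name__ == "__main__":
    # inetnum from the MAXHOSTING WHOIS record. The range starts on an odd
    # /24, so it cannot be written as one block: it needs two /24 rules.
    print(range_to_cidrs("77.78.239.0", "77.78.240.255"))

    # The GlobalNET route splits into two /19s; the upper one is the block
    # recommended for blocking.
    print(halves("77.78.192.0/18"))
    print(covers("77.78.224.0/19", "77.78.239.0", "77.78.240.255"))

    # 77.78.240.253 hosted kfppp.com; 77.78.192.140 sits in the other,
    # mostly legitimate half and is not caught by the /19.
    for ip in ("77.78.240.253", "77.78.192.140"):
        print(ip, is_blocked(ip, ["77.78.224.0/19"]))

    # Same conversion for the TXTV allocation from the 2014 post.
    print(range_to_cidrs("217.71.48.0", "217.71.63.255"))
```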

Anyway, 77.78.224.0/19 is a real sewer consisting of fake job sites, phishing, hacking sites, fake escrow sites, illegal downloads, malware and other nasty stuff. According to ratings from the WOT API it is mostly toxic rubbish, and even the sites with "good" rankings are involved in something illegal.

77.78.224.0/19 is certainly worth blocking, and/or the domains listed below. If you want the IP addresses and the WOT ratings in a handy form then you can download them from here, else there's a list of the currently dodgy domains below:


Tuesday, 25 May 2010

Evil Network: Maximus Hosting Services, Bosnia 77.78.239.0 - 77.78.240.255

A bunch of sites in the IP range 77.78.239.0 - 77.78.240.255 all look evil and appear to be serving up bad PDFs and other nastiness. The IPs are allocated to Maximus Hosting Services, Bosnia and honestly I cannot see a single domain that looks legitimate.. I would suggest that you block the entire range.
