Sponsored by..

Showing posts with label Magnitude. Show all posts
Showing posts with label Magnitude. Show all posts

Wednesday 30 October 2013

Something evil on 144.76.207.224/28

The network block 144.76.207.224/28 is currently hosting the Magnitude exploit kit (example report) [hat tip to Malekal.com judging from the report].

This is a Hetzner IP range suballocated to:
inetnum:        144.76.207.224 - 144.76.207.239
netname:        SPHERE-LTD
descr:          Sphere LTD.
country:        DE
admin-c:        AR10715-RIPE
tech-c:         AR10715-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE # Filtered

person:         Alexander Redko
address:        Russia, 107031, Moscow, Proezd Dmitrosvkiy 8
phone:          +79104407852
nic-hdl:        AR10715-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered


Domains hosted on this range include the following, ones in bold are flagged by Google as being malicious:
1valubin.info
2valubin.info
3valubin.info
4valubin.info
5valubin.info
6valubin.info
7valubin.info
8valubin.info
9valubin.info
10valubin.info
11valubin.info
12valubin.info
13valubin.info
14valubin.info
1togenhaym.info
2togenhaym.info
3togenhaym.info
4togenhaym.info
5togenhaym.info
6togenhaym.info
7togenhaym.info
8togenhaym.info
9togenhaym.info
10togenhaym.info
11togenhaym.info
12togenhaym.info
13togenhaym.info
14togenhaym.info
15togenhaym.info
16togenhaym.info
17togenhaym.info
poovergosa.info
galikvento.info

I would recommend blocking all those domains plus the 144.76.207.224/28 range.

Sphere Ltd seem to have some quite big operations in Russia. For information only, these are the other IP address ranges that I can find.
5.9.217.0/26
5.9.249.112/28
5.9.255.192/27
46.22.212.16/28
78.46.169.160/27
78.47.67.128/29
78.47.217.112/28
80.79.117.168/29
80.79.118.132/30
80.79.118.252/30
88.198.103.96/28
144.76.192.96/27
144.76.207.224/28
195.2.252.0/23
195.88.208.0/23