Sponsored by..

Showing posts with label Neutrino. Show all posts
Showing posts with label Neutrino. Show all posts

Tuesday 20 September 2016

Evil network: 178.33.217.64/28 et al (evolution-host.com, customer of OVH)

This customer of OVH appears to be registered with fake details, and are distributing malware via a block at 178.33.217.64/28. Currently, the following IPs are distributing some sort of unidentified exploit kit:

178.33.217.64
178.33.217.70
178.33.217.71
178.33.217.78
178.33.217.79

A list of the domains associated with those IPs can be found here [pastebin].

OVH have allocated the IP range to this customer:

organisation:   ORG-JR46-RIPE
org-name:       Jason Reily
org-type:       OTHER
address:        32 Oldfarm Road
address:        GB21DB London
address:        GB
e-mail:         ourbills@evolution-host.com
abuse-mailbox:  ourbills@evolution-host.com
phone:          +353.8429143
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2016-05-24T18:16:03Z
last-modified:  2016-05-24T18:16:03Z
source:         RIPE


There is no such address in London, the postcode is obviously invalid and the telephone number appears to be an Irish mobile phone. Checking the evolution-host.com domain reveals something similar:

Registrant Name: OWEN PHILLIPSON
Registrant Organization: EVOLUTION HOST
Registrant Street: 24 OLDFARM ROAD
Registrant City: LONDON
Registrant State/Province: LONDON
Registrant Postal Code: SW19 3RQ
Registrant Country: GB
Registrant Phone: +353.851833708
Registrant Phone Ext:
Registrant Fax: +44.7479012225
Registrant Fax Ext:
Registrant Email: info@evolutionhost.co.uk
Registry Admin ID: 


Again, an invalid address with a different street number from before and an Irish telephone number. We can look at evolutionhost.co.uk too..

    Registrant:
        Owen Phillipson

    Registrant type:
        UK Sole Trader

    Registrant's address:
        24 Oldfarm Road
        London
        London
        SW19 3RQ
        United Kingdom

    Data validation:
        Nominet was able to match the registrant's name and address against a 3rd party data
source on 09-Feb-2014


Obviously Nominet's validation process isn't worth rat shit. The Evolution Host website appears to have no contact details at all.

RIPE associates the tag ORG-JR46-RIPE with the following IP ranges, all rented from OVH. I suggest you block all of them:

91.134.220.108/30
92.222.208.240/28
149.202.98.244/30
176.31.223.164/30
178.33.217.64/28


UPDATE

A contact says that IP listed at the beginning of the post are the Neutrino Exploit Kit.

Friday 3 May 2013

Something evil on 173.255.200.91

173.255.200.91 (Linode, US) is exhibiting the characteristics of the Neutrino Exploit kit [see URLquery and VirusTotal reports). Attempts to analyse the malware seem to be generating 404 errors, but this could simply be a defensive mechanism by the malware on the server.

I can see the following domains on the server, ones flagged by Google for malware are highlighted. I would recommend blocking all domains on this server however, or simply block the IP address.

3dgamess.com
allcityhotels.com
allnewshere.com
anewschannel.com
backlinkfinder.com
backlinkhunter.com
cycling-infos.com
cycling-infos.info
cycling-infos.net
cycling-infos.org
dover-road.com
dover-road.info
dover-road.net
dover-road.org
dubuinc.com
dubuinc.info
dubuinc.net
dubuinc.org

ehotelguide.com
essentiale-water.com
essentiale-water.info
essentiale-water.net
essentiale-water.org

favoritewatches.com
fiveandsixandseven.com
fiveandsixandseven.net
imbiss-directory.com
imbiss-directory.info
imbiss-directory.net
imbiss-directory.org
imbiss-restaurants.com
imbiss-restaurants.info
imbiss-restaurants.net
imbiss-restaurants.org
jab-servers.com
jab-servers.info
jab-servers.net
jab-servers.org

komedidukkani.com
li210-91.members.linode.com
opengolfguide.com
paris-online-guide.com
paris-online-guide.info
paris-online-guide.net
paris-online-guide.org
rome-online-guide.com

rome-online-guide.info
rome-online-guide.org
shinebaby.info
shinebaby.org

toplumailgondermeprogrami.com
whereismysiteongoogle.com
wordpressthemes1.com

The malicious domains appear to be registered to the same person, but as the email address seems to bear no relation to the person's name then they may well be fake:
owner-name: Hans Funfell
owner-address: Mohrenstrasse 55
owner-city: Berlin
owner-state: DE
owner-country: DE
owner-postcode: 10117
owner-telephone: +49.89789200
owner-fax:
owner-email: jowiams779@gmail.com


A quick bit of Googling came up with exactly zero people called "Hans Funfell" (of course if you do it now there will be a match..)