Sponsored by..

Showing posts with label UK2.NET. Show all posts
Showing posts with label UK2.NET. Show all posts

Thursday 11 July 2013

Malware sites to block 11/7/13

I noticed 188.138.89.106 (Intergenia AG, Germany) was the originating IP being used in this spam run using a hijacked 1&1 account, and VirusTotal thinks that the server is pretty darned evil. A quick poke at this box shows that has a number of multihomed malicious and C&C domains.

Looking at some of these servers, I'm suspicious that they may have been compromised using a Plesk vulnerability. Various domains are used for botnets, including some Bitcoin miners. There may be some formerly legitimate domains in this mix, but given the compromised nature of the servers I would not trust them.

37.123.112.147 (UK2.NET, UK)
37.123.113.7 (UK2.NET, UK)
68.169.38.143 (Westhost Inc, US)
68.169.42.177 (Westhost Inc, US)
74.208.133.134 (1&1, US)
85.25.86.198 (Intergenia AG, Germany)
109.123.95.8 (UK2.NET, UK)
188.138.89.106 (Intergenia AG, Germany)
212.53.167.13 (FASTCOM IP Net, Poland)
212.227.53.20 (1&1, Germany)
212.227.252.92 (1&1, Germany)
213.165.71.238 (1&1, Germany)
217.160.173.154 (1&1, Germany)

Recommended blocklist:
37.123.112.147
37.123.113.7
68.169.38.143
68.169.42.177
74.208.133.134
85.25.86.198
109.123.95.8
188.138.89.106
212.53.167.13
212.227.53.20
212.227.252.92
213.165.71.238
217.160.173.154
bayrische-kampfplantage.de
f.eastmoon.pl
final.toles.org
final.twiaci.com
fujimoto-group.jp
gigasbh.org
gigasphere.su
jobs.4zox.com
ks-reifenservice.de
mh-wellnesscoach.de
mikimouse.net
move-aube.fr
naturalcuresdoc.com
naturalcuresdocanswers.com
newbigjob.de
p15114714.pureserver.info
s.richlab.pl
secure.redirectsite.net
soulvampire-ice.de
streetdanceroom.de
tests.gigasbh.org
toles.org
treibholzundmeer.de
try.aktivoxigen.com
wireless-work.su
xixbh.com
xixbh.net
xray868.server4you.de
xxxxxxxxxxxxxxx.kei.su

"WTX Media INC" spam / dajizzum.com

This fake invoice spam from the nonexistant "WTX Media" leads to a malware landing page on dajizzum.com:

From: Rebecca Media [mailto:support@rebeccacella.com]
Sent: 11 July 2013 07:46
To: [redacted]
Subject: Subscription Details

We hereby inform you that your subscription has been activated, your login information is as follows:

Username: IX9322130
Password: X#(@kIE04N
Login Key: 839384

Please do not share the login information with anyone as this account is only for your use, sharing the account will result in account termination without a refund.
The credit card on file submited by you will be billed within 24 hours, in the amount of 499.00 GBP, amount equal to one year unlimited subscription.
Your bank statement will show up as being billed by "WTX Media INC".

If you have any questions or issues with your login as well as requests to upgrade or cancel your membership please contact us using the form at:

[donotclick]www.rebeccacella.com/wp-content/plugins/subscribe/


Any feedback is appreciated as we strive to improve our services constantly.
WTX Media Team
The link in the email goes through a legitimate but hacked website (rebeccacella.com) and lands on a malware landing page at [donotclick]dajizzum.com/team/administration/admin4_colon/fedora.php?view=44 (report here) which contains an exploit kit.

dajizzum.com is hosted on 109.123.100.219 (UK2.NET, UK) which appears to be a hijacked server. At the moment I can only see that one site hosted on this box, but blacklisting the IP as a precaution may be wise.

The spam originates from another malware server on 188.138.89.106 (more of this later) but it appears to use a compromised 1&1 account as the spamvertised domain, sender's address and SMTP relay of 212.227.29.10 all belong to that provider.

Tuesday 22 January 2013

Something evil on 109.123.66.30

109.123.66.30 (UK2.NET, UK) hosts several domains containing the Blackhole Exploit Kit (example here). The domains in user are (mostly) legitimate hacked domains, but there are a couple of odd things here.

Most of the malicious domains have a format like this: 700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands.com - in this case darkhands.com is a legitimate domain registered to an individual in Australia, but it has been hacked to create a who load of malicious subdomains, hosted on another server from www.darkhands.com.

In fact, almost all the domains are registered to Australians, but the key thing is in that all of those cases the main domains are hosted by OrionVM in Australia, with the main domains hosted in the 49.156.18.0/24 block. Update: it seems that a single customer was compromised and the OrionVM issue has been resolved.

So how can the main (legitimate) sites be hosted in 49.156.18.0/24, but the malicious subdomains are hosted on a completely different network in the UK. I suspect that there is a compromise of some sort at OrionVM which has allowed the DNS records to be change (it should be noted that these domains used several different registrars).

Another oddity is that these hijacked domains only go from A to I alphabetically, which indicates that there might be some other malicious servers in this same group. The domains are:

00.co.kr
07drama.com
1001mg.com
1sim.net
20cargo.com
2ndi.com
2seul.net
3gendata.co.kr
atomthecreators.com
bodaguatemala.com
ciudaddelangel.com
colmodasa.com
ctsau.com
cyberdyne.net.au
dafconstructions.com
darkhands.com
deanmathers.com
demon-networks.com
dentistasguatemala.com
dfs-mortgages.com.au
easygosa.com
elitebusinesssupplies.com.au
eliteoz.com.au
enaballet.com
escapeelsalvador.com
fairymeadowsurfclub.com.au
floor-me.com.au
furniturebiweb.com.au
frankflick.com
fwmesker.com.au
gcbustours.com.au
giftsbiweb.com.au
goddessmassage.com.au
goldcoastnorth.org.au
goldcoastpacifictours.com.au
greyfoxjumps.com
grubisaguitars.com
img.or.kr

Also hosted on 109.123.66.30 are some malicious .in domains that were previously on 87.229.26.138 (see here):
gguwvn.in
gmvgyx.in
humswz.in
jlqrnp.in
krvrkh.in
lupszm.in
nwujgl.in
onylkp.in
pmkvyh.in
sirrpk.in
tmthzz.in
ukokqz.in
ymjjjm.in
yxrkyu.in
zjmnwv.in
znztip.in
zpjhjv.in

It looks like there are some legitimate sites on the same server, but blocking 109.123.66.30 is probably a good idea.

As for those subdomains I wrote about, well here are some examples (there are probably many more!)
9e3cca5e3db56bb811912113012211341099855c391a9f23ee6fdf9310ef65f.escapeelsalvador.com
9e3cca5e3db56bb8.escapeelsalvador.com
43c327b1d06a8667016129130121170261378958c50c75b554d3acbb2bf6327.ciudaddelangel.com
4378075af081a68c01911413012115588268499bd156f02785043714358bc6d.bodaguatemala.com
adc3e9311efa48f701604513012020274181958c0c1dd94d15b082c2f456729.2seul.net
613c852e72852488.12bears.org
4378075af081a68c119070130121141091436015a23f6147f4a5cb6f46c9612.bodaguatemala.com
4378075af081a68c01608613012113376175301d0604046f19450957fd59d89.bodaguatemala.com
4378075af081a68c0190861301211545518988357b1766a7c844beb4d7d552d.bodaguatemala.com
cb3c7f5e8885de88019102130121235232244364ff60ccc807ebd5d014bc12a.dentistasguatemala.com
cb3c7f5e8885de8801902413012123563228240bb24890930199ff12981f22c.dentistasguatemala.com
4387a7b5506e066301515913012202291029798326847e181e5c85ee57ec48c.doctoresguatemala.com
e93c8d2e7a852c88014072130119115171974917aa12cca08315e832c31f05b.07drama.com
e93c8d2e7a852c88019016130119091781150715f71f0b9afdd4128ec4cbb9c.07drama.com
da0f5ebda916ff1b01402413011913245133774bd3f2acbdbb427f332b0509e.07drama.com
4378c7aa3071667c01511113012120512184494445a0a9fabe4d9f815049c39.colmodasa.com
4378c7aa3071667c1191211301211930317435053144fdeced2f362b8701b9c.colmodasa.com
f80fcced3b066d0b1191211301220847209700257ce00433c7d66b6873eb420.easygosa.com
f80fcced3b066d0b0190861301220832613187254b83422e0b4c441fde73336.easygosa.com
073c137ee495b2980140251301220622508971181451a35f7f31a53edbc1f68.easygosa.com
073c137ee495b298.easygosa.com
ad870975fedea8d3019044130119144392288741f96f4d9d259a1b9c46683e0.1001mg.com
9eb4aa965d5d0b5001418513012018266185128b200492041c9fa22e5d7765e.2ndi.com
43c347f1b07ae67701418513011715199157549c11b32571ee03ac63e5df44a.frankflick.com
43c327b1d06a8667014102130121164341794225edd7badb251a6d939612b70.ciudaddelangel.com
43c327b1d06a8667119121130121182651816415774ff223bcf7794f72f9901.ciudaddelangel.com
43c327b1d06a8667016129130121170261378958c50c75b554d3acbb2bf6327.ciudaddelangel.com
bc4bb8f94f32193f114161130120170671429678682220d8fb9257f98a64133.20cargo.com
bc4bb8f94f32193f116161130120160641274345c1e0d1e821270ad394dce24.20cargo.com
9e3cca5e3db56bb801907013012210373118558538d878c0932bac859f75915.escapeelsalvador.com
9e3cca5e3db56bb811412113012210099114754a47f7f4cdd48cdf995c40c69.escapeelsalvador.com
9e3cca5e3db56bb80190861301221149212109450483885b4caf3bc1aa9f0ec.escapeelsalvador.com
700ff4ad03c655cb114163130116131561128525b412bf0eb1f0d8b3373d530.darkhands.com
700ff4ad03c655cb01902413011612555164840bb4054383b351bed0be72cb0.darkhands.com
700ff4ad03c655cb019025130116115161699125ddc19c767ee08cad8037869.darkhands.com
700ff4ad03c655cb01906313011612074085590bc4ca3a96ab9f70f60a845be.darkhands.com
700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands.com
da871eb5e9debfd3.demon-networks.com
da871eb5e9debfd3014025130116170451125355cc8672327f4e3759493a7b6.demon-networks.com
da871eb5e9debfd311416313011617182114754b6edb0d4e245e105a88985e8.demon-networks.com
cb789f8a68e13eec01402413011611067087175549c49b8c26df1b1e117ce52.dafconstructions.com
cb789f8a68e13eec0190241301161048514233351542cd2b24d195ba0bf6f2b.dafconstructions.com
cb789f8a68e13eec0191371301160824408432252ef981c7a10856259ae52ff.dafconstructions.com
8f0fdbcd2c567a5b.greyfoxjumps.com
8f0fdbcd2c567a5b0190761301181449720858689e2e4bcb46d495489f755db.greyfoxjumps.com
8f0fdbcd2c567a5b01410413011815492132506be98360c690e0577314b571c.greyfoxjumps.com
25c3a1b1562a002701615313011819586240920cc2c0a048cb012e78ce717e3.grubisaguitars.com
25c3a1b1562a002701409913011818231126800513e8276203b5e4706c64ac5.grubisaguitars.com
25c3a1b1562a0027.grubisaguitars.com
cb4b6fe99882ce8f01402413011613576192736c93af1192f50fb15cfe1fb20.deanmathers.com
52874685b15ee75301902413012112331103342bb3bba5bfc191f0fcffeff42.atomthecreators.com
07b43316c4cd92c00191841301211308110270853cafa0ede390f54488279a2.atomthecreators.com
52874685b15ee753.atomthecreators.com
52874685b15ee753014072130121104741407487aa1c9758f11ecec8a5080e9.atomthecreators.com
52874685b15ee753014064130121125041591348d3a795f75aa30f3c07c12fa.atomthecreators.com
52874685b15ee75301918513012110462108414055334aad721923de002768f.atomthecreators.com
ad4b99a96ed238df01902413011700222020288c860e4eed12a0c47a53b2d01.enaballet.com
ad4b99a96ed238df.enaballet.com
8f875b85acdefad3.ctsau.com
8f875b85acdefad3014086130115235542019295b59f74e05eefad146e21954.ctsau.com
520fa6dd5146074b01902413011903443069106c9587029dc299fef3a02a1cf.00.co.kr
da3c3e0ec9c59fc8014050130121084910792509f94ca468b493ae140b594f1.3gendata.co.kr
8f0f8bdd7c062a0b019044130121095082044654e48461a03046b9a158f0b56.3gendata.co.kr
da3c3e0ec9c59fc8.3gendata.co.kr
ad0fa92d5e96089b.12.img.or.kr
1687c295352e632301904413012011471097002d9bf1df5a4477988e98ea7f5.1sim.net
1687c295352e6323019115130120125041553301f169b228df07c49f6f8243f.1sim.net
8f4b9b896c123a1f0190241301181159211348659b5706dd8bba9ac9f65cc8a.goldcoastnorth.org.au
52c376c1814ad747116159130117164792434566ca998fa703bdba9f5fad36c.furniturebiweb.com.au
cb87bff5487e1e73019024130117230451540624eab8d91eedee6aae935bce8.giftsbiweb.com.au
250fa16d5616001b116062130117064610561095bc0c075f5de40e7ed52d204.fairymeadowsurfclub.com.au
6187852572ae24a3014077130118075481933705d68a7d58e329cd19e1d4831.goddessmassage.com.au
e9c32dd1daaa8ca71141631301171015509319889e28e6ae67eb0ff6dea8d71.floor-me.com.au
e9c32dd1daaa8ca70190861301171005507734854b82701243446e1f5747513.floor-me.com.au
e9c32dd1daaa8ca7.floor-me.com.au
e9c32dd1daaa8ca70150461301171003307037446410ff324aa6549c60cc9e7.floor-me.com.au
700f44ddb356e55b014025130117185911325065edcde5312a0fbd05c98f038.fwmesker.com.au
700f44ddb356e55b.fwmesker.com.au
700f944d6326352b019084130116191021210948682e24ad4db4900e40a73b4.dfs-mortgages.com.au
700f944d6326352b1141631301161913413314058ae84aa556671678b3f5e96.dfs-mortgages.com.au
700f944d6326352b.dfs-mortgages.com.au
f83c9c6e6b353d381141631301151452414962455f29541148efc4e37826913.elitebusinesssupplies.com.au
f83c9c6e6b353d3801511113011515087109682445a0a9f951927ef50f6d8c4.elitebusinesssupplies.com.au
070f33bdc4e692eb0191141301151407910841451c188064ca7eab689697868.elitebusinesssupplies.com.au
070f33bdc4e692eb0140861301151349718988357a3ee82f57b94dee43ccb7a.elitebusinesssupplies.com.au
61f02502d2998494119191130118142491702293e019202990ce84e1570c0db.goldcoastpacifictours.com.au
708774f5836ed5630140181301180909508051875c927d7e6aa55de3837e434.goldcoastbuschartertours.com.au
f8b4ac165b9d0d90014096130117213511429674e08c2686a0bb289bc3fa9d8.gcbustours.com.au
bcf038d2cf899984119163130115182621198264fd5f6cf84137810b203d561.eliteoz.com.au
61f0c522327964740190861301152121515564750483987b2c6cc62e0435464.eliteoz.com.au
61f0c52232796474.eliteoz.com.au
bcf038d2cf89998401404313011519058127117579abdbfca7f3f850c10f19b.eliteoz.com.au
bcf038d2cf8999840140241301151905812711753ae2611208cafdf0c10f19b.eliteoz.com.au
61f0c522327964740140161301152137113028789e2464b24229b3f5a3a889e.eliteoz.com.au
bcf0b8624f091904115129130116034061033429069f5026657971ac822f264.cyberdyne.net.au

Monday 16 April 2012

"You've just ordered pizza from our site" / uiwewsecondary.ru

We haven't seen this "pizza spam" (or spam pizza?) for a while. Rest assured, it leads to malware on uiwewsecondary.ru:
Date:      Mon, 16 Apr 2012 08:40:47 -0500
From:      CeceliaKosack@hotmail.com
Subject:      Order confirmation

You've just ordered pizza from our site

Pizza Triple Meat Italiano with extras:
- Ham
- Ham
- Bacon Pieces
- Pineapple
- Onions
- Easy On Cheese
- No Sauce
Pizza Chicken Supreme with extras:
- Ham
- Jalapenos
- Black Olives
- Extra Cheese
- Extra Sauce
Pizza Hawaiian Luau with extras:
- Pepperoni
- Italian Sausage
- Beef
- Pineapple
- Easy On Cheese
- No Sauce
Pizza Chicken Supreme with extras:
- Italian Sausage
- Bacon Pieces
- Italian Sausage
- Jalapenos
- Diced Tomatoes
- Green Peppers
- Easy On Cheese
- Extra Sauce
Drinks
- Fanta x 4
- Limonade x 6
- Schweppes x 6
- Sprite x 2
Total Charge:    89.70$



If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!


If you don't do that shortly, the order will be confirmed and delivered to you.


With Best Regards
Pizza by AMERIGO


The malicious payload is at uiwewsecondary.ru:8080/internet/fpkrerflfvd.php (report here) hosted on some familiar IP addresses (a subset of the ones found here):

41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
83.170.91.152 (UK2.NET, UK)
85.214.204.32 (Strato AG, Germany)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)

Plain list for copy-and-pasting:
41.168.5.140
62.85.27.129
83.170.91.152
85.214.204.32
88.190.22.72
89.31.145.154
112.78.124.115
210.56.23.100
211.44.250.173
219.94.194.138

Thursday 12 April 2012

Federal Reserve Wire Network spam / vanishingmasers.ru

This spam leads to malware on vanishingmasers.ru:

Date:      Thu, 12 Apr 2012 15:14:41 -0300
From:      "Lidia Polk" [uzbekistanqp39@sterkinekor.com]
Subject:      RE: Wire transfer cancelled

Good afternoon,

Wire transfer was canceled by the other bank.



Rejected transaction:

FEDWIRE REFERENCE NUMBER: SK9415179747ODP36641K

Wire Transfer Report: View



The Federal Reserve Wire Network

The payload is on vanishingmasers.ru:8080/pages/glavctkoasjtct.php (report here) which is hosted on some familiar looking IP addresses:

41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
83.170.91.152 (UK2.NET, UK)
85.214.204.32 (Strato AG, Germany)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
125.19.103.198 (Bharti Infotel, India)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)

Plain list for copy-and-pasting:
41.168.5.140
62.85.27.129
83.170.91.152
85.214.204.32
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
210.56.23.100
211.44.250.173
219.94.194.138

Wednesday 22 February 2012

Contract spam / cpojkjfhotzpod.ru

Another spam run (will they ever end?) this time with a malicious .htm attachment that tries to download from cpojkjfhotzpod.ru. Here are some examples:

Date:      Wed, 21 Feb 2012 07:17:49 +0800
From:      "LARUE Riley"
Subject:      Fw: Contract from LARUE
Attachments:     Contract_Scan_N5005.htm

Good afternoon,



In the attached file I am forwarding you the Translation of the Job Contract

that I have just received yesterday. I am really sorry for the delay.



Best regards,

LARUE Riley, secretary

==========

Date:      Wed, 21 Feb 2012 05:17:01 +0700
From:      "DELORIS Hensley"
Subject:      Fw: Contract of 09.06.2011
Attachments:     Contract_Scan_N0395.htm

Dear Customers,

In the attached file I am forwarding you the Translation of the Job Contract

that I have just received yesterday. I am really sorry for the delay.



Best regards,

DELORIS Hensley, secretary

===========


Date:      Wed, 21 Feb 2012 09:10:09 +0900
From:      "ALISHA MCMILLIAN"
Subject:      Fw: Contract from ALISHA
Attachments:     Contract_Scan_N67448.htm

Dear Customers,

In the attached file I am transferring you the Translation of the Sales Contract



that I have just received today. I am really sorry for the delay.

Best regards,

ALISHA MCMILLIAN, secretary

==========

Date:      Wed, 21 Feb 2012 04:41:45 +0700
From:      "Drake Milton"
Subject:      Fw: Contract of 09.06.2011
Attachments:     Contract_Scan_N7682.htm

Hello,

In the attached file I am forwarding you the Translation of the Purchase Contract

that I have just received a minute ago. I am really sorry for the delay.

Best regards,

Drake Milton, secretary

==========

The malicous payload is on cpojkjfhotzpod.ru:8080/images/aublbzdni.php which is multihomed on several IP addresses, most of which we have seen before (and many of which are with Slicehost). A plain list is at the end for copy-and-pasting.

46.137.251.11 Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast, US)
69.60.117.183(Colopronto, US)
72.22.83.93 (iPower, US)
79.101.30.15 (Serbia Telekom, Serbia)
83.170.91.152 (UK2.NET, UK)
87.120.41.155 (Neterra, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
94.20.30.91 (Delta Telecom, Azerbaijan)
95.156.232.102 (Optimate-server, Germany)
98.158.180.244 (VPS.net Atlanta / Hosting Services Inc, US)
125.19.103.198 (Bharti Infotel, India)
125.214.74.8 (Web24 Pty, Australia)
173.203.51.174 (Slicehost, US)
184.106.151.78 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.152.221.233 (SystemInPlace, US)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)

46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
50.76.184.100
69.60.117.183
72.22.83.93
79.101.30.15
83.170.91.152
87.120.41.155
88.191.97.108
94.20.30.91
95.156.232.102
98.158.180.244
125.19.103.198
125.214.74.8
173.203.51.174
184.106.151.78
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
204.152.221.233
209.114.47.158
210.56.23.100
210.56.24.226

Thursday 19 January 2012

Wire transfer malicious spam / monikabestolucci.ru:8801 and 78.159.118.226

More malicious spam doing the rounds, but this time it's more complicated than before.

From: accounting@victimdomain.com [mailto:accounting@victimdomain.com]
Sent: 18 January 2012 02:14
Subject: Re: Wire Transfer Confirmation (FED_93711S15719)

Dear Bank Account Operator,
WIRE TRANSACTION: FWD-7563133392175652
CURRENT STATUS: PENDING

Please Review your transaction as soon as possible.

The link goes to a legitimate hacked site containing some heavily obfuscated javascript, in turn this points to monikabestolucci.ru:8801 and then downloads further code from 78.159.118.226/forum/hp.php?i=8 (Netdirect, Germany) - the Wepawet report is here, there also an Anubis report on the binary here.

monikabestolucci.ru is massively multihomed (a raw list is at the end of the post) presumably on legitimate hacked servers.

24.37.34.163 (Videotron, Canada)
46.105.28.61 (OVH Systems, Italy)
50.57.77.119 (Slicehost, Texas)
50.57.118.247 (Slicehost, Texas)
74.207.248.120 (Linode, New Jersey)
74.208.205.185 (1&1, US)
78.47.122.11 (Hetzner, Germany)
80.90.199.196 (Webfusion, UK)
81.31.43.43 (Master Internet, Czech Republic)
82.165.197.58 (1&1, Germany)
83.170.91.152 (UK2.NET, UK)
84.246.210.87 (Infortelecom, Spain)
88.191.97.108 (Dedibox SAS, France)
97.74.87.3 (GoDaddy, Arizona)
124.11.65.210 (TFN, Taiwan)
125.214.74.8 (Web24, Australia)
129.67.100.11 (Oxford University, UK)
173.201.187.225 (GoDaddy, Arizona)
173.230.137.129 (Linode, Florida)
173.255.229.33 (Linode, New Jersey)
174.122.121.154 (ThePlanet, Texas)
209.59.222.145 (Endurance International, Massachusetts)
211.44.250.173 (SK Broadband, Korea)

Blocking these IPs might be a pain, but it would block any other malicious sites on the same servers.

Raw list:
24.37.34.163
46.105.28.61
50.57.77.119
50.57.118.247
74.207.248.120
74.208.205.185
78.47.122.11
80.90.199.196
81.31.43.43
82.165.197.58
83.170.91.152
84.246.210.87
88.191.97.108
97.74.87.3
124.11.65.210
125.214.74.8
129.67.100.11
173.201.187.225
173.230.137.129
173.255.229.33
174.122.121.154
209.59.222.145
211.44.250.173