Right at the moment there appears to be a compromised ad being served up by billabong3.wetter.com that redirects to an exploit kit on [donotclick]oseparatekines.net/forum/index.php?showtopic=903878, hosted on 81.17.24.69. That IP is apparently in Switzerland and belongs to a small netblock, as follows:
inetnum: 81.17.24.64 - 81.17.24.95
netname: CLIENT2391
descr: CLIENT2391
country: CH
admin-c: JP5315-RIPE
tech-c: JP5315-RIPE
status: ASSIGNED PA
mnt-by: KP73900-MNT
source: RIPE # Filtered
person: James Prado
address: Torres De Las Americas Torre C Floor 29 Suite 2901 Panama City, Panama
phone: +5078365602
nic-hdl: JP5315-RIPE
mnt-by: KP73900-MNT
source: RIPE # Filtered
route: 81.17.16.0/20
descr: Ripe Allocation
origin: AS51852
mnt-by: KP73900-MNT
source: RIPE # Filtered
The following domains are hosted on that IP address and you should assume they are malicious:
pilotjobsingrash.org
oseparatekines.org
onlineswotchers.org
fishersmansslow.org
oseparatekines.com
swstockhers.com
pilotjobsingrash.in
pilotjobsingrash.info
webswedish.info
oseparatekines.net
onlineswotchers.net
The entire 81.17.24.64/27 range looks suspicious in my opinion. Blocking that range would probably be prudent.
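As an added example (not part of the original post), the script below turns the indicators above into something checkable: it derives the CIDR block from the RIPE inetnum line rather than trusting a hand-typed /27, tests whether a URL's host is either an IP inside that block or one of the listed domains (subdomains included), and emits blocklist entries. The iptables and hosts-file output formats are my choice of illustration, not something the post prescribes; the URLs in the tests are constructed from the indicators on the page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The inetnum line from the RIPE record quoted in the post.
WHOIS_INETNUM = "inetnum: 81.17.24.64 - 81.17.24.95"

# The domains the post lists as hosted on 81.17.24.69.
MALICIOUS_DOMAINS = {
    "pilotjobsingrash.org", "oseparatekines.org", "onlineswotchers.org",
    "fishersmansslow.org", "oseparatekines.com", "swstockhers.com",
    "pilotjobsingrash.in", "pilotjobsingrash.info", "webswedish.info",
    "oseparatekines.net", "onlineswotchers.net",
}


def inetnum_to_networks(line):
    """Convert a RIPE 'inetnum: A - B' line into the minimal list of CIDR
    blocks covering that range (a range need not align to a single prefix)."""
    m = re.match(r"inetnum:\s*(\S+)\s*-\s*(\S+)", line)
    if not m:
        raise ValueError("not an inetnum line: %r" % line)
    first = ipaddress.ip_address(m.group(1))
    last = ipaddress.ip_address(m.group(2))
    return list(ipaddress.summarize_address_range(first, last))


SUSPECT_NETS = inetnum_to_networks(WHOIS_INETNUM)


def ip_is_blocked(ip):
    """True if the address falls inside any of the suspect netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_NETS)


def host_is_blocked(host):
    """True for a listed domain or any subdomain of one
    (e.g. www.oseparatekines.net matches oseparatekines.net)."""
    host = host.lower().rstrip(".")
    parts = host.split(".")
    # Walk from the full name down to the registrable-looking suffix.
    return any(".".join(parts[i:]) in MALICIOUS_DOMAINS
               for i in range(len(parts) - 1))


def url_is_blocked(url):
    """Check a URL against both indicator types: a literal IP host is
    matched against the netblock, a name against the domain list."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        return ip_is_blocked(host)
    except ValueError:  # not an IP literal, so treat it as a hostname
        return host_is_blocked(host)


def blocklist_rules():
    """Emit one egress DROP rule per netblock (iptables syntax, assumed here
    as one common format) plus a hosts-file sinkhole line per domain."""
    rules = ["iptables -A OUTPUT -d %s -j DROP" % net for net in SUSPECT_NETS]
    rules += ["0.0.0.0 %s" % d for d in sorted(MALICIOUS_DOMAINS)]
    return rules


if __name__ == "__main__":
    for rule in blocklist_rules():
        print(rule)
```

The whole /27 is blocked because that is what the post recommends; before applying such a rule outbound from a corporate network it is worth confirming no legitimate service sits in the same 32 addresses, since a small PA assignment can be shared by more than one customer.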
You can see the full script that is being used in the attack here - http://pastebin.com/CMuUm05f