Sponsored by..

Wednesday 9 January 2013

Something evil on 173.246.102.246

173.246.102.246 (Gandi, US) looks like it is being used for exploit kits being promoted either through malvertising or through exploited OpenX ad servers.

In the example I have seen, the malicious payload is at [donotclick]11.lamarianella.info/read/defined_regulations-frequently.php (report here). These other domains appear to be on the same server, all of which can be assumed to be malicious:

11.livinghistorytheatre.ca
11.awarenesscreateschange.com
11.livinghistorytheatre.com
11.b2cviaggi.com
11.13dayz.com
11.lamarianella.info
11.studiocitynorth.tv
11.scntv.tv

These all appear to be legitimate but hijacked domains, you may want to block the whole domain rather than just the 11. subdomain.

No comments: