Sponsored by..

Tuesday 5 March 2013

Something evil on 5.9.196.3 and 5.9.196.6

Two IPs in the 5.9.196.0/28 block that you probably want to avoid are 5.9.196.3 and 5.9.196.6. The first of these IPs is being used in an injection attack (in this case via [donotclick]frasselt-kalorama.nl/relay.php) leading to two identified malware landing pages:

[donotclick]kisielius.surfwing.me/world/explode_conscious-scandal.jar (report here)
[donotclick]alkalichlorideasenteeseen.oyunhan.net/world/romance-apparatus_clinical_repay.php (report here)

Domains visible on 5.9.196.3 include:
alkalichlorideasenteeseen.oyunhan.net
kisielius.surfwing.me
dificilmentekvelijitten.surfwing.me
kisielius.surfwing.me
befool-immatriculation.nanovit.me
locoburgemeester.toys2bsold.com
ratiocination-wselig.smithsisters.us

A few IPs along is 5.9.196.6 which hosts the following domain that also looks highly suspect:
inspegrafstatkakukano.creatinaweb.com

Blocking these domains completely is probably a good idea:
oyunhan.net
surfwing.me
nanovit.me
toys2bsold.com
smithsisters.us
creatinaweb.com

5.9.196.0/28 is a Hetzner IP allocated to:

inetnum:        5.9.196.0 - 5.9.196.15
netname:        PQCSERVICE-LLC
descr:          pqcservice llc
country:        DE
admin-c:        VS4214-RIPE
tech-c:         VS4214-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE # Filtered

person:         Vadim Sheyin
address:        pqcservice llc
address:        Universitetskaya 2a
address:        61091 Kharkov
address:        UKRAINE
phone:          +380506268399
nic-hdl:        VS4214-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered


I haven't seen anything of value in this /28, blocking it may be prudent.

No comments: