
Tuesday 23 April 2013

Something evil on 173.246.104.104

173.246.104.104 (Gandi, US) popped up on my radar after a malvertising attack apparently utilising a hacked OpenX server (I'm not 100% sure which one, so I won't name names) and leading to a payload on [donotclick]laserlipoplasticsurgeon.com/news/pint_excluded.php (report here).

Both VirusTotal and URLquery detect multiple malicious domains on this IP. The domains appear to have been legitimate originally, but they look to have been hijacked by the bad guys somehow. Domains flagged by Google as malicious are marked in red (which is most of them!). I recommend that you apply the following blocklist for the time being:



Update:
I really do recommend blocking all the domains on this IP, including kneetite.com (see report) and the following ones, which have also been discovered on the same server.
laserlipotight.com
laserlipotopdocs.com
laserniptuck.com
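When applying a blocklist like this against proxy or DNS logs, match on domain suffixes rather than substrings, so that subdomains such as www.kneetite.com are caught but a look-alike name such as notkneetite.com is not. The following is an added example in Python and is not from the original post; the blocklist is a small sample built from the post's own IP and domains (one kept in the post's [donotclick] form), and the log lines are constructed.

```python
import ipaddress

# Constructed blocklist: the post's IP plus a few of its domains, one still defanged.
BLOCKLIST_RAW = [
    "173.246.104.104",
    "laserlipoplasticsurgeon.com",
    "kneetite.com",
    "[donotclick]laserlipotight.com/",
]

def refang(indicator):
    """Strip the post's [donotclick] marker and any path; return a bare lowercase host."""
    s = indicator.strip().replace("[donotclick]", "")
    return s.split("/")[0].lower().rstrip(".")

def load_blocklist(raw):
    """Split entries into a set of IP addresses and a set of domains."""
    ips, domains = set(), set()
    for entry in raw:
        host = refang(entry)
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host)
    return ips, domains

def host_is_blocked(host, ips, domains):
    """IPs match exactly; a domain matches itself and any subdomain, never a bare substring."""
    host = refang(host)
    if host in ips:
        return True
    labels = host.split(".")
    # Walk the suffixes: www.kneetite.com -> kneetite.com -> com
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

# Constructed proxy log lines: timestamp, client, destination host, path.
SAMPLE_LOG = """\
2013-04-23T10:01:02 10.0.0.5 www.laserlipoplasticsurgeon.com /news/pint_excluded.php
2013-04-23T10:01:03 10.0.0.5 notkneetite.com /index.html
2013-04-23T10:01:04 10.0.0.7 173.246.104.104 /
2013-04-23T10:01:05 10.0.0.9 example.org /
"""

def scan_log(log_text, raw_blocklist=BLOCKLIST_RAW):
    """Return (client, host) pairs whose destination is on the blocklist."""
    ips, domains = load_blocklist(raw_blocklist)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and host_is_blocked(parts[2], ips, domains):
            hits.append((parts[1], parts[2]))
    return hits
```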
