Sponsored by..

Tuesday 28 May 2013

Something (a bit) evil on 158.255.212.96 and 158.255.212.97

The IPs 158.255.212.96 and 158.255.212.97 (EDIS GmbH, Austria) are hosting malware used in injection attacks (see this example for fussball-gsv.de). These two examples report a TDS URL pattern which is resistant to automated analysis. The domains appear to be part of a traffic exchanger system (never a good idea), but they have been used to distribute malware.

The following sites are hosted on those two domains, plus a link to the Google Safebrowsing diagnostics:
linkstoads.net [no malware reported]
node1.hostingstatics.org [malware reported]
node2.hostingstatics.org
nodeph.hostingstatics.org
numstatus.com [no malware reported]
systemnetworkscripts.org [no malware reported]
finger2.climaoluhip.org [malware reported]
connecthostad.net [malware reported]
netstoragehost.com [malware reported]
nethostingdb.com [no malware reported]

In the cases where no malware has been reported it may well be because Google hasn't visited the site. The domains all have anonymous WHOIS details and have been registered in the past year or so.

I can identify a couple more IPs in this cluster, and I would advise you to treat all the domains here as suspect and add them to your blocklist:
158.255.212.96
158.255.212.97
193.102.11.3
205.178.182.1
hostingstatics.org
climaoluhip.org
numstatus.com
linkstoads.net
systemnetworkscripts.org
connecthostad.net
netstoragehost.com
nethostingdb.com

No comments: