I noticed 188.138.89.106 (Intergenia AG, Germany) was the originating IP being used in this spam run using a hijacked 1&1 account, and VirusTotal thinks that the server is pretty darned evil. A quick poke at this box shows that has a number of multihomed malicious and C&C domains.
Looking at some of these servers, I'm suspicious that they may have been compromised using a Plesk vulnerability. Various domains are used for botnets, including some Bitcoin miners. There may be some formerly legitimate domains in this mix, but given the compromised nature of the servers I would not trust them.
37.123.112.147 (UK2.NET, UK)
37.123.113.7 (UK2.NET, UK)
68.169.38.143 (Westhost Inc, US)
68.169.42.177 (Westhost Inc, US)
74.208.133.134 (1&1, US)
85.25.86.198 (Intergenia AG, Germany)
109.123.95.8 (UK2.NET, UK)
188.138.89.106 (Intergenia AG, Germany)
212.53.167.13 (FASTCOM IP Net, Poland)
212.227.53.20 (1&1, Germany)
212.227.252.92 (1&1, Germany)
213.165.71.238 (1&1, Germany)
217.160.173.154 (1&1, Germany)
Recommended blocklist:
37.123.112.147
37.123.113.7
68.169.38.143
68.169.42.177
74.208.133.134
85.25.86.198
109.123.95.8
188.138.89.106
212.53.167.13
212.227.53.20
212.227.252.92
213.165.71.238
217.160.173.154
bayrische-kampfplantage.de
f.eastmoon.pl
final.toles.org
final.twiaci.com
fujimoto-group.jp
gigasbh.org
gigasphere.su
jobs.4zox.com
ks-reifenservice.de
mh-wellnesscoach.de
mikimouse.net
move-aube.fr
naturalcuresdoc.com
naturalcuresdocanswers.com
newbigjob.de
p15114714.pureserver.info
s.richlab.pl
secure.redirectsite.net
soulvampire-ice.de
streetdanceroom.de
tests.gigasbh.org
toles.org
treibholzundmeer.de
try.aktivoxigen.com
wireless-work.su
xixbh.com
xixbh.net
xray868.server4you.de
xxxxxxxxxxxxxxx.kei.su
No comments:
Post a Comment