
Thursday 15 August 2013

Something evil on 162.211.231.16

The server at 162.211.231.16 (IT7 Networks, Canada) is currently being used in injection attacks (example) that have been going on for some time [1] [2]. The attack uses several domains, some of which are listed below.

The WHOIS details for these domains seem to be consistent but are possibly fake:

Registrant ID:CR148448937
Registrant Name:Leonardo Salim Chahda
Registrant Street1:Patron 6755
Registrant Street2:
Registrant Street3:
Registrant City:Capital Federal
Registrant State/Province:Buenos Aires
Registrant Postal Code:1408
Registrant Country:AR
Registrant Phone:+46.444407
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:info@brigitteunderwear.com


All the domains are very recently registered by GoDaddy. The WHOIS details for brigitteunderwear.com (also registered by GoDaddy in 2006) are consistent, but I've seen enough hijacked GoDaddy domains recently to be suspicious that there could be an element of identity theft here, and the named person may well have nothing to do with this attack.

I haven't had time to poke around at the payload too much, but this could well be a good IP to block, or alternatively you could block the list of domains that I have identified below (it may not be comprehensive, though).

Recommended blocklist:
162.211.231.16
acioepod.biz
acioepod.info
acioepod.org
acioepod.us
adrietod.biz
adrietod.info
adrietod.org
adrietod.us
alienore.biz
alienore.info
alienore.org
alienore.us
alpirute.biz
alpirute.info
alpirute.org
alpirute.us
alpojser.biz
alpojser.info
alpojser.net
alpojser.us
aniopirs.us
bialooes.biz
bialooes.info
bialooes.org
bialooes.us
boriskpr.biz
boriskpr.info
boriskpr.org
boriskpr.us
bugaletir.biz
bugaletir.info
bugaletir.org
bugaletir.us
bugaltoiy.biz
bugaltoiy.info
bugaltoiy.org
bugaltoiy.us
buhortes.biz
buhortes.info
buhortes.org
buhortes.us
caniopeo.us
caoilrsr.biz
caoilrsr.info
caoilrsr.org
caoilrsr.us
ciponeor.biz
ciponeor.info
ciponeor.org
ciponeor.us
deilonei.biz
deilonei.info
deilonei.org
deilonei.us
delovyto.biz
delovyto.info
delovyto.org
delovyto.us
diopoesl.us
diposero.biz
eniroikj.biz
eniroikj.info
eniroikj.org
eniroikj.us
feocipor.biz
feocipor.info
feocipor.org
feocipor.us
foleiord.biz
foleiord.info
foleiord.org
foleiord.us
foliadoe.biz
foliadoe.info
foliadoe.org
foliadoe.us
foprtise.biz
foprtise.info
foprtise.org
foprtise.us
gelaiork.biz
gelaiork.info
gelaiork.org
gelaiork.us
gipoeror.biz
gipoeror.info
gipoeror.org
golerods.biz
golerods.info
golerods.org
golerods.us
imanielo.biz
imanielo.info
imanielo.net
imanielo.us
mokioers.org
nimolpeo.biz
nimolpeo.info
nimolpeo.org
nimolpeo.us
niuritos.biz
niuritos.info
niuritos.org
niuritos.us
okoreiki.biz
okoreiki.info
okoreiki.net
okoreiki.us
openirod.biz
openirod.info
openirod.org
openirod.us
reoiklri.biz
reoiklri.info
reoiklri.org
reoiklri.us
tolikord.biz
tolikord.info
tolikord.org
tolikord.us
viloeirp.biz
viloeirp.org
vilosprs.biz
vilosprs.info
vilosprs.org
vilosprs.us
vokoralr.biz
vokoralr.info
vokoralr.org
vokoralr.us
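As an added example (not part of the original post), here is one way a defender can actually use a list like the one above: parse it into IP and domain entries, match web-proxy log lines against it (matching subdomains of a listed domain, but not look-alike names that merely end in the same string), and emit a BIND Response Policy Zone fragment so the resolver sinkholes the names. The blocklist subset and the Squid-style log lines are constructed for the example; a real run would feed in the full list and real logs.

```python
"""Blocklist -> log matcher + BIND RPZ fragment (added example, not from the post)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed subset of the post's blocklist; a real run reads the whole list.
BLOCKLIST_TEXT = """\
162.211.231.16
acioepod.biz
acioepod.info
alpojser.net
vokoralr.us
"""

# Constructed Squid-style access log lines: time client status bytes method url
SAMPLE_LOG = """\
1376568000.123 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/index.html
1376568001.456 10.0.0.7 TCP_MISS/200 1024 GET http://acioepod.biz/js/loader.js
1376568002.789 10.0.0.9 TCP_MISS/200 2048 GET http://cdn.alpojser.net/x.php
1376568003.012 10.0.0.5 TCP_MISS/200 300 GET http://162.211.231.16/path
1376568004.345 10.0.0.8 TCP_MISS/200 300 GET http://notacioepod.biz/
"""

LOG_RE = re.compile(r"\S+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")


class Blocklist:
    """Splits a one-entry-per-line list into IP addresses and domain names."""

    def __init__(self, text):
        self.ips = set()
        self.domains = set()
        for line in text.splitlines():
            entry = line.strip().lower()
            if not entry or entry.startswith("#"):
                continue
            try:
                self.ips.add(ipaddress.ip_address(entry))
            except ValueError:
                self.domains.add(entry.rstrip("."))

    def matches_host(self, host):
        """True if host is a listed IP, a listed domain, or a subdomain of one."""
        host = host.strip().lower().rstrip(".")
        try:
            return ipaddress.ip_address(host) in self.ips
        except ValueError:
            pass
        labels = host.split(".")
        # Walk up the label hierarchy so cdn.alpojser.net matches alpojser.net,
        # while notacioepod.biz does NOT match acioepod.biz (no plain suffix test).
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels) - 1))


def scan_log(blocklist, lines):
    """Return (client, host) pairs for log lines whose URL host is on the list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname
        if host and blocklist.matches_host(host):
            hits.append((m.group("client"), host))
    return hits


def to_rpz(blocklist):
    """Emit RPZ records: CNAME . (NXDOMAIN) for each domain, its wildcard, and IPv4 entries."""
    records = []
    for domain in sorted(blocklist.domains):
        records.append(f"{domain} CNAME .")
        records.append(f"*.{domain} CNAME .")
    for ip in sorted(blocklist.ips, key=str):
        if ip.version != 4:
            continue  # only the IPv4 rpz-ip trigger form is handled here
        reversed_octets = ".".join(reversed(str(ip).split(".")))
        records.append(f"32.{reversed_octets}.rpz-ip CNAME .")
    return "\n".join(records)


if __name__ == "__main__":
    bl = Blocklist(BLOCKLIST_TEXT)
    for client, host in scan_log(bl, SAMPLE_LOG.splitlines()):
        print(f"HIT client={client} host={host}")
    print(to_rpz(bl))
```

The label-walk in `matches_host` is the part worth copying: a naive `host.endswith(domain)` check would also flag unrelated names such as `notacioepod.biz`, which produces false positives when the list is used for alerting. The `rpz-ip` records use BIND's prefix-length-then-reversed-octets form, so resolver answers pointing at the listed server are sinkholed even when a domain not on the list is used.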