Thursday 26 September 2013

Something evil on 91.231.98.149 and boats.net

This injection attack [urlquery] on boats.net caught my attention, a nasty bit of injected code pointing to a (now suspended) domain called gamelikeboards.biz hosted on 91.231.98.149 (Neohost.net, Ukraine). Basically, the victim website has code injected pointing to [donotclick]gamelikeboards.biz/_cp/crone/ which cannot be anything good.

What do we know about gamelikeboards.biz? As luck would have it, the domain was suspended by the registrar, who also removed the Privacy Protection giving the following WHOIS details:

Registrant ID:             DI_29743100
Registrant Name:           Deni Kember
Registrant Organization:   N/A
Registrant Address1:       350 W 42nd St #37D
Registrant City:           New York
Registrant State/Province: NY
Registrant Postal Code:    10036
Registrant Country:        United States
Registrant Country Code:   US
Registrant Phone Number:   +1.6337362122
Registrant Email:          deni_kember658@ghanamail.com


I suspect that these details are fake. The address given is this rather nice $2.1 million apartment in New York, which I suspect has been chosen at random.

I can identify some other (almost definitely malicious) domains that are either on the same server or have been there recently:
eschewsramping.biz
gamelikeboards.biz
sixteenups.biz
sorelyzipmagics.biz
technicaltutoring.biz
zarazagorakakaxx1.org
zarazagorakakaxx2.com

The IP address is allocated as follows:

inetnum:        91.231.98.0 - 91.231.98.255
netname:        NEOHOST
descr:          FOP ILIUSHENKO VOLODYMYR OLEXANDROVUCH
descr:          Neohost.net
country:        UA
org:            ORG-FIVO1-RIPE
admin-c:        IV1015-RIPE
tech-c:         IV1015-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         NEOHOST-MNT
mnt-routes:     NEOHOST-MNT
mnt-domains:    NEOHOST-MNT
source:         RIPE # Filtered

organisation:   ORG-FIVO1-RIPE
org-name:       Neohost.net
org-type:       other
address:        Ukraine, Kyiv, 03039, Nauki
admin-c:        IV1015-RIPE
mnt-ref:        NEOHOST-MNT
mnt-by:         NEOHOST-MNT
source:         RIPE # Filtered

person:         ILIUSHENKO VOLODYMYR
address:        Ukraine, Kyiv, 03039
phone:          +38 (044) 599-79-85
nic-hdl:        IV1015-RIPE
mnt-by:         NEOHOST-MNT
source:         RIPE # Filtered

route:          91.231.98.0/24
descr:          Neohost.net
origin:         AS57311
mnt-by:         NEOHOST-MNT
source:         RIPE # Filtered


The name "ILIUSHENKO VOLODYMYR OLEXANDROVUCH" is an unusual transliteration of a name we would more commonly render as Vladimir Iliushenko, who is the administrator of Neohost. A look at 91.231.98.0/24 indicates a mix of spammy sites plus a number of local Russian and Ukrainian sites that look legitimate. Google's prognosis of AS57311 isn't too bad.

I don't know what the payload is, but the IP address was also used in this recent malware attack. The IP and domains are definitely malicious, and I would recommend the following blocklist:

91.231.98.149
eschewsramping.biz
gamelikeboards.biz
sixteenups.biz
sorelyzipmagics.biz
technicaltutoring.biz
zarazagorakakaxx1.org
zarazagorakakaxx2.com
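One way to put the blocklist above to use, as an added example that is not part of the original post: match the listed domains and IP against proxy-style log lines (constructed here, in an assumed "timestamp client_ip url" format), treating subdomains of a listed domain as hits but not lookalike names that merely end in the same string.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit
import ipaddress

# Indicators taken from the post's recommended blocklist.
BLOCKLIST_IPS = {"91.231.98.149"}
BLOCKLIST_DOMAINS = {
    "eschewsramping.biz", "gamelikeboards.biz", "sixteenups.biz",
    "sorelyzipmagics.biz", "technicaltutoring.biz",
    "zarazagorakakaxx1.org", "zarazagorakakaxx2.com",
}

def host_matches(host: str) -> Optional[str]:
    """Indicator covering `host`, or None. IPs match exactly; domains match
    when listed or a subdomain of a listed name (not lookalike names)."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host if host in BLOCKLIST_IPS else None
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    labels = host.split(".")
    for i in range(len(labels) - 1):  # host itself, then each parent domain
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST_DOMAINS:
            return candidate
    return None

def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line_no, indicator, url) for each request to a listed host. Lines are
    "timestamp client_ip url" (a constructed format, not a real proxy's)."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlsplit(parts[2]).hostname  # drops scheme, port and path
        hit = host_matches(host) if host else None
        if hit:
            hits.append((n, hit, parts[2]))
    return hits

# Constructed sample log lines for illustration.
SAMPLE_LOG = [
    "2013-09-26T10:01:02 10.0.0.5 http://www.example.com/index.html",
    "2013-09-26T10:01:03 10.0.0.5 http://gamelikeboards.biz/_cp/crone/",
    "2013-09-26T10:01:04 10.0.0.7 http://cdn.sixteenups.biz/js/x.js",
    "2013-09-26T10:01:05 10.0.0.7 http://notgamelikeboards.biz/",
    "2013-09-26T10:01:06 10.0.0.9 http://91.231.98.149:8080/_cp/crone/",
]
```

Running `scan_log(SAMPLE_LOG)` reports lines 2, 3 and 5; the lookalike on line 4 is correctly ignored.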

Added: it looks like this site has been compromised before [1] [2] [3]
