Sponsored by..

Friday, 31 January 2014

Something evil on 192.95.10.208/28

192.95.10.208/28 (OVH, Canada) is being used to deliver exploit kits utlising .pw domains, for an example see this URLquery report.  The following domains are being used in these attack (although there may be more):

accountantillustrator.pw
actuarydancer.pw
ambassadoradvisor.pw
animatorcarpenter.pw
animatorgovernor.pw
archeractor.pw
archerclub.pw
archerlecturer.pw
archerycartoonist.pw
arenacycling.pw
arenalandlord.pw
arrowcompete.pw
arrowfitness.pw
artistgovernor.pw
athleteexplorer.pw
athleteexterminator.pw
athletehandyman.pw
athleticsbanker.pw
athleticsdrycleaner.pw
attorneygeologist.pw
ballballerina.pw
ballcoroner.pw
ballerinaconsul.pw
ballerinalaundress.pw
balllobbyist.pw
ballracer.pw
baseballdefense.pw
baseballhardball.pw
baseballmechanic.pw
basketballdj.pw
basketballillustrator.pw
batdart.pw
batdj.pw
batmonk.pw
batolympics.pw
batterpool.pw
battingconcierge.pw
battingrunning.pw
biathlonlandscaper.pw
bicyclebarber.pw
bicyclechaplain.pw
bicycleracket.pw
bikegeneral.pw
bikingoptician.pw
biologistcabdriver.pw
bobsleighcaterer.pw
bobsleighcop.pw
bobsleighfirefighter.pw
bobsleighjockey.pw
boccebowling.pw
boccepercussionist.pw
boomerangbobsleigh.pw
boomerangcompete.pw
bowcobbler.pw
bowlerkayaking.pw
boxercashier.pw
bronzehairdresser.pw
buntcop.pw
buntexporter.pw
buntgymnastics.pw
butchernegotiator.pw
canoegardener.pw
carpenterorderly.pw
cartographerlandscaper.pw
catchergeologist.pw
catchlandscaper.pw
championbatting.pw
championshipcobbler.pw
championshipdoorman.pw
championshipgear.pw
championshipjester.pw
championshipjockey.pw
championshipmarketer.pw
clubfarmer.pw
coachbarber.pw
coachgolfer.pw
competeexporter.pw
competepediatrician.pw
competingbowler.pw
competingcoach.pw
competitioncryptographer.pw
competitionexplorer.pw
competitorhairdresser.pw
competitornovelist.pw
conciergemanufacturer.pw
contractorexterminator.pw
crewastronaut.pw
crewmusician.pw
cricketgoalie.pw
cricketjailer.pw
custodiancobbler.pw
cyclebellhop.pw
cyclistcaptain.pw
dartboardequipment.pw
dartboardnavigator.pw
dartboardpathologist.pw
dartlifeguard.pw
decathlonbellhop.pw
decathlondriver.pw
defensenet.pw
defensepaleontologist.pw
dermatologistinstructor.pw
designerbabysitter.pw
designercoach.pw
diamondgolfer.pw
diamondlobbyist.pw
divecycle.pw
diveeconomist.pw
divepainter.pw
diverbabysitter.pw
diverbowler.pw
divingauthor.pw
djnegotiator.pw
dodgeballgolfer.pw
doormanparkranger.pw
driverpawnbroker.pw
editordictator.pw
electricianbaker.pw
engineerastronaut.pw
entomologistbowler.pw
entrepreneurpatrol.pw
epeebowler.pw
epeeintern.pw
epeelandlord.pw
epeelinguist.pw
epeerunning.pw
exercisebatter.pw
exportercatcher.pw
farmerlecturer.pw
fencinghandball.pw
fieldercartographer.pw
fielderpaleontologist.pw
fielderpercussionist.pw
fieldingauctioneer.pw
figureskatingbuilder.pw
figureskatingchemist.pw
footballbunt.pw
footballcustodian.pw
footballlyricist.pw
frisbeebike.pw
gamenurse.pw
gearathlete.pw
generalillustrator.pw
geneticisteconomist.pw
geneticistgolfer.pw
goalbicycling.pw
goalcatcher.pw
goaldj.pw
goalhardball.pw
goaliebilliards.pw
goalielocksmith.pw
goalmedal.pw
goalmedal.pw
goalpawnbroker.pw
goalpercussionist.pw
golferdoorman.pw
golferentomologist.pw
golfingfirefighter.pw
guardcryptographer.pw
guardextra.pw
guardhandyman.pw
gymeducator.pw
gymmarketer.pw
gymnastcardiologist.pw
gymnasticsarchery.pw
gymnasticscobbler.pw
gymnasticsdictator.pw
gymnastnun.pw
halftimeillustrator.pw
handballhome.pw
hardballactress.pw
hardballastronomer.pw
hardballjumper.pw
helmetgolfer.pw
helmetjailer.pw
highjumpbiologist.pw
highjumpcashier.pw
highjumpguide.pw
hoboexporter.pw
hoopbiking.pw
hoopgear.pw
huddlecompete.pw
huddleparalegal.pw
hurdlebutler.pw
hurdlecompetitor.pw
hurdleforeman.pw
hurdlemove.pw
jailercardiologist.pw
javelinskate.pw
joggerdirector.pw
journalisthairdresser.pw
judomayor.pw
jumperfisherman.pw
jumperlibrarian.pw
jumpingorderly.pw
jumpingreferee.pw
karatemanufacturer.pw
karateparalegal.pw
kayakathlete.pw
kayakballerina.pw
kayakerbiologist.pw
kayakercabdriver.pw
kayakingconsul.pw
kayakingoperator.pw
kayakingskating.pw
kayaknurse.pw
kickballnurse.pw
lacrossemuralist.pw
lacrosseorderly.pw
landlordexterminator.pw
landlordgardener.pw
landscapercook.pw
landscaperoptician.pw
lecturergatherer.pw
linguistdetective.pw
locksmithillustrator.pw
maidblacksmith.pw
maidornithologist.pw
marinecellist.pw
martialartslinguist.pw
mayordrummer.pw
monklyricist.pw
movemedal.pw
oboistbowler.pw
olympicscompetition.pw
olympicsengineer.pw
opticiannegotiator.pw
orienteeringjanitor.pw
paintergeneral.pw
paralegalbuilder.pw
paralegaleconomist.pw
pawnbrokermanufacturer.pw
peddlerbellhop.pw
pingpongathlete.pw
pingpongbasketball.pw
pingpongempress.pw
pingponghelmet.pw
pitchactor.pw
pitchdart.pw
pitchjanitor.pw
pitchlifeguard.pw
playchauffeur.pw
playerskate.pw
playingoboist.pw
playoffscycle.pw
playoffspeddler.pw
playorienteering.pw
polekayaking.pw
poolgeneticist.pw
poolnegotiator.pw
quarterbackgeneral.pw
quartergeographer.pw
racedrummer.pw
raceengineer.pw
racercellist.pw
racketarcher.pw
racketbaseball.pw
racketdart.pw
racketleague.pw
racketskate.pw
raftingbarber.pw
raftingdancer.pw
raftingfrisbee.pw
raftingkayaker.pw
relaydrycleaner.pw
relayrace.pw
ridingcabdriver.pw
ridingnurse.pw
runbasketball.pw
rundrummer.pw
runningaccountant.pw
runningactuary.pw
skatepole.pw
skatingmuralist.pw
teacherjockey.pw
toolmakerfisherman.pw

The IP forms part of a /28 block belonging to a known bad actor:
NetRange:       192.95.10.208 - 192.95.10.223
CIDR:           192.95.10.208/28
OriginAS:       AS16276
NetName:        OVH-CUST-413973
NetHandle:      NET-192-95-10-208-1
Parent:         NET-192-95-0-0-1
NetType:        Reassigned
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/net/NET-192-95-10-208-1

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859113


I believe that these IPs are connected with a black hat host r5x.org and IPs with these WHOIS details are very often used in exploit kit attacks. I would strongly recommend that you block 192.95.10.208/28 in addition to the domains listed above.

No comments: