Friday, 14 February 2014

Malware sites to block 14/2/14

This bunch of OVH Canada-hosted nameservers and IP ranges is supporting malware distribution via the Nuclear Exploit Kit (as described here by Umbrella Labs).

OVH Canada have a long history with this bad actor (who I believe to be r5x.org), and these /29 and /30 blocks spread throughout OVH's range make it more difficult to block the IPs. Are OVH providing snowshoe malware distribution services? It does look like it. Perhaps OVH can prove me wrong by banishing this bad customer once and for all.

First of all, we have a set of nameservers being used to support mostly .pw domains hosting the Nuclear EK. The nameservers I can see that are active are:

Those nameservers are hosted in the following ranges, exclusively supplied by OVH Canada. If you are in a security-sensitive environment then I would recommend using larger blocks.
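Since the advice here is to block wider than the scattered /29 and /30 entries, the following is an added Python example (not code from the original post) that widens such entries to a chosen prefix, merges the result and shows the over-blocking cost of each choice; SAMPLE_BLOCKS is constructed from RFC 5737 documentation ranges, not from the OVH ranges listed above.

```python
# Added example: widen narrow blocklist entries (/29, /30) to a coarser prefix,
# collapse the result, and measure how many addresses the wider blocks cover.
import ipaddress
from typing import Iterable, List

# Constructed sample input using RFC 5737 documentation ranges, shaped like
# the scattered /29 and /30 entries discussed in the post (not the real list).
SAMPLE_BLOCKS = [
    "192.0.2.24/29",
    "192.0.2.56/30",
    "192.0.2.60/30",
    "198.51.100.240/30",
    "203.0.113.0/24",
]


def widen_blocks(cidrs: Iterable[str], min_prefix: int = 24) -> List[ipaddress.IPv4Network]:
    """Widen every block narrower than min_prefix up to min_prefix, then merge
    overlapping or adjacent blocks. Blocks already at or wider than min_prefix
    are kept unchanged. Output is sorted, as collapse_addresses() yields it."""
    widened = []
    for entry in cidrs:
        net = ipaddress.IPv4Network(entry.strip(), strict=False)
        if net.prefixlen > min_prefix:
            net = net.supernet(new_prefix=min_prefix)
        widened.append(net)
    return list(ipaddress.collapse_addresses(widened))


def is_blocked(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if ip falls inside any network in nets."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in nets)


def address_count(nets: Iterable[ipaddress.IPv4Network]) -> int:
    """Total addresses covered: the over-blocking cost of a wider prefix."""
    return sum(net.num_addresses for net in nets)


if __name__ == "__main__":
    for prefix in (30, 28, 24):
        nets = widen_blocks(SAMPLE_BLOCKS, prefix)
        print(f"/{prefix}: {[str(n) for n in nets]} covers {address_count(nets)} addresses")
```

On this sample, widening to /24 covers 768 addresses against 304 at /28, which is the trade-off to weigh before choosing the larger blocks recommended above.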

I can see the following domains being actively supported by these nameservers, all of which should be considered hostile: