Sponsored by..

Monday 3 February 2014

Something evil on 192.95.43.160/28

More badness hosted by OVH Canada, this time 192.95.43.160/28 which contains pretty much the same set of evil described here. Here is a typical IP flagged by VirusTotal and a failed resolution by URLquery which frankly gives enough information to make it suspicious.

However, the key thing is the registrant details which have been used in many malware attacks before.

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859116


I can see the following .pw domains active in this range:
basecoach.pw
crewcloud.pw
boomerangfair.pw
kickballmonsoon.pw
martialartsclub.pw
runningracer.pw


All those domains are flagged by Google as malicious and I recommend that you block them along with 192.95.43.160/28.

(Hat tip to my source, you know who you are!)

No comments: