Thursday 13 March 2014

Evil network: OVH Canada / r5x.org / Penziatki

Note: a more up-to-date list can be found here.

Hat tip to Frank Denis (@jedisct1) for this report on Nuclear EKs hosted by OVH Canada using their infamous "Penziatki" customer, which is linked to black-hat host r5x.org. The blocks have been identified as belonging to that customer and I would recommend that you block them:

198.27.114.16/30
198.27.114.64/27
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.231.204/30


OVH Canada have repeatedly hosted exploit kits for this customer, to the extent that I am suspicious that they have been compromised in some way. The following blocks have been identified as serving up malware in the recent past:

192.95.6.24/29
192.95.7.8/30
192.95.7.224/28
192.95.10.16/29
192.95.10.208/28
192.95.41.88/29
192.95.43.160/28
192.95.46.56/30
192.95.46.60/30
192.95.46.132/30
192.95.47.232/30
192.95.47.236/30
198.27.96.132/30
198.27.103.204/30
198.27.114.16/30
198.27.114.64/27
198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.204.240/30
198.50.204.244/30
198.50.212.172/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.231.204/30
198.50.235.196/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30

Obviously there is a problem here. If you are in a security-sensitive environment then you might simply want to block traffic to the following ranges:

198.27.0.0/16
198.50.0.0/16

Of course this will block many legitimate sites, but if stopping exploit kits is a priority over some user inconvenience then you may want to consider it. If you want a slightly more nuanced blocklist then these ranges contain the biggest concentration of malware:

198.27.114.0/24
198.50.172.0/24
198.50.186.0/24
198.50.197.0/24
198.50.231.0/24

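To make the three tiers above usable, here is an added example (not part of the original post) that loads the blocks exactly as listed on this page, collapses the adjacent /30s into the smallest equivalent supernets, reports which entries from the longer list the five /24s would not catch, classifies an address by the tightest tier it falls in, and emits iptables rules. The tier names, the function names and the `OUTPUT` chain default are my own choices; the addresses are copied from the lists above.

```python
import ipaddress

# CIDR blocks copied from the lists on this page. The tiers are the post's
# own: the Penziatki customer blocks, the wider "served malware" list, the
# five /24s with the densest concentration, and the two /16s.
PENZIATKI_BLOCKS = [
    "198.27.114.16/30", "198.27.114.64/27", "198.50.186.232/30",
    "198.50.186.236/30", "198.50.186.252/30", "198.50.231.204/30",
]
MALWARE_BLOCKS = [
    "192.95.6.24/29", "192.95.7.8/30", "192.95.7.224/28", "192.95.10.16/29",
    "192.95.10.208/28", "192.95.41.88/29", "192.95.43.160/28", "192.95.46.56/30",
    "192.95.46.60/30", "192.95.46.132/30", "192.95.47.232/30", "192.95.47.236/30",
    "198.27.96.132/30", "198.27.103.204/30", "198.27.114.16/30", "198.27.114.64/27",
    "198.50.164.240/30", "198.50.172.64/30", "198.50.172.68/30", "198.50.172.72/30",
    "198.50.172.76/30", "198.50.197.28/30", "198.50.197.48/30", "198.50.197.52/30",
    "198.50.197.56/30", "198.50.197.60/30", "198.50.186.232/30", "198.50.186.236/30",
    "198.50.186.252/30", "198.50.204.240/30", "198.50.204.244/30", "198.50.212.172/30",
    "198.50.219.240/30", "198.50.219.248/30", "198.50.224.240/30", "198.50.231.204/30",
    "198.50.235.196/30", "198.50.242.120/30", "198.50.246.240/30", "198.50.247.248/30",
    "198.50.247.252/30", "198.50.251.168/30", "198.50.251.172/30",
]
HOT_SUBNETS = ["198.27.114.0/24", "198.50.172.0/24", "198.50.186.0/24",
               "198.50.197.0/24", "198.50.231.0/24"]
WHOLE_RANGES = ["198.27.0.0/16", "198.50.0.0/16"]

# Tier names are my own labels, ordered from most specific to most aggressive.
TIERS = [("penziatki", PENZIATKI_BLOCKS), ("malware", MALWARE_BLOCKS),
         ("hot-subnet", HOT_SUBNETS), ("ovh-range", WHOLE_RANGES)]


def parse(cidrs):
    """Parse strictly: a typo such as a host bit set in the prefix raises here
    instead of silently turning into a wrong firewall rule."""
    return [ipaddress.ip_network(c) for c in cidrs]


def collapse(cidrs):
    """Merge adjacent or overlapping blocks into the smallest equivalent set of
    supernets (four consecutive /30s become one /28), sorted by address."""
    return [str(n) for n in ipaddress.collapse_addresses(parse(cidrs))]


def classify(ip):
    """Return the name of the tightest tier containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in TIERS:
        if any(addr in net for net in parse(cidrs)):
            return name
    return None


def uncovered_by_hot_subnets(cidrs=MALWARE_BLOCKS):
    """Collapsed blocks from the malware list that the five /24s would NOT
    catch, so a reader choosing the 'nuanced' tier knows what stays open."""
    hot = parse(HOT_SUBNETS)
    return [str(n) for n in ipaddress.collapse_addresses(parse(cidrs))
            if not any(n.subnet_of(h) for h in hot)]


def iptables_rules(cidrs, chain="OUTPUT"):
    """One DROP rule per collapsed block; chain name is an assumed default."""
    return [f"iptables -A {chain} -d {c} -j DROP" for c in collapse(cidrs)]


if __name__ == "__main__":
    print("collapsed malware list:", len(collapse(MALWARE_BLOCKS)), "blocks")
    print("not covered by the /24 tier:", uncovered_by_hot_subnets())
    for ip in ("198.27.114.17", "198.50.186.1", "198.50.1.1", "8.8.8.8"):
        print(ip, "->", classify(ip))
    print("\n".join(iptables_rules(PENZIATKI_BLOCKS)))
```

Collapsing matters when a list like this grows: the 43 entries in the long list reduce to 31 rules, and the `uncovered_by_hot_subnets` output shows that the /24 tier leaves every 192.95.x block and most of the scattered 198.50.x /30s unblocked, which is the trade-off the text describes.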

OVH must be aware of the reputation of their customer. I wonder why they keep tolerating them on their network?