Sponsored by..

Thursday 20 March 2014

Evil network: OVH Canada / r5x.org / Penziatki (updated)

I've covered OVH Canada and their black hat customer r5x.org aka "Penziatki" before. They consistently host exploit kits, and the way that the bad hosts are spread over OVH's network looks like a deliberate attempt at snowshoeing.

The following blocks in the OVH range have hosted malware from this customer. Some of the IPs are identified through my own research, others through OSINT from others, notably Frank Denis, @ReverseChris and .

192.95.6.24/29
192.95.6.92/30
192.95.6.196/30
192.95.7.8/30
192.95.7.224/28
192.95.10.16/29
192.95.10.208/28
192.95.12.56/30
192.95.40.240/30
192.95.41.88/29
192.95.43.160/28
192.95.44.0/27
192.95.46.56/30
192.95.46.60/30
192.95.46.132/30
192.95.47.232/30
192.95.47.236/30
192.95.51.164/30
192.95.58.176/30

198.27.96.132/30
198.27.103.204/30
198.27.114.16/30
198.27.114.64/27

198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.177.120/30
198.50.185.64/27
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.204.240/30
198.50.204.244/30
198.50.212.116/30
198.50.212.172/30
198.50.216.144/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.231.204/30
198.50.235.196/30
198.50.241.120/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30

Given the large number of exploits, you might want to consider a larger pre-emptive block on the OVH Canada ranges if you are in a security-sensitive environment and can live with blocking some of the legitimate sites that OVH also host.

192.95.0.0/16
198.27.0.0/16
198.50.0.0/16


I'll try to keep this blog post updated with more bad OVH Canada ranges as they are brought to my attention. Please consider adding any new information to the Comments if you have some. Thanks!

No comments: