Sponsored by..

Monday 17 March 2014

Something evil on 198.50.140.64/27

Thanks again to Frank Denis (@jedisct1) for this heads up involving grubby web host OVH Canada and their black hat customer "r5x.org / Penziatki" hosting the Nuclear EK in 198.50.140.64/27.

A full list of all the web sites I can find associated with this range can be found here, but the simplest thing to do is block 198.50.140.64/27 completely (or if you are paranoid about security and don't mind some collateral damage block 198.27.0.0/16 and 198.50.0.0/16).

Domains in use that I can identify are listed below. I recommend you block all of them. Domains listed as malicious by Google are in red, those listed as suspect by SURBL are in italics.

Recommended blocklist:

198.50.140.64/27
ingsat.eu
kingro.biz

allnew-overstocked-items.us
auto-policy-june.us
creditscorerangeadvice.com
endenergy-bills.us
endundereyedarkcircles.us
getmatch-on-line.us
godating-thurs.us
gomarine-nows.us
neweyehealth-now.us
new-omeganew.us
nowreverse-new.us
topomegafi-x.us
calculated1.us
advisoracct.us
auto9spec.us
autocquotes.us
brightmangroup.us
car04212.us
dailytips4health.us
estrexpe.eu
facts4burningfat.us
fallspecials1.us
freereview.us
fsaccounting.us
homes1research.us
homesavngs.us
hometactics.us
ieligible.us
imusiche.biz
kleycast.biz
kunstar.eu
maoride.eu
micklet.com
my3newscores.us
myreport3card.us
newdaily-health-tip.us
new-healthtip-today.us
newomegaheartfix.us
newoverstock-now.us
newproprate.us
newvisionsummer.us
note018271.us
rate-changes1.us
ratedropps.us
ratenotice09182.us
renew-autoprotection.us
reportcenter3.us
repostcc.us
sandersonhomes.us
spauto1.us
theactivity3.us
unifiedregister1.us
updateon3report.us
updateratehr.us
updscore03.us
uptodate-records3.us

No comments: