Sponsored by..

Wednesday 2 April 2014

Something evil on 213.229.69.41

This tweet by Malmouse got me investigating what was happening on 213.229.69.41.. and the answer is that it appears to be unmitigated badness.

First of all, these domains are either currently or recently hosted on 213.229.69.41, or are associated with it in some way. Ones currently regarded as malicious by Google are highlighted.

cdnjscript.com
cssjscript.com
cssjscript.com
dolinkjs.com
domainjscript.com
getjslink.com
gfthost.com
gotojscript.com
hrefjscript.com
jscriptcdn.com
jscriptcss.com
jscriptin.com
jscriptmod.com
jscriptnow.com
jscriptstyle.com
js-href.com
js-link.com
linkinscript.com
linkjscript.com
metajscript.com
modjscript.com
namejscript.com
regjscript.com
scriptaccept.com
scriptdo.com
scripthttp.com
scriptshttp.com
stylejscript.com
timejscript.com
webjavascript.com
webjslink.com
webjsname.com

VirusTotal gives a good overview of the badness on this IP.


All these domains appear to be recently registered with the exception of gfthost.com which has ns1.gfthost.com and ns2.gfthost.com hosted on the same IP. Both those nameservers are used exclusively for these malware domains, so there must be some sort of connection. The WHOIS details for that are:

Registrant Name: Nikolay Legkov
Registrant Organization: -
Registrant Street: Nevsky 23-7
Registrant City: Saint-Petersburg
Registrant State/Province: Saint-Petersburg
Registrant Postal Code: 197008
Registrant Country: ru
Registrant Phone: +79052789848
Registrant Phone Ext:
Registrant Fax: +79052789848
Registrant Fax Ext:
Registrant Email: admin@gfthost.com


Of course it is trivially easy to fake WHOIS details, so I cannot guarantee that this is really the person behind the malware domains.

Anyway, I recommend that you block 213.229.69.41 (Simply Transit, UK) and/or the domains listed above.

No comments: