Sponsored by..

Tuesday 25 November 2014

What the heck is with 104.152.215.0/25?

A contact gave me the heads up to an exploit kit running on 104.152.215.90 [virustotal] which appears to be using MS16-064 among other things [urlquery].

104.152.215.90 belongs to Query Foundry LLC in Wyoming, however they suballocated it to a customer:

NetRange:       104.152.215.0 - 104.152.215.127
CIDR:           104.152.215.0/25
NetName:        QUERYFOUNDRY
NetHandle:      NET-104-152-215-0-1
Parent:         QUERYFOUNDRY-06 (NET-104-152-212-0-1)
NetType:        Reassigned
OriginAS:       AS62638
Customer:       Shanghe Yang (C05354145)
RegDate:        2014-09-30
Updated:        2014-09-30
Ref:            http://whois.arin.net/rest/net/NET-104-152-215-0-1

CustName:       Shanghe Yang
Address:        707 Wilshire Blvd
City:           Los Angeles
StateProv:      CA
PostalCode:     90017
Country:        US
RegDate:        2014-09-30
Updated:        2014-09-30
Ref:            http://whois.arin.net/rest/customer/C05354145
707 Wilshire Boulevard is a massive office block  but I suspect that this is just an accommodation address, so there's no real lead on who this customer is.

A look at the contents of the /25 is puzzling, because I can see almost 1500 sites [csv] on a number of active IPs [txt], almost none of which have any kind of discernible web presence or reputation. 

Drilling down into the domains and registrants [csv] shows a list of either Chinese or US registrants, but in the vast majority of cases they look to be fake. The key indicator is that the email addresses listed are all of a similar format and bear no relationship whatsoever to the name of the registrant.

The random structure of most of the domains is an indicator of possible maliciousness. The few domains that don't meet these pattern seem to be .fr domains which look like they have been hijacked or re-registered.. and oddly they are all registered to different (often obviously fake) people at the same address in France:


address:     13, rue de rohrwiller bischwiller,67240 Bas-Rhin, France 139 a
address:     67240 Bischwiller
address:     Bas-Rhin
country:     FR


It isn't a big place according to Google.  I doubt if there is a Assad Sfdsadsfw, Yfdsjshfk Ynagkjhk, Qewqewq Sfwad or Poiug Pppobflgk living in that location.

Although there is not much data about the range, there are a couple of domains that are also flagged a malicious:

sxzav.xyz [Google diagnostics]
klioz.xyz [Google diagnostics]

Quite why they are flagged as malicious is a puzzle.

My personal opinion is that there is enough evidence to treat 104.152.215.0/25 as a suspect network. It does not appear to have any legitimate sites, the sites that do exist are of an unknown purpose and often have apparently fake WHOIS details for the domains.

Blocking or monitoring for traffic to and from that /25 is the easiest way of doing it, alternatively these are the domains being used in this network block:

izhse.com.cn
nmfcd.com.cn
szeeo.com.cn
trfqg.com.cn
uzwqy.com.cn
ycrlru.cn
yifxu.cn
yivuu.cn
yoezuu.cn
yrmhmu.cn
yszrru.cn
yyknu.cn
bcczrvo.com
bzvod.com
cyhgeqm.com
dgudwco.com
dhidzbo.com
dhwgfub.com
dnzwafr.com
dqlivdc.com
enndmfy.com
eufxdtc.com
eugutxh.com
fprtrsz.com
fytwhsw.com
gwrvwed.com
heghsbq.com
hotkii.com
hsephqf.com
iondydc.com
jeyztjy.com
jjfnshu.com
jpkwin.com
jtgypou.com
jtvkrv.com
kudnzpq.com
lgyudpy.com
mhmzyqf.com
mhxipaw.com
mtqlgko.com
nekclhr.com
ngieznn.com
nwnfbmn.com
okjepel.com
pbqbgkd.com
pcerrxh.com
plqrwgl.com
qebywad.com
qtknjnb.com
ripyiht.com
scauyfs.com
svyqkuu.com
sxfkzgf.com
tfwvtxy.com
ubqyfht.com
uewswa.com
umremdh.com
uuyrvtf.com
vdblrqb.com
vjqmryt.com
wgsunfk.com
wubpcb.com
xjgvtvs.com
xqyvqtx.com
ypnmxpe.com
ysmryfm.com
yyxkaqs.com
zakagps.com
zbecfan.com
mudanguojiyulecheng.eu
feldo-luxury.fr
latable-brasserie.fr
lestudio-orthez.fr
limpid.fr
mariepapier.fr
mobile-prepaye.fr
piscines-spas-95.fr
taxi-saint-medard-de-guizieres.fr
thermoservices.fr
tout-com-magny.fr
vansboutique.fr
fxy101.org
fxy102.org
fxy103.org
fxy105.org
fxy106.org
fxy107.org
fxy108.org
fxy109.org
sz101.org
sz103.org
sz118.org
sz188.org
tz100.org
tz110.org
7381.pw
97897.pw
417700.pw
ccbjz.pw
cdjgey.pw
dfjglr.pw
dfojy.pw
dgkjgy.pw
dlgjt.pw
hljbjz.pw
hrbbz.pw
hzkhj.pw
jlbzj.pw
jsbzj.pw
kdjjt.pw
kjdkg.pw
lnbzj.pw
njkuy.pw
sdbzj.pw
sdjkls.pw
sdljog.pw
sjaux.pw
sldjog.pw
sxbzj.pw
sybzj.pw
szjbzj.pw
tjbyee.pw
whgiut.pw
cmslj.xyz
fdslj.xyz
fjdxz.xyz
hbdxz.xyz
hkdxz.xyz
hljdxz.xyz
hndxz.xyz
klioz.xyz
myslj.xyz
nhslj.xyz
njdxz.xyz
sxzav.xyz
tlslj.xyz
tnslj.xyz
whslj.xyz
wzslj.xyz
ycslj.xyz
yqslj.xyz
yyslj.xyz
zwslj.xyz

1 comment:

lt said...

It's possible 707 Wilshire is the location of the equipment - there is at least one data centre in that building.