Sponsored by..

Wednesday 28 September 2016

Something evil on 69.64.63.77

This appears to be some sort of exploit kit leveraging hacked sites, for example:
[donotclick]franchidiscarpa[.]com/index.php
--> [donotclick]j8le7s5q745e[.]org/files/vip.php?id=4
You can see this EK infecting a legitimate site in this URLquery report. The IP address appears to be a customer of ServerYou:

OrgName:        MegaHosterNetwork
OrgId:          MEGAH
Address:        Zaporozhskogo kazachestva 15
City:           Zaporozhzhe
StateProv:     
PostalCode:     69097
Country:        UA
RegDate:        2012-09-02
Updated:        2012-09-02
Ref:            https://whois.arin.net/rest/org/MEGAH


These other domains are hosted on the same IP:

[donotclick]j8le7s5q745e.org
[donotclick]3wdev4pqfw1u.org
[donotclick]fg1238tq38le.net

All of those domains are registered to:

Registrant Name: sergey muromov
Registrant Organization: sergey muromov
Registrant Street: veteranov 45-87
Registrant City: sank-tpeterburg
Registrant State/Province: leningradckaya
Registrant Postal Code: 458223
Registrant Country: RU
Registrant Phone: +7.66473838987
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: muromov96@bk.ru


It looks like there might be a fair amount of activity to the IP at the moment, judging by the number of URLquery reports, so it might well be worth blocking.


No comments: