Sponsored by..

Wednesday 28 September 2016

Something evil on

This appears to be some sort of exploit kit leveraging hacked sites, for example:
--> [donotclick]j8le7s5q745e[.]org/files/vip.php?id=4
You can see this EK infecting a legitimate site in this URLquery report. The IP address appears to be a customer of ServerYou:

OrgName:        MegaHosterNetwork
OrgId:          MEGAH
Address:        Zaporozhskogo kazachestva 15
City:           Zaporozhzhe
PostalCode:     69097
Country:        UA
RegDate:        2012-09-02
Updated:        2012-09-02
Ref:            https://whois.arin.net/rest/org/MEGAH

These other domains are hosted on the same IP:


All of those domains are registered to:

Registrant Name: sergey muromov
Registrant Organization: sergey muromov
Registrant Street: veteranov 45-87
Registrant City: sank-tpeterburg
Registrant State/Province: leningradckaya
Registrant Postal Code: 458223
Registrant Country: RU
Registrant Phone: +7.66473838987
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: muromov96@bk.ru

It looks like there might be a fair amount of activity to the IP at the moment, judging by the number of URLquery reports, so it might well be worth blocking.

No comments: