
Friday 26 April 2013

Something evil on 193.107.16.213 / Ideal Solution Ltd

193.107.16.213 is a web server run by Ideal Solution Ltd in the Seychelles. It contains many malware sites that should be blocked, and you might well want to consider blocking the entire 193.107.16.0/22 (193.107.16.0 - 193.107.19.255) range.

VirusTotal detects a number of malicious sites on this server (see report) but blocking access to this IP address is probably the easiest approach. However there seems to be very little of value in the whole /22 and I have personally had it blocked for some months with no ill effects.

The sites that I can identify, their MyWOT ratings and Google prognosis can be downloaded from here [csv]. Use this data as you see fit.

The following sites are on 193.107.16.213. Ones marked in red are flagged by Google as being malicious, although you should assume that they all are and block them accordingly.


Monday 22 April 2013

Malware sites to block 22/4/13

These domains form part of a large Kelihos botnet described over at Malware Must Die and which is related to the recent Boston Marathon and Texas Fertilizer Plant spam runs. There are probably thousands of IP addresses, but so far I have identified just 76 domains that seem to be active (there are a large number of subdomains). Monitoring for these may reveal Kelihos activity on your network.

Update: a list of associated IPs can be found here. There are too many to analyze, but the majority seem to be hacked PCs in Ukraine, Russia, Bulgaria and Poland.


Friday 19 April 2013

OVH WTF

If you work in the anti-spam or anti-malware business then you've probably come across OVH. It's a company with a shockingly bad reputation in these fields, tolerating malware and spammers to an extent that no other major host does. It even has a special tag in this blog to keep track of all the crap it hosts.

One particularly bad part of the network is the "MMuskatov" block 5.135.67.128/25 (5.135.67.128 to 5.135.67.255). I covered this back in February, but the situation has become even worse since then. This entire /25 hosts apparently zero legitimate sites and one of the highest concentrations of malware sites that I have seen for some time.

Out of 456 sites that I have identified in this block, 84 (18%) have been flagged as being dangerous by Google. 106 (23%) have a WOT trustworthiness score of 10 or less, and only 2 (0.4%) manage more than 40%... and that's probably by accident.

A full list of the sites I can find and their ratings can be found here. And this isn't the only large scale black hat customer that OVH host, because there is Sidharth Shah as well. One can only speculate about the type of financial arrangements that these customers have in order to keep going.

I would recommend blocking the entire 5.135.67.128/25 range and implementing a zero-tolerance approach for OVH blocks that might appear on your radar for spamming and malware.

The following sites are flagged by Google as being malicious:


These sites are flagged by WOT as being untrustworthy (less than 20):

Thursday 18 April 2013

Malware sites to block 18/4/13

These malicious domains and IPs are associated with this malware spam run. Block 'em if you can.


Monday 11 March 2013

Sidharth Shah / OVH / itechline.com

I have now come across several incidents of malware hosted in an OVH IP address range suballocated to Sidharth Shah. The blocks that I can identify so far are:


These IPs are mostly malware or fake goods. Legitimate sites seem to be nonexistent, although these IP ranges have hosted legitimate sites in the past. I would personally recommend blocking them all, but if you want to see a fuller analysis of WOT ratings and Google Safe Browsing diagnostics see here.

So, what do we know about Mr Shah? Well, the IPs have the following contact details:

organisation:   ORG-SS252-RIPE
org-name:       Shah Sidharth
org-type:       OTHER
address:        12218 Skylark Rd
address:        20871 Clarksburg
address:        US
abuse-mailbox:  ovhresell@gmail.com
phone:          +1.5407378283
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered


This is presumably the same Mr Shah who owns sidharthshah.com:
   Technical Contact:
      Shah, Sidharth  sidharth134@gmail.com
      12128 Skylark Rd
      Clarksburg, Maryland 20871
      United States
      (240) 535-2204


These contact details are 

The email address sidharth134@gmail.com is also associated with itechline.com which is a company with an unenviable F rating from the BBB, who list the principal as being Sidharth Shah.

BBB rating is based on 16 factors.
Factors that lowered the rating for ITechline.com include:

    Length of time business has been operating
    8 complaints filed against business
    Failure to respond to 7 complaints filed against business

ITechline.com has garnered some very negative consumer reviews [1] [2] [3] [4]. It appears to advertise on search engines for phrases like mcafee support and then charges to look at the computer, with "fixes" that some have reported to be of variable quality. You should make your own mind up as to the veracity of these negative claims.

Whether or not the OVH IP addresses are managed by Mr Shah directly or through ITechline is not known. Looking at the malicious domains, I cannot find a direct connection to Mr Shah other than the fact that they are a customer. However, I would not expect a well-managed network to have so many malicious domains and other spammy sites. I would recommend blocking access to all the listed IPs if you can.


Something evil on 176.31.140.64/28

176.31.140.64/28 is an OVH block suballocated to Sidharth Shah (mentioned in this earlier post). It contains a small number of malicious domains flagged by Google (in red); most of the rest of the sites have a very poor WOT rating (in yellow). I'll post more details later. You can safely assume that everything in this block is malicious, and I note that some of the domains are refugees from this malware site.

Malware is hosted on 176.31.140.64, 176.31.140.65, 176.31.140.66 and 176.31.140.67. There appear to be no legitimate sites in this block.


Something evil on 37.59.214.0/28

37.59.214.0/28 is an OVH IP range suballocated to a person called Sidharth Shah in Maryland (more of whom later). At the moment it is hosting a number of malware sites with a hard-to-determine payload such as [donotclick]55voolith.info:89/forum/had.php which is evading automated analysis.

The owner of this block is as follows:
organisation:   ORG-SS252-RIPE
org-name:       Shah Sidharth
org-type:       OTHER
address:        12218 Skylark Rd
address:        20871 Clarksburg
address:        US
abuse-mailbox:  ovhresell@gmail.com
phone:          +1.5407378283
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered


Malware is hosted on 37.59.214.0, 37.59.214.1 and 37.59.214.0. There do not appear to be any legitimate sites in this range. Google has already flagged some of these as malicious (marked in red), so you can safely assume that they are all malicious:


Wednesday 20 February 2013

Something evil on 62.212.130.115

Something evil seems to be lurking on 62.212.130.115 (Xenosite, Netherlands) - a collection of sites connected with the Blackhole exploit kit, plus indications of evil subdomains of legitimate hacked sites. All-in-all, this IP is probably worth avoiding.

Firstly, there are the evil subdomains that have a format like 104648746540365e.familyholidayaccommodation.co.za - these are mostly hijacked .co.za and .cl domains.
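One way to hunt for this pattern in your own resolver logs, as an added example that is not part of the original post: it flags queries whose leftmost label is a long hexadecimal string and groups them by the parent domain that appears to have been hijacked. The log layout (timestamp, client, query name, type), the length threshold of 16 and every sample line except the hostname quoted above are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# A DNS label is at most 63 characters; the hostname quoted in the post
# has a 16-character hex label, so 16 is used as the lower bound (assumption).
HEX_LABEL = re.compile(r"[0-9a-f]{16,63}")

# Constructed sample resolver log: timestamp, client IP, query name, query type.
SAMPLE_LOG = """\
2013-02-20T09:14:02Z 10.0.0.21 www.example.co.za A
2013-02-20T09:14:05Z 10.0.0.21 104648746540365e.familyholidayaccommodation.co.za A
2013-02-20T09:15:11Z 10.0.0.34 0123456789abcdef0123456789abcdef.shop.example.cl A
2013-02-20T09:15:40Z 10.0.0.34 cdn1.static.example.com A
2013-02-20T09:16:02Z 10.0.0.21 104648746540365e.familyholidayaccommodation.co.za A
2013-02-20T09:16:30Z 10.0.0.50 deadbeef.example.org A
"""


def suspicious_label(hostname):
    """Return the leftmost label if it looks like a generated hex string."""
    labels = hostname.strip().rstrip(".").lower().split(".")
    if len(labels) < 3:
        # Need a label in front of at least a two-label parent domain.
        return None
    first = labels[0]
    # Require a digit so that ordinary words made of a-f letters are ignored.
    if HEX_LABEL.fullmatch(first) and any(c.isdigit() for c in first):
        return first
    return None


def triage(log_text):
    """Group suspicious queries by parent domain.

    Returns {parent: {"hits": int, "labels": [...], "clients": [...]}}.
    """
    found = defaultdict(lambda: {"hits": 0, "labels": set(), "clients": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        _ts, client, qname, _qtype = fields[:4]
        label = suspicious_label(qname)
        if label is None:
            continue
        # Everything after the hex label is treated as the hijacked parent.
        parent = qname.rstrip(".").lower().split(".", 1)[1]
        entry = found[parent]
        entry["hits"] += 1
        entry["labels"].add(label)
        entry["clients"].add(client)
    return {
        parent: {
            "hits": e["hits"],
            "labels": sorted(e["labels"]),
            "clients": sorted(e["clients"]),
        }
        for parent, e in found.items()
    }


if __name__ == "__main__":
    for parent, info in sorted(triage(SAMPLE_LOG).items()):
        print(parent, info["hits"], info["clients"], info["labels"])
```

Because the parent domains are legitimate sites, a hit is a reason to check where the subdomain resolves and which clients asked for it, not a reason to block the parent.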

The following list contains the legitimate domains and IPs that appear to have been hijacked. Ones marked in red have been flagged as malicious by Google. Remember, these IPs are not evil, it is just the subdomains that are (on a different IP).


The second bunch of domains appear to be connected with the Blackhole Exploit kit (according to this report) and can be assumed to be malicious, and are hosted on 62.212.130.115:


This third group are almost definitely malicious and are on the same server:


The final group is where it gets messy. These are malicious subdomains that either are on (or have recently been on) 62.212.130.115. It looks like they are hardened against analysis, but they certainly shouldn't be here and can be assumed to be malicious too.


Tuesday 19 February 2013

Something evil on 67.208.74.71

67.208.74.71 (Inforelay, US) is a parking IP with several thousand IPs hosted on it. However, it also includes a large number of malicious sites using Dynamic DNS services. Some of these sites have recently moved from the server mentioned here.

Probably most of the sites on this server are legitimate and blocking access to it might cause some problems. However, you can block most of these malicious domains by targeting the Dynamic DNS domain, the bulk of which are as follows:


You can find a copy of the domains, IPs, WOT ratings and Google prognosis here [csv].
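The blocking decision described in this post, sketched as an added example (not code from the original blog): whole ranges that the earlier posts call entirely bad are blocked by CIDR, while the shared parking IP is left reachable and only hostnames under a Dynamic DNS parent zone are blocked. The CIDR ranges and the parking IP come from the posts' own text; the DDNS parent zones and the hostnames used here are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Ranges the posts recommend blocking outright (quoted in the posts' prose).
BLOCKED_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "193.107.16.0/22",
        "5.135.67.128/25",
        "176.31.140.64/28",
        "37.59.214.0/28",
    )
]

# Shared parking IP from this post: mostly legitimate sites, so not blocked by address.
SHARED_IPS = {ipaddress.ip_address("67.208.74.71")}

# Placeholder Dynamic DNS parent zones (constructed for the example).
DDNS_PARENTS = {"ddns-zone.example", "dyn.example.net"}


def matching_parent(hostname, parents):
    """Return the parent zone the hostname falls under, or None.

    Matching is done on whole labels, so 'notddns-zone.example' does not
    match 'ddns-zone.example'. The parent zone itself also matches.
    """
    labels = hostname.strip().rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in parents:
            return candidate
    return None


def decide(hostname, ip):
    """Return (action, reason) for a connection to hostname at ip."""
    addr = ipaddress.ip_address(ip)
    for net in BLOCKED_NETS:
        if addr in net:
            return ("block", "cidr:" + str(net))
    parent = matching_parent(hostname, DDNS_PARENTS)
    if parent is not None:
        return ("block", "ddns:" + parent)
    if addr in SHARED_IPS:
        # Known shared host: allowed, but worth logging for later review.
        return ("allow", "shared-ip")
    return ("allow", "no-match")


if __name__ == "__main__":
    # Constructed sample connections (hostname, resolved IP).
    samples = [
        ("site.example.ru", "193.107.19.255"),
        ("site.example.ru", "193.107.20.0"),
        ("parked.example.org", "67.208.74.71"),
        ("abcd.ddns-zone.example", "67.208.74.71"),
        ("notddns-zone.example", "67.208.74.71"),
    ]
    for host, ip in samples:
        print(host, ip, decide(host, ip))
```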

The following domains are hosted on 67.208.74.71 and are listed as malicious by Google's Safe Browsing Diagnostics:


These domains are hosted on 67.208.74.71 and are not flagged by Google, but almost all have a poor WOT reputation and are very likely to be malicious:


These sites appear to have been hosted recently on 67.208.74.71 and are flagged as malware by Google, but are not resolving at present:


These domains appear to have been recently hosted on 67.208.74.71, are not flagged as malicious by Google but are nonetheless suspect.

uzdknpz.4dq.com
zzxvxyi.mydad.info
blur.rr.nu
org.rr.nu
axyaqb.xxuz.com

Friday 15 February 2013

Malware sites to block 15/2/13

A set of malware sites.. or I think two sets of malware sites that you might want to block. The .ru domains are connected with this botnet, a second set of sites seem to be something else malicious. Both groups of sites are connected by a server at 142.0.45.27 (Volumedrive, US) which may be a C&C server. Interested parties might want to poke at the server a bit..

As a bonus, these are the IPs that I can find connected with the .ru botnet that I have collected over the past few days. Some of them are dynamic, but it might be a starting point if anyone wants to poke at that botnet a bit more.


Thursday 14 February 2013

Something evil on 92.63.105.23

Looks like a nasty infestation of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia) - see an example of the nastiness here (this link is safe to click!). The following domains are present on this address, although there are probably more.


Wednesday 13 February 2013

Malware sites to block 13/2/13

These malicious sites appear to be part of a Waledac botnet. I haven't had much time to analyse exactly what is going on, but here is one example from [donotclick]merwiqca.ru/nothing.exe: URLquery, VirusTotal, Comodo CAMAS, ThreatExpert.

I'm still working on IP addresses (there are a LOT), but these are the domains that I have managed to identify.. it is probably not an exhaustive list though.


Monday 11 February 2013

Something evil on 46.163.79.209

The following sites are connected with some ADP-themed malware that has been doing the rounds for the past few days. As far as I can tell, they are some sort of download server for this malware, hosted on 46.163.79.209 (Host Europe, Germany). It all looks quite nasty.

social-neos.eu
cloud.social-neos.eu
quest.social-neos.eu
archiv.social-neos.eu
eyon-neos.eu
international.eyon-neos.eu
ns.eyon-neos.eu
euroherz.eyon-neos.eu

The domains look like they might be legitimate ones that have been hijacked; nonetheless, blocking them would be an excellent move.



Friday 8 February 2013

MMuskatov / OVH malware sites to block

I've mentioned an OVH range of IPs allocated to a mystery "MMuskatov" a couple of times before (here and here). It seemed like they needed a closer look.

The IP ranges are in the 5.135.67.x block, mostly in small /28 allocations hosted in different OVH datacentres in Europe. They are:
5.135.67.128 - 5.135.67.135
5.135.67.136 - 5.135.67.143
5.135.67.144 - 5.135.67.159
5.135.67.160 - 5.135.67.175
5.135.67.176 - 5.135.67.191
5.135.67.192 - 5.135.67.207
5.135.67.208 - 5.135.67.223
5.135.67.224 - 5.135.67.239
5.135.67.240 - 5.135.67.247

Obviously, that gives a contiguous block of 5.135.67.128 to 5.135.67.247, which is annoyingly difficult to express in CIDR notation. This is the best I can do:
5.135.67.128/26
5.135.67.192/27
5.135.67.224/28
5.135.67.240/29

If you don't mind a bit of collateral damage then you could simply block 5.135.67.128/25.
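
The CIDR arithmetic above can be checked mechanically. This is an added example, not part of the original post: it merges the nine allocations listed earlier into contiguous spans, reduces them to the smallest set of CIDR blocks with Python's standard `ipaddress` module, and reports which addresses a wider block such as the /25 would catch in addition. The function names are assumptions made for illustration.

```python
import ipaddress

# The nine allocations exactly as listed in the post (first - last address).
ALLOCATIONS = [
    ("5.135.67.128", "5.135.67.135"),
    ("5.135.67.136", "5.135.67.143"),
    ("5.135.67.144", "5.135.67.159"),
    ("5.135.67.160", "5.135.67.175"),
    ("5.135.67.176", "5.135.67.191"),
    ("5.135.67.192", "5.135.67.207"),
    ("5.135.67.208", "5.135.67.223"),
    ("5.135.67.224", "5.135.67.239"),
    ("5.135.67.240", "5.135.67.247"),
]


def merge_ranges(ranges):
    """Merge overlapping or adjacent (first, last) ranges into contiguous spans."""
    spans = sorted(
        (int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last)))
        for first, last in ranges
    )
    merged = []
    for first, last in spans:
        if first > last:
            raise ValueError("range start is after range end")
        if merged and first <= merged[-1][1] + 1:
            # Touches or overlaps the previous span: extend it.
            merged[-1][1] = max(merged[-1][1], last)
        else:
            merged.append([first, last])
    return [(ipaddress.IPv4Address(f), ipaddress.IPv4Address(l)) for f, l in merged]


def minimal_cidrs(ranges):
    """Smallest list of CIDR blocks covering exactly the given ranges."""
    networks = []
    for first, last in merge_ranges(ranges):
        networks.extend(ipaddress.summarize_address_range(first, last))
    return networks


def collateral(ranges, supernet):
    """Blocks inside `supernet` that are NOT part of the given ranges."""
    remaining = [ipaddress.ip_network(supernet)]
    for net in minimal_cidrs(ranges):
        next_remaining = []
        for block in remaining:
            if net.subnet_of(block):
                # Carve the listed network out of this block.
                next_remaining.extend(block.address_exclude(net))
            elif block.subnet_of(net):
                continue  # block is entirely inside a listed range
            else:
                next_remaining.append(block)  # disjoint, keep as is
        remaining = next_remaining
    return sorted(remaining)


if __name__ == "__main__":
    print("exact cover:", [str(n) for n in minimal_cidrs(ALLOCATIONS)])
    extra = collateral(ALLOCATIONS, "5.135.67.128/25")
    print("extra blocks caught by the /25:", [str(n) for n in extra])
    print("extra addresses:", sum(n.num_addresses for n in extra))
```
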

Anyway.. what's so bad about this range? Well, as far as I can see, there are no legitimate sites here at all. But there do appear to be malware sites, suspicious subdomains of hijacked legitimate sites and other nasties. Quite a few have been registered very recently indeed, and to be honest I'm probably missing a lot of sites hosted in this range.

The sites are listed below. Sites listed as malware by Google are listed in red, sites with a bad WOT rating are listed in blue (there are no sites listed as both, so I can spare you from purple). You can safely assume that anything not blacklisted has just not been noticed yet. You can download a full list of the sites, IP addresses, WOT rating and the Google prognosis from here.



Wednesday 23 January 2013

Something evil on 74.91.117.50

OK, I can see just two malicious domains on 74.91.117.50 but they are currently spreading an exploit kit through this spam run.

The domain is allocated to Nuclear Fallout Enterprises who often seem to host malware sites like this, so there's a good chance that more evil will turn up on this IP.

These are the domains that I can see right now:
13.blumotorada.net
13.carnovirious.net

The domains are registered with these apparently fake details:
Glen Drobney office@glenarrinera.com
1118 hagler dr
neptune bch
FL
32266
US
Phone: +1.9044019773


Since there will almost definitely be more malicious domains coming up on this IP, it is well worth blocking.

Monday 14 January 2013

Malware sites to block 14/1/13

A couple of interesting posts over at Malware Must Die! showed some significant nastiness on a few IP ranges you might want to block. The IPs mentioned are:

91.243.115.140 (Aztek Ltd, Russia)
46.166.169.238 (Santrex, Netherlands)
62.76.184.93 (IT House / Clodo-Cloud, Russia)

I'll list the sites on these domains at the end of the post for readability. But in these cases, blocking just the single IPs is not enough as they reside in pretty evil netblocks which should be blocked altogether.

91.243.115.0/24 (Aztek Ltd) is part of this large collection of malware hosts. Perhaps not all sites in the network are malicious, but certainly a lot of them are. I would err on the side of caution and block access to all sites in this /24, legitimate or not.

46.166.169.0/24 (Santrex) is another horrible network. According to Google, out of 4604 tested sites in this block, at least 3201 (70%) are involved in malware distribution. There may be legitimate sites in this /24, but since customer service is allegedly atrocious then it's hard to see why they would stick around. Again, blocking this /24 is probably prudent.

62.76.184.0/21 (IT House / Clodo-Cloud) is quite a large range to block, but I have seen many malicious sites in this range, and like Aztek it is part of this large network of malware hosts and it has a poor reputation. This is only a part of this netblock, if you want to go further you could consider blocking 62.76.160.0/19.

The following domains are all connected to these two attacks:



Wednesday 9 January 2013

Something evil on 173.246.102.246

173.246.102.246 (Gandi, US) looks like it is being used for exploit kits being promoted either through malvertising or through exploited OpenX ad servers.

In the example I have seen, the malicious payload is at [donotclick]11.lamarianella.info/read/defined_regulations-frequently.php (report here). These other domains appear to be on the same server, all of which can be assumed to be malicious:

11.livinghistorytheatre.ca
11.awarenesscreateschange.com
11.livinghistorytheatre.com
11.b2cviaggi.com
11.13dayz.com
11.lamarianella.info
11.studiocitynorth.tv
11.scntv.tv

These all appear to be legitimate but hijacked domains; you may want to block the whole domain rather than just the 11. subdomain.

Friday 21 December 2012

Malware sites to block 21/12/12

There are a series of malware domains on 91.201.215.173 apparently using a Java and PDF exploit to infect visitors. The infection mechanism appears to be coming from an unidentified ad running on the centerblog.net blogging system (I think specifically [donotclick]zezete2.centerblog.net/i-247-136-1356095651.html).

The malware URLs are quite lengthy and appear to be resistant to analysis. In the attack I have seen, the following URLs were in use (don't visit these sites, obviously):

[donotclick]svwlekwtaign.avigorstats.pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[donotclick]mcruxdufxwnp.avigorstats.pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/

[break] indicates where I've added a linebreak to get it to fit on the page; remove that and the linebreak for a valid URL.

avigorstats.pro and its subdomains are hosted on 91.201.215.173 (PS Internet Company Ltd, Kazakhstan), but this is just the tip of a huge iceberg of malicious IPs and domains that are all interconnected.

Let's start with my personal recommended blocklist. If you are in Russia or Ukraine then you might want to be a bit more conservative with the Russian netblocks and refer to the raw IP list below (there's one list with ISPs listed, one plain for copy and pasting).

Recommended blocklist (annotated):

5.39.121.18 (OVH, Ireland)
5.135.20.2 (OVH, France)
5.135.67.144/28 (MMuskatov / OVH, Belgium)
5.135.67.192/28 (MMuskatov / OVH, Czech Republic)
5.135.97.6 (OVH, Ireland)
5.135.204.16/28 (Shah Sidharth / OVH, Ireland)
5.135.218.32/27 (Shah Sidharth / OVH, France)
5.135.223.96/27 (Shah Sidharth / OVH, France)
5.199.172.0/22 (BALTICSERVERS, Lithuania)
37.9.53.0/24 (Sheludyak-NET, Russia)
37.221.170.88 (Voxility, Romania)
46.28.71.68 (UA Servers, Ukraine)
46.105.102.18 (OVH, France)
46.235.8.175 (Teknik Data Internet Teknolojileri San.Tic.Ltd. Sti., Turkey)
46.249.42.0/24 (Serverius Holding, Netherlands)
62.76.40.0/21 (Rosniiros, Russia)
62.76.176.0/22 (Rosniiros, Russia)
62.76.180.0/24 (Rosniiros, Russia)
62.76.184.0/21 (Rosniiros, Russia)
62.109.0.0/21 (The First, Russia)
62.122.74.0/23 (Leksim, Poland)
63.247.91.188 (Global Net Access, US)
64.120.193.0/24 (HostNOC, US)
78.140.135.128/25 (Webazilla, Gibraltar)
84.200.77.204 (Misterhost, Germany)
85.17.92.146 (Leaseweb, Netherlands)
85.143.166.0/24 (Pirix, Russia)
88.198.30.19 (Hetzner, Germany)
91.201.214.0/23 (PS Internet, Kazakhstan)
91.211.116.0/22 (Zharkov Mukola Mukolayovuch, Ukraine)
91.220.131.0/24 (teterin Igor Ahmatovich, Russia)
91.231.156.0/24 (Sevzapkanat-Unimars, Russia)
91.232.29.70 (Realon Service LLC, Ukraine)
91.235.128.0/23 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
91.238.83.0/24 (Standart LLC, Moldova)
91.243.115.0/24 (Aztec, Russia)
92.46.62.128/25 (Shevchenko Sergey, Kazakhstan)
93.170.13.4 (Alfa Telecom, Czech Republic)
93.170.128.253 (Alfra Telecom, Russia)
95.211.199.34 (Leaseweb, Netherlands)
108.163.188.250 (iWeb, Canada)
142.0.37.60 (VolumeDrive, US)
142.54.183.96/27 (Datashack, US)
146.185.255.0/24 (Petersburg Internet Network Ltd, Russia)
151.248.116.54 (Reg.ru, Russia)
178.162.134.128/26 (Silin-Vitaly-Petrovich, Belarus)
178.162.147.111 (Leaseweb, Germany)
184.82.222.126 (HostNOC, US)
184.82.222.127 (HostNOC, US)
185.4.227.42 (Sayfa.NET, Turkey)
188.93.211.114 (Logol, Russia)
188.190.127.118 (Infium LTD, Ukraine)
188.208.32.0/23 (Ch-net Srl, Romania)
193.107.16.0/22 (Ideal Solution Ltd, Seychelles)
194.62.233.0/24 (Stils Grupp, Russia)
195.3.145.45 (RN Data, Latvia)
195.3.145.51 (RN Data, Latvia)
195.20.141.0/24 (Sigma Ltd, Russia)
195.138.240.0/21 (Creative Telematics & Trade s.r.o., Czech Republic)
198.49.66.159 (Hostdime, US)
198.147.22.69 (Front Range Hosting, US)
199.231.210.231 (Enzu Inc, US)
206.212.240.202 (Colostore, US)
206.212.240.206 (Colostore, US)
206.222.17.136/29 (XLHost, US)
208.88.226.230 (WZ Communitions, US)
208.88.226.231 (WZ Communitions, US)
217.23.11.103 (Worldstream, Netherlands)
217.23.15.110 (Worldstream, Netherlands)

Recommended blocklist (Plain list):


Raw list of malicious IPs:

Known malicious domains:
cdsbandwidthsaving.info
cejinayu.tk
centurylogmeinnow.net
cfarcto.freewww.biz
cheapbiotics.info
cheche.jrm-enterprises.com
checklistearpiercing.net
chidedpointofinterest.pro
cilidep.tk
cityscaperollbacks.net
ciwabiha.tk
clackt.freewww.biz
clarificationspackages.info
classbasecamp.pro
clckllink.com
clean-service.info
clearlydefinedjr.net
click2click.pro
click4click.org
clipboardbarely.pro
closedeasy.net
cloudtalkepicture.info
cloutremote.asia
cmesrearranged.pro
cogsfeet.net
cohostedpareddown.pro
coincidentlyreduce.net
collaborativerationals.info
collectingtabletfriendly.info
collectionsbleeding.pro
combinedbecause.org
common.thebattleroyal.com
conductinability.net
consciousnessmobileoptimized.info
constructionverified.org
contentdeliveryworldwide.pro
contentnomasterwork.net
convenienceconclusions.org
conversionitlegendary.info
convertervocal.net
corantipursue.info
correspondingpchoused.net
counterattackaltercast.asia
courseworktitanium.net
coxmxvku.freewww.biz
creast.afkepock.com
crosscountrypertinent.info
crossingpivot.info
crustwatch.com
crytprodom.net
cullinghenry.pro
curmudgeonlowerquality.net
cutlongurls.com
cwnddazt.freewww.biz
czxsazzz.cu.cc
dapuyok.tk
darkroomimageport.info
data.fossilflour.org
datcikas.co.uk
dazzlingthirst.info
dbzptwxhm.freewww.biz
dc21.asia
dckikyas.1dumb.com
dcrriklc.freewww.biz
ddbnbmpt.freewww.biz
dealingcas.pro
delawareriveromainssinglwwerx.com
delivercdn.com
demonstratepowerfully.net
denialdeduplication.net
densepromissory.info
deomainssinglwwerx.net
departuresheettogo.asia
dependenciesusers.net
deraman.cu.cc
dereteweret.org
desreappear.pro
devicetantalized.pro
dialerseasoned.org
digitalbrio.net
digitalspointsstorys.net
disappointsultra.net
discoverleaving.net
disperseconceptdraw.net
districtagenda.net
dixoxupo.tk
diysweeper.net
dkpjumouz.mynumber.org
dns20number.org
dnsnum10.com
dnsnum11.com
dnsnum12.pro
dnsnum9.com
dnsnumber1.com
dnsnumber14.pro
dnsnumber15.pro
dnsnumber2.com
dnsnumber3.com
docktoolsthe.org
docstogolists.info
docxlassos.net
doggedmask.pro
domaincreations.info
domainjustmails.net
domainscingapurs.net
domainsgweate.net
domainsjinniks.net
domainsnetstatts.net
domainsplaylgtaxes.com
domainsplaylgtaxes.net
domainsrighbind.net
domainssinglargetaxes.net
domainssinglgirs.net
domainssinglsnet.info
domainssinglssin.info
domainssmiles43.net
domainsstressadd.com
domssingomangos.net
downloaderchippers.org
dqytgefar.freewww.biz
dragonocerusfluidity.info
dramaticmacromedia.info
drumspeedthrottled.pro
dunfe.lenuerry.com
durhamdirectory.net
dworddb.com
earnhardtphoto.info
earthnearness.pro
ecwlqx.freewww.biz
edrenbaton.mouseclickcentralization.info
edvbph.freewww.biz
ekvwynlse.freewww.biz
endgameaboveaverage.pro
engagegoto.com
englandcompared.info
enlargement4.pro
enthusiastmystery.net
epsconsisted.pro
esscer47emonyno.rr.nu
essentiallyrepresents.net
estheticsindianapolis.info
etritotube.me
etritotube.mobi
etritotube.net
everpresentoctave.net
evngiaca.freewww.biz
examiningstores.org
excludedsure.pro
execpragues.net
expansionletter.net
experimentalsatellitecommunicationsprojectlaunchedinindia.info
eyebrowsprefilled.pro
f8u5.asia
fabulouszen.net
fallokidor.org
fastgreendns.com
fastum.gm9.com
favorablestarted.pro
faxesworry.asia
fbjvbkjp.freewww.biz
featuresconverter.asia
fedrekpolik.org
feedbacvolcanoes.pro
fenoqere.tk
ffffoundbirthdate.org
fgjcctg.cu.cc
fhpbuqac.freewww.biz
fiendishtask.info
figuringdictating.net
fillinjabber.net
filmeducators.net
finddomainsdicr.net
finlandfires.info
flierstrusting.biz
floodedhomeplus.net
flrkcyoln.almostmy.com
flvagye.freewww.biz
flyport.nut.cc
foldersmodify.org
force.verikanam.com
formsbasedscreeners.asia
forum-pro-siski.info
frameratepekingese.pro
freeexpenditure.pro
frustratedrosetta.pro
fssdnk.freewww.biz
ftycik.freewww.biz
fulllengthunderdahl.info
gabon.lenuerry.com
gaepovzsdr.cu.cc
gainskeeper.asia
gamesduoswin9.info
gaplessaddremove.info
gduobyc.freewww.biz
gefilteheadway.pro
geographiccomplicating.net
germen.almostmy.com
gfydjpo.freewww.biz
ghanaembassyusa.com
ghostauthority.info
gitro.lenuerry.com
gkluyc.freewww.biz
global.usa.cc
gobangwriterson.com
godutegodozybat.org
goldclick.pro
good.timepiece-locator.com
googlenilesrt.net
governingjerk.org
gpuep.freewww.biz
grainscatching.net
grauezonen.com
grauezonen.net
greatctrlaltdel.pro
gretta.pcanywhere.net
gsshphwbn.freewww.biz
gttrle.freewww.biz
guaranteesroman.net
gwqpx.freewww.biz
gybphqhwf.mynumber.org
gyukrmmw.itsaol.com
halfdozendesktop.asia
hanskohlerltd.com
hanskohlerltd.net
harddrivedeepens.pro
hatsvisuals.org
haventons.org
hazardstweet.pro
hcsqhop.freewww.biz
hearingcertificate.info
heartshapedradiosity.info
heatcycle.asia
hecticearning.pro
heellowtech.pro
hellousers.mobimexa.ro
hesdr.org
highflyingmotivates.info
highresfunnel.pro
hihuvay.tk
hjtqfai.freewww.biz
hjxynh.freewww.biz
hkect.freewww.biz
hmirsdwqo.freewww.biz
hmqth.freewww.biz
hobbjnlji.freewww.biz
hocblockable.pro
homegrownphonetic.pro
hoopsvibrate.pro
hornyfile.net
hotelspecificvocalization.info
hreflnk.com
hugo.lenuerry.com
hutren.lenuerry.com
ibbyqkp.freewww.biz
iccyrgfh.mynumber.org
icebergsorts.info
ictrnr.freewww.biz
ifuzlt.freewww.biz
ihazalittleknob.us
ihrtytw.freewww.biz
iirrack.org
ijkguxk.freewww.biz
ikles.lenuerry.com
imanagepooka.pro
imapscans.info
imationbones.net
img.buchananjenkinshyundai.com
img.centralfloridahyundaidealers.com
img.centralfloridaunder10grandautos.com
img.zeitersseptics.com
img.zsuinc.com
impactrelease.pro
importslatenot.info
imrkcm.freewww.biz
incompatiblechoice.info
indocumentgunning.info
infostartbizcher.net
innetrecordf.net
installerhappens.com
intelextraction.org
interesting.moneta.cl
internalcake.asia
internetsdd4.net
internetsdd4.org
internetsturk.net
intervalsselfservice.pro
ioalcsy.freewww.biz
ioragement.net
iphonedata.info
irresponsibletablets.asia
irritatingtrailers.info
isaacdocs.com
iwwcwxjoy.freewww.biz
jafcomuzzle.com
jamdownsizes.info
jaquxedo.tk
jefvqloqs.freewww.biz
jekpot.net
jekpot.org
jexiyohi.tk
jopoplop.cu.cc
joxopzzz.cu.cc
jqkxhv.freewww.biz
jrhhqbgf.freewww.biz
jsccrzo.freewww.biz
jscripttoughgeek.biz
jtalwiwu.freewww.biz
junest.lenuerry.com
justpingmoow.net
juwkulgw.freewww.biz
jxzyi.freewww.biz
kcttqwmg.freewww.biz
kcxqach.freewww.biz
keyboardhigherpriority.pro
keywordrecordrookie.info
kgugoasr.freewww.biz
kimqtpbj.freewww.biz
kiost.lenuerry.com
kjrkbvrws.freewww.biz
kochenmitspass.com
kochenmitspass.net
komat.lenuerry.com
kopan.lenuerry.com
kopcasdf.cu.cc
ksopyt.freewww.biz
kupimiy.tk
kuuiukcd.freewww.biz
kvidzs.freewww.biz
lapuneran.com
lastfmwidescreen.info
lastwestbizz.info
laternotairplanes.org
laxonot.tk
lbd.lenuerry.com
leadingpartymoderateshewasejectedfromaftershesaid.info
leaguedigs.pro
legendpairing.info
lenskuog.freewww.biz
lesgpda.freewww.biz
letterpresssketching.info
levanto-poker.com
levanto-poker.info
levanto-poker.net
levanto-poker.org
lglsuo.freewww.biz
libertybigestnoob.org
linestrate.biz
linusrival.info
lipor.afkepock.com
lipsbylines.pro
listingsnonexecutable.org
litebizzchersearch.org
liteklick.com
litenames.com
littleknobnsack.us
ljbsll.freewww.biz
llsoftness.info
llxtyzh.freewww.biz
loadsgamescraft.org
locatorrotten.net
lollipoporno.org
longnikdb.com
lops.verikanam.com
lopxaert.cu.cc
lowkeytonights.pro
lpbjscrsa.freewww.biz
lpnkbwx.freewww.biz
lqbiyic.freewww.biz
lwwpmfw.freewww.biz
lynwau.freewww.biz
m6j2.info
macbookxed.net
macdonaldsfast.net
mangosautomated.info
manibackbestbizz.net
marxloha.com
marxloha.net
mastercarddialog.pro
masterxz.cu.cc
mayhemavz.pro
mazdak.cu.cc
mdrphfri.freewww.biz
mechanicalagenda.asia
membersnetsgunss.info
membersnetsgunss.org
memoryhddmonitor.org
memossingleuser.info
mentscommence.net
merstengrown.com
mesburtterpe.ddns.name
metaizosulfatmetanol.com
metasearchexcessively.net
mexicomongo.com
mexodini.tk
mhpuya.freewww.biz
mikesnutssner.net
mikesnutssner.org
minisiteshassle.info
minker.lenuerry.com
mitest.lenuerry.com
mitre.verikanam.com
mixed.verikanam.com
mjhcymist.freewww.biz
mmwap.freewww.biz
mnroemawa.freewww.biz
mnszyhxgp.freewww.biz
mobilefriendlysingledisk.info
modemgamers.info
modesicompared.org
modesiscenes.info
mofiozesbzcom.net
mokas.lenuerry.com
mondayswizardnet.info
moneysdialogs.net
monikaheinold.net
monitorsystemsdep.net
monitorsystemsdep.org
mopiserb.cu.cc
morrisgussmir.biz
mouseclickcentralization.info
mqtqjkyo.all-emoticons.com
multidimensionalpersisted.org
multilevelclass.net
museumsnimble.net
mwmfue.freewww.biz
mxssweeten.pro
mydreamnewone.com
mydreamnewone.me
mydreamnewone.org
mydreamnewone.us
naejadxge.freewww.biz
namesstressadd.net
ndengine.com
nedra.ddns.infoc
neos.lenuerry.com
nerest.ddns.info
nerfaserty.fondinfocenters.info
netdocumentsinaccessible.info
new-generation-affiliate.net
new-generation-affiliate.org
new-generation-affiliateonline.co
newyorkcarrent.com
ngfyt.freewww.biz
nicert.afkepock.com
njgblmlg.freewww.biz
nlbdiv.freewww.biz
nnczl.freewww.biz
noacmvbg.gr8name.biz
nospaceforced.pro
ns1.collectionsbleeding.pro
ns1.haventons.org
nsc.hornyfile.net
nuert.lenuerry.com
nvelqxkt.freewww.biz
nzhewnvi.freewww.biz
nzuqojkf.freewww.biz
oboobx.freewww.biz
oevcrn.freewww.biz
oferts.net
ohnjckgo.freewww.biz
okles.lenuerry.com
oltpspeakers.pro
oneiricinfocenters.info
ones.myservicecomments.com
onlineadvertclick.eu
onlineadvertclick.info
onlineadvertclick.org
oovmmb.freewww.biz
operationseverlearn.pro
opticshoc.pro
originalchristopher.net
originatingpixelize.pro
ortide.afkepock.com
otscfr.com
overseassouth.net
ow42.org
ownorreverting.org
ownprice.net
paggpuvv.freewww.biz
palacio-casino.com
palacio-casino.in
palacio-casino.info
palacio-casino.me
palacio-casino.mobi
palermopoker.asia
palermopoker.biz
palermopoker.co
palermopoker.info
palermopoker.me
palermopoker.net
palermopoker.org
pamaetyd.cu.cc
panasoniccatnap.net
panasoniclibs4.biz
panasoniclibs4.net
paneheftier.info
parlorlimitsforemost.org
participaterevisions.info
pasrewder.cu.cc
passedtwitpic.pro
paszerqef.cu.cc
pawertyse.cu.cc
pbhukx.freewww.biz
pejot.freewww.biz
pfannengericht.com
pfvfsi.freewww.biz
photoemailingbrethren.pro
physicallyoffer.asia
picniksdistrict.info
pigrona5.com
piicentrally.org
pikkolorgy.org
pistolop.cu.cc
pityr.verikanam.com
plannerspressed.net
pmquggb.freewww.biz
pmxlzumf.freewww.biz
pnppz.freewww.biz
pocasredr.cu.cc
polaroidstylesaved.info
pomertax.cu.cc
pornooncar.pro
pornoseccasgirls.info
pornoseccasgirlss.net
pornostroycenters5v.net
portallnk.com
postprepminimize.pro
potar.lenuerry.com
potentlatency.net
povertzag.cu.cc
powertnoii.cu.cc
prettydik.net
privacyxslegacy.info
producercheesy.net
progresseddrilled.net
promoitaliane.tv
prosperplug.info
psgva.freewww.biz
pvsblues.info
pzdupny.freewww.biz
qadosiwixe4.pro
qadosiwixe45.pro
qadosiwixe5.pro
qgwbhqthc.freewww.biz
qiksmotorcycles.pro
qojnwkp.freewww.biz
qoyuhiwe.tk
qpxibesp.freewww.biz
quellesimple.com
quellesimple.info
quickcamsassembled.net
quickofficemosaic.info
quincypuublicschools.com
quittsfasaf14.net
quqzpzfwr.freewww.biz
qxwhucsruaifu.pro
radarholga.pro
ratzeputze.com
rayoperu.tk
rbeqj.freewww.biz
rcjdnesni.freewww.biz
receivesagillions.info
recklessblacklisting.net
recoffsets.net
redirestoodersfin.info
redownloadingraucously.info
redspeed.asia
redundantblockskew.pro
redut.is-leet.com
reinventsciti.pro
relatedfarsi.info
releasedoutofbox.info
reliabilitytedium.info
reliantscrambled.org
remissimpediments.net
rentalhummers.pro
rentedtransactions.info
repinvoiceover.info
reportingautomatingoutliners.info
repurposedsmtppop.asia
re-served.com
respectsprosuite.info
restoronsafe.info
reusemorepersonalized.org
revolutioncodehinting.pro
rewardbounces.info
rhacsy.freewww.biz
riatiapafor.dnset.com
rizapizda.com
rojoxal.tk
roomyqualysguard.info
rootkitsprintready.pro
roudroadersnetliker.com
roxjd.freewww.biz
rozohudu.tk
rubilonk.biz
rubilonk.com
rubilonk.info
rutes.lenuerry.com
rxkpd.freewww.biz
safaristereos.biz
safetywebclassifies.net
samcrop.info
santnhzg.freewww.biz
saucesensorlys.info
savedordernumbers.net
sbyaiqvpm.freewww.biz
scarcecookiecutter.pro
schirkaal.com
schneemen.info
schoolsreading.asia
scrot-um.biz
securemanagerspecialcollectlinesite.info
security-checking.info
sedukimozzaik4net.info
seewild.net
seinfeldwlpg.pro
selamoitoipour.com
selamoitoipour.net
selamoitoipour.org
selmoipourtoi.com
selmoipourtoi.net
separatedsurprises.com
sequentialbiotics.info
sexclub4h.net
sexgirlsmembers4g.net
sexmurenagirlssex.info
sexsexporno.info
sexxxstaz.org
sfhnvvs.freewww.biz
shareself.info
sharingdelays.pro
sharpeyedresizable.net
shepardforests.info
shizzledizle.com
shortlonglinks.com
siamanfocont.ddns.name
sidhpuwtvkwrtv.flu.cc
signingsample.pro
signupdestinations.org
similaritiesinverting.net
singlecolumnhalloween.asia
sitesstressadd.com
sitesstressadd.net
sjryycwpl.freewww.biz
ska9.info
skitchrestaurants.net
skjaqowjtr.all-emoticons.com
slackmultiline.info
slnhtkqu.freewww.biz
smoothlyexit.net
snailmailupdater.net
snamedb.com
snoopscooperate.pro
sometimescroogle.asia
sorryintellicookie.net
soulplacing.pro
speedanymore.net
speedyfraction.pro
stampedetarget.info
stat.sportspirate.net
stathemliberiy.com
stationscannons.net
statistic.kodiakwireline.ca
stereoobjects.info
stetomoney.org
stinglnk.com
stlpartnership.asia
stoppedcam.info
storagemediumfoolish.pro
streetpiloteffortlessly.biz
strnglink.com
stumbleuponbutlowerpriced.info
subjectslicing.net
sublistsvirus.info
suckro.lenuerry.com
sufopati.tk
sugad.afkepock.com
sunbeltinverting.pro
suncurrentlytransitstheconstellationoflibrafromoctober.info
superbrustramestraonline.org
supportflashoutlookstyle.pro
susssurrounds.info
suxoyad.tk
swallowsreenable.pro
sydzslq.freewww.biz
syenial.com
system0001.pro
taipeirazor.pro
talliedclassit.info
tares.verikanam.com
tauscansenders.info
tavawf.freewww.biz
tcpipbyfiletype.info
teddyderhund.com
teddyderhund.net
tekqswas.freewww.biz
tellementads.net
tenscrub.net
testr.pcanywhere.net
textingnode.info
thewirelesscaalog.com
theydlauncher.net
thrillededward.pro
thundercatsimplications.net
tibukns.freewww.biz
timingwaste.net
tisla.lenuerry.com
togglesengines.info
toolbarpcmag.info
totalethreetabbed.net
toypourtoy.info
toypourtoy.net
toyticket.info
tracklessactivedisk.info
trading-consult.info
trafficstock.net
transformspace.pro
trnio.lenuerry.com
troopersresided.info
truesamuraidns.com
tufbu.freewww.biz
turnkeynew.pro
twesst.afkepock.com
twitteresqueingenious.info
txdfldh.freewww.biz
txtbznqia.freewww.biz
tzhone.freewww.biz
uadwfj.freewww.biz
uatogspme.freewww.biz
ubiuzkfw.freewww.biz
uidlikmcr.freewww.biz
ujergbcfcskuxvd.dyndns-remote.com
unhuzrtje.freewww.biz
uninstallerthumbtack.asia
unprotectedepicture.info
unuere.freewww.biz
update-cdn.com
uptel.afkepock.com
ureqedaz.mrbasic.com
usdaqpl.freewww.biz
user2.lenuerry.com
usnet.lenuerry.com
usomainssinglwwerx.com
uszefhy.freewww.biz
uukdktlc.onmypc.us
uvvtscte.biz
uwndet.freewww.biz
uybeor.freewww.biz
uyfea.freewww.biz
uzvxb.freewww.biz
vabnoynua.freewww.biz
vabosaho.tk
validatorbasses.net
validfacts.info
vchysb.freewww.biz
veraconference.info
verghavinias.com
verisimilitudeguidelines.pro
viewsbootup.net
viiju.freewww.biz
viqrzfvi.freewww.biz
virginiacompanyron.com
visasunspot.net
vitres.verikanam.com
vjhgd.freewww.biz
vmteuayfi.freewww.biz
voltsdragandselect.net
voniucka.co.uk
vsddbm.freewww.biz
vvsgoqe.freewww.biz
vzfascinating.info
wallmountedsubprojects.info
watisawarosydok.org
waybunch.org
webcheckfinalizing.net
webdavinfluential.pro
webmasteraolcom.asia
websearchsite.net
weekdaysaccountif.org
wefirefoxs.info
wellreceivedrug.pro
wentovergomountain.net
wereworkstationlike.org
westlnk.com
wfslwzbmj.freewww.biz
whpdn.freewww.biz
wildcarddigest.org
wimipol.tk
winproducersdisks.asia
wirmsnetsreg.org
wizikohu.tk
wjtuvxr.freewww.biz
wlklayju.freewww.biz
wlvgkym.freewww.biz
womukul.tk
wordreg.com
worksheetrating.info
woteucv.freewww.biz
wouldstats.com
wpvrq.freewww.biz
wqolljp.freewww.biz
writexrealtek.pro
www.hornyfile.net
www.jscripttoughgeek.biz
www.livecamsxxxnow.com
www.schneemen.info
www.sexsexporno.info
wwwlogmeincomafflicts.net
xasnc.freewww.biz
xberfdpfo.freewww.biz
xcwalwbwg.freewww.biz
xerta.lenuerry.com
xfulu.freewww.biz
xgrvj.freewww.biz
xicajevi.tk
xkaceln.freewww.biz
xmlstructurednewegg-affiliate.asia
xmmtry.freewww.biz
xokildrgfht.dyndns-remote.com
xokildrggjy.dyndns-remote.com
xokildrghkuy.dyndns-remote.com
xptyhuob.serveusers.com
xrtecjq.freewww.biz
xvideotubehq.net
xvideotubehq.org
xvidious.co
xvidious.info
xvidious.net
xvidious.org
xvidstubes.asia
xvidstubes.biz
xvidstubes.co
xvidstubes.com
xvidstubes.info
xvidstubes.me
xvidstubes.mobi
xvuxl.freewww.biz
yabalvate.freewww.biz
yale.verikanam.com
ycwmpwmh.freewww.biz
ycwvoad.freewww.biz
ycxbecdci.freewww.biz
yfajapit.americanunfinished.com
yhejzgsc.freewww.biz
yhgqw.freewww.biz
yjihtguzr.freewww.biz
ykasszk.freewww.biz
ynerfklpgjazsc.servebbs.com
ynybaduv.itemdb.com
yourxvideos.asia
yuokmyxhk.freewww.biz
yuppiebatchmode.info
yvngzms.freewww.biz
ywtytciqr.freewww.biz
yyvpdr.almostmy.com
yzhhn.freewww.biz
yzmek.mynumber.org
yzociz.freewww.biz
z8s0.info
zawejame.tk
zegejic.tk
zenuxozo.tk
zenworksencourages.pro
zeroknowledgealwil.asia
zhnmnjtm.freewww.biz
zikertlijgyhku.dyndns-remote.com
zikertlzcsyvdx.dyndns-remote.com
zikertydhwegawd.dyndns-remote.com
zikertydhwegsd.dyndns-remote.com
zikrftgbaefas.dyndns-remote.com
zikrfvdeccsxw.dyndns-remote.com
ziniospdfs.org
zkpys.freewww.biz
zoom.verikanam.com
zoomedpentiumequipped.info
zvxct.freewww.biz
zywyr.freewww.biz