Sponsored by..

Showing posts with label Gandi. Show all posts
Showing posts with label Gandi. Show all posts

Wednesday, 4 September 2013

Something is very wrong with Gandi US (AS29169 / 173.246.96.0/20)

Recently I have been suggesting reader block quite a few individual IPs at Gandi in the US, but I hadn't noticed exactly how many IPs I had been suggesting until a couple of days ago.

The problem seems to exist in the 173.246.96.0/20 block of AS29169 (173.246.96.0 - 173.246.111.255), a range of IP addresses that houses very many legitimate domains. Unfortunately, it also houses several malicious servers in the 173.246.102.0/24, 173.246.103.0/24 and 173.246.104.0/24 ranges, alongside legitimate sites.

First of all, let's look at the warnings I have given about this IP range just in this blog alone (ignoring all external sources):


173.246.101.146
CNN "Harrison Ford" spam / 173.246.101.146 and fragrancewalla.com
173.246.102.2
Malware sites to block 7/3/13
173.246.102.223
Citi Cards spam / 6.bbnface.com and 6.mamaswishes.com
173.246.102.246
Something evil on 173.246.102.246
173.246.103.26
ADP spam / 14.sofacomplete.com
173.246.103.59
Malware sites to block 23/11/12
173.246.103.112
Malware sites to block 22/11/12
173.246.103.124
Malware sites to block 23/11/12
173.246.103.184
Malware sites to block 23/11/12
173.246.104.104
Something evil on 173.246.104.104
173.246.104.136
CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net
173.246.104.154
Something evil on 173.246.104.154
173.246.104.184
PayPal spam / londonleatheronline.com
173.246.104.21
Malware sites to block 23/11/12
173.246.104.55
"INCOMING FAX REPORT" spam / chellebelledesigns.com
173.246.105.15
eFax / jConnect spam and eliehabib.com
173.246.106.150
"Scan from a Xerox WorkCentre" spam / Scan_06122013_29911.zip


So, curious about how bad the situation was I went off to identify servers currently hosting malware, and the list I came up with was:


173.246.102.2
173.246.102.202
173.246.102.223
173.246.102.250
173.246.103.47
173.246.103.191
173.246.103.232
173.246.104.52
173.246.104.55
173.246.104.104
173.246.104.128
173.246.104.154
173.246.104.184
173.246.104.185


That's quite a concentration of badness. You can see a full list of the malicious domains, WOT ratings, Google prognosis and SURBL codes here [csv]. There's a plain list of domains at the end of the post for copy-and-pasting.


Now, normally I would recommend blocking at least a /24 when dealing with this sort of level badness, but as this overview of the /20 shows [csv] there are a load of legitimate sites interspersed with the malware. Of course, you may want to block chunks of this IP range anyway and live with the collateral damage.. if you are hosted in this range then I suggest it is time to look for a new host.



Over the past 12 months there have been at least 25 malware servers in this block, with 173.246.102.0/24 hosting 5, 173.246.103.0/24 hosting 8 and 173.246.104.0 hosting 9. Something must be seriously wrong at Gandi to allow this to happen.


Recommended blocklist:
173.246.102.2
173.246.102.202
173.246.102.223
173.246.102.250
173.246.103.47
173.246.103.191
173.246.103.232
173.246.104.52
173.246.104.55
173.246.104.104
173.246.104.128
173.246.104.154
173.246.104.184
173.246.104.185
17.247nycr.com
17.247nycrealty.com
17.allianceyouthsports.com
17.americanseniorgazette.net
17.apielectrical.com
17.apipoolservice.com
17.bearfoothouse.com
17.bestbysouthwest.net
17.bradentons-finest.com
17.carlileenrollment.com
17.ccbenroll.com
17.chefsenrollment.com
17.culliganwaternet.com
17.culliganwaternet.net
17.dchealthcaresolutions.com
17.deadbeatcustomers.com
17.deborahramanathan.com
17.docholidaybanners.com
17.doorssanantoniocom.com
17.drdeborahramanathan.com
17.enrollmentforce.com
17.entrepreneursnetworkofmichigan.com
17.foodypon.com
17.foodypon.info
17.grantmassie.com
17.grantmassie.net
17.grantmassie.org
17.heyculliganman.net
17.kathybissell.com
17.kbgolfcoursesales.com
17.kingdom-mystery.org
17.landvirginia.com
17.lascrittore.com
17.ledbymmhd.com
17.lonestarenrollment.com
17.lwrbeerfestival.com
17.meccandivinity.com
17.mmholidaydecor.com
17.moffdomains.com
17.nstarbankenrollment.com
17.opti-max.com
17.optimax.us
17.paperlessenrollment.com
17.paperlessenrollments.com
17.productpurveyors.com
17.quakertownfamilydoctor.com
17.rbasa.com
17.rbasanantonio.com
17.redtreebookings.com
17.renewenrollment.com
17.sanantoniodoors.net
17.sanantoniohardiplank.com
17.sanantoniosiding.com
17.sanantoniosiding.net
17.sanantoniowindows.net
17.scottbarr.org
17.seniorgazette.org
17.seniorgolfrankings.com
17.soonerflight.com
17.southwestexteriors.com
17.texcoteproblems.com
17.thebusiness-solutions.com
17.themarketmakers.org
17.thetelecomgroup.com
17.ultimateserviceexperience.com
17.ultimateserviceguarantee.com
17.valuationwidgets.com
17.vinyl-windows.org
17.webezmarketing.com
17.worldclassexteriors.com
17.yourbrokerforlife.com
1800callabe.com
1866callabe.com
19.accentchicagostore.com
19.advancedweb2solutions.com
19.campaignsusa.com
19.collectiblesminnesota.com
19.diet4usa.org
19.floridafractionalproperty.com
19.floridafractionalrealestate.info
19.floridafractionalrealestate.us
19.giftbasketminnesota.com
19.giftminn.com
19.giftminnesota.com
19.giftmn.com
19.giftsfromminnesota.com
19.giftsminnesota.com
19.icandyliciousshop.com
19.icandyliciousstore.com
19.icandysugarshoppe.com
19.icandysugarshoppe.org
19.kitchenandbathatlanta.com
19.kodiakgaming.com
19.lovefromchicago.com
19.lovefromchicagostore.com
19.lovefromcompanies.com
19.lovefrommn.com
19.minngift.com
19.minnsotagifts.net
19.minnstore.com
19.mngift.com
19.navypierstore.com
19.northwoodscabinstore.com
19.pacifictusk.com
19.pacifictuskbuilders.com
19.souvenirminnesota.com
19.storeminn.com
19.sunburstsouvenirs.com
19.sunburstsouvenirs.info
19.sunburstsouvenirs.net
19.thelovefromcompanies.com
21.3to2converter.com
21.aribadellago.com
21.az55pluscommunity.com
21.baleraatfirerock.com
21.bringmemyleads.biz
21.bringmemyleads.com
21.bringmemyleads.info
21.bringmemyleads.net
21.bringmemyleads.org
21.bringmemyleads.us
21.cedrictherealtor.com
21.cedricthevegasrealtor.com
21.cordilleraatcopperwynd.com
21.crestviewatfountainhills.com
21.customswitchpanel.com
21.homesbythefountain.com
21.liquidstainedglass.com
21.liveinfountainhills.com
21.liveinlassendas.com
21.luxuriousscottsdale.com
21.wow-bottles.com
23.area-plumbing-company.com
23.garryowen.biz
23.goalsettingprogram.biz
23.mdvideoproduction.com
4.whereintuscany.com
4.whereintuscia.com
4.whereinumbria.com
4.whereinvaldaosta.com
4.whereinveneto.com
6.bbnface.com
6.bbnfaces.com
6.bbnfaces.net
6.mamasauction.com
6.mamaswishes.com
6.mamaswishes.net
6.mamaswishes.org
abemoussa.com
abemuggs.com
abes.co
abes.net
abesburger.com
biobcetsozxzxifwchyxxslfcaxws.info
byvcxdydxgyzxqwvnqktgpbfm.com
chellebelledesign.com
chellebelledesigns.com
eaeobxgtsvsjzljwkskvcaegqyay.net
findmynewschool.com
findyourpetcare.info
findyourpetcare.net
findyourpetcare.org
folsomdogplay.com
folsomdogs.com
folsomdogtrainingschool.com
godogresort.com
gottaghost.com
gottagirl.net
greawsome.com
gubmpfypeisctovkgaqghircxsfqlqc.biz
ingeuswghskzddxxlvgmqpvk.net
janetmoss.com
jerseycitybags.com
jerseyluggage.com
jmosswinery.com
jrzlzhmrwomfhaeqclwokvdm.net
kennethcolenyoutlet.com
kiddypals.com
kidswalla.com
kitchenwalla.com
kneetite.com
kzusdyhpypeavgltsjvdljpvojqg.com
labodysculpt.com
lacellulaze.com
laserabs.com
laserbod.com
laserbodycontour.com
laserbodyfit.com
laserbodysculpt.com
laserbodysculpt.info
laserbodysculpt.net
laserbodysculpt.org
laserbodytight.com
laserfigure.com
laserlipobanking.com
laserlipofirm.com
laserlipomanhattan.com
laserlipoplasticsurgeon.com
laserlipo-plasticsurgeon.com
laserlipoplasticsurgeons.com
laserlipo-plasticsurgeons.com
laserlipopro.com
laserliposolution.com
laserlipotight.com
laserlipotopdocs.com
laserniptuck.com
laserpecs.com
laser-sculpt.com
laser-sculpting.com
lasertoned.com
lasertuck.com
lazersculpt.com
lazertite.com
lidlaser.com
lidtight.com
lipo-exatlanta.com
lipo-exbeverlyhills.com
london-leather.com
magnetas.mx
marinedockladders.com
marzenamelby.com
minneapolisareareosales.com
minneapolisforeclosuredeals.com
pciinvbupnxkfatrsuhicuaue.net
prdqjfhwookftucvkwclhyzlyt.biz
premiumrentalproperty.com
remote-recording-mixing.com
rglrlprbayscvwfkqmbqtkj.com
rockvilleautobody.biz
roll-on-bracelets.info
scnrpnqojbaymfvclcdqhtpdi.org
share.afghans.net
shuofrpvcyukzgqnjbykrvkddu.com
stevecozz.com
tgvwvofaamqcciqhiqoutoprwkqwjn.com
theinternetchauffeur.biz
the-internet-chauffeur.com
trippling.com
twbevoabakbrghlnfylbuempvmfmb.org
twincitiesfamilywellness.com
veolux.com
yhlnibrgxwxplfjsoauondhunv.com
ylhqlrgqxgordeytindafukreqjvtw.info

Tuesday, 3 September 2013

PayPal spam / londonleatheronline.com

This fake PayPal spam leads to malware on londonleatheronline.com:

Date:      Tue, 3 Sep 2013 09:43:09 +0400 [01:43:09 EDT]
From:      PayPal [service@int.paypal.com]
Subject:      Identity Issue #PP-716-472-864-836

We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.

Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to verification@paypal.com along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill ).
For more details please see on the page View all details

Your case ID for this reason is PP-U3PR33YIL8AV

For your protection, we might limit your account access. We apologize for any inconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE:

This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (PayPal , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

PayPal Email ID PP53161

The link in the email goes to a legitimate hacked site and then loads one of these three scripts:
[donotclick]ftp.casacalderoni.com/liquids/pythias.js
[donotclick]tuviking.com/trillionth/began.js
[donotclick]walegion.comcastbiz.net/wotan/reuses.js

These scripts then try to deliver the victim to a malicious payload at [donotclick]londonleatheronline.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which is the same server as used in this attack, along with a number of other hijacked domains which are listed in italics below.

Recommended blocklist:
173.246.104.184
jerseycitybags.com
jerseyluggage.com
kennethcolenyoutlet.com
kiddypals.com
kidswalla.com
kitchenwalla.com
london-leather.com
londonleatheronline.com

ftp.casacalderoni.com
tuviking.com
walegion.comcastbiz.net

Monday, 2 September 2013

Facebook spam / london-leather.com

This fake Facebook spam leads to malware on london-leather.com:

Date:      Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      Victoria Carpenter commented on your status

facebook
Hello,
Victoria Carpenter commented on your status.
Victoria wrote: "so cute;)"

Go to comments

Reply to this email to comment on this status.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

In this case the link in the spam appears to use some sort of URL shortening service, first going to [donotclick]jdem.cz/5xxb8 then [donotclick]93.93.189.108/exhortation/index.html where it attempts to load one of the following three scripts:
[donotclick]codebluesecuritynj.com/mummifies/stabbed.js
[donotclick]mobileforprofit.net/affected/liberal.js
[donotclick]tuviking.com/trillionth/began.js

These scripts in turn direct the visitor to a malicious payload site at [donotclick]london-leather.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which hosts a number of malicious domains, also hijacked from GoDaddy and listed in italics below.

Recommended blocklist:
173.246.104.184
london-leather.com
kitchenwalla.com
kidswalla.com
jerseyluggage.com
jerseycitybags.com
kiddypals.com
kennethcolenyoutlet.com

codebluesecuritynj.com
mobileforprofit.net
tuviking.com





Thursday, 15 August 2013

"INCOMING FAX REPORT" spam / chellebelledesigns.com

A facsimile transmission. How quaint. Of course, it isn't.. the link in the spam goes to a malicious page on chellebelledesigns.com:

From:     Administrator [administrator@victimdomain]
Date:     15 August 2013 16:08
Subject:     INCOMING FAX REPORT : Remote ID: 1043524020

*********************************************************INCOMING FAX REPORT*********************************************************Date/Time: 07/25/2013 02:12:11 ESTSpeed: 66387 bpsConnection time: 04:06Pages: 0Resolution: NormalRemote ID: 1043524020Line number: 7DTMF/DID:Description: June PayrollClick here to view the file online*********************************************************

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: 07/25/2013 02:12:11 EST
Speed: 66387 bps
Connection time: 04:06
Pages: 0
Resolution: Normal
Remote ID: 1043524020
Line number: 7
DTMF/DID:
Description: June Payroll

Click here to view the file online

********************************************************* 
Note that the spam appears to come "from" the "Administrator" in the victim's own domain. This email address is a forgery, so don't worry about it. If you are daft enough to click the link in the email you go to a legitimate hacked site and then on to one of three scripts:
[donotclick]millionaireheaven.com/mable/rework.js
[donotclick]pettigrew.us/airheads/testier.js
[donotclick]www.situ-ingenieurgeologie.de/tuesday/alleviation.js

from there on, the victim is forwarded to a malicious landing page at [donotclick]chellebelledesigns.com/topic/conclusion-western.php using a hacked GoDaddy domain on 173.246.104.55 (Gandi, US). There are other hijacked GoDaddy domains on the same server (listed in italics below):

Recommended blocklist:
173.246.104.55
1800callabe.com
1866callabe.com
chellebelledesign.com
chellebelledesigns.com

millionaireheaven.com
pettigrew.us
www.situ-ingenieurgeologie.de


Thursday, 8 August 2013

eFax / jConnect spam and eliehabib.com

This fake fax spam leads to malware on eliehabib.com:

Date:      Wed, 7 Aug 2013 13:05:22 -0600 [15:05:22 EDT]
From:      Fax Message [message@inbound.efax.com]
Subject:      Fax Message at 2013-08-07 01:54:34 EST

Blue Bar
Fax Message

You have received 4 fax page(s) at 2013-08-07 01:54:34 EST.

* The reference number for this fax is wlmt_bgp85-3506454489-3878764215-49.
* The transmission start time for this fax is .

Click here to view this message in your web browser
Please visit http://www.j2.com/help if you have any questions regarding this message or your j2 service.

Thank you for using jConnect!
Home|Contact|Login
Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
jConnect is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the jConnect Customer Agreement.
The link in the email goes through a legitimate hacked site and then on to three scripts as follows:
[donotclick]v3dev.eu/conciseness/bragging.js
[donotclick]masperblog.it/manacle/barnaul.js
[donotclick]shop.zhengtugps.com/submissions/snipped.js

From then on the victim is sent to a payload site at [donotclick]eliehabib.com/topic/seconds-exist-foot.php which is a hacked domain registered by GoDaddy, hosted on 173.246.105.15 (Gandi, US). There are probably other malicious domains that I cannot see on the same server.

Recommended blocklist:
173.246.105.15
v3dev.eu
masperblog.it
shop.zhengtugps.com
eliehabib.com


Tuesday, 30 July 2013

CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net

This fake CNN spam leads to malware on deltadazeresort.net:

Date:      Tue, 30 Jul 2013 17:52:54 +0330 [10:22:54 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: Forbes: Angelina Jolie tops list of highest-paid actresses

Forbes: Angelina Jolie tops list of highest-paid actresses
By Sheridan Watson, EW.com
July 29, 2013 -- Updated 2014 GMT (0414 HKT)
Angelina Jolie attends a June 2013 premiere of her fiance Brad Pitt's movie,
Angelina Jolie attends a June 2013 premiere of her fiance Brad Pitt's movie, "World War Z."


(EW.com) -- She might not get paid as much as "Iron Man," but there's no doubt that celestial beauty Angelina Jolie is smiling all the way to the bank.

This year, Jolie topped Forbes' annual list of the highest-paid actresses in Hollywood with an incredibly robust $33 million.

The link in the email goes to a legitimate hacked site and then to one or more of three scripts:

[donotclick]00002nd.rcomhost.com/immanent/surfeit.js
[donotclick]theplaidfox.com/bulbs/falcon.js
[donotclick]sandbox.infotraxdevdocs.com/afforestation/provosts.js

From there the victim is sent to a landing page at [donotclick]deltadazeresort.net/topic/able_disturb_planning.php. At the time of writing this hijacked GoDaddy domain does not resolve, but it was recently hosted on the following IPs alongside these other hacked GoDaddy domains:

66.175.217.235 (Linode, US)
173.246.104.136 (Gandi, US)
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net

Wednesday, 24 July 2013

CNN "Harrison Ford" spam / 173.246.101.146 and fragrancewalla.com

This fake CNN alert leads to malware on fragrancewalla.com:


Date:      Wed, 24 Jul 2013 12:13:04 +0530 [02:43:04 EDT]
From:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'" [BreakingNews@mail.cnn.com]
Subject:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'"

CNN
Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'
By Emily Zemler, Special to CNN
July 21, 2013 -- Updated 1546 GMT (2346 HKT)
Actor Harrison Ford said he wasn't concerned about
Actor Harrison Ford said he wasn't concerned about "Ender's Game" author Orson Scott Card's views on gay marriage.


Editor's note: CNN.com is covering Comic-Con, the international gathering of geek and mainstream pop culture enthusiasts, through Sunday.

San Diego (CNN) -- For actor Harrison Ford, who is starring in a movie adaptation of Orson Scott Card's heralded and popular novel "Ender's Game," statements against same-sex marriage by the science-fiction author "are not an issue for me." FULL STORY

The link in the email goes through a legitimate hacked site, and then tries to run one or all of the following scripts:
[donotclick]ellensplace.lk/orientated/honecker.js
[donotclick]rodeiouniversitario.com.br/vicissitudes/furlong.js
[donotclick]funeralsintexas.com/gazillions/donkey.js

In turn, these scripts direct the victim to a malware landing page at [donotclick]fragrancewalla.com/topic/accidentally-results-stay.php (report here, appears to be 403ing but that could just be an anti-analysis response) hosted on 173.246.101.146 (Gandi, US).

The domain in question appears to be a hacked GoDaddy account, and the following GoDaddy registered domains are also on the same server and should be treated as suspicious:
happykidoh.com
fragrancewalla.com
fragrancessurplus.com

Monday, 24 June 2013

Something evil on 173.246.104.154

173.246.104.154 (Gandi, US) is hosting hacked GoDaddy domains serving a variety of malware [1] [2]. At the moment the following domains appear to be hosted on that server:
aandimedsolutions.com
aandimedsolutions.info
aandimedsolutions.net
antarcticland-union.it
antarcticland-union.org
antarcticland-union.us
easymapbuilder.com
findmynewschool.com
governmentofantarcticland.it
governmentofantarcticland.org
governmentofantarcticland.us
governodiantarcticland.it
governodiantarcticland.org
inflectionism.com
marinedockladders.com
premiumrentalproperty.com
principalityaustrallands.org
principatodiantarcticland.it
principatodiantarcticland.org
remote-recording-mixing.com
soundstudiosearch.com
trippling.com
waltwhitman150.org

These domains were recently hosted on that server but now appear to be back with GoDaddy and are probably fixed:
audiomasteringmeistro.com
beachfrontconcierge.com
audio-mastering-music.com
novafitnesstrainer.com
dinneraffairs.com
douglasvillestorage.com
subprimemortgage.us
loadingdockgear.com
loadingdockdepot.com
rippedtrainer.com
herblade.com
audiomasteringmaestro.com
audiomasteringsearch.com
austinremoterecording.com
bestseoamerica.com
hotrankseo.com
jacksonvillefloridacommercialrealestate.com
online-audio-mixing.com
findmynewhouse.co.uk
greatwestinsurancegroup.com
jewelboon.com

Tuesday, 23 April 2013

Something evil on 173.246.104.104

173.246.104.104 (Gandi, US) popped up on my radar after a malvertising attack apparently utilising a hacked OpenX server (I'm not 100% which one so I won't name names) and leading to a payload on [donotclick]laserlipoplasticsurgeon.com/news/pint_excluded.php (report here).

Both VirusTotal and  URLquery detect multiple malicious domains on this IP. It appears that the domains were originally legitimate, but it looks like they have been hijacked by the bad guys somehow. Domains that are flagged by Google as being malicious are marked in  red  (which is most of them!). I recommend that you apply the following blocklist for the time being:

173.246.104.104
kneetite.com
labodysculpt.com
lacellulaze.com
laserabs.com
laserbod.com
laserbodycontour.com
laserbodyfit.com
laserbodysculpt.com
laserbodysculpt.info
laserbodysculpt.net
laserbodysculpt.org
laserbodyshape.com
laserbodytight.com
laserfigure.com
laserlipobanking.com
laserlipofirm.com
laserlipomanhattan.com
laserlipoplasticsurgeon.com
laserlipo-plasticsurgeon.com
laserlipoplasticsurgeons.com
laserlipo-plasticsurgeons.com
laserlipopro.com
laserliposolution.com
laser-sculpt.com
laser-sculpting.com


Update:
I really do recommend blocking all the domains on this IP, including kneetite.com (see report) and these following ones which have also been discovered on the same server.
laserlipotight.com
laserlipotopdocs.com
laserniptuck.com




Thursday, 7 March 2013

Malware sites to block 7/3/13

Some Cridex-based nastiness here. These are the malicious domains that I can find on the IPs mentioned, alternatively you can just block:

173.246.102.2 (Gandi, US)
173.255.215.242 (Linode, US)
64.13.172.42 (Silicon Valley Colocation, US)

Blocklist:
173.246.102.2
173.255.215.242
64.13.172.42
17.247nycr.com
17.optimax-fuel-saver.us
17.grantmassie.org
17.seniorgazette.org
17.scottbarr.org
17.kingdom-mystery.org
17.landvirginia.com
17.schnoescpa.com
17.rbasa.com
17.thinkgreensa.com
17.hogwashiniowa.com
17.ledbymmhd.com
17.ultimateserviceexperience.com
17.yourbrokerforlife.com
17.grantmassie.com
17.lascrittore.com
17.bearfoothouse.com
17.setapartcreative.com
17.sanantoniosiding.com
17.webezmarketing.com
17.iowahogwash.com
17.avbapi.com
17.sanantoniohardiplank.com
17.apielectrical.com
17.lwrbeerfestival.com
17.kathybissell.com
17.cpadahm.com
17.doorssanantoniocom.com
17.deborahramanathan.com
17.drdeborahramanathan.com
17.foodypon.com
17.renewalanderson.com
17.rbasanantonio.com
17.renewalsanantonio.com
17.thetelecomgroup.com
17.247nycr.com
17.mmholidaydecor.com
17.quakertownfamilydoctor.com
17.dmmbs.com
17.dmmmbs.com
17.kbgolfcoursesales.com
17.seniorgolfrankings.com
17.redtreebookings.com
17.southwest-referrals.com
17.texcoteproblems.com
17.taberydesigns.com
17.moffdomains.com
17.thebusiness-solutions.com
17.dchealthcaresolutions.com
17.deadbeatcustomers.com
17.docholidaybanners.com
17.worldclassexteriors.com
17.southwestexteriors.com
17.productpurveyors.com
17.valuationwidgets.com
17.profitzplus.com
17.culliganwaternet.com
17.soonerflight.com
17.bradentons-finest.com
17.opti-max.com
17.meccandivinity.com
17.247nycrealty.com
17.foodypon.info
17.brightdirection.us
17.optimaxmagnetics.us
17.optimax.us
17.ir-c.net
17.grantmassie.net
17.americanseniorgazette.net
17.sanantoniosiding.net
17.sanantoniodoors.net
17.sanantoniowindows.net
17.culliganwaternet.net
17.bestbysouthwest.net
17.brightdirection.biz
20.anythinginternational.biz
20.anythinginternational.com
20.chelsiamd.com
kfz-youngtimerservice.de
mtmedia.net
cinemacityhu.iq.pl


Thursday, 24 January 2013

ADP spam / 14.sofacomplete.com

This fake ADP spam leads to malware on 14.sofacomplete.com:

From:     Erna_Thurman@ADP.com Date:     24 January 2013 17:48
Subject:     ADP Generated Message: Final Notice - Digital Certificate Expiration

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.

---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.

Days left before expiration: 1
Expiration date: Jan 25 23:59:59 GMT-03:59 2013

--------------------------------------------------------------------
Renewing Your Digital Certificate
---------------------------------------------------------------------
1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp

2. Follow the instructions on the screen.

3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.

---------------------------------------------------------------------
Deleting Your Old Digital Certificate
---------------------------------------------------------------------
After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.

The malicious payload is at [donotclick]14.sofacomplete.com/read/saint_hate-namely_fails.php hosted on 173.246.103.26 (Gandi, US). These other malicious domains are also visible, there may be more:

14.sofacomplete.com
14.onlinecollegecomplete.com
14.technicianinformations.com

Update, these additional sites are on the same server:
14.internationalscholarships.org
14.igeekygadgets.com

Wednesday, 9 January 2013

Something evil on 173.246.102.246

173.246.102.246 (Gandi, US) looks like it is being used for exploit kits being promoted either through malvertising or through exploited OpenX ad servers.

In the example I have seen, the malicious payload is at [donotclick]11.lamarianella.info/read/defined_regulations-frequently.php (report here). These other domains appear to be on the same server, all of which can be assumed to be malicious:

11.livinghistorytheatre.ca
11.awarenesscreateschange.com
11.livinghistorytheatre.com
11.b2cviaggi.com
11.13dayz.com
11.lamarianella.info
11.studiocitynorth.tv
11.scntv.tv

These all appear to be legitimate but hijacked domains, you may want to block the whole domain rather than just the 11. subdomain.

Thursday, 13 December 2012

Citi Cards spam / 6.bbnface.com and 6.mamaswishes.com

This fake Citi Cards spam leads to malware on 6.bbnface.com and 6.mamaswishes.com:


Date:      Thu, 13 Dec 2012 11:59:33 +0300
From:      Citi Cards [citicards@info.citibank.com]
Subject:      Your Citi Credit Card Statement
   

Add citicards@info.citibank.com to your address book to ensure delivery.

Your Account: Important Notification
   
Your Citi Credit Card statement is ready to view online

   
Dear customer,

Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:

Statement Date:     December 13, 2012
Statement Balance:     -$8,803.77
Minimum Payment Due:     $750.00
Payment Due Date:     Tue, January 01, 2013


Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.

To set up alerts sign on to www.citicards.com and go to Account Profile.

Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.

(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

============================


Date:      Thu, 13 Dec 2012 10:30:55 +0200
From:      Citi Cards [citicards@info.citibank.com]
Subject:      Your Citi Credit Card Statement
   

Add citicards@info.citibank.com to your address book to ensure delivery.

Your Account: Important Notification
   
Your Citi Credit Card statement is ready to view online

   
Dear customer,

Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:

Statement Date:     December 13, 2012
Statement Balance:     -$5,319.77
Minimum Payment Due:     $506.00
Payment Due Date:     Tue, January 01, 2013


Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.

To set up alerts sign on to www.citicards.com and go to Account Profile.

Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.

(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

The links in the email bounce through a legitimate hacked site, and in the samples I have seen end up on [donotclick]6.bbnface.com/string/obscure-logs-useful.php or [donotclick]6.mamaswishes.com/string/obscure-logs-useful.php both hosted on 173.246.102.223 (Gandi, US) which probably contains many other evil sites, so blocking that IP address would probably be prudent.

Update: the following domains appears to be on this server:
6.bbnface.com
6.mamasauction.com
6.bbnfaces.com
6.mamaswishes.com
6.bbnfaces.net
6.mamaswishes.net

Friday, 23 November 2012

Malware sites to block 23/11/12

This bunch of IPs and domains are being used in a series of fairly well-targeted attacks involving malicious spam messages that look like they come from real financial organisations (such as this one).  The payload is apparently "Ponyloader".

The domains seem to be legitimate but hacked, and in some cases the server infrastructure also looks like it is something legitimate that has been taken over by the bad guys. However, the chances are that you are more likely to see these sites as the result of a malicious spam run rather than anything else, and you should consider blocking them.

Malware servers:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (DirectSpace Networks, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US / Jolly Works Hosting, Philippines)

Plain list of IPs for copy-and-pasting:
50.116.16.118
64.94.101.200
69.194.194.216
70.42.74.152
94.76.235.199
173.246.103.59
173.246.103.112
173.246.103.124
173.246.103.184
173.246.104.21
174.140.168.143
198.74.52.86
209.188.0.118

Apparently malicious domains and subdomains:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (Gandi, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US)

1.alikeword.com
1.basicwheel.com
1.bigbroshark.net
1.blueseadolphin.net
1.callteamverve.com
1.connectedwheel.com
1.forrest-lake.info
1.killerwheel.com
1.lake-forrest.com
1.lake-forrest.info
1.lake-forrest.net
1.lowcowroller.com
1.lowcowroller.net
1.metallbeaar.net
1.rabbitharky.com
1.rabbitharky.net
1.roboxanger.net
2.5900bracknell.info
2.alikeword.com
2.allenpremierhomes.com
2.aloeups.com
2.alohevera.com
2.basicwheel.com
2.bigbroshark.net
2.blueseadolphin.net
2.boxanh.com
2.callteamverve.com
2.carrollton-realestate.com
2.connectedwheel.com
2.forrest-lake.info
2.frommyhousetoyours.com
2.killerwheel.com
2.lake-forrest.com
2.lake-forrest.info
2.lake-forrest.net
2.lowcowroller.com
2.lowcowroller.net
2.metallbeaar.net
2.pacbancwholesale.com
2.pacificbancwholesale.com
2.rabbitharky.com
2.rabbitharky.net
2.refiinc.com
2.roboxanger.net
2.taxreliefofamerica.com
2.webdedang.com
2.webdedang.net
2.wholesalepbm.com
2.zerocostfha.com
2.zfhaloan.com
3.alikeword.com
3.amandahuynh.com
3.basicwheel.com
3.bigbroshark.net
3.bluepointmortgage.com
3.blueseadolphin.net
3.callteamverve.com
3.connectedwheel.com
3.coolerpillow.com
3.directfhafunding.com
3.forrest-lake.info
3.gutterkings.biz
3.helpmemodify.com
3.insulkings.com
3.killerwheel.com
3.lake-forrest.com
3.lake-forrest.info
3.lake-forrest.net
3.lowcowroller.com
3.lowcowroller.net
3.markmatta.com
3.metallbeaar.net
3.rabbitharky.com
3.rabbitharky.net
3.roboxanger.net
4.alikeword.com
4.androidislamic.com
4.basicwheel.com
4.bigbroshark.net
4.blueseadolphin.net
4.callteamverve.com
4.collecorvino.org
4.connectedwheel.com
4.dlevo.com
4.forrest-lake.info
4.habitacoesferiasacores.com
4.icedambusters.net
4.icedambusters.org
4.insul-king.com
4.insulking.org
4.insul-king.org
4.insul-kings.org
4.islamicandroid.com
4.islamicmid.com
4.islamictab.com
4.killerwheel.com
4.lake-forrest.com
4.lake-forrest.info
4.lake-forrest.net
4.lowcowroller.com
4.lowcowroller.net
4.lowellgeneralcarjacking.com
4.lowellgeneralhospitalcarjacking.com
4.lowellgeneralhospitalcarjacking.net
4.metallbeaar.net
4.rabbitharky.com
4.rabbitharky.net
4.roboxanger.net
5.alikeword.com
5.attilacrm.com
5.basicwheel.com
5.bigbroshark.net
5.bitwin.com
5.blueseadolphin.net
5.callteamverve.com
5.connectedwheel.com
5.forrest-lake.info
5.killerwheel.com
5.lake-forrest.com
5.lake-forrest.info
5.lake-forrest.net
5.lowcowroller.com
5.lowcowroller.net
5.metallbeaar.net
5.rabbitharky.com
5.rabbitharky.net
5.roboxanger.net
6.alikeword.com
6.alohevera.com
6.basicwheel.com
6.bigbroshark.net
6.blueseadolphin.net
6.callteamverve.com
6.connectedwheel.com
6.fionabuchanan.com
6.forevergreen.us.com
6.forrest-lake.info
6.grapafood.com
6.hotels-rooms.com
6.incidentalrecruitment.com
6.killerwheel.com
6.lake-forrest.com
6.lake-forrest.info
6.lake-forrest.net
6.lowcowroller.com
6.lowcowroller.net
6.metallbeaar.net
6.negutterking.org
6.negutterkings.biz
6.negutterkings.info
6.negutterkings.net
6.negutterkings.org
6.nomoreicedams.com
6.nomoreicedams.net
6.rabbitharky.com
6.rabbitharky.net
6.roboxanger.net
7.alikeword.com
7.basicwheel.com
7.bigbroshark.net
7.blueseadolphin.net
7.callteamverve.com
7.connectedwheel.com
7.forrest-lake.info
7.killerwheel.com
7.lake-forrest.com
7.lake-forrest.info
7.lake-forrest.net
7.lowcowroller.com
7.lowcowroller.net
7.metallbeaar.net
7.rabbitharky.com
7.rabbitharky.net
7.roboxanger.net
8.alikeword.com
8.aloeventures.com
8.aloeverasoftdrinks.com
8.aloevirgin.com
8.basicwheel.com
8.bigbroshark.net
8.blueseadolphin.net
8.cafesexcelentes.com
8.callteamverve.com
8.connectedwheel.com
8.corporatemodeler.com
8.elbancodelospobres.com
8.foodex.us
8.forrest-lake.info
8.joanvaldez.com
8.killerwheel.com
8.klipette.com
8.koguis.com
8.lake-forrest.com
8.lake-forrest.info
8.lake-forrest.net
8.lowcowroller.com
8.lowcowroller.net
8.metallbeaar.net
8.rabbitharky.com
8.rabbitharky.net
8.roboxanger.net
9.alikeword.com
9.basicwheel.com
9.bigbroshark.net
9.blueseadolphin.net
9.bohmamei.com
9.boondocksdistillery.com
9.callteamverve.com
9.connectedwheel.com
9.forrest-lake.info
9.hclinstitute.com
9.i-am-a-pussy.com
9.killerwheel.com
9.lake-forrest.com
9.lake-forrest.info
9.lake-forrest.net
9.lowcowroller.com
9.lowcowroller.net
9.metallbeaar.net
9.rabbitharky.com
9.rabbitharky.net
9.roboxanger.net
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com

Or if you just want to block domains rather than subdomains:
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com

Thursday, 22 November 2012

Malware sites to block 22/11/12

This is part of a newish cluster of malware sites being promoted through finance related spam, spotted by GFI Labs here and on this blog here.

50.61.155.86 (Fortress ITX,US)
69.194.196.5 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
173.246.103.112 (Gandi, US)
192.155.83.186 (Linode, US)
192.155.83.191 (Linode, US)
198.74.53.207 (Linode, US)

Plain list of IPs and domains for copy-and-pasting:
 5.estasiatica.com
5.chinottoneri.com
6.grapainterfood.com
6.grapaimport.com
6.grapafood.com
6.pascesoir.net
50.61.155.86
69.194.196.5
70.42.74.152
173.246.103.112
192.155.83.186
192.155.83.191
198.74.53.207