
Tuesday, 6 August 2013

What is 65.222.202.0/24?

A breakdown of the suballocations of the Verizon Business 65.222.202.0/24 block, mentioned in connection with Torsploit:


| Block | Start | End | CustName | Description |
| --- | --- | --- | --- | --- |
| 65.222.202.0/28 | 65.222.202.0 | 65.222.202.15 | Science Applications Int | SAIC (US Defense contractor) |
| 65.222.202.16/28 | 65.222.202.16 | 65.222.202.31 | Old Dominion Internet | Possibly dormant VA corporation |
| 65.222.202.32/28 | 65.222.202.32 | 65.222.202.47 | FTS2001/US Government | Federal Technology Service |
| 65.222.202.48/29 | 65.222.202.48 | 65.222.202.55 | Unknown | "Torsploit" block |
| 65.222.202.56/29 | 65.222.202.56 | 65.222.202.63 | Universal Machine Co of Pottsdown Inc | Universal Machines (www.umc-oscar.com) |
| 65.222.202.64/28 | 65.222.202.64 | 65.222.202.79 | Kitron | Electronic Manufacturing Service |
| 65.222.202.80/29 | 65.222.202.80 | 65.222.202.87 | Morningside Sports Farm | Horse Training Farm in VA |
| 65.222.202.88/29 | 65.222.202.88 | 65.222.202.95 | MetTel, Inc | Telecommunications Service Provider |
| 65.222.202.96/29 | 65.222.202.96 | 65.222.202.103 | Guidestar | NPO Information Service |
| 65.222.202.104/29 | 65.222.202.104 | 65.222.202.111 | Walt Disney Company | Mickey Mouse outfit |
| 65.222.202.112/28 | 65.222.202.112 | 65.222.202.127 | Dental Concepts | Dentistry |
| 65.222.202.128/29 | 65.222.202.128 | 65.222.202.135 | GARP Research & Securities | Financial Analysts |
| 65.222.202.136/29 | 65.222.202.136 | 65.222.202.143 | Assured Packaging Inc | Metal boxes |
| 65.222.202.144/28 | 65.222.202.145 | 65.222.202.159 | Unknown | |
| 65.222.202.160/28 | 65.222.202.161 | 65.222.202.174 | Unknown | |
| 65.222.202.176/29 | 65.222.202.176 | 65.222.202.183 | Butler Medical Transport | Patient Transport Services |
| 65.222.202.184/29 | 65.222.202.184 | 65.222.202.191 | Federated IT | Government IT contractor |
| 65.222.202.192/28 | 65.222.202.192 | 65.222.202.207 | Old Dominion Internet | Possibly dormant VA corporation |
| 65.222.202.208/29 | 65.222.202.208 | 65.222.202.215 | Pharmaceuticals International, Inc | Healthcare |
| 65.222.202.216/29 | 65.222.202.216 | 65.222.202.223 | Unknown | |
| 65.222.202.224/29 | 65.222.202.224 | 65.222.202.231 | Unknown | |
| 65.222.202.232/29 | 65.222.202.232 | 65.222.202.239 | Live Nation | Events Company, CA |
| 65.222.202.240/28 | 65.222.202.240 | 65.222.202.255 | Georgetown Day School | Washington DC school |

Monday, 5 August 2013

Torsploit: is 65.222.202.53 the NSA?

There has been a lot of chatter in the past day or so about the takedown of an Irish outfit called Freedom Hosting which hosted a number of "hidden services" on Tor, ranging from Tormail (which allows anonymous email communication) to.. well, Really Bad Stuff that you don't want to know about. Basically.. Law Enforcement (LE) appear to have discovered the real-world location of these servers on the other side of Tor and have busted the alleged operator.

What gets interesting is that some of these Tor services were infected with an injection script that attempted to reveal the real IP address of the visitor through a security flaw in the version of Firefox in the Tor Bundle. There's an interesting analysis of the script here, and the long and the short of it is that the injected code attempts to call back to 65.222.202.53, in order to track the Tor users involved.

So.. who is 65.222.202.53? Well, it seems to be a Verizon Business IP (part of a "ghost block" of 65.222.202.48/29) in the Washington DC area. You know.. the home of several government agencies or branches thereof. But now the Internet is awash with rumours that this IP address belongs to the NSA. But what evidence is there?

A lot of the fuss seems to have happened because of this tweet from Baneki Privacy Labs.

What Baneki are saying is that the whole 65.222.202.0/24 block (the "C block" in classful parlance) is owned by a government contractor called SAIC (apparently not the SAIC who own MG Motors!) and that SAIC are connected to the DoD. Although SAIC are certainly a military contractor, the error that they are making is to believe the report from DomainTools which appears to be misinterpreting the allocations in that particular block.


So, does SAIC (listed here as SCIENCE APPLICATIONS INT) own the whole /24? No. Verizon has simply allocated the first /28 in that block to SAIC, and it appears that DomainTools is misinterpreting that data.

NetRange:       65.222.202.0 - 65.222.202.15
CIDR:           65.222.202.0/28
OriginAS:   
NetName:        UU-65-222-202-D4
NetHandle:      NET-65-222-202-0-1
Parent:         NET-65-192-0-0-1
NetType:        Reassigned
Comment:        Addresses within this block are non-portable.
RegDate:        2006-09-14
Updated:        2006-09-14
Ref:            http://whois.arin.net/rest/net/NET-65-222-202-0-1

CustName:       SCIENCE APPLICATIONS INT
Address:        47332 EAGAN MCALLISTER LN
Address:        RM 1112 1st fl
City:           LEXINGTON PARK
StateProv:      MD
PostalCode:     20653-2461
Country:        US
RegDate:        2006-09-14
Updated:        2011-03-19
Ref:            http://whois.arin.net/rest/customer/C01446299


Other suballocations in that block do include government agencies, but just a couple of IPs away from the mystery IP is 65.222.202.56/29, which belongs to an industrial supply company called Universal Machines. Whoever uses 65.222.202.53 is very likely to be a corporate or government entity, but really that's pretty much all you can tell from the Verizon Business IP. DomainTools is great but as with any automated tool.. sometimes you need to double-check what it reports back.

But then Baneki make another claim.. that obviously 65.222.202.53 belongs to the NSA, because the NSA controls the entire 65.192.0.0/11 range (65.192.0.1 to 65.223.255.254) which is about 2 million IPs. This is what they were referring to:

Umm, well.. no. That's just another block allocated to Verizon Business. You may as well argue that everything in 0.0.0.0/0 belongs to the NSA on the same principle. Actually.. maybe it does, but that's another matter entirely. Again.. Robtex is a great tool but you sometimes need to sanity-check the output.

It may surprise you to learn that law enforcement officers and intelligence agencies are not normally complete fucking idiots when it comes to guarding their IP addresses. They do not (for example) sign up to Silk Road with their @fbi.gov email addresses or poke around the underweb from an NSA IP address range. Well, not normally..

I am not saying that the injection wasn't the work of the NSA. Or the CIA, FBI, DOD, IRS or any other Alphabet Soup Agency. But let's see some real evidence first, eh?

UPDATE: I had a closer look at the users of the /24 here. It's a mix of businesses and government organisations and contractors, not surprising given the physical location of the /24.
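The containment reasoning above, worked in code as an added example (not code from the original post): it embeds the suballocation table from the previous post and the ARIN parent range quoted above, finds the narrowest block holding an address, and checks that the customer blocks tile the /24, so no single customer can "own" it.

```python
"""Locate an address within the 65.222.202.0/24 suballocations.

Added example, not code from the original post. SUBALLOCATIONS is
transcribed from the post's breakdown of the Verizon Business /24;
the /11 is the ARIN parent range quoted in the post.
"""
import ipaddress

# Parent ranges: both are Verizon Business allocations, not an end customer.
PARENTS = [
    ("65.192.0.0/11", "Verizon Business (ARIN parent NET-65-192-0-0-1)"),
    ("65.222.202.0/24", "Verizon Business (the /24 carved into customer blocks)"),
]

# Customer suballocations as listed in the post (block, CustName).
SUBALLOCATIONS = [
    ("65.222.202.0/28", "Science Applications Int (SAIC)"),
    ("65.222.202.16/28", "Old Dominion Internet"),
    ("65.222.202.32/28", "FTS2001/US Government"),
    ("65.222.202.48/29", "Unknown (the Torsploit callback block)"),
    ("65.222.202.56/29", "Universal Machine Co of Pottsdown Inc"),
    ("65.222.202.64/28", "Kitron"),
    ("65.222.202.80/29", "Morningside Sports Farm"),
    ("65.222.202.88/29", "MetTel, Inc"),
    ("65.222.202.96/29", "Guidestar"),
    ("65.222.202.104/29", "Walt Disney Company"),
    ("65.222.202.112/28", "Dental Concepts"),
    ("65.222.202.128/29", "GARP Research & Securities"),
    ("65.222.202.136/29", "Assured Packaging Inc"),
    ("65.222.202.144/28", "Unknown"),
    ("65.222.202.160/28", "Unknown"),
    ("65.222.202.176/29", "Butler Medical Transport"),
    ("65.222.202.184/29", "Federated IT"),
    ("65.222.202.192/28", "Old Dominion Internet"),
    ("65.222.202.208/29", "Pharmaceuticals International, Inc"),
    ("65.222.202.216/29", "Unknown"),
    ("65.222.202.224/29", "Unknown"),
    ("65.222.202.232/29", "Live Nation"),
    ("65.222.202.240/28", "Georgetown Day School"),
]


def containing_allocations(ip):
    """All listed ranges holding ip, ordered from least to most specific."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(cidr), owner)
            for cidr, owner in PARENTS + SUBALLOCATIONS
            if addr in ipaddress.ip_network(cidr)]
    hits.sort(key=lambda hit: hit[0].prefixlen)
    return [(str(net), owner) for net, owner in hits]


def most_specific_allocation(ip):
    """The narrowest range holding ip, or None if it is outside the /11."""
    hits = containing_allocations(ip)
    return hits[-1] if hits else None


def block_size(cidr):
    """Number of addresses in a CIDR block (a /11 is 2**21)."""
    return ipaddress.ip_network(cidr).num_addresses


def suballocations_tile_parent():
    """True if the customer blocks exactly cover 65.222.202.0/24 with no gap or overlap."""
    nets = [ipaddress.ip_network(cidr) for cidr, _ in SUBALLOCATIONS]
    total = sum(net.num_addresses for net in nets)
    collapsed = list(ipaddress.collapse_addresses(nets))
    return collapsed == [ipaddress.ip_network("65.222.202.0/24")] and total == 256


if __name__ == "__main__":
    for ip in ("65.222.202.53", "65.222.202.10", "65.200.0.1"):
        print(ip, "->", containing_allocations(ip))
    print("/11 holds", block_size("65.192.0.0/11"), "addresses")
    print("suballocations tile the /24:", suballocations_tile_parent())
```

Being inside the /11 says only "Verizon Business customer"; the narrowest match for the callback address is the /29 with no customer name, not SAIC's /28.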

Friday, 26 July 2013

Mobiquant - when IT security goes badly wrong

UPDATE: as of September 2013, this site appears to have been cleaned up.

Mobiquant appears to be a small French IT security company run by a gentleman called Reda Zitouni. It has reportedly been struggling a bit and may have shut up shop earlier in the year. They describe themselves thusly: "Mobiquant Technologies is a leading company provides mobile SECURITY management technology to enterprises & carriers (BYOD, MDM, MSM)"

They have a couple of Twitter accounts, one of which has been switched to protected and the other one has not Tweeted since April. There's very little evidence to indicate any kind of activity (although we'll get to that in a moment) and this site has it marked as "Cessé économiquement" ("Ceased economically") according to INSEE.

The problem is that their website has been serving up a RedKit exploit kit for at least the past ten days. And despite several attempts to contact them via email, Twitter and a variety of other means the exploit kit remains.


It's not a surprise to see an abandoned website being infected like this, but it is embarrassing for an IT security company. More worryingly, it could be a watering hole attack deliberately targeting people involved in IT security. Note that the affiliate domain yesucantechnologies.com also appears to have been compromised.

The plot thickens though. Because it is sometimes nice to let people know that they have been hacked I looked at the WHOIS records for the domain to find the contact details. And this is what I found:

Registrant Contact:
   Fortesia
   RZ Group ()
  
   Fax:
   7
   Cheval Place
   London, P S6SDJ7
   GB

Administrative Contact:
   Fortesia
    Group (adds31@gmail.com)
   +44.20777777777
   Fax: +44.20734596895
   7
   Cheval Place
   London, P S6SDJ7
   GB


What is wrong with these records? Everything! The WHOIS details claim to be for a UK company, but according to Companies House there is no such entity in the UK as Mobiquant or RZ Group, and no active companies by the name of Fortesia. "P S6SDJ7" is not a valid UK postcode, and the address is actually an East African restaurant. Although the fax number is potentially valid, the +44.20777777777 telephone number is extremely unlikely. What sort of company fakes its WHOIS records?

Now, when you have invalid WHOIS details for a malware site one of the quickest things to do is file a report with ICANN. I did this, expecting that this apparently zombie site would be shut down. But what happened instead is that the WHOIS details changed:

   WhoisGuard, Inc.
   WhoisGuard Protected (26ae68e0b9764d38a5d0ca312cc0d367.protect@whoisguard.com)
   +507.8365503
   Fax: +51.17057182
   P.O. Box 0823-03411
   Panama, Panama NA
   PA


Now, this is kind of odd because it means that someone must be home at Mobiquant, and they were prepared to correct their WHOIS details (or risk losing their site), but are not prepared to clean up the infection. Incidentally, the fake WHOIS details can still be seen at the site mobiquantacademy.com.
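The same plausibility checks run over the two WHOIS records above, as an added example (not code from the original post): the two contact records are transcribed from the post, while the rules (UK postcode format, a long run of one repeated digit in a phone number, privacy-proxy contacts) and the valid postcode used in the usage check are my own constructed choices.

```python
"""Plausibility checks for WHOIS contact records.

Added example, not code from the original post. The two records below
are transcribed from the post; the checks are rules of thumb, not a
registrar's validation logic.
"""
import re

# Outward code, optional space, inward code, e.g. "SW7 1AA" (constructed sample).
UK_POSTCODE = re.compile(r"^[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}$")
# Six or more of the same digit in a row in the national part of a number.
REPEATED_DIGITS = re.compile(r"(\d)\1{5,}")
# Substrings that identify a registrar privacy proxy rather than a registrant.
PRIVACY_PROXY_MARKERS = ("whoisguard",)

# Administrative contact as the domain's WHOIS showed it in the post.
MOBIQUANT_ADMIN = {
    "org": "Fortesia", "name": "Group", "email": "adds31@gmail.com",
    "phone": "+44.20777777777", "fax": "+44.20734596895",
    "street": "7 Cheval Place", "city": "London",
    "postcode": "P S6SDJ7", "country": "GB",
}
# The replacement record that appeared after the ICANN report.
MOBIQUANT_AFTER_REPORT = {
    "org": "WhoisGuard, Inc.", "name": "WhoisGuard Protected",
    "email": "26ae68e0b9764d38a5d0ca312cc0d367.protect@whoisguard.com",
    "phone": "+507.8365503", "fax": "+51.17057182",
    "street": "P.O. Box 0823-03411", "city": "Panama",
    "postcode": "NA", "country": "PA",
}


def check_contact(contact):
    """Return a list of warnings; an empty list means nothing looked odd."""
    warnings = []
    if contact.get("country") == "GB":
        postcode = contact.get("postcode", "").strip().upper()
        if not UK_POSTCODE.match(postcode):
            warnings.append("postcode %r does not match the UK format" % postcode)
    for field in ("phone", "fax"):
        number = contact.get(field, "")
        # Drop the "+CC." prefix and punctuation; keep the national digits only.
        national = re.sub(r"\D", "", number.split(".", 1)[-1])
        if national and REPEATED_DIGITS.search(national):
            warnings.append("%s %s is a run of one repeated digit" % (field, number))
    blob = " ".join(str(value) for value in contact.values()).lower()
    if any(marker in blob for marker in PRIVACY_PROXY_MARKERS):
        warnings.append("contact is a privacy proxy; registrant not identifiable from WHOIS")
    return warnings


if __name__ == "__main__":
    for label, record in (("original", MOBIQUANT_ADMIN),
                          ("after report", MOBIQUANT_AFTER_REPORT)):
        print(label, check_contact(record))
    # Constructed record with a well-formed postcode and number: no warnings.
    print("clean", check_contact({"country": "GB", "postcode": "SW7 1AA",
                                  "phone": "+44.2071234567"}))
```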

Indeed, mobiquantacademy.com (apparently uninfected) was active a few days ago which indicates that something is still happening at the company. But fixing their web site is not one of those somethings..

Strangely too, Mobiquant managed to push out a press release (don't click the Mobiquant link on that page) in the past few days about being invited to a conference (is that really news?).

Now, I don't know exactly what is happening at Mobiquant, but it does seem that they are recklessly ignoring the problems with their web site which is placing customers and visitors at risk. Is that really a good way for an IT security company to behave?

UPDATE: a year after I published this post (and noted that the problem had been cleaned up), Mobiquant have responded to my criticism by making personal attacks and statements that are not true. My personal opinion is that this just shows what an unprofessional organisation they are; I would certainly not recommend doing business with them under any circumstances.

Firstly, Mobiquant did acknowledge there had been an issue with their site:

From:     Grzegorz Tabaka [markcom@mobiquant.com]
Date:     26 August 2013 19:14
Subject:     Mobiquant Technology

Dear Mr. Langmore,

My name is Grzegorz Tabaka, I am communication manager at Mobiquant Technology.
Let me first congratulate you for your great blog dynamoo.com. I went through it today, and I saw your post about us regarding the issue we had a few weeks ago with some malicious code that infected our website.
I know you sent us messages about it, unfortunately we didn't receive any of them, please accept my apology for that.
I only wanted to inform that our website has been cleaned weeks ago and now is completely safe.
I suppose you won't delete this post about Mobiquant, but would you be so kind and post there a short statement, that the website is now clean and safe to visit? I will be really grateful if you could do that.

If you have any questions don't hesitate to ask,

looking forward to prompt reply.

best regards

So, as requested I amended the post to say that the site was clean. But I still had my reservations over a company that did (and still does) rely on fake WHOIS details to protect its domains, and that did not bother responding to multiple reports of an issue with their web site.

Mobiquant then decided that instead of engaging in a dialogue, they would launch a personal attack against me in their blog. Their blog got deleted for some reason (I assumed they had done it), something that happened several months ago.. but now they have decided to blame me for it and have republished it (I suspect that all they did was screw up their own DNS entries, but whatever).

To be clear, I did not request that their blog be removed. The post they made about me was so badly written and petty that it clearly demonstrated what an unprofessional organisation Mobiquant is. Any company that would behave in this way does not meet the minimum ethical and professional standards that a business should have. I'm not going to link to their blog, but I will respond to it:
UPDATE:
We learnt  (by different security friends) that the CONRAD LONGMORE loves denigrating people, revealing their personal life for free BUT DON T LIKE THIS FOR HIMSELF. ;-) YES ! in fact he asked GOOGLE to remove his post from the results in the Google search. Crazy ! that our White security Knight don t like what he does to (some) honest people and companies to ensure the Buzz and traffic on his eCommerce Blog where he is still selling crap things that Have nothing related about security.
So here we are again guys !!
Sure, I will reveal the details of bad actors when I find them. But I never put in a request to Google to remove the blog, simply because this laughable and pathetic rant from Mobiquant simply shows what kind of an outfit they are.
Earlier, in August we were informed  by some partners of a strange post from a guy claiming being a "security expert". This dude called Conrad Longmore from a blog we never heard about (dynamoo), posted an article about Mobiquant Technologies. He maybe got his freeware antivirus warning him about a malicious javascript resulting of an infection on our hoster files. The strange thing here is fully about the behaviour of the guy claiming to belong to the security community. After 20 years in the sec arena we never seen a hacked victim behing blamed and denigrated having its website infected. What about the hackers? sure it requires a real true technical work. Not given to everyone.
Actually, the truth of what happened is that I attempted to contact them several times with no response. From all the evidence at the time, it appeared that all activity at the company had ceased, which was backed up by company reports in France. My criticism is that Mobiquant ignored the problem and had their site infected for several weeks, not the sort of thing that makes an IT security company look good. Note that this paragraph does explicitly acknowledge that they were hacked.
We  made a quick search about this unknown blogger.
[removed to avoid Google removal ]$
He is using a personal blog space on google blogspot, after apparently having tried several corp domain (www.Conrad-longmore.co.uk 404 error, no files) and a wordpress free space (http://en.wordpress.com/tag/conrad-longmore/ 404 error , no files).)
Wow.. a dead website parked at a host I don't use and a WordPress tag about me. And your point is....?
No company, no professional profile. Jobless or Yet another freelancer. Website : dynamoo.com seems to be a fake or outdated (last update 2003) website as many links are broken. Kind of blogsite quickly setup and stopped by this myserious guy.
We found some related facebook link :https://www.facebook.com/conrad.longmore‎ ,  with a profile picture of a guy having a walk in the british countryside holding a bag with a kiddy puppet  in the back :
I don't mention the company I work for, for a number of reasons. But bits of my website haven't been updated since 2003? Wrong. There are bits of my website that haven't been updated since the mid-1990s. And actually I blog about stuff most days, but really.. what is Mobiquant's point? As for the Facebook profile, they are referring to this picture.

Yes, there's a stuffed reindeer peeking out of my backpack in the photo on my Facebook page. Oh no.
and a twitter account with some strange twitts taking position for the [removed to avoid Google removal] community :
The original post read:
and a twitter account with some strange twitts taking position for the  homosexual community : 
Basically, Mobiquant went through all my Twitter posts and found something advocating gay rights, which they are using as a reason to attack me. Does this make Mobiquant a homophobic company? I'll let you make up your own mind, but given that Mobiquant appears to operate partly from Morocco, then the answer is definitely maybe.
After having contacted the guy , our team did not have any answer from him.
Which is not true.
Seems that this guy is using various ways to drive some traffic to his blog by denigrating different websites and people with no reasons claiming they are all hackers or malicious internets users and has already many enemies apparently:
Hell, yes.. the bad guys tend not to like you much if you spoil their evil plans. But as for "no reasons".. well, anyone who reads my blog can see that it is very much centered around evidence.
This is clearly to make some business about mobile items sold on his web and by using this  technique of degritation to do some buzz ( audience is poor) he is  selling mobile accessories. Security ? ecommerce ? mobile accessories ? strange guy ;-). People are complaining on forums about receiving spam email from him to buy mobiles parts : "
Conrad Longmore does appear to sell all kinds of things,  including mobile phones, and portable air conditioners, so the guy must have read the site and added the PS for shits and giggles" :  Forum of victims describing what happened to them.
I have some old (and dead) affiliate links on my personal website promoting all sorts of things. So what? And I was a victim of a Joe Job a long time ago, after exposing this criminal activity. So what?

The malware a classical non critical  HH. JS, among thousands variants of this kind,  have spreaded thoughout the web since years, and it has infected again this summer up to 252 000 website among which Apple.com and some others which were unavailable for nearly one week for some of them.
Our dude find that on our website, which is obviously technically hosted on a distinct independent infrastructure than the corporate one, thought it was a valid and major reason to drive a deep dive study about : the company, its financial status (with French reading bad expertise ;-)) , our management, our domain .... and yes absolutely not about this malware, the security countermeasures etc . In short nothing related with security and IT.
The malware was Redkit, which was a very dangerous exploit kit. As far as I know, Apple.com was never infected with Redkit. The infection is clear from my original blog post. But in particular, the infection was dangerous because the site was still running with no apparent oversight, and the victims would have been mostly IT administrators and similar which is basically paydirt for the bad guys who had hacked the site.
The funny thing is that he did criticize our website about having a temporary non critical js malware and we thought we should find a perfect website on his side. This was aboslutely not the case:
- broken links(25/70), outdated references( last update is 2003),blogsite is  badly designed, coded and graphically disgusting. We even find 5 vulnerabilities and it  looks like a beginner web blogger.
This is the non-critical issue that was in fact an exploit kit. And my site is "graphically disgusting"? Oh no! As for vulnerabilities.. well, I'm not aware of any. The site is simply coded, and you'll notice that they don't actually have any supporting evidence.
By the way we decided not to take any action again this anonymous strange blogger which apparently is using strange techniques to exists and shine on the web to make money on our back.
I could turn this paragraph around and use it about Mobiquant myself.
Finnally, after some discussion with famous security real bloggers on the web most of them told us they never heard of him and few who did know him,  had some negative feedback about his behaviour. As in any case a security professional will  blame a hacked victim for being infect or hacked. Our company never decided to be infected for some days earlier during summer time. This mix of corporate, financial -(he is also a financial expert ;-)) and personal elements in a security analysis demonstrate clearly the guy is somehow not in the security space but just personnally blogging using security as an excuse.
Did you really? But notice again, they admit to having been hacked despite denying it in the same post. Internal inconsistencies like this are an easy way to spot a lie.
This is how the web is going nowadays :  giving some space  to unknown people, having lot of freetime to blog on all and nothing.
Perhaps if Mobiquant hired some professionals rather than the kind of idiot that wrote this, then the company might be in better shape.

Remember.. I got word of this compromised web site and tried to warn Mobiquant several times (something made more difficult by their fake WHOIS details) but I never got a response. So I instead communicated with the web host and domain registrar to attempt to get the threat removed, and warned the wider community that the Mobiquant site was dangerous. If Mobiquant actually read their emails then they would have known there was a problem, which is entirely their own fault.

Anyway, Mobiquant are entitled to their point of view, but my point of view is that in my personal opinion, this is a deeply unprofessional company that you should avoid doing business with.

Tuesday, 16 July 2013

msi.com hacked with kristians1.net

The website of msi.com (a major computer manufacturer) has been hacked and is serving up malware, despite MSI having been informed of the problem. Code pointing to the domain kristians1.net (83.143.81.2, ServeTheWorld AS, Norway) has been injected into the site and is serving up an exploit kit (report here).

This is not the only time msi.com has been hacked. Most significantly, they recently had 50,000 accounts leaked and their site defaced. Zone H also reports several recent defacements and Google reports that part of the site has been listed as containing malware 4 times over the past 90 days.

What is the current listing status for msi.com?
This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 4 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 2470 pages we tested on the site over the past 90 days, 16 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-07-15, and the last time suspicious content was found on this site was on 2013-06-16. Malicious software includes 23 exploit(s), 2 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 5 domain(s), including abdelmonem.net/, oportunidadesdesdesucasa.com/, jobsreal.biz/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including for-test-only.ru/.
This site was hosted on 10 network(s) including AS12859 (NL), AS26228 (SERVEPATH), AS8220 (COLT).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, msi.com appeared to function as an intermediary for the infection of 1 site(s) including 2k11.co.za/.

You really do have to question the competency of a company when it has this many hacks and breaches, especially when they make computers. How deeply do these breaches go?

Wednesday, 10 July 2013

Something evil on 199.231.93.182

199.231.93.182 (Webline Service, US suballocated to "Alex Capersov") is hosting a number of exploits [1] [2] being used in injection attacks. In the sample I saw, code had been injected into the legitimate site englishrussia.com possibly through a traffic exchanger.

The following domains are all hosted on or are associated with this IP. There's a shorter list at the bottom of the post without the subdomains that you might want to use as a blocklist.


Recommended blocklist:


Wednesday, 19 June 2013

Something evil on 205.234.139.169

205.234.139.169 (Hostforweb, US) appears to be hosting a bunch of Java exploits being served up on subdomains of hacked GoDaddy domains. The malware looks like it is being served up in some sort of injection attack. Here are some example URLs of badness:

[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/applet.jnlp
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/contact.php
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe.class
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe/class.class
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/jfygZbFu

URLquery and VirusTotal are not very conclusive, but if it walks like a duck and quacks like a duck.. well, you know the rest.

The following domains appear to be hosted on the server. You should assume that they are all malicious; some have already been flagged by Google.


(And yes, apparently you can get .pk domains through GoDaddy!)



Monday, 17 June 2013

Something evil on 85.214.64.153

85.214.64.153 is an IP belonging to Strato AG in Germany. It appears to host some legitimate sites, but the server also seems to be serving up the Neutrino exploit kit (example), which is being injected into hacked websites (specifically, malicious code is being appended to legitimate .js files on those sites).

The following Dynamic DNS domains are being abused in this attack. While they are not malicious in themselves, they are abused so often that I would recommend blocking them anyway:
dontexist.com
dvrdns.org
dynalias.org
gotdns.com
gotdns.org
homeftp.net
mine.nu
podzone.net
selfip.biz
webhop.org

These sites appear to be legitimate, although I cannot vouch for whether they are clean:
drachenschutzverein.de
rollenbeck.de
rollenbeck.eu
thefinalcut.eu
thefirstcut.de
triton-world.de

These sites are mostly flagged as malicious by Google, you can see some indicators of badness here and here:
dcc4374eda96873afb137b44.dynalias.org
dff3a271573578b6cc43c725.dontexist.com
e08bcee3f8586e0d3f3a8e31.gotdns.com
e119b0eb7fc7cb31bf64c66d.dvrdns.org
e2706818cafcdf67ea2552cb.gotdns.com
e64d445987e618bea6482938.podzone.net
eb3f72f1952b17acf62ee80d.selfip.biz
eb578347b30a518687364a9e.podzone.net
f0834c7ec0926ebe78029dc0.dynalias.org
f555bf015261100d38e0f2de.webhop.org
f5e647d0a9aa2dda4898fd2f.dynalias.org
f671629e0f16049db9ccd856.mine.nu
f777e097f711778ec22426a1.selfip.biz
fa0ccbcf1b5f74984a9530d7.mine.nu
fb857508b0c9cc35e3bab1e2.gotdns.org
fd7d46aa07ab0406560b4126.mine.nu
fd8c8f5b6a2867f79d1b8e71.gotdns.com
fe753d5f9ea4f311d1d14cc2.gotdns.com
fe8b7219896da7dbd4e28520.dynalias.org
ff5267331e22549fde4ca643.mine.nu


Friday, 7 June 2013

Malware sites to block 7/6/13

Two IPs look related. The first is 37.235.48.185 (Edis, Poland or Austria), which hosts some domains that are also found here (on 158.255.212.96 and 158.255.212.97, also Edis) and that seem to be used in injection attacks. I can identify the following domains linked to 37.235.48.185:

faggyppvers5.info
finger2.climaoluhip.org
linkstoads.net
node1.hostingstatics.org
node2.hostingstatics.org

Injecting some of the same sites as the domains on the above IPs is jstoredirect.net, which is currently offline but was hosted on 149.154.152.18, which is also Edis (can you see the pattern yet?), so I would assume that they are linked. In the few days that jstoredirect.net was online it managed to infect over 1500 sites.

Aggregate blocklist:

Wednesday, 15 May 2013

Something evil on 184.95.51.123

184.95.51.123 (Secured Servers LLC, US / Jolly Works Hosting, Philippines) appears to be trying to serve the Blackhole Exploit Kit through an injection attack (for example). The payload appears to be 404ing when viewed in the automated tools I am using, but indications are that the malware on this site is still very much live.

The domains on this server belong to a legitimate company, Lifestyle Exterior Products, Inc. of Florida, who are probably completely unaware of the issue.

The following domains are all flagged by Google as being malicious, and are all based on 184.95.51.123. I would recommend blocking the IP if you can; otherwise, the domains I can find are listed below:



Tuesday, 14 May 2013

Something evil on 94.242.198.16

I'm not entirely sure what this is. I think it's an injection attack leading to a malware server on 94.242.198.16 (Root SA, Luxembourg), which is using various stealth techniques to avoid detection.

This is what I'm seeing: code is getting injected into sites, referring to [donotclick]fryzjer.me/hpoxqnj.php (report) or [donotclick]stempelxpress.nl/vechoix.php (report), which (if called in the correct way) tries to forward the victim to [donotclick]ice.zoloni-kemis.info/lyxtp?ftqvixid=94764 or [donotclick]ice.zoloni-kemis.info/lifym?ftypyok=947645, hosted on 94.242.198.16.

VirusTotal reports this as a bad IP, and of the several domains associated with this IP, almost all are red-flagged by Google for malware. The server hosts several subdomains of the following domains; I would recommend the following blocklist:

Subdomains spotted include:
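A defender-side check for the injection chain described in this post, added here as an example and not code from the original post: it pulls the script and iframe references out of a page and flags those whose host is a blocked domain (or a subdomain of one) or resolves to the blocked IP. The blocked indicators are the ones quoted above; the sample HTML, the example.org/example.net names, 203.0.113.9 and the stand-in DNS map are constructed so the script runs offline.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators quoted in the post: injected PHP redirectors, the malware
# server's domains and its IP address.
BLOCKED_DOMAINS = {"fryzjer.me", "stempelxpress.nl", "zoloni-kemis.info",
                   "integrate-koleiko.com", "muroi-uroi-loi.info"}
BLOCKED_IPS = {ipaddress.ip_address("94.242.198.16")}

# Constructed stand-in for DNS so the example runs offline; the
# example.org/.net names and 203.0.113.9 are placeholders, not from the post.
RESOLVED = {"ice.zoloni-kemis.info": "94.242.198.16",
            "hijacked.example.org": "94.242.198.16",  # new name, same server
            "cdn.example.net": "203.0.113.9"}         # benign

# src attribute of <script> and <iframe> tags, single or double quoted.
_SRC_RE = re.compile(
    r"<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*['\"]([^'\"]+)", re.IGNORECASE)

def domain_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host is a blocked domain or any subdomain of one; suffix
    matching lets one entry (zoloni-kemis.info) cover the subdomains the
    post lists (ice.zoloni-kemis.info etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def ip_blocked(host, resolved=RESOLVED, blocked=BLOCKED_IPS):
    """True if host resolves (via the stand-in map) to a blocked IP; this
    still fires when the attacker rotates to a domain not yet listed."""
    addr = resolved.get(host.lower())
    return addr is not None and ipaddress.ip_address(addr) in blocked

def flag_references(html):
    """Return (url, reason) for each script/iframe src that hits a list."""
    hits = []
    for url in _SRC_RE.findall(html):
        # Absolute and protocol-relative URLs both parse; same-origin paths
        # such as /local.js have no host and are skipped.
        host = urlsplit(url if "//" in url else "//" + url).hostname
        if not host:
            continue
        if domain_blocked(host):
            hits.append((url, "domain"))
        elif ip_blocked(host):
            hits.append((url, "ip"))
    return hits

# Constructed sample page: one benign and one local reference plus the
# injected ones the post describes.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.net/app.js"></script>
<script src="/local.js"></script>
<script type="text/javascript" src="http://fryzjer.me/hpoxqnj.php"></script>
<iframe src="//ice.zoloni-kemis.info/lyxtp?ftqvixid=94764" width=1></iframe>
<iframe src="http://hijacked.example.org/go.php"></iframe>
</head></html>"""
```

Against the constructed page, `flag_references(SAMPLE_HTML)` reports the fryzjer.me and ice.zoloni-kemis.info references by domain and the hijacked.example.org one by IP, while the CDN and local script pass.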

Monday, 13 May 2013

Something evil on 188.241.86.33

188.241.86.33 (Megahost, Romania) is a malware server currently involved in injection attacks, serving up the Blackhole exploit kit, Zbot and a side order of Cdorked [1] [2].

This IP hosts a variety of domains, some of which are purely malicious and some of which are hijacked subdomains of legitimate ones. Blocking the IP address is the easiest approach; otherwise I would recommend blocking all the domains that are being abused:


The full list of malicious domains that I can find is below, although I would not expect it to be comprehensive:

Friday, 10 May 2013

Something evil on 151.248.123.170, Part IV

Some additional malicious domains from a very evil malware server on 151.248.123.170 (Reg.ru, Russia) are below. Previous lists (and background details) can be found here, here and here, or you can download a full list of everything that I can find here [.txt]. This server is currently being used as the payload for injection attacks. Blocking the IP address is the obvious solution, or you could block the Dynamic DNS domains listed here.
