Latvia is definitely becoming a problem when it comes to black hat hosting. The 159.148.117.0/24 range (159.148.117.0 - 159.148.117.255) is another malicious block, forming part of AS2588 belonging to Latnet (similar to microlines.lv). At a rough calculation, roughly half the IP address ranges I am currently blocking are based in Latvia.
This bunch of domains is a mix of fake pharma sites, browser exploits, illegal downloads and possibly some hijacked domains. In any case, there is nothing of use here and either blocking the entire IP range, or the list below is probably a good idea.
There's a more detailed file with MyWOT ratings and IP addresses to download here.
Bitssit.com
Solid-pay-gate.com
Bombastats.com
1001meds.info
101doctors.info
101health.info
11doctors.info
333tabs.info
5meds.info
911drugs.info
99pharmacy.info
99pills.info
Abouttabs.info
Actualdrugs.info
Actualtabs.info
Addhealth.info
Addpills.info
Advancedsoft.in
Allpills.info
Anyhealth.info
Anymeds.info
Anytabs.info
Atlanticdrugs.info
Atlantictabs.info
Bestwesthost.info
Bluedoctor.info
Buycheapnow3.info
Buyfdatabs.info
Buygeneric1.info
Buyld.info
Buyonline5.info
Buytramadol5.info
Buytramadolf.info
Buytramadolk.info
Buytramadolp.info
Buytramadolt.info
Buytramadoly.info
Buyxanax1.info
Buyxanaxk.info
Cheap2tramadol.info
Cheaponline2.info
Cheaprt.info
Cheaptramadolh.info
Cheaptramadoli.info
Cheaptramadolss.info
Cheaptramadolw.info
Cheaptramadolz.info
Cheapxanaxz.info
Doctor01.info
Doctorarea.info
Doctordaily.info
Doctorgiant.info
Doctorjones.info
Dogoal.in
Drugs01.info
Drugs12.info
Drugsapple.info
Drugsbasket.info
Drugsblue.info
Drugscenter.info
Drugsclub.info
Drugscompany.info
Drugsdaily.info
Drugsfast.info
Drugsgood.info
Drugslife.info
Drugsreview.info
Drugstoree.info
Fasttabs.info
Fdapillsonline.info
Fulink.in
Fustat.in
Generictramadolb.info
Generictramadolc.info
Generictramadoln.info
Generictramadolr.info
Generictramadolv.info
Genericxanaxn.info
Getonlinehealth.info
Getonlinemeds.info
Haycorn.info
Health911.info
Healthbasket.info
Healthblue.info
Healthgreat.info
Healthlabel.info
Kinghealth.info
Kingpills.info
Knownmeds.info
Knowntabs.info
Labeldrugs.info
Labelhealth.info
Meds01.info
Meds333.info
Meds4him.info
Medsapple.info
Medsarea.info
Medsdaily.info
Medsexpress.info
Medsguard.info
Medshealth.info
Medslife.info
Medslocate.info
Medssearch.info
Mmlist.in
Mmsoft.in
Moderndrugs.info
Modernpills.info
Mxstat.in
Needsdoctor.info
Olstat.in
Online01.info
Onlinecasinosbestusa.info
Onlineow.info
Ordercheapnow6.info
Orderoj.info
Orderonline4.info
Ordertramadold.info
Ordertramadole.info
Ordertramadolj.info
Ordertramadolo.info
Ordertramadolx.info
Orderxanaxx.info
Owndoctor.info
Pacificdoctor.info
Pills007.info
Pills01.info
Pills4him.info
Pills4men.info
Pillsaccept.info
Pillsarea.info
Pillsblue.info
Pillscontrol.info
Pillsdaily.info
Pillsfast.info
Pillsgood.info
Pillslabel.info
Pillslife.info
Pillslocate.info
Pillsoffice.info
Pillsreview.info
Pillssearch.info
Pillstoday.info
Pillsworld.info
Realtabs.info
Rx999.info
Safedoctor.info
Searchtabs.info
Sermyagino.info
Ssmode.in
Ssnews.in
Tabs01.info
Tabs4him.info
Tabs5.info
Tabsaccept.info
Tabsapple.info
Tabsarea.info
Tabscenter.info
Tabsclub.info
Tabscompany.info
Tabscontrol.info
Tabsdaily.info
Tabsexpress.info
Tabsguard.info
Tabsguide.info
Tabslife.info
Tabsoffice.info
Tabspills.info
Tabsreview.info
Tabssearch.info
Tabsworld.info
Todaypills.info
Todaytabs.info
Tramadolonline7.info
Tramadolonlinea.info
Tramadolonlineg.info
Tramadolonlinel.info
Tramadolonlineq.info
Tramadolonlineu.info
Tramadoltramadol1.info
Tramadoltramadol10.info
Tramadoltramadol2.info
Tramadoltramadol3.info
Tramadoltramadol4.info
Tramadoltramadol5.info
Tramadoltramadol6.info
Tramadoltramadol7.info
Tramadoltramadol8.info
Tramadoltramadol9.info
Uiplus.in
Usaapharm.info
Usausaonlinecasinossuper.info
Xanaxonlinee.info
Xanaxonlinel.info
Pupseg.net
Pupseg.org
Pixelstatservice.com
Mybesttubeporn.com
Rowfirst.com
Java-9update.com
Update-00server.com
Hqll.ru
Xacz.ru
Aloa.asia
Vniz.asia
Bbls.ru
Vaseagruzitkorm.com
Vaseajretikru.com
Ewacx.com
Yacver.com
Security-defencing.com
Mypctech.net
1200kb.net
Banfieldsbest.com
Btp-tags.com
Doit-4-u.com
In-ta.net
Media-share.org
Mwcdirect.com
Pixel-pie.com
Planetsoldat.com
Sainser.com
Wnizip.com
Thebestporn.in
Cormoupo.info
Zombie-world.org
Alterparadigma.net
Brickplayer.ru
Chilauter.ru
Compromendes.com
Moretds.org
Danjg.com
Aftui.in
Ammew.info
Armrm.in
Aspow.info
Clasd.in
Coerw.info
Demim.in
Diasw.info
Diaui.in
Expew.info
Eynew.info
Gatui.in
Harui.in
Highw.info
Homow.in
Jenyx.in
Jusui.in
Katre.in
Lisni.in
Manui.in
Marsw.in
Marui.in
Micre.in
Neigw.info
Ningl.in
Nitan.in
Nvenc.in
Nvene.in
Nvild.in
Nvill.in
Pockw.info
Praaw.info
Pulpm.in
Racew.info
Recei.in
Recky.in
Recto.in
Regaw.info
Rendm.in
Sepsd.in
Slovw.in
Socyx.in
Stpsd.in
Synre.in
Thiui.in
Torsw.in
Uianh.in
Volnv.in
Yxiac.in
California-ns.com
UPDATE 2014-06-25: It's been a long time since I wrote this, and it looks like the block was cleaned up some time ago and now contains some Latvian government sites.
Sponsored by..
Showing posts with label Latvia. Show all posts
Showing posts with label Latvia. Show all posts
Wednesday 25 August 2010
Friday 30 July 2010
Evil network: Microlines (microlines.lv), AS2588 (79.135.128.0/19)
Latvia seems to be getting a bad reputation for supporting criminal activity. The latest accomplice is Microlines (microlines.lv) who mix in a large number of bad sites with a few legitimate ones.
Their netblock AS2588 (79.135.128.0/19) actually ranges from 79.135.128.0 - 79.135.159.255, although the badness is concentrated in 79.135.152.0/24, all legitimate web sites are hosted outside of that /24.
I used the MyWOT API to query the reputation of the hosted domains, and it shows a clear differentiation between the /24 and the rest of the /19. You can download a CSV of the analysis from here.
Out of 157 domains looked at, 4 (2.5%) were rated "excellent", 3 (1.9%) were rated "good", 43 (27.4%) were unrated and 107 (68.1%) were "very poor". You might want to block the whole /19 on that basis, certainly you should block 79.135.152.0 - 79.135.152.255 at the very least.
A list of bad domains to block:
Best-scanner-2010.net
First-online-scanner.com
Nameservice-worldwide.com
Scanner2010.com
Scanner2010.org
Scannerglobal.com
Scannerglobal.net
Super-scanner.net
Super-scanner.org
Volunteer-scan.com
Best-scanner-2010.org
First-online-scanner.net
Scanner2010.net
Best-scanner-2010.com
Huisko.cn
Lokisko.cn
First-online-scanner.org
Ad-parking.net
S-powerlink.com
Creatives-labs.com
Brick-layer888.com
Advdefender.com
Goadvdef.com
Advanced-def.com
Advanceddefender.org
Getadvdef.com
Goadvdef2.com
Kavascansecurity.com
Iuysdjerh.com
Lkhysayte.com
Sadangez.com
Evdoilsdus.com
Hhsdgbes.com
Jkhasels.com
Sfahdasjw.com
Maniyakat.cn
Kljdskrza.com
Kipyatok.cn
Head-moron.cn
Youaskedthedomain.cn
Asdagj.com
Banubanasy.cn
Love2coffe.cn
Sadahesz.com
Rebornendkit.cn
Qsfgyee.com
Sakjgeyq.com
Tottaldomain.cn
Salkjyhx.com
Pogodanet.cn
Vipsocks.cn
Mdsget1.com
Opudsjh.com
Sdasfj6.com
Kjast3z.com
Lkfjfuisdh.com
Safniiyew.com
Mjsgsawz.com
Jkhteqa.com
About-joga.ru
Icq4all.net
Bravqwer.com
Ajhsfget.com
Ajytse5.com
Dkeh38oz.com
Fd1a234sa.com
Ilui45iu7.com
Jhrez76.com
Kjdst6ey.com
Lasur8e.com
Sfah3sz.com
Sjb653xz.com
Sadkajt357.com
Fuchroot.com
Gagainco.com
Mcd0nalds.com
B00tlife.com
Dlkasfgatker.com
Klitar.cn
Breenders.com
Directbinary.com
Gasredbox.com
Kaljv63s.com
Kdy7rsxa.com
Lovinezer.com
Mdmasege.com
Rmbtoor.com
Safe3etfejwqf.com
Wdggtwegww.com
S0cksps.com
87jonsonfd.com
Gosrmecalonl16.com
Gosrmecalonl20.com
Gosrmecalonl21.com
Gosrmecalonl3.com
Gosrmecalonl30.com
Gosrmecalonl4.com
Gosrmecalonl5.com
Gosrmecalonl8.com
Gosrmecalonl9.com
Gosrmecalodnl38.com
Gosrmedicalonl13.com
Gosrmedicalonl14.com
Gosrmedicalonl2.com
Gosrmedicalonl20.com
Gosrmedicalonl1.com
Gosrmedicalonl10.com
Gosrmedicalonl11.com
Gosrmedicalonl16.com
Gosrmedicalonl17.com
Gosrmedicalonl19.com
Gosrmedicalonl3.com
Gosrmedicalonl5.com
Gosrmedicalonl6.com
Gosrmedicalonl7.com
Gosrmedicalonl9.com
Gosrmedicalonl18.com
Sweethost.org
Twowildgirls.net
Profithobby.net
Antiviractive.com
Antivirback.com
Antispysp.com
Webantispy.com
Antispymv.com
Antispynew.com
Antispybox.com
Antispyutil.com
Avmirror.com
Antispymega.com
Cyber-deployment.com
Their netblock AS2588 (79.135.128.0/19) actually ranges from 79.135.128.0 - 79.135.159.255, although the badness is concentrated in 79.135.152.0/24, all legitimate web sites are hosted outside of that /24.
I used the MyWOT API to query the reputation of the hosted domains, and it shows a clear differentiation between the /24 and the rest of the /19. You can download a CSV of the analysis from here.
Out of 157 domains looked at, 4 (2.5%) were rated "excellent", 3 (1.9%) were rated "good", 43 (27.4%) were unrated and 107 (68.1%) were "very poor". You might want to block the whole /19 on that basis, certainly you should block 79.135.152.0 - 79.135.152.255 at the very least.
A list of bad domains to block:
Best-scanner-2010.net
First-online-scanner.com
Nameservice-worldwide.com
Scanner2010.com
Scanner2010.org
Scannerglobal.com
Scannerglobal.net
Super-scanner.net
Super-scanner.org
Volunteer-scan.com
Best-scanner-2010.org
First-online-scanner.net
Scanner2010.net
Best-scanner-2010.com
Huisko.cn
Lokisko.cn
First-online-scanner.org
Ad-parking.net
S-powerlink.com
Creatives-labs.com
Brick-layer888.com
Advdefender.com
Goadvdef.com
Advanced-def.com
Advanceddefender.org
Getadvdef.com
Goadvdef2.com
Kavascansecurity.com
Iuysdjerh.com
Lkhysayte.com
Sadangez.com
Evdoilsdus.com
Hhsdgbes.com
Jkhasels.com
Sfahdasjw.com
Maniyakat.cn
Kljdskrza.com
Kipyatok.cn
Head-moron.cn
Youaskedthedomain.cn
Asdagj.com
Banubanasy.cn
Love2coffe.cn
Sadahesz.com
Rebornendkit.cn
Qsfgyee.com
Sakjgeyq.com
Tottaldomain.cn
Salkjyhx.com
Pogodanet.cn
Vipsocks.cn
Mdsget1.com
Opudsjh.com
Sdasfj6.com
Kjast3z.com
Lkfjfuisdh.com
Safniiyew.com
Mjsgsawz.com
Jkhteqa.com
About-joga.ru
Icq4all.net
Bravqwer.com
Ajhsfget.com
Ajytse5.com
Dkeh38oz.com
Fd1a234sa.com
Ilui45iu7.com
Jhrez76.com
Kjdst6ey.com
Lasur8e.com
Sfah3sz.com
Sjb653xz.com
Sadkajt357.com
Fuchroot.com
Gagainco.com
Mcd0nalds.com
B00tlife.com
Dlkasfgatker.com
Klitar.cn
Breenders.com
Directbinary.com
Gasredbox.com
Kaljv63s.com
Kdy7rsxa.com
Lovinezer.com
Mdmasege.com
Rmbtoor.com
Safe3etfejwqf.com
Wdggtwegww.com
S0cksps.com
87jonsonfd.com
Gosrmecalonl16.com
Gosrmecalonl20.com
Gosrmecalonl21.com
Gosrmecalonl3.com
Gosrmecalonl30.com
Gosrmecalonl4.com
Gosrmecalonl5.com
Gosrmecalonl8.com
Gosrmecalonl9.com
Gosrmecalodnl38.com
Gosrmedicalonl13.com
Gosrmedicalonl14.com
Gosrmedicalonl2.com
Gosrmedicalonl20.com
Gosrmedicalonl1.com
Gosrmedicalonl10.com
Gosrmedicalonl11.com
Gosrmedicalonl16.com
Gosrmedicalonl17.com
Gosrmedicalonl19.com
Gosrmedicalonl3.com
Gosrmedicalonl5.com
Gosrmedicalonl6.com
Gosrmedicalonl7.com
Gosrmedicalonl9.com
Gosrmedicalonl18.com
Sweethost.org
Twowildgirls.net
Profithobby.net
Antiviractive.com
Antivirback.com
Antispysp.com
Webantispy.com
Antispymv.com
Antispynew.com
Antispybox.com
Antispyutil.com
Avmirror.com
Antispymega.com
Cyber-deployment.com
Thursday 29 July 2010
freead.name / mybar.us / toolbarcom.org / adsnet.biz
A slightly novel attack, found injected into a Javascript library and using freshly-registered domains. The attack uses obfuscated Javascript to send visitors to one of the following domains: myads.name, adsnet.biz, toolbarcom.org, mybar.us, freead.name, and to the front of this is appended a subdomain of vagi., vain., vale., vars., vary., vasa., vaut., vavs., viny., viol., vrow., vugs., vuln.
Despite all the combinations (a list is at the bottom of the post if you want to paste it in somewhere), there are only a small number of IP addresses involved:
66.221.212.92
66.221.212.94
66.221.212.96
66.221.212.98
66.221.212.99
69.13.73.203
69.13.73.205
69.13.73.248
69.13.73.250
69.13.154.250
69.13.154.251
All of those IPs belong to C I Host, some seem to have legitimate sites hosted on them.
One one domain (mybar.us) is not anonymised:
Although the address and phone number are no doubt fake, the email address of dday.rabbit@gmail.com is known.
The next hop uses a subdomain of a legitimate domain registered at GoDaddy that appears to have been phished: out.outdoorkitchendistributors.com - this site is hosted on 94.75.243.31.. it's just worth pausing to note that the legitimate domain specchart.com also appears to have been hijacked via a GoDaddy phish and moved to this server.
The endpoint is a Java exploit on a server at 79.135.152.194 belonging to microlines.lv (AS2588 / 79.135.128.0/19) which appears to be a pretty evil network. How the hell they got a /19 is a mystery when I can't see any verifiably legitimate sites.
If you want to block the intermediate domains, they are:
vagi.adsnet.biz
vain.adsnet.biz
vale.adsnet.biz
vars.adsnet.biz
vary.adsnet.biz
vasa.adsnet.biz
vaut.adsnet.biz
vavs.adsnet.biz
viny.adsnet.biz
viol.adsnet.biz
vrow.adsnet.biz
vugs.adsnet.biz
vuln.adsnet.biz
vagi.toolbarcom.org
vain.toolbarcom.org
vale.toolbarcom.org
vars.toolbarcom.org
vary.toolbarcom.org
vasa.toolbarcom.org
vaut.toolbarcom.org
vavs.toolbarcom.org
viny.toolbarcom.org
viol.toolbarcom.org
vrow.toolbarcom.org
vugs.toolbarcom.org
vuln.toolbarcom.org
vagi.mybar.us
vain.mybar.us
vale.mybar.us
vars.mybar.us
vary.mybar.us
vasa.mybar.us
vaut.mybar.us
vavs.mybar.us
viny.mybar.us
viol.mybar.us
vrow.mybar.us
vugs.mybar.us
vuln.mybar.us
vagi.freead.name
vain.freead.name
vale.freead.name
vars.freead.name
vary.freead.name
vasa.freead.name
vaut.freead.name
vavs.freead.name
viny.freead.name
viol.freead.name
vrow.freead.name
vugs.freead.name
vuln.freead.name
Despite all the combinations (a list is at the bottom of the post if you want to paste it in somewhere), there are only a small number of IP addresses involved:
66.221.212.92
66.221.212.94
66.221.212.96
66.221.212.98
66.221.212.99
69.13.73.203
69.13.73.205
69.13.73.248
69.13.73.250
69.13.154.250
69.13.154.251
All of those IPs belong to C I Host, some seem to have legitimate sites hosted on them.
One one domain (mybar.us) is not anonymised:
Registrar URL (registration services): www.publicdomainregistry.com Domain Status: clientTransferProhibited Registrant ID: DI_11638984 Registrant Name: Andrew Black Registrant Organization: N/A Registrant Address1: 555 Taylor Rd. Registrant City: Enfield Registrant State/Province: Connecticut Registrant Postal Code: 06082 Registrant Country: United States Registrant Country Code: US Registrant Phone Number: +860.7492291 Registrant Email: dday.rabbit@gmail.com Registrant Application Purpose: P1 Registrant Nexus Category: C11
Although the address and phone number are no doubt fake, the email address of dday.rabbit@gmail.com is known.
The next hop uses a subdomain of a legitimate domain registered at GoDaddy that appears to have been phished: out.outdoorkitchendistributors.com - this site is hosted on 94.75.243.31.. it's just worth pausing to note that the legitimate domain specchart.com also appears to have been hijacked via a GoDaddy phish and moved to this server.
The endpoint is a Java exploit on a server at 79.135.152.194 belonging to microlines.lv (AS2588 / 79.135.128.0/19) which appears to be a pretty evil network. How the hell they got a /19 is a mystery when I can't see any verifiably legitimate sites.
If you want to block the intermediate domains, they are:
vagi.adsnet.biz
vain.adsnet.biz
vale.adsnet.biz
vars.adsnet.biz
vary.adsnet.biz
vasa.adsnet.biz
vaut.adsnet.biz
vavs.adsnet.biz
viny.adsnet.biz
viol.adsnet.biz
vrow.adsnet.biz
vugs.adsnet.biz
vuln.adsnet.biz
vagi.toolbarcom.org
vain.toolbarcom.org
vale.toolbarcom.org
vars.toolbarcom.org
vary.toolbarcom.org
vasa.toolbarcom.org
vaut.toolbarcom.org
vavs.toolbarcom.org
viny.toolbarcom.org
viol.toolbarcom.org
vrow.toolbarcom.org
vugs.toolbarcom.org
vuln.toolbarcom.org
vagi.mybar.us
vain.mybar.us
vale.mybar.us
vars.mybar.us
vary.mybar.us
vasa.mybar.us
vaut.mybar.us
vavs.mybar.us
viny.mybar.us
viol.mybar.us
vrow.mybar.us
vugs.mybar.us
vuln.mybar.us
vagi.freead.name
vain.freead.name
vale.freead.name
vars.freead.name
vary.freead.name
vasa.freead.name
vaut.freead.name
vavs.freead.name
viny.freead.name
viol.freead.name
vrow.freead.name
vugs.freead.name
vuln.freead.name
Thursday 1 July 2010
Sagade Ltd is still evil
I blogged about AS6851 / Sagade Ltd / ATECH-SAGADE a little while ago. A Java-based drive-by download from one of their servers brought them to my attention again.
Basically, 91.188.59.0 - 91.188.59.255 is completely evil and has no legitimate use as far as I can see. Block this range if you can. At the moment the following sites are hosted, none of which appear to be good:
AS6851
1zabslwvn538n4i5tcjl.com
Urodinam.net
A-fast.com
Td0.ru
Fgavno.ru
Kerrimckeetq.info
Marguriiexyhamlin.info
Privatetechnology.biz
Systemcodec.net
Traffcash.biz
Maiamaribeihlv.info
Fastglobosearch.com
Kimirleonarda.info
Fastprosearch.com
Nitrosearch.info
Syscodec.net
System-codec.com
Mokato.com
Viasot.com
Brenz.pl
Chura.pl
Ghura.pl
Lometr.pl
Trenz.pl
Zief.pl
Best-web-365.com
Better-web-247.com
Better-web-365.com
Better-web-777.com
My-best-web.com
Pakwer.com
Facebook-hacking.com
Hack-vk.ru
Hacked-facebook.com
Hacks-centre.com
Icq-hk.com
Icq-lom.ru
Message-history.ru
Myspace-hk.com
Polomali.ru
Twitter-hk.com
Vk-lom.ru
Vzlomaem-kontakt.ru
Vzlomaem-vk.ru
Hitstable.com
Macromediasetup.com
Dewesan.cn
Domen-zaibisya.com
Get-money-now.net
Webgetsmart.com
Webmovedesigns.com
Mediagotech.com
Networkget.com
Webgetwisdom.com
Websitecoolgo.com
Edscorpor.com
Edsctrum.com
Edsletter.com
Edsnewter.com
Edsogos.com
Edsprofit.com
Edsrise.com
Edsspectr.com
Edstofee.com
Engduates.com
Blogslivehost.in
Freeblogshost.in
Mysuperblogs.in
Freeliveblog.in
Blogs4free.in
Host4blogs.in
Freehomeblogs.in
Myhomeblog.in
Webblog4you.in
Getfreeblog.in
Blogservice.in
Freejournal.in
Billsolutions.net
Fastsecurebilling.com
Fast-payments.com
Easypayments-online.com
Billingonline.net
Manytis.com
Winepsy.com
Yourprofitclub.net
Yourerolive.com
Bombastats.com
Happyinstalls.com
Pornowars.info
Superspuperporn.com
Pornopeace.info
Smackmybitch.info
Hnarmettis.com
Mnuyetsgrr.com
Nuvolokijj.com
Smackbybitch.com
Videosite1.com
Fuck-studies.com
Ns00ns11.com
Sys-mesage.com
Syssmessage.com
Sysstem-mesage.com
Traffic-server1.org
Traffic-source.org
Traffic-source1.org
Trafficserver1.org
Trafic-source.org
Traficserver.org
Viiistifor1.com
Visiocarii1l.net
Skachivay.com
Eupharmacie.eu
Propeciacheappills.com
Allforyouplus.net
Asianrapemovies.com
Hotfilesfordownload.com
Hotquickiefuck.com
Rape-rape-rape.com
Rapepornrape.com
Sasha-blonde.com
You-porn-movies.com
Youfoundporn.com
Youpornfiles.com
Allforil1i.com
Alltubeforfree.com
Allxtubevids.net
Downloadfreenow.in
Freeanalsextubemovies.com
Freetube06.com
Freeviewgogo.com
Homeamateurclips.com
Hotxtube.in
Hotxxxtubevideo.com
Iil10oil0.com
Ilio01ili1.com
Illinoli1l.in
Porn-tube-video.com
Porntube2000.com
Porntubefast.com
Viewnowfast.com
Viewxxxfreegall.net
Xhuilil1ii.com
Youvideoxxx.com
Cern-a.com
Xbasex.com
Asspuc.com
Bux.kz
Kinorik.com
Pussylover.in
Conikor.com
Igottrafa.in
Life-dvd.ru
Maydaydom1.in
Magnabent.com
Gillestmh.com
Gillestmh.info
Indyvettes.info
Perviewguide.com
Perviewguide.info
Tesmundo.info
Todostes.info
Allhomeinfo.com
Allhomeinfo.net
Cheapsoftware.cc
Deswelt.com
Deswelt.net
Rodfirst.com
Solaruploaderz.com
Kdjkfjskdfjlskdjf.com
Stablednsstuff.com
These sites are either involved in illegal activities or malware distribution, avoid them.
Basically, 91.188.59.0 - 91.188.59.255 is completely evil and has no legitimate use as far as I can see. Block this range if you can. At the moment the following sites are hosted, none of which appear to be good:
AS6851
1zabslwvn538n4i5tcjl.com
Urodinam.net
A-fast.com
Td0.ru
Fgavno.ru
Kerrimckeetq.info
Marguriiexyhamlin.info
Privatetechnology.biz
Systemcodec.net
Traffcash.biz
Maiamaribeihlv.info
Fastglobosearch.com
Kimirleonarda.info
Fastprosearch.com
Nitrosearch.info
Syscodec.net
System-codec.com
Mokato.com
Viasot.com
Brenz.pl
Chura.pl
Ghura.pl
Lometr.pl
Trenz.pl
Zief.pl
Best-web-365.com
Better-web-247.com
Better-web-365.com
Better-web-777.com
My-best-web.com
Pakwer.com
Facebook-hacking.com
Hack-vk.ru
Hacked-facebook.com
Hacks-centre.com
Icq-hk.com
Icq-lom.ru
Message-history.ru
Myspace-hk.com
Polomali.ru
Twitter-hk.com
Vk-lom.ru
Vzlomaem-kontakt.ru
Vzlomaem-vk.ru
Hitstable.com
Macromediasetup.com
Dewesan.cn
Domen-zaibisya.com
Get-money-now.net
Webgetsmart.com
Webmovedesigns.com
Mediagotech.com
Networkget.com
Webgetwisdom.com
Websitecoolgo.com
Edscorpor.com
Edsctrum.com
Edsletter.com
Edsnewter.com
Edsogos.com
Edsprofit.com
Edsrise.com
Edsspectr.com
Edstofee.com
Engduates.com
Blogslivehost.in
Freeblogshost.in
Mysuperblogs.in
Freeliveblog.in
Blogs4free.in
Host4blogs.in
Freehomeblogs.in
Myhomeblog.in
Webblog4you.in
Getfreeblog.in
Blogservice.in
Freejournal.in
Billsolutions.net
Fastsecurebilling.com
Fast-payments.com
Easypayments-online.com
Billingonline.net
Manytis.com
Winepsy.com
Yourprofitclub.net
Yourerolive.com
Bombastats.com
Happyinstalls.com
Pornowars.info
Superspuperporn.com
Pornopeace.info
Smackmybitch.info
Hnarmettis.com
Mnuyetsgrr.com
Nuvolokijj.com
Smackbybitch.com
Videosite1.com
Fuck-studies.com
Ns00ns11.com
Sys-mesage.com
Syssmessage.com
Sysstem-mesage.com
Traffic-server1.org
Traffic-source.org
Traffic-source1.org
Trafficserver1.org
Trafic-source.org
Traficserver.org
Viiistifor1.com
Visiocarii1l.net
Skachivay.com
Eupharmacie.eu
Propeciacheappills.com
Allforyouplus.net
Asianrapemovies.com
Hotfilesfordownload.com
Hotquickiefuck.com
Rape-rape-rape.com
Rapepornrape.com
Sasha-blonde.com
You-porn-movies.com
Youfoundporn.com
Youpornfiles.com
Allforil1i.com
Alltubeforfree.com
Allxtubevids.net
Downloadfreenow.in
Freeanalsextubemovies.com
Freetube06.com
Freeviewgogo.com
Homeamateurclips.com
Hotxtube.in
Hotxxxtubevideo.com
Iil10oil0.com
Ilio01ili1.com
Illinoli1l.in
Porn-tube-video.com
Porntube2000.com
Porntubefast.com
Viewnowfast.com
Viewxxxfreegall.net
Xhuilil1ii.com
Youvideoxxx.com
Cern-a.com
Xbasex.com
Asspuc.com
Bux.kz
Kinorik.com
Pussylover.in
Conikor.com
Igottrafa.in
Life-dvd.ru
Maydaydom1.in
Magnabent.com
Gillestmh.com
Gillestmh.info
Indyvettes.info
Perviewguide.com
Perviewguide.info
Tesmundo.info
Todostes.info
Allhomeinfo.com
Allhomeinfo.net
Cheapsoftware.cc
Deswelt.com
Deswelt.net
Rodfirst.com
Solaruploaderz.com
Kdjkfjskdfjlskdjf.com
Stablednsstuff.com
These sites are either involved in illegal activities or malware distribution, avoid them.
Monday 10 May 2010
Evil network: Sagade Ltd / ATECH-SAGADE
There's been an awful lot of badness from Latvia recently, with several fake AV apps and other Very Bad Things hosted in the range 91.188.59.0 - 91.188.59.255, which appears to be a wholly bad subnet of pure evil. It looks like a similar setup to Real Host Ltd which was shut down last year.
inetnum: 91.188.59.0 - 91.188.59.255
netname: ATECH-SAGADE
descr: Sagade Ltd.
descr: Latvia, Rezekne, Darzu 21
descr: +371 20034981
remarks: abuse-mailbox: piotrek89@gmail.com
country: LV
admin-c: JS1449-RIPE
tech-c: JS1449-RIPE
status: ASSIGNED PA
mnt-by: AS6851-MNT
source: RIPE # Filtered
person: Juris Sahurovs
remarks: Sagade Ltd.
address: Latvia, Rezekne, Darzu 21
phone: +371 20034981
abuse-mailbox: piotrek89@gmail.com
nic-hdl: JS1449-RIPE
mnt-by: ATECH-MNT
source: RIPE # Filtered
% Information related to '91.188.32.0/19AS6851'
route: 91.188.32.0/19
descr: BKCNET Autonomous System
descr: IZZI SIA
descr: Ieriku 67a, Riga, LATVIA
origin: AS6851
mnt-by: AS6851-MNT
source: RIPE # Filtered
All these websites appear to be malicious, I cannot find a single site that I can identify as being legitimate. Most have obviously fake WHOIS details too. I would recommend blocking access to the whole IP block.
1zabslwvn538n4i5tcjl.com
Urodinam.net
A-fast.com
00g00.ru
Odnotraxniki.ru
Td0.ru
Kerrimckeetq.info
Maiamaribeihlv.info
Marguriiexyhamlin.info
Privatetechnology.biz
Syscodec.com
Systemcodec.net
Traffcash.biz
Kimirleonarda.info
Nitrosearch.info
Fastglobosearch.com
Likinto.com
Mcml1.com
Trol0l0.com
Mokato.com
Ziko.in
Viasot.com
Billsolutions.net
Fastsecurebilling.com
Fast-payments.com
Easypayments-online.com
Billingonline.net
Lotise.com
Manytis.com
Membernameserver.com
Ossarix.com
Soterpo.com
Stepil.com
Winepsy.com
Zingis.com
Bombastats.com
Pornowars.info
Superspuperporn.com
Pornopeace.info
Smackmybitch.info
Belleplaceurl.com
Christophecoinurl.com
Coinurlredirect.com
Coinurlredirection.com
Endroiturlredirect.com
Glossipfd.com
Goldcoinurl.com
Gork.in
Gulk.in
Hnarmettis.com
Hotelplaceurl.com
Lieuurlredirect.com
Mnuyetsgrr.com
My654bestsite.com
Nuvolokijj.com
Parkplaceurl.com
Polk.in
Rozg.in
Samk.in
Sekmoon.net
Silvercoinurl.com
Sumk.in
Vvven.in
Worldplaceurl.com
Zoid.in
Smackbybitch.com
Videosite1.com
Beeape.com
Supercrazynight.com
Supersporns.com
Sys-force.ru
Firsttunesclub.in
Viiistifor1.com
Visiocarii1l.net
Skachivay.com
Allforyouplus.net
Hotfilesfordownload.com
Allforil1i.com
Alltubeforfree.com
Allxtubevids.net
Freeanalsextubemovies.com
Freetube06.com
Freeviewgogo.com
Homeamateurclips.com
Hotxtube.in
Hotxxxtubevideo.com
Iil10oil0.com
Ilio01ili1.com
Illinoli1l.in
Porn-tube-video.com
Porntube2000.com
Porntubefast.com
Viewnowfast.com
Viewxxxfreegall.net
Xhuilil1ii.com
Yourbestway.cn
Youvideoxxx.com
Cern-a.com
Xbasex.com
Rowfirst.com
Autouploaders.net
Poafirst.com
Rodfirst.com
Solaruploader.com
Noafirst.com
My-best-web.com
Pakwer.com
Kdjkfjskdfjlskdjf.com
Stablednsstuff.com
Oklahomacitycom.com
inetnum: 91.188.59.0 - 91.188.59.255
netname: ATECH-SAGADE
descr: Sagade Ltd.
descr: Latvia, Rezekne, Darzu 21
descr: +371 20034981
remarks: abuse-mailbox: piotrek89@gmail.com
country: LV
admin-c: JS1449-RIPE
tech-c: JS1449-RIPE
status: ASSIGNED PA
mnt-by: AS6851-MNT
source: RIPE # Filtered
person: Juris Sahurovs
remarks: Sagade Ltd.
address: Latvia, Rezekne, Darzu 21
phone: +371 20034981
abuse-mailbox: piotrek89@gmail.com
nic-hdl: JS1449-RIPE
mnt-by: ATECH-MNT
source: RIPE # Filtered
% Information related to '91.188.32.0/19AS6851'
route: 91.188.32.0/19
descr: BKCNET Autonomous System
descr: IZZI SIA
descr: Ieriku 67a, Riga, LATVIA
origin: AS6851
mnt-by: AS6851-MNT
source: RIPE # Filtered
All these websites appear to be malicious, I cannot find a single site that I can identify as being legitimate. Most have obviously fake WHOIS details too. I would recommend blocking access to the whole IP block.
1zabslwvn538n4i5tcjl.com
Urodinam.net
A-fast.com
00g00.ru
Odnotraxniki.ru
Td0.ru
Kerrimckeetq.info
Maiamaribeihlv.info
Marguriiexyhamlin.info
Privatetechnology.biz
Syscodec.com
Systemcodec.net
Traffcash.biz
Kimirleonarda.info
Nitrosearch.info
Fastglobosearch.com
Likinto.com
Mcml1.com
Trol0l0.com
Mokato.com
Ziko.in
Viasot.com
Billsolutions.net
Fastsecurebilling.com
Fast-payments.com
Easypayments-online.com
Billingonline.net
Lotise.com
Manytis.com
Membernameserver.com
Ossarix.com
Soterpo.com
Stepil.com
Winepsy.com
Zingis.com
Bombastats.com
Pornowars.info
Superspuperporn.com
Pornopeace.info
Smackmybitch.info
Belleplaceurl.com
Christophecoinurl.com
Coinurlredirect.com
Coinurlredirection.com
Endroiturlredirect.com
Glossipfd.com
Goldcoinurl.com
Gork.in
Gulk.in
Hnarmettis.com
Hotelplaceurl.com
Lieuurlredirect.com
Mnuyetsgrr.com
My654bestsite.com
Nuvolokijj.com
Parkplaceurl.com
Polk.in
Rozg.in
Samk.in
Sekmoon.net
Silvercoinurl.com
Sumk.in
Vvven.in
Worldplaceurl.com
Zoid.in
Smackbybitch.com
Videosite1.com
Beeape.com
Supercrazynight.com
Supersporns.com
Sys-force.ru
Firsttunesclub.in
Viiistifor1.com
Visiocarii1l.net
Skachivay.com
Allforyouplus.net
Hotfilesfordownload.com
Allforil1i.com
Alltubeforfree.com
Allxtubevids.net
Freeanalsextubemovies.com
Freetube06.com
Freeviewgogo.com
Homeamateurclips.com
Hotxtube.in
Hotxxxtubevideo.com
Iil10oil0.com
Ilio01ili1.com
Illinoli1l.in
Porn-tube-video.com
Porntube2000.com
Porntubefast.com
Viewnowfast.com
Viewxxxfreegall.net
Xhuilil1ii.com
Yourbestway.cn
Youvideoxxx.com
Cern-a.com
Xbasex.com
Rowfirst.com
Autouploaders.net
Poafirst.com
Rodfirst.com
Solaruploader.com
Noafirst.com
My-best-web.com
Pakwer.com
Kdjkfjskdfjlskdjf.com
Stablednsstuff.com
Oklahomacitycom.com
Thursday 23 July 2009
Subscribe to:
Posts (Atom)