Showing posts with label Netserv Consult SRL

Friday 23 September 2011

dfrgcc.com injection attack in progress

Thousands of sites are currently being hit by an injection attack pointing to dfrgcc.com/ur.php, a domain registered to someone using the infamous hotmailbox.com domain for their email address.

   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

The site is hosted on 188.229.88.103 which is the equally infamous Netserv Consult SRL in Romania. 188.229.88.103 hosts the following sites:

These domains are pretty familiar, having previously been hosted in Lithuania, which marks them out as the work of the same people behind the infamous LizaMoon attack.

Netserv Consult SRL host a wide variety of bad sites. Blocking 188.229.0.0/17 (188.229.0.0 - 188.229.127.255) will probably do you no harm.

Wednesday 21 September 2011

Evil network: RONET / ro-net.eu (91.229.90.0/23)

RONET (aka. ro-net.eu) seems to be a new netblock occupying the 91.229.90.0/23 (91.229.90.0 - 91.229.91.255) range. This block has several sites recently moved from Netserv Consult SRL (who have a very bad reputation), all of which appear to be involved in criminal activity.

Although the number of sites is very low at present (just 30), the use of a /23 block suggests that it will be used for many more sites very soon. Blocking 91.229.90.0/23 pre-emptively would probably be an excellent idea.

Here are some examples of evilness:

bywordelectronics.com [91.229.90.11]
Money mule scam / fake jobs [1] [2] [3] [4]

admagnet1.com [91.229.90.35]
Malware distribution [5] [6] [7]

eyebluster-sv1.com [91.229.90.37]
Malware distribution [8] [9]

Other domains are registered with fake WHOIS details, which is never a good sign.

The 91.229.90.0/23 range is registered to:

inetnum:         91.229.90.0 - 91.229.91.255
netname:         RONET
descr:           FOP Varovaev Leonid Gennadevich
country:         EU
org:             ORG-VARO1-RIPE
admin-c:         AV6418-RIPE
tech-c:          AV6418-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          VAROVAEV-MNT
mnt-routes:      VAROVAEV-MNT
mnt-domains:     VAROVAEV-MNT
source:          RIPE # Filtered

organisation:    ORG-VARO1-RIPE
org-name:        FOP Varovaev Leonid Gennadevich
org-type:        OTHER
address:         H-1120 Budapest,  Street Gabor Denes, 4, Hungary
mnt-ref:         VAROVAEV-MNT
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

person:          Anton Varnai
address:         H-1120 Budapest
address:         Street Gabor Denes, 4
address:         Hungary
abuse-mailbox:   abuse@ro-net.eu
phone:           +3614585544
nic-hdl:         AV6418-RIPE
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

% Information related to '91.229.90.0/23AS6753'

route:           91.229.90.0/23
descr:           RONET
origin:          AS6753
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

Of note is the fact that ro-net.eu was only registered two weeks ago with anonymous registration details. Also, note that although the address is in Hungary, the RONET name would indicate that it still has a ROmanian connection.

Another oddity is that the network announces itself as part of AS17088 which is allocated to Currenex, Inc. There seems to be no connection at all between Currenex, Inc and RONET, so perhaps this is an error or some kind of forgery.

You can find a full list of domains and MyWOT ratings in this CSV file. Alternatively, the currently hosted domains are listed below.

Wednesday 14 September 2011

Injection attack: malavasso.com, migraviro.com and montenegrorio.com

Three more domains being used in injection attacks today:

malavasso.com
migraviro.com
montenegrorio.com

The payload is the Sinowal trojan. The malicious software is hosted on 95.64.45.43, which belongs to the well-known, very dark grey hat host Netserv Consult SRL of Romania. Blocking 95.64.0.0/17 (95.64.0.0 - 95.64.127.255) will probably do no harm.

The (possibly fake) registrant for these domains is given below; the administrative, technical and billing contacts are identical:
Registrant Contact:
   Xicheng Co.
   Zhong Si Zhongguancun@yahoo.com
   01066569215 fax: 01066549216
   Huixindongjie 15  2
   Beijing Chaoyang 101402
   cn

bundespol.com is not the Bundespolizei

Another fake Bundespolizei today: bundespol.com is registered through a Chinese registrar and then anonymised through a Chinese WHOIS privacy service.

The site doesn't resolve yet, but it is almost identical to bundespol.net which is fingered in this attack. In that case, the fake Bundespolizei site was hosted on 188.229.97.2 which is Netserv Consult SRL in Romania (incidentally, blocking 188.229.0.0/17 will probably do you no harm).

There's a whole bunch of fake Bundespolizei at the moment, but I'm guessing that this particular bunch of scammers may well try the same thing in other countries very soon.

Thursday 14 July 2011

yahlink.php / DreamHost hack

Almost identical in every way to this injection attack, several Dreamhost sites have been compromised with a page called yahlink.php (it was yahoolink.php before), which is being spammed out through compromised AOL accounts.

It isn't just Dreamhost hosted sites that are being spammed out in this way, but it does appear that well over half the sites are on Dreamhost. It looks like some GoDaddy customers might have been hit too.

In this case, the spammed link directs to krokodilius8.com/gosem11.php, which is hosted on 78.129.132.26 and appears to belong to iomart Hosting Ltd in the UK. All the sites on that server have fake registrant details, so you can assume that they are bogus:

Users are then directed to another host in Romania, 188.229.89.230 which belongs to Netserv Consult SRL. It is my opinion that there is nothing of value in the entire 188.229.0.0/17 range and you can safely block access to the entire lot.

The final step is to a host called drugstorehealthrisks.net hosted on 90.182.175.232 which looks like a broadband connection in the Czech Republic. The site isn't loading for me, but I guess it's just pharma spam. These other sites are hosted on the same server:

fatdrugstoremeds.net
healthrxinsurance.net
healthrxpharmacyinsurance.com
healthtabletsnook.net


Dreamhost have been informed of the issue but don't appear to have done anything to secure their users. Blocking Dreamhost IPs might be something worth considering depending on what kind of shop you run. I have spotted malicious activity in the following IP ranges:

67.205.0.0/18
69.163.128.0/17
75.119.192.0/19
208.97.128.0/18

...although blocking access to the Romanian 188.229.0.0/17 block would pretty much achieve the same thing without cutting off any legitimate sites that might be on Dreamhost.

Friday 8 July 2011

Evil network: hotmailbox.com

The domain hotmailbox.com often comes up when looking at malicious domains: it is used to provide a bulletproof email address for domain registration. The registrar for hotmailbox.com is the scammers' favourite, BIZCN, which probably explains why it has lingered for so long.

There are several hundred domains registered through email accounts at hotmailbox.com; all of them are bogus and follow a similar pattern, using fake US addresses. Most of the domains with active websites are hosted in Romania, in netblocks that have a known bad reputation.

You can download a list of domains, IPs and MyWOT ratings for at least some of these domains here [CSV], or if you just want a plain list then keep scrolling down.

Because the hotmailbox.com domains are all in bad netblocks or on dedicated servers, it is possible to block access to these IP ranges or individual boxes to prevent infection. I would recommend blocking the following:

84.247.61.0/24 (Sistem Soft Network, Romania)
91.217.162.0/24 (Voejkova Nadezhda, Russia)
94.63.149.0/24 (SC CORAL IT OFFICE SRL, Romania)
94.244.80.7 (Uab Kauno Interneto Sistemos, Lithuania)
95.64.55.0/24 (Netserv Consult SRL, Romania)
96.9.139.208/28 (UAB "Dominant Plius", c/o HOSTNOC, US)
141.136.16.14 (MORE SECURE SRL, Romania)
173.236.34.238 (Inferno Solutions, UK)
184.105.178.85 (Hurricane Electric, US [parked])
188.138.90.110 (Intergenia AG, Germany)
188.138.116.223 (Intergenia AG, Germany)
188.229.0.0/17 (Netserv Consult SRL, Romania)
202.75.41.42 (TM VADS DC Hosting, Malaysia)
209.212.157.208/29 (BONHOST, Ukraine)
212.117.164.39 (root SA, Luxembourg)
217.23.9.247 (Worldstream, Netherlands)
220.112.0.0/18 (Guangzhou For Great Wall Broadband Network, China)

Not every site in those ranges is part of this group, and indeed there may be a few legitimate sites, but you are much more likely to come into contact with a malware site on these IP addresses than a real one, so treat them as "high risk".
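As an added example (not part of the original posts), a small Python check that expands the CIDR blocks quoted above into the first/last-address form the posts use, merges nested entries so a firewall list carries no redundant rules, and reports which recommended block covers a given hosting IP. The block list below is a subset of the ranges recommended on this page, with the owner labels as the posts give them.

```python
import ipaddress
from typing import Optional

# Subset of the block ranges recommended in the posts on this page (the
# hotmailbox.com list plus the /17 and /23 ranges from the Sinowal and
# RONET posts), with the owner labels given there.
RECOMMENDED_BLOCKS = {
    "84.247.61.0/24": "Sistem Soft Network, Romania",
    "91.217.162.0/24": "Voejkova Nadezhda, Russia",
    "91.229.90.0/23": "RONET / ro-net.eu",
    "94.63.149.0/24": "SC CORAL IT OFFICE SRL, Romania",
    "94.244.80.7": "Uab Kauno Interneto Sistemos, Lithuania",
    "95.64.0.0/17": "Netserv Consult SRL, Romania",
    "95.64.55.0/24": "Netserv Consult SRL, Romania",
    "141.136.16.14": "MORE SECURE SRL, Romania",
    "188.229.0.0/17": "Netserv Consult SRL, Romania",
}


def cidr_bounds(cidr: str) -> tuple:
    """First and last address of a block, the way the posts write them out."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def collapsed_blocks(blocks=RECOMMENDED_BLOCKS) -> list:
    """Merge nested or adjacent entries so the rule list has no redundancy
    (95.64.55.0/24 disappears into 95.64.0.0/17)."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_block(ip: str, blocks=RECOMMENDED_BLOCKS) -> Optional[str]:
    """Most specific recommended block containing ip, or None if not covered."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in map(ipaddress.ip_network, blocks) if addr in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None


def audit(ips, blocks=RECOMMENDED_BLOCKS) -> dict:
    """Map each IP to the block that would stop it, or None where the list has a gap."""
    return {ip: covering_block(ip, blocks) for ip in ips}


if __name__ == "__main__":
    # Hosting IPs quoted in the posts above; 78.129.132.26 (iomart, UK) is not
    # in any recommended range and therefore shows up as a gap.
    for ip, block in audit(["188.229.88.103", "95.64.45.43", "91.229.90.11",
                            "78.129.132.26"]).items():
        print(f"{ip:>16}  {block or '(not covered)':<18}  "
              f"{RECOMMENDED_BLOCKS.get(block, '')}")
```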

If you have any examples of domains using hotmailbox.com that are not listed, then please consider adding them to the Comments.

