The injection attacks from lizamoon.com and other domains continue.. and they link back to a popular blog post about a very different attack site at worid-of-books.com because at the moment, all these sites appear to be on the same server at 95.64.9.18 belonging to Intermedia TOP SRL.
The following sites are on that malicious server:
alexblane.com
alisa-carter.com
lizamoon.com
t6ryt56.info
tadygus.com
worid-of-books.com
Right now the safest thing to do is block traffic to 95.64.8.0/23 (95.64.8.0 - 95.64.9.255) at the very least. But given that there are several bad networks now within the mostly Romanian 95.64.0.0/16, there's very little to lose in blocking the whole /16 for now if you don't have dealings with Romania.
If you need to block by domain, then the list below is everything that I can identify in this block.
abrogatesdv.info
antiviric.net
atlaty.com
atydut.com
bancard.cc
blasphemysfhs.info
blatant8jh.info
blightedgf5.info
bru67.info
buroti.com
cra76.info
cre12.info
crediblegfj.info
creditablef8.info
credulousaw99d.info
der93.info
enigmafhdd.info
enscond4xc.info
enshroudgf32b.info
fif49.info
fileac.com
financeprogramm.com
fop22.info
fre94.info
harbingersytu.info
hastenr55a.info
haughtinessd2f.info
itapos.com
ivo17.info
jer77.info
jev41.info
kia31.info
kie14.info
laby5nehfs.info
laceration24.info
lachrymose78n.info
lev66.info
lsrato.com
machmit.cc
mag20.info
memhys.com
mia16.info
mineral-beauty.net
morafu.com
mupoga.com
muposs.com
nlosaf.com
nuzzlefgf.info
nwolbcom.cc
nyb90.info
obduratexv.info
obfuscate98y.info
onfiro.com
online-security.cc
opa63.info
ova22.info
pes89.info
plauditaz.info
plethoradtb.info
podyme.com
poisor.com
posjuc.com
posunn.com
prettyharp.ru
qertys.com
reprieve8mf.info
scoolq.com
ser55.info
servat.cc
serwaz.com
testaz.cc
tmwars.com
usudom.com
xxxpornteensex.com
advancedwebanalytic.com
alexblane.com
alisa-carter.com
alternative-art-ltd.net
alternativeart-ltd.com
artmarket-llc.net
artsolveltd.cc
artsolveltdco.at
astech-groupde.cc
blitznet-de.eu
chelpgroup-llc.net
chepl-groupllc.biz
competitor-uk-group.net
competitorgroup-ltd.com
ddk100.com
ddk2200.com
deemno.com
drakulaworld.net
drysdale-antcorp.at
drysdale-group-inc.cc
findsubstantial.org
foto-album-mnck.tk
fotoshare-2dknc.com
google-1aa.com
googlesite.ws
joomlaext.org
kunde.ws
lizamoon.com
mailwbg6.com
micr0updates.com
myblog-search.com
ocservice-de.net
oregon-ltd-uk.net
qead-llc.biz
saleoke.com
squit-group-llc.biz
surprise-knsma.tk
surprise-knsmd.tk
surprise-knsmf.tk
surprise-knsmo.tk
surprise-knsmp.tk
surprise-knsmq.tk
surprise-knsmr.tk
surprise-knsms.tk
surprise-knsmt.tk
surprise-knsmu.tk
surprise-knsmw.tk
t6ryt56.info
tadygus.com
worid-of-books.com
Sponsored by..
Showing posts sorted by relevance for query lizamoon. Sort by date Show all posts
Showing posts sorted by relevance for query lizamoon. Sort by date Show all posts
Saturday, 2 April 2011
Wednesday, 8 June 2011
94.244.80.7 / bookpolo.com / booksolo.com / bookgusa.com injection attacks
The following domains are currently in use:
bookaros.com
bookarra.com
bookavio.com
bookdolo.com
bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
bookmylo.com
booknunu.com
bookpolo.com
booksgou.com
booksoco.com
booksolo.com
booktuba.com
bookvila.com
bookvivi.com
bookvoxy.com
bookzoul.com
bookzula.com
Registrant details are familiar and fake:
JamesNorthone James Northone jamesnorthone@hotmailbox.com +1.5168222749 fax: +1.5168222749 128 Lynn Court Plainview NY 1180
us
Injection attacks seem to be either trying to insert an anchor with the word "book" pointing to one of the bad sites, presumably as a "Worid of Books"-type SEO campaign, or alternatively they are using the ur.php approach the LizaMoon used.
The whole 94.244.64.0/18 block looks toxic and is worth blocking. I'll post more details on that when I get the time.
Monday, 26 March 2012
gbfhju.com/r.php injection attack in progress
I haven't seen much buzz about this injection attack yet, but several hundred thousand pages have been infected with an injection attack pointing to gbfhju.com/r.php.
According to this Google search there are 236,000 hits for the search string "gbfhju.com/r.php". The sites seem to be randomly distributed through the web, although I couldn't spot any infected UK or US Government or University sites.
The domain gbfhju.com is registered with a set of details that should be familiar to IT security researchers:
These details are connected to the LizaMoon gang. The site is hosted on 91.226.78.148 which is Komplit Plyus in Russia.91.226.78.0/24 is a real sewer of malware sites, money mule and phishing sites and fake pharma outlets and is well worth blocking.
The following domains are hosted on 91.226.78.148 and they can all be assumed to be dangerous:
fgthyj.com
gbfhju.com
hjfghj.com
statsmy.com
stmyst.com
yourpagestat.com
yourpagestats.com
These other domains are also being used in injection attacks (usually overlapping each other). Blocking the IP range will stop any other attacks coming from this hosting provider.
The domain gbfhju.com is registered with a set of details that should be familiar to IT security researchers:
Domain name: gbfhju.com Registrant Contact: JamesNorthone James Northone jamesnorthone@hotmailbox.com +1.5168222749 fax: +1.5168222749 128 Lynn Court Plainview NY 11803 us Administrative Contact: James Northone jamesnorthone@hotmailbox.com +1.5168222749 fax: +1.5168222749 128 Lynn Court Plainview NY 11803 us Technical Contact: James Northone jamesnorthone@hotmailbox.com +1.5168222749 fax: +1.5168222749 128 Lynn Court Plainview NY 11803 us Billing Contact: James Northone jamesnorthone@hotmailbox.com +1.5168222749 fax: +1.5168222749 128 Lynn Court Plainview NY 11803 us DNS: ns1.dnsexit.com ns2.dnsexit.com ns3.dnsexit.com ns4.dnsexit.com Created: 2012-03-17 Expires: 2013-03-17
These details are connected to the LizaMoon gang. The site is hosted on 91.226.78.148 which is Komplit Plyus in Russia.91.226.78.0/24 is a real sewer of malware sites, money mule and phishing sites and fake pharma outlets and is well worth blocking.
The following domains are hosted on 91.226.78.148 and they can all be assumed to be dangerous:
fgthyj.com
gbfhju.com
hjfghj.com
statsmy.com
stmyst.com
yourpagestat.com
yourpagestats.com
These other domains are also being used in injection attacks (usually overlapping each other). Blocking the IP range will stop any other attacks coming from this hosting provider.
Tuesday, 24 April 2012
nikjju.com injection attack in progress
Registrant Contact:
JamesNorthone
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us
JamesNorthone
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us
The hotmailbox.com domain is a sign of evil, and these are likely to be the "LizaMoon" crew who have been very active over the past couple of years. nikjju.com is hosted on 31.210.100.242 (INTER NET BILGISAYAR LTD STI, Turkey although blocking the domain will help as well because these malicious sites tend to be highly mobile.
Friday, 8 July 2011
Evil network: hotmailbox.com
There are several hundred domains registered through email accounts at hotmailbox.com, all of them are bogus and follow a similar pattern with bogus US addresses. Most of the domains with active websites are hosted in Romania, in netblocks that have a known bad reputation.
You can download a list of domains, IPs and MyWOT ratings for at least some of these domains here [CSV], or if you just want a plain list then keep scrolling down.
Because the hotmailbox.com domains are all in bad blocks or dedicated servers, then it is possible to block access to these IP ranges or individual boxes to prevent infection. I would recommend blocking the following:
84.247.61.0/24 (Sistem Soft Network, Romania)
91.217.162.0/24 (Voejkova Nadezhda, Russia)
94.63.149.0/24 (SC CORAL IT OFFICE SRL, Romania)
94.244.80.7 (Uab Kauno Interneto Sistemos, Lithunia)
95.64.55.0/24 (Netserv Consult SRL, Romania)
96.9.139.208/28 (UAB "Dominant Plius", c/o HOSTNOC, US)
141.136.16.14 (MORE SECURE SRL, Romania)
173.236.34.238 (Inferno Solutions, UK)
184.105.178.85 (Hurricane Electric, US [parked])
188.138.90.110 (Intergenia AG, Germany)
188.138.116.223 (Intergenia AG, Germany)
188.229.0.0/17 (Netserv Consult SRL, Romania)
202.75.41.42 (TM VADS DC Hosting, Malaysia)
209.212.157.208/29 (BONHOST, Ukraine)
212.117.164.39 (root SA, Luxembourg)
217.23.9.247 (Worldstream, Netherlands)
220.112.0.0/18 (Guangzhou For Great Wall Broadband Network, China)
Not every site in those ranges is part of this group, and indeed there may be a few legitimate sites, but you are much more likely to come into contact with a malware site on these IP addresses than a real one, so treat them as "high risk".
If you have any examples of domains using hotmailbox.com that are not listed, then please consider adding them to the Comments.
| 8nm2.com |
| aaaholic.com |
| aaoutfit.com |
| aarocket.com |
| abcartel.com |
| abminute.com |
| abutable.com |
| acgoblin.com |
| aemodern.com |
| afchalet.com |
| agfiesta.com |
| alexblane.com |
| alisa-carter.com |
| analitycscredit.com |
| asweds.com |
| automaticsecurityscan.com |
| awesomepornofree.com |
| awfulice.com |
| bcrocket.com |
| bdcartel.com |
| bestipdns.com |
| bookaros.com |
| bookarra.com |
| bookavio.com |
| bookdolo.com |
| bookfula.com |
| bookgusa.com |
| bookmonn.com |
| bookmono.com |
| bookmylo.com |
| booknunu.com |
| bookpolo.com |
| booksgou.com |
| booksoco.com |
| booksolo.com |
| booktuba.com |
| bookvila.com |
| bookvivi.com |
| bookvoxy.com |
| bookzoul.com |
| bookzula.com |
| caldnsserver.com |
| calmsearch.org |
| cbhammer.com |
| cblender.com |
| cebistro.com |
| cfaholic.com |
| clickabundant.org |
| clickaccept.org |
| clickadvice.org |
| clickahead.org |
| clickalmost.org |
| clickan.org |
| clickancient.org |
| clickany.org |
| clickanybody.org |
| clickanybody.org |
| clickarrogant.org |
| clickarvada.org |
| clickattempt.org |
| clickautomatic.org |
| clickbad.org |
| clickbatonrouge.org |
| clickber.org |
| clickboa.org |
| clickbored.org |
| clickbrake.org |
| clickbury.org |
| clickcharleston.org |
| clickclear.org |
| clickclever.org |
| clickdesmoines.org |
| clickdowe.org |
| clickdrea.org |
| clickdreadful.org |
| clickfer.org |
| clickflat.org |
| clickfortlauderdale.org |
| clickfremont.org |
| clickhartford.org |
| clickicy.org |
| clickill.org |
| clickjacksonville.org |
| clickmesquite.org |
| clicknorman.org |
| clickodd.org |
| clickolathe.org |
| clicksalem.org |
| clickshy.org |
| clicksyracuse.org |
| clickwet.org |
| comasians.com |
| comchemicalsns.com |
| daily-basis.com |
| daletter.com |
| darksecurityscan.com |
| dateoncount.com |
| dbchalet.com |
| dnseasy.ru |
| dnsforwebuse.com |
| dns-good-you.com |
| dnshot.ru |
| dnssuperb.com |
| dnsundservice.com |
| dnsvip.ru |
| domainforuse.com |
| dowpolenas.org |
| dynamicip-dns.com |
| e48i.com |
| easysecurityscan.com |
| edsawake.org |
| edsawake.org |
| edsback.org |
| edsbang.org |
| edsbang.org |
| edsbeautiful.com |
| edsbent.com |
| edsbent.com |
| edsbid.com |
| edsblew.com |
| edscold.com |
| edsfull.com |
| edsfull.com |
| edswoken.org |
| emptywin.com |
| engduates.com |
| excellentdnshost.com |
| fastsapere.com |
| fastsofgeld.com |
| findacid.org |
| findaddition.org |
| findadvertisem.org |
| findalert.org |
| findangry.org |
| findattack.org |
| findawful.org |
| findbitter.org |
| findblow.org |
| findbrake.org |
| findbrave.org |
| findcaret.org |
| findchalk.org |
| findchance.org |
| findcheeks.org |
| findclumsy.org |
| findcolorful.org |
| findconsonant.org |
| findcopper.org |
| findcurly.org |
| finddamaged.org |
| finddistribution.org |
| finddrawer.org |
| finddriving.org |
| finddrop.org |
| findear.org |
| findearly.org |
| findears.org |
| findearth.org |
| findeast.org |
| findexperie.org |
| findeyes.org |
| findfertile.org |
| findfierce.org |
| findforeign.org |
| findforget.org |
| findfort.org |
| findforth.org |
| findharsh.org |
| findinexpensive.org |
| findinnocent.org |
| findjolly.org |
| findjoyous.org |
| findjuicy.org |
| findlate.org |
| findsister.org |
| findsize.org |
| findsky.org |
| findsour.org |
| findstage.org |
| findstart.org |
| findstation.org |
| findstem.org |
| findstep.org |
| findstitch.org |
| findstone.org |
| findstraight.org |
| findstrange.org |
| finduneven.org |
| findunsightly.org |
| findvoiceless.org |
| findwandering.org |
| findwet.org |
| findwicked.org |
| fixtracker.com |
| forumaccept.org |
| forumadd.org |
| forumadmire.org |
| forumadmit.org |
| forumadvise.org |
| forumafford.org |
| forumallow.org |
| forumamuse.org |
| forumanalyze.org |
| forumbusy.org |
| forumcalm.org |
| forumcold.org |
| forumcute.org |
| forumdamp.org |
| frailwin.com |
| frequentwin.com |
| gcocgle.com |
| goodworkdns.com |
| goodworkdns.com |
| googletrackgeo.com |
| hotmailbox.com |
| ibtable.com |
| ibtable.com |
| imageacid.org |
| imagebad.org |
| imagebent.org |
| imagefipe.org |
| imagelue.org |
| install-internet.com |
| ipbestdns.com |
| IpCodesNet.com |
| IpInternetExplorer.com |
| ipmagicnet.com |
| ipnetworklegal.com |
| ipsecurityuse.com |
| ip-tracing.com |
| IpWebDirectory.com |
| koxtable.com |
| lizamoon.com |
| m0o0.com |
| malineip.com |
| milapop.com |
| netlinksgo.com |
| networkdnstrust.com |
| nondeip.com |
| op0o.com |
| ottomip.com |
| ottomip.com |
| phlorip.com |
| pornootrada.com |
| portalkey.org |
| s0po.com |
| searchabout.org |
| searchact.org |
| searchadorable.org |
| searchadvice.org |
| searchaffect.org |
| searchafternoon.org |
| searchago.org |
| searchairplane.org |
| searchalaska.org |
| searchalice.org |
| searchalike.org |
| searchallow.org |
| searchaloud.org |
| searchalphabet.org |
| searchalready.org |
| searchalready.org |
| searchalso.org |
| searchalso.org |
| searchalthough.org |
| searcham.org |
| searchamount.org |
| searchamusement.org |
| searchand.org |
| searchangle.org |
| searchanimal.org |
| searchanswer.org |
| searchant.org |
| searchapparatus.org |
| searcharound.org |
| searcharrange.org |
| searcharrow.org |
| searchas.org |
| searchaside.org |
| searchask.org |
| searchasleep.org |
| searchaswe.org |
| searchat.org |
| searchate.org |
| searchatlantic.org |
| searchatmosphere.org |
| searchatom.org |
| searchatomic.org |
| searchattached.org |
| searchattention.org |
| searchbad.org |
| searchbase.org |
| searchbat.org |
| searchbattery.org |
| searchbattle.org |
| searchbegan.org |
| searchbeginning.org |
| searchbegun.org |
| searchbehavior.org |
| searchbehind.org |
| searchbet.org |
| searchbetsy.org |
| searchbeyond.org |
| searchbigger.org |
| searchbiggest.org |
| searchbilly.org |
| searchbirth.org |
| searchborn.org |
| searchbottle.org |
| searchbound.org |
| searchbow.org |
| searchbowl.org |
| searchbread.org |
| searchbreak.org |
| searchbreathe.org |
| searchbreathing.org |
| searchbreeze.org |
| searchbreeze.org |
| searchbrick.org |
| searchbrick.org |
| searchbrief.org |
| searchclumsy.com |
| searchcruel.org |
| searchdead.com |
| searchdear.org |
| searchdepressed.org |
| searchdrab.com |
| searchdrab.org |
| searchdull.com |
| searchelated.org |
| searchfertile.org |
| searchfindestablish.org |
| searchfindfix.org |
| searchfindfund.org |
| searchfoggy.org |
| searchgrieving.org |
| searchhuge.org |
| searchhumid.org |
| searchhushed.org |
| searchjewel.org |
| searchlarge.org |
| searchlazy.org |
| searchmany.org |
| searchmeat.org |
| searchmedical.org |
| searchmemory.org |
| searchmetal.org |
| searchmilk.org |
| searchminiature.org |
| searchmisty.org |
| searchmixed.org |
| searchmodern.org |
| searchnumber.org |
| searchodd.org |
| searchof.org |
| searchplant.org |
| searchrelieved.org |
| searchways.org |
| seardall.org |
| static-ipdns.com |
| t02j.com |
| tadygus.com |
| trafficjoyous.com |
| u98i.com |
| ultradnshost.com |
Friday, 23 September 2011
dfrgcc.com injection attack in progress
JamesNorthone
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us
The site is hosted on 188.229.88.103 which is the equally infamous Netserv Consult SRL in Romania. 188.229.88.103 hosts the following sites:
bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
booknunu.com
bookvila.com
bookzula.com
dfrgcc.com
file-dl.com
xxxtubes8.com
These domains are pretty familiar, having previously been hosted in Lithuania. This marks them out as the same people behind the infamous LizaMoon attack.
Netserv Consult SRL host a wide variety of bad sites. Blocking 188.229.0.0/17 (188.229.0.0 - 188.229.127.255) will probably do you no harm.
Subscribe to:
Posts (Atom)