-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Forward:

I have repeatedly notified both Layered Technologies and SoftLayer of
malicious (and criminal) activities occurring in their IP address space
(their hosting facilities), but it continues to happen on a regular basis
(for over a year). Apparently, they don't seem to police their own
backyards, so it might be worthwhile to consider blocking these IP blocks
until they clean up their act.

I'm sick of hosting providers simply taking the money and turning
a blind eye.

If you're curious about some of the background on these hosting
providers, I would suggest reading back a few posts in Dancho Danchev's
blog to get a better idea of what I'm talking about here.

From today's post:

[snip]

Apparently, a little more in-depth research acts as public pressure,
especially when they're lazy enough to have a great deal of malware
variants "phone back home" to their promotional domain.

However, the current one responding to 67.228.69.191 is hosted by
SoftLayer, and is using ns1.4wap.org, provided by Layered Technologies, as
its DNS server, again confirming the Russian Business Network connection,
since both Layered Technologies and SoftLayer are known to have been, and
to continue, providing services to the RBN, knowingly or unknowingly.
Moreover, the malware-infected counter in the stats section continues
reporting new additions.

[snip]

More:
http://ddanchev.blogspot.com/2008/03/loadsccs-ddos-for-hire-service.html

Details [warning: active malicious URLs]:

bentham-mps.org/mansoor/cgi/index.php (205.234.186.26)
5fera.cn/adp/index.php (72.233.60.90)
ls-al.biz/1/index.php (78.109.22.245)
iwrx.com/images/index.php (74.53.174.34)
pizda.cc/in.htm (78.109.19.226)
ugl.vrlab.org/www/index.php (91.123.28.32)
eastcourier.com/reff/index.php (91.195.124.20)
thelobanoff.com/myshop/test/index.php (64.191.78.229)
203.117.170.40/~whyme/my/index.php
195.93.218.25/us/index.php
195.93.218.25/kam/index.php
85.255.116.206/ax5/index.php

Details below.



AS      | IP               | AS Name
23352   | 205.234.186.26   | SERVERCENTRAL - Server Central Network
13767   | 72.233.60.90     | DBANK - DataBank Holdings, Ltd.
41665   | 78.109.22.245    | HOSTING-AS National Hosting Provider, Hosting.UA
21844   | 74.53.174.34     | THEPLANET-AS - THE PLANET
41665   | 78.109.19.226    | HOSTING-AS National Hosting Provider, Hosting.UA
42011   | 91.123.28.32     | TRCODINTSOVO-AS TRC Odintsovo
41947   | 91.195.124.20    | WEBALTA-AS WEBALTA / Internet Search Company
21788   | 64.191.78.229    | NOC - Network Operations Center Inc.
4657    | 203.117.170.40   | STARHUBINTERNET-AS Starhub Internet, Singapore
44394   | 195.93.218.25    | BUILDHOUSE-AS Buildhouse Ltd.
27595   | 85.255.116.206   | INTERCAGE - InterCage, Inc.




Detailed IP allocation info:


205.234.186.26:

Server Central Network SCN-4 (NET-205-234-128-0-1)
205.234.128.0 - 205.234.255.255
HostForWeb Inc. SCNET-205-234-186 (NET-205-234-186-0-1)
205.234.186.0 - 205.234.187.255

OrgName: HostForWeb Inc.
OrgID: HOSTF-1
Address: PO BOX 1164
City: Chicago
StateProv: IL
PostalCode: 60690
Country: US

NetRange: 205.234.186.0 - 205.234.187.255
CIDR: 205.234.186.0/23
NetName: SCNET-205-234-186
NetHandle: NET-205-234-186-0-1
Parent: NET-205-234-128-0-1
NetType: Reallocated
Comment:
RegDate: 2007-07-12
Updated: 2007-07-12

OrgTechHandle: ADMIN240-ARIN
OrgTechName: Administrator
OrgTechPhone: +1-312-343-4678
OrgTechEmail: [EMAIL PROTECTED]

# ARIN WHOIS database, last updated 2008-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database. 


72.233.60.90:

OrgName: Layered Technologies, Inc.
OrgID: LAYER-3
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US

ReferralServer: rwhois://rwhois.layeredtech.com:4321

NetRange: 72.232.0.0 - 72.233.127.255
CIDR: 72.232.0.0/16, 72.233.0.0/17
NetName: LAYERED-TECH-
NetHandle: NET-72-232-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.LAYEREDTECH.COM
NameServer: NS2.LAYEREDTECH.COM
Comment: Please send all abuse complaints to
Comment: [EMAIL PROTECTED]
RegDate: 2005-09-07
Updated: 2007-02-27

RTechHandle: JPS66-ARIN
RTechName: Suo-Anttila, Jeremy Paul
RTechPhone: +1-972-398-7998
RTechEmail: [EMAIL PROTECTED]

OrgAbuseHandle: LAT-ARIN
OrgAbuseName: LT Abuse Team
OrgAbusePhone: +1-972-398-7998
OrgAbuseEmail: [EMAIL PROTECTED]

OrgNOCHandle: LIT-ARIN
OrgNOCName: LT IP-Network Team
OrgNOCPhone: +1-972-398-7998
OrgNOCEmail: [EMAIL PROTECTED]

OrgTechHandle: LNT3-ARIN
OrgTechName: LT NOC Team
OrgTechPhone: +1-972-398-7998
OrgTechEmail: [EMAIL PROTECTED]

# ARIN WHOIS database, last updated 2008-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


78.109.22.245:

% Information related to '78.109.22.240 - 78.109.22.247'

inetnum: 78.109.22.240 - 78.109.22.247
netname: atata
descr: atata - Maxim Perlov
country: UA
admin-c: MP5124-RIPE
tech-c: MP5124-RIPE
status: ASSIGNED PA
mnt-by: MNT-HOSTINGUA
source: RIPE # Filtered

person: Maxim Perlov
address: Kazakhstan, Almatu, Lenina h.13b
phone: +381234567
nic-hdl: MP5124-RIPE
abuse-mailbox: [EMAIL PROTECTED]
source: RIPE # Filtered

% Information related to '78.109.16.0/20AS41665'

route: 78.109.16.0/20
descr: Datacenter Hosting.UA
origin: AS41665
mnt-by: MNT-HOSTINGUA
source: RIPE # Filtered



74.53.174.34:

OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 315 Capitol
Address: Suite 205
City: Houston
StateProv: TX
PostalCode: 77002
Country: US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange: 74.52.0.0 - 74.55.255.255
CIDR: 74.52.0.0/14
NetName: NETBLK-THEPLANET-BLK-14
NetHandle: NET-74-52-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate: 2006-02-17
Updated: 2008-02-28

RTechHandle: PP46-ARIN
RTechName: Pathos, Peter
RTechPhone: +1-214-782-7800
RTechEmail: [EMAIL PROTECTED]

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: The Planet Abuse
OrgAbusePhone: +1-281-714-3560
OrgAbuseEmail: [EMAIL PROTECTED]

OrgNOCHandle: THEPL-ARIN
OrgNOCName: The Planet NOC
OrgNOCPhone: +1-281-714-3555
OrgNOCEmail: [EMAIL PROTECTED]

OrgTechHandle: TECHN33-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-214-782-7800
OrgTechEmail: [EMAIL PROTECTED]

# ARIN WHOIS database, last updated 2008-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.



78.109.19.226:

% Information related to '78.109.19.224 - 78.109.19.231'

inetnum: 78.109.19.224 - 78.109.19.231
netname: hoster
descr: hoster - Aleksandr Pavlov
country: UA
admin-c: PAV5-RIPE
tech-c: PAV5-RIPE
status: ASSIGNED PA
mnt-by: MNT-HOSTINGUA
source: RIPE # Filtered

person: Pavlov Aleksandr V
address: Guta Bank. Komsomola, 41
address: 195009, Sankt Petersburg
address: Russia
phone: +7 812 3241525
fax-no: +7 812 3241503
e-mail: [EMAIL PROTECTED]
nic-hdl: PAV5-RIPE
source: RIPE # Filtered

% Information related to '78.109.16.0/20AS41665'

route: 78.109.16.0/20
descr: Datacenter Hosting.UA
origin: AS41665
mnt-by: MNT-HOSTINGUA
source: RIPE # Filtered




91.123.28.32: 

% Information related to '91.123.16.0 - 91.123.31.255'

inetnum: 91.123.16.0 - 91.123.31.255
netname: TRCODINTSOVO-NET
descr: TRC Odintsovo
country: RU
org: ORG-MCtO1-RIPE
admin-c: AYO8-RIPE
tech-c: AYO8-RIPE
status: ASSIGNED PI
mnt-by: TRCODINTSOVO-MNT
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: TRCODINTSOVO-MNT
mnt-domains: TRCODINTSOVO-MNT
source: RIPE # Filtered

organisation: ORG-MCtO1-RIPE
org-name: MUP Center teleradiocompany Odintsovo
org-type: OTHER
descr: MUP Center teleradiocompany Odintsovo
address: 10, Govorova str.,
address: Odintsovo, Moscow district
address: Russian Federation
phone: +7 495 5907235
fax-no: +7 495 5907000
e-mail: [EMAIL PROTECTED]
admin-c: AYO8-RIPE
tech-c: AYO8-RIPE
mnt-ref: TRCODINTSOVO-MNT
mnt-by: TRCODINTSOVO-MNT
source: RIPE # Filtered

person: Andrew Y. Ostrouhov
address: 10, Govorova str.,
address: Odintsovo city, Moscow district
address: Russian Federation
phone: +7 495 5907355
fax-no: +7 495 5907000
e-mail: [EMAIL PROTECTED]
nic-hdl: AYO8-RIPE
mnt-by: TRCODINTSOVO-MNT
source: RIPE # Filtered

% Information related to '91.123.16.0/20AS42011'

route: 91.123.16.0/20
descr: TRC Odintsovo
origin: AS42011
mnt-by: TRCODINTSOVO-MNT
source: RIPE # Filtered



91.195.124.20:

% Information related to '91.195.124.0 - 91.195.125.255'

inetnum: 91.195.124.0 - 91.195.125.255
netname: LEADERHOST2-NET
descr: LiderHost Ltd.
country: RU
org: ORG-LL27-RIPE
admin-c: AVM23-RIPE
tech-c: AVM23-RIPE
status: ASSIGNED PI
mnt-by: LEADERHOST-MNT
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: LEADERHOST-MNT
mnt-routes: RU-WEBALTA-MNT
mnt-domains: LEADERHOST-MNT
source: RIPE # Filtered

organisation: ORG-LL27-RIPE
org-name: LeaderHost Ltd.
org-type: OTHER
descr: LeaderHost Ltd.
address: 1, Aivazovskogo str.,
address: Moscow, Russia
phone: +7 495 5895552
fax-no: +7 495 5895552
e-mail: [EMAIL PROTECTED]
admin-c: AVM23-RIPE
tech-c: AVM23-RIPE
mnt-ref: LEADERHOST-MNT
mnt-by: LEADERHOST-MNT
source: RIPE # Filtered

person: Andrey V Matveev
address: 1, Aivazovskogo str.,
address: Moscow, Russia
phone: +7 495 5895552
fax-no: +7 495 5895552
e-mail: [EMAIL PROTECTED]
nic-hdl: AVM23-RIPE
mnt-by: LEADERHOST-MNT
source: RIPE # Filtered

% Information related to '91.195.124.0/23AS41947'

route: 91.195.124.0/23
descr: LeaderHost
origin: AS41947
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered



64.191.78.229:

OrgName: Network Operations Center Inc.
OrgID: NOC
Address: PO Box 591
City: Scranton
StateProv: PA
PostalCode: 18501-0591
Country: US

ReferralServer: rwhois://rwhois.hostnoc.net:4321/

NetRange: 64.191.0.0 - 64.191.127.255
CIDR: 64.191.0.0/17
NetName: HOSTNOC-3BLK
NetHandle: NET-64-191-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.HOSTNOC.NET
NameServer: NS2.HOSTNOC.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-05-31
Updated: 2003-08-08

RTechHandle: SMA4-ARIN
RTechName: Arcus, S. Matthew
RTechPhone: +1-570-343-8551
RTechEmail: [EMAIL PROTECTED]

OrgTechHandle: SMA4-ARIN
OrgTechName: Arcus, S. Matthew
OrgTechPhone: +1-570-343-8551
OrgTechEmail: [EMAIL PROTECTED]

# ARIN WHOIS database, last updated 2008-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.



203.117.170.40:

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 203.117.0.0 - 203.117.255.255
netname: STARHUBINTERNET-SG
descr: root
country: SG
admin-c: NS110-AP
tech-c: NS110-AP
mnt-by: MAINT-AS4657-AP
status: ALLOCATED NON-PORTABLE
changed: [EMAIL PROTECTED] 20070605
source: APNIC

person: NOC SHI
nic-hdl: NS110-AP
e-mail: [EMAIL PROTECTED]
address: 19 TaiSeng Drive
address: Singapore 535222
phone: +65 6825 7878
fax-no: +65 6821 6012
country: SG
changed: [EMAIL PROTECTED] 20060607
mnt-by: MAINT-AS4657-AP
source: APNIC



195.93.218.25:

% Information related to '195.93.218.0 - 195.93.219.255'

inetnum: 195.93.218.0 - 195.93.219.255
netname: BUILDHOUSE-NET
descr: Buildhouse Ltd.
country: RU
org: ORG-BL54-RIPE
admin-c: TIO4-RIPE
tech-c: TIO4-RIPE
status: ASSIGNED PI
remarks: - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
remarks: Routing issues: [EMAIL PROTECTED]
remarks: DNS issues: [EMAIL PROTECTED]
remarks: Mail issues: [EMAIL PROTECTED]
remarks: SPAM&SCAN issues (PLEASE ONLY TO): [EMAIL PROTECTED]
remarks: News issues: [EMAIL PROTECTED]
remarks: Customer support: [EMAIL PROTECTED]
remarks: Commercial issues: [EMAIL PROTECTED]
remarks: - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: MNT-BUILDHOUSE
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: MNT-BUILDHOUSE
mnt-domains: MNT-BUILDHOUSE
source: RIPE # Filtered

organisation: ORG-BL54-RIPE
org-name: Buildhouse Ltd.
org-type: OTHER
address: 109240, Russia, Moscow, Radischevskaya verhnyaya str., h. 13/15
e-mail: [EMAIL PROTECTED]
mnt-ref: MNT-BUILDHOUSE
mnt-by: MNT-BUILDHOUSE
source: RIPE # Filtered

person: Tsheptyev Igor Olegovich
address: 109240, Russia, Moscow, Radischevskaya verhnyaya str., h. 13/15
phone: +7 495 5684114
nic-hdl: TIO4-RIPE
source: RIPE # Filtered

% Information related to '195.93.218.0/23AS44394'

route: 195.93.218.0/23
descr: Buildhouse Ltd.
origin: AS44394
mnt-by: MNT-BUILDHOUSE
source: RIPE # Filtered


85.255.116.206:

% Information related to '85.255.112.0 - 85.255.127.255'

inetnum: 85.255.112.0 - 85.255.127.255
netname: UkrTeleGroup
descr: UkrTeleGroup Ltd.
admin-c: UA481-RIPE
tech-c: UA481-RIPE
country: UA
org: ORG-UL25-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: UKRTELE-MNT
mnt-routes: UKRTELE-MNT
mnt-domains: UKRTELE-MNT
source: RIPE # Filtered

organisation: ORG-UL25-RIPE
org-name: UkrTeleGroup Ltd.
org-type: LIR
address: UkrTeleGroup Ltd.
Mechnikova 58/5
65029 Odessa
Ukraine
phone: +380487311011
fax-no: +380487502499
mnt-ref: UKRTELE-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

person: Andrew Sotov
address: Mechnikova 58/5 65029 Odessa
abuse-mailbox: [EMAIL PROTECTED]
phone: +380631508855
nic-hdl: UA481-RIPE
source: RIPE # Filtered


- ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFH11Hoq1pz9mNUZTMRAp4pAJ9NszAJMEchAUSjNC2q1lWJeqdvWwCfcrwb
gaAVfYoBHitYQsv0brcFJrI=
=xuiI
-----END PGP SIGNATURE-----



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
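The post suggests blocking the hosting providers' IP blocks, and the WHOIS dumps above show why that needs a sanity check first: some of the listed hosts sit in /29 customer assignments (Hosting.UA), others only in a /17 or even a /14 direct allocation (ThePlanet's 74.52.0.0/14). The script below is an added example, not part of Ferguson's post or of any of the providers' tooling. It parses the indicator list and the NetRange/inetnum/route values copied from the WHOIS output above, maps each malicious IP to the most specific allocation that contains it, and emits ipset entries: assignments at /24 or more specific are blocked wholesale, while wider blocks are reduced to a single-host entry and queued for a human decision. The /24 threshold and the set name "badhosting" are assumptions of this example; the URLs, IPs and address ranges are the ones in the post.

```python
"""Build a blocklist from the post's indicators and WHOIS allocations,
flagging blocks whose collateral damage needs a human decision.

Added example. Indicator lines and address ranges are copied from the post;
the /24 wholesale-block threshold is an assumption of this example.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Indicator lines as they appear in the "Details" section of the post.
INDICATORS = """\
bentham-mps.org/mansoor/cgi/index.php (205.234.186.26)
5fera.cn/adp/index.php (72.233.60.90)
ls-al.biz/1/index.php (78.109.22.245)
iwrx.com/images/index.php (74.53.174.34)
pizda.cc/in.htm (78.109.19.226)
ugl.vrlab.org/www/index.php (91.123.28.32)
eastcourier.com/reff/index.php (91.195.124.20)
thelobanoff.com/myshop/test/index.php (64.191.78.229)
203.117.170.40/~whyme/my/index.php
195.93.218.25/us/index.php
195.93.218.25/kam/index.php
85.255.116.206/ax5/index.php
"""

# NetRange / inetnum / route values from the WHOIS output in the post,
# as "start - end" ranges or comma-separated CIDRs, keyed by owner.
ALLOCATIONS = {
    "Server Central SCN-4":         "205.234.128.0 - 205.234.255.255",
    "HostForWeb SCNET-205-234-186": "205.234.186.0 - 205.234.187.255",
    "Layered Technologies":         "72.232.0.0/16, 72.233.0.0/17",
    "Hosting.UA route":             "78.109.16.0/20",
    "atata (Hosting.UA)":           "78.109.22.240 - 78.109.22.247",
    "hoster (Hosting.UA)":          "78.109.19.224 - 78.109.19.231",
    "ThePlanet BLK-14":             "74.52.0.0/14",
    "TRC Odintsovo":                "91.123.16.0 - 91.123.31.255",
    "LeaderHost":                   "91.195.124.0 - 91.195.125.255",
    "HostNOC-3BLK":                 "64.191.0.0/17",
    "StarHub SG":                   "203.117.0.0 - 203.117.255.255",
    "Buildhouse":                   "195.93.218.0 - 195.93.219.255",
    "UkrTeleGroup":                 "85.255.112.0 - 85.255.127.255",
}

# Assumed policy: a block this specific or tighter is dropped wholesale;
# anything wider is blocked as a single host and queued for review.
MAX_WHOLESALE_PREFIX = 24

_IND_RE = re.compile(r"^(?P<host>[^/\s]+)(?P<path>/\S*)\s*(?:\((?P<ip>[\d.]+)\))?$")


def parse_indicators(text: str) -> List[Tuple[str, str, str]]:
    """Return (host, path, ip) per line; bare-IP URLs use the IP as host."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _IND_RE.match(line)
        if not m:
            raise ValueError(f"unparsed indicator: {line!r}")
        host, path, ip = m.group("host"), m.group("path"), m.group("ip")
        if ip is None:
            # No "(ip)" suffix, so the host part must itself be an IP literal.
            ip = str(ipaddress.ip_address(host))
        out.append((host, path, ip))
    return out


def expand_allocation(spec: str) -> List[ipaddress.IPv4Network]:
    """Expand a WHOIS 'start - end' range or comma-separated CIDR list."""
    nets = []
    for part in spec.split(","):
        part = part.strip()
        if " - " in part:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in part.split(" - "))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(part, strict=True))
    return nets


def most_specific_block(ip: str, allocations: Dict[str, str]
                        ) -> Optional[Tuple[str, ipaddress.IPv4Network]]:
    """Longest-prefix allocation containing ip (assignment beats route/parent)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for owner, spec in allocations.items():
        for net in expand_allocation(spec):
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (owner, net)
    return best


def build_blocklist(indicators, allocations, max_prefix=MAX_WHOLESALE_PREFIX):
    """Return (blocks, review): CIDRs to drop now, and wide blocks needing a decision."""
    blocks, review = set(), {}
    for _host, _path, ip in indicators:
        hit = most_specific_block(ip, allocations)
        if hit is None:
            blocks.add(ipaddress.ip_network(ip))  # unknown owner: host only
            continue
        owner, net = hit
        if net.prefixlen >= max_prefix:
            blocks.add(net)
        else:
            blocks.add(ipaddress.ip_network(ip))
            review[str(net)] = f"{owner}: {net.num_addresses} addresses, far more than this host"
    return sorted(blocks), review


def ipset_lines(blocks, setname="badhosting"):
    """Emit 'ipset restore' input for the decided blocks."""
    return [f"create {setname} hash:net -exist"] + [f"add {setname} {n} -exist" for n in blocks]


if __name__ == "__main__":
    inds = parse_indicators(INDICATORS)
    blocks, review = build_blocklist(inds, ALLOCATIONS)
    print("\n".join(ipset_lines(blocks)))
    for net, why in review.items():
        print(f"# REVIEW {net}: {why}")
```

Run as `python3 blocklist.py | ipset restore` after reviewing the `# REVIEW` lines; with the data above only the two Hosting.UA /29 assignments are blocked wholesale, and nine wider allocations (from a /23 up to ThePlanet's /14) are left for a deliberate decision rather than dropped because one customer inside them is hostile.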


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
