I've reported the domain names to the Registry, which is working with the Registrar to have them suspended. I'm sure they'll register more, but they may have to go back and update their iframe code. So it at least slows them down.
On Tue, Mar 11, 2008 at 8:46 PM, Paul Ferguson <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Forward:
>
> I have repeatedly notified both Layered Technologies and SoftLayer on
> malicious (and criminal) activities occurring in their IP address space
> (their hosting facilities), but it continues to happen on a regular basis
> (for over a year). Apparently, they don't seem to police their own
> backyards, so it might be worthwhile to consider blocking these IP blocks
> until they clean up their act.
>
> I'm sick of hosting providers simply taking the money and turning
> a blind eye.
>
> If you're curious on some of the background on these hosting
> providers, I would suggest reading "back" in Dancho Danchev's
> blog a few posts and getting a better idea of what I'm talking
> about here.
>
> - From today's post:
>
> [snip]
>
> Apparently, a little more in-depth research acts as public pressure,
> especially when they're lazy enough to have a great deal of malware
> variants "phone back home" to their promotional domain.
>
> However, the current one responding to 67.228.69.191 is hosted by
> SoftLayer, and is using ns1.4wap.org as DNS server provided by Layered
> Technologies again confirming the Russian Business Network connection
> since, both, Layered Technologies and SoftLayer are known to have been and
> continue providing services to the RBN, knowingly or unknowingly. Moreover,
> the malware infected counter at the stats section continues reporting new
> additions.
>
> [snip]
>
> More:
> http://ddanchev.blogspot.com/2008/03/loadsccs-ddos-for-hire-service.html
>
> Details [warning: active malicious URLs]:
>
> Details below.
>
> Detailed IP allocation info:
>
> - - ferg
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
