Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 23 July 2009

DirectI: A return to old form?

UPDATE: http://hphosts.blogspot.com/2009/07/directi-update.html

Have DirectI returned to old form again, or is this just a coincidence?

http://msmvps.com/blogs/spywaresucks/archive/2009/07/22/1704910.aspx

The screenshot above left shows a domain used in an exploit campaign, registered via DirectI. Then of course, there's this lot (all exploit domains, so DO NOT LOAD IN A BROWSER!), all of which resolve to:

IP: 78.47.25.168
PTR: static.168.25.47.78.clients.your-server.de
Desc: FastVPS Ltd, St Petersburg, Russia

bigtopstats.cn
gqil.in
gzpf.in
lzwn.in
q0a.in
q0c.in
q0i.in
q0j.in
q0k.in
q0l.in
q0u.in
q0v.in
q0w.in
q0x.in
q1b.in
q1d.in
q1e.in
q1f.in
q1l.in
q1m.in
q1u.in
q1v.in
q1w.in
q3b.in
q3c.in
q3n.in
q3o.in
q3s.in
q5a.in
q5c.in
q5k.in
q5l.in
q5m.in
q5u.in
q5v.in
q5x.in
thehomename.cn
u0c.in
u0e.in
u0s.in
u0t.in
u1a.in
u1b.in
u1l.in
u1m.in
u1w.in
u1x.in
u1y.in
u3h.in
u3j.in
u3m.in
u3v.in
u3y.in
u4w.in
u5c.in
u5d.in
u5e.in
u5k.in
u5l.in
u5m.in
u5t.in
u5v.in
u5w.in
u6c.in
u6d.in
u6l.in
u6n.in
u6v.in
u6x.in
u7e.in
u7f.in
u7g.in
u7o.in
u7p.in
u7z.in
u8b.in
u8i.in
u8j.in
u8t.in
u8v.in
u9b.in
u9c.in
u9i.in
u9j.in
u9k.in
www.q0a.in
www.q0c.in
www.q0i.in
www.q0j.in
www.q0k.in
www.q0l.in
www.q0u.in
www.q0v.in
www.q0w.in
www.q0x.in
www.q1b.in
www.q1d.in
www.q1e.in
www.q1f.in
www.q1k.in
www.q1l.in
www.q1m.in
www.q1n.in
www.q1u.in
www.q1v.in
www.q1w.in
www.q3b.in
www.q3c.in
www.q3e.in
www.q3n.in
www.q3o.in
www.q3s.in
www.q5a.in
www.q5c.in
www.q5k.in
www.q5l.in
www.q5m.in
www.q5u.in
www.q5v.in
www.q5x.in
www.thehomename.cn
www.u0c.in
www.u0e.in
www.u0t.in
www.u1a.in
www.u1b.in
www.u1j.in
www.u1l.in
www.u1m.in
www.u1w.in
www.u1x.in
www.u1y.in
www.u3h.in
www.u3j.in
www.u3m.in
www.u3v.in
www.u3y.in
www.u4w.in
www.u5c.in
www.u5d.in
www.u5e.in
www.u5k.in
www.u5l.in
www.u5m.in
www.u5t.in
www.u5v.in
www.u5w.in
www.u6c.in
www.u6d.in
www.u6l.in
www.u6n.in
www.u6v.in
www.u6x.in
www.u7e.in
www.u7f.in
www.u7g.in
www.u7o.in
www.u7p.in
www.u7z.in
www.u8b.in
www.u8i.in
www.u8j.in
www.u8t.in
www.u8v.in
www.u9b.in
www.u9c.in
www.u9i.in
www.u9j.in
www.u9k.in
www.x0b.in
www.x0c.in
www.x0q.in
www.x0v.in
www.x1h.in
www.x1i.in
www.x1v.in
www.x3a.in
www.x3b.in
www.x3y.in
www.x5o.in
www.x6h.in
www.x6i.in
www.x6q.in
www.x6r.in
www.x7b.in
www.x7c.in
www.x7d.in
www.x7k.in
www.x7l.in
www.x7o.in
www.x8c.in
www.x8e.in
www.x8f.in
www.x8m.in
www.x8n.in
www.x8o.in
www.x8u.in
www.x8v.in
www.x8w.in
www.x8y.in
www.x9d.in
www.x9e.in
www.x9f.in
www.x9g.in
www.x9m.in
www.x9n.in
www.x9o.in
www.x9p.in
www.x9u.in
www.x9v.in
www.x9w.in
www.x9y.in
x0b.in
x0c.in
x0q.in
x0v.in
x1h.in
x1i.in
x3a.in
x3b.in
x3y.in
x5o.in
x6h.in
x6i.in
x6q.in
x6r.in
x7c.in
x7d.in
x7l.in
x7o.in
x8c.in
x8e.in
x8f.in
x8m.in
x8n.in
x8o.in
x8v.in
x8w.in
x8y.in
x9d.ru
x9e.in
x9f.in
x9g.in
x9m.in
x9n.in
x9n.ru
x9o.in
x9p.in
x9v.in
x9w.in
x9y.in


inetnum: 78.47.25.128 - 78.47.25.191
netname: FASTVPS-LTD
descr: FastVPS Ltd
country: DE
admin-c: OL203-RIPE
tech-c: OL203-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE # Filtered

person: Oleg Lyubimov
address: Leninskiy pr. 96-1-128
address: 198332 Saint-Petersburg
address: RUSSIAN FEDERATION
phone: +79219707212
fax-no: +79219707212
e-mail: oleg.lyubimov@gmail.com
nic-hdl: OL203-RIPE
mnt-by: HOS-GUN
source: RIPE # Filtered

:: Information related to '78.46.0.0/15AS24940'

route: 78.46.0.0/15
descr: HETZNER-RZ-NBG-BLK5
origin: AS24940
org: ORG-HOA1-RIPE
mnt-by: HOS-GUN
source: RIPE # Filtered

organisation: ORG-HOA1-RIPE
org-name: Hetzner Online AG
org-type: LIR
address: Hetzner Online AG
Attn. Martin Hetzner
Stuttgarter Str. 1
91710 Gunzenhausen
GERMANY
phone: +49 9831 610061
fax-no: +49 9831 610062
e-mail: info@hetzner.de
admin-c: GM834-RIPE
admin-c: HOAC1-RIPE
admin-c: MH375-RIPE
admin-c: RB1502-RIPE
admin-c: SK2374-RIPE
admin-c: DM93-RIPE
mnt-ref: HOS-GUN
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered


But we're not done yet. We're also seeing these resolve to additional IPs:

79.170.89.217 - netvibe.xlshosting.net
80.93.90.88 - 8442hd90088.ikexpress.com
91.121.167.41 - ks361128.kimsufi.com
91.121.174.19 - vidpic3.com
213.251.176.169 - ks35069.kimsufi.com

These contain yet more malicious domains, some also registered via DirectI, such as the one in the screenshot at the top of this post!
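For anyone who wants to put the indicators above to defensive use, here is an added example (not hpHosts code) that loads a subset of the domains and IPs from this post, walks a few constructed BIND-style query-log lines to flag lookups of listed domains (including the www. variants and mixed-case or trailing-dot names), checks whether an address falls inside the FastVPS inetnum quoted from RIPE, and renders the domains as 127.0.0.1 hosts-file lines. The log format, client addresses and sample lines are assumptions made for the example.

```python
"""Match DNS query logs against the exploit-domain list and WHOIS range from the post.

Added illustration, not hpHosts code. The domain and IP sets below are a subset copied
from the post; the log lines are constructed for the example.
"""
import ipaddress
import re

# Subset of the domains listed in the post (all resolved to 78.47.25.168 at the time).
EXPLOIT_DOMAINS = {
    "bigtopstats.cn", "gqil.in", "q0a.in", "q1b.in", "thehomename.cn",
    "u0c.in", "x0b.in", "x9d.ru", "x9n.ru",
}

# Sink IPs from the post: the main host plus the additional resolutions.
SINK_IPS = {
    "78.47.25.168", "79.170.89.217", "80.93.90.88",
    "91.121.167.41", "91.121.174.19", "213.251.176.169",
}

# inetnum from the RIPE record quoted in the post (FastVPS Ltd assignment).
FASTVPS_RANGE = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("78.47.25.128"), ipaddress.ip_address("78.47.25.191")))


def normalize(name):
    """Lower-case a hostname and drop a trailing dot."""
    return name.lower().rstrip(".")


def listed_domain(hostname):
    """Return the listed domain that hostname equals or sits under, else None.

    Walking up the labels means www.q0a.in matches q0a.in, so the post's
    separate 'www.' entries are covered without listing them twice, while
    look-alikes such as notq0a.in are not matched.
    """
    labels = normalize(hostname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in EXPLOIT_DOMAINS:
            return candidate
    return None


def is_sink_ip(ip):
    """True if ip is one of the resolution targets named in the post."""
    return ip in SINK_IPS


def in_fastvps_range(ip):
    """True if ip falls inside the 78.47.25.128 - 78.47.25.191 inetnum."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FASTVPS_RANGE)


# Assumed BIND-style query log line: "client 10.0.0.5#51234: query: www.q0a.in IN A +"
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def scan_query_log(lines):
    """Return (client, qname, listed_domain) for each query that hits the list."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        hit = listed_domain(m.group("qname"))
        if hit:
            hits.append((m.group("client"), normalize(m.group("qname")), hit))
    return hits


def hosts_entries(domains):
    """Render domains as hosts-file lines in the 127.0.0.1 form hpHosts uses."""
    return ["127.0.0.1\t" + d for d in sorted(domains)]


# Constructed log lines for the example (not real traffic).
SAMPLE_LOG = [
    "22-Jul-2009 10:15:32.101 client 192.168.1.20#51234: query: www.q0a.in IN A +",
    "22-Jul-2009 10:15:33.442 client 192.168.1.21#40011: query: example.org IN A +",
    "22-Jul-2009 10:15:35.008 client 192.168.1.20#51240: query: X9D.RU. IN A +",
    "22-Jul-2009 10:15:36.550 client 192.168.1.22#38877: query: notq0a.in IN A +",
]

if __name__ == "__main__":
    for client, qname, hit in scan_query_log(SAMPLE_LOG):
        print(f"{client} queried {qname} (listed as {hit})")
    print("78.47.25.168 in FastVPS inetnum:", in_fastvps_range("78.47.25.168"))
    print("\n".join(hosts_entries(EXPLOIT_DOMAINS)))
```

The suffix walk in `listed_domain` is the part worth keeping: a blocklist of registered domains catches every subdomain the campaign later adds, and a plain string-contains check would false-positive on names like notq0a.in.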

Wonder what their excuse for this will be? (I've already fired off an e-mail, as I'm dying to see them try and worm their way out of this one - surely they knew we'd be monitoring them?)

References:

MalwareURL - 78.47.25.168
http://www.malwareurl.com/search.php?domain=&s=78.47.25.168&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on

MalwareURL - 79.170.89.217
http://www.malwareurl.com/search.php?domain=&s=79.170.89.217&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on

MalwareURL - 80.93.90.88
http://www.malwareurl.com/search.php?domain=&s=80.93.90.88&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on

MalwareURL - 91.121.
http://www.malwareurl.com/search.php?domain=&s=91.121&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on

MalwareURL - 213.251.176.169
http://www.malwareurl.com/search.php?domain=&s=213.251.176.169&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on

Update re digitalspy.co.uk
http://msmvps.com/blogs/spywaresucks/archive/2009/07/22/1704910.aspx

Russian Business Network Updates
http://temerc.com/forums/viewtopic.php?f=4&t=3888

ALERT: please be extremely cautious when visiting digitalspy.co.uk
http://msmvps.com/blogs/spywaresucks/archive/2009/07/20/1703278.aspx

DirectI and HostFresh still supporting criminals!
http://hphosts.blogspot.com/2008/10/directi-and-hostfresh-still-supporting.html
