18.104.22.168 was first reported to HostNOC/Burst, on July 2nd, both via e-mail and via telephone. When speaking to them on the phone, I was advised they'd give the customer a 24 hour warning.
Watching the new domains popping up each day, I continued to send them reports, and resorted to a second phone call last week (Sunday if memory serves), to be told yet again, they'd give the customer a 24 hour warning. I further sent them a plethora of data regarding cases related to it, suggesting they're most likely all from a single or single group, of resellers.
Today alas, the server was still active, and still spitting out the Renos trojan. Finally, I called them a third time, and I'm happy to report, they suspended the server whilst I was on the phone to them. The problem however, is the initial 24 hour warning they claimed they'd given the customer - what happened to it? what happened to the followup warnings?
More importantly, why did a 24 hour warning end up being a 4 day and 18 cases later, warning? Especially given I was told today that they had STILL not received a response from their customer to the first warning, let alone any followups.
HostNOC/Burst don't exactly have the best reputation when it comes to responses and actioning as it is, and this kind of behaviour isn't exactly making them look any better. So HostNOC/Burst - what's going on?
The files and domains, incase you're wondering, that were seen on this IP are;
And it's worth noting, the filename isn't static, the various filenames in the list above, would've worked for all of the domains, just as they've done on previous IPs/domains.
And predictably, they've moved to yet another HostNOC/Burst IP;
Part 5: Interserver, malware, and the Scottish weather
Part 4: Interserver, malware, and the Scottish weather
Part 3: Interserver, malware, and the Scottish weather
Part 2: Interserver, malware, and the Scottish weather
Interserver, malware, and the Scottish weather