Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 12 October 2008

Russian Business Network fun in Italy, still present - and worse than originally thought

I'm sorry to say, I've had absolutely no response from the site owner, or hosting company for the site I mentioned previously that was hacked (obiettivorisarcimento.it). The injected code is still present, as can be seen by the following vURL query;

http://vurl.mysteryfcm.co.uk/?url=133808

Even worse however, is that it doesn't appear this is limited to just the one site. Checking other sites on the same IP block, shows the same injected code, for example;

www.gielle.org
http://vurl.mysteryfcm.co.uk/?url=133809

www.nicoli.com
http://vurl.mysteryfcm.co.uk/?url=133813

www.srlsistema.it
http://vurl.mysteryfcm.co.uk/?url=133814

The following is a list of sites on the same IP block (194.242.61.128).

www.gielle.org
www.fratres-brozzi.org
www.sagisrl.org
www.ceispt.org
www.cartotecnicadelgarda.com
www.centralboxitalia.com
www.tecno-weld.com
www.proteoediservice.com
www.piramideverde.com
www.orientalcaffe.com
www.2emmeforniture.com
www.nicoli.com
www.zaiti.com
www.giannicasti.com
www.edil-sistem.com
orodesign.com
www.orodesign.com
www.deborahligorio.com
www.marcomodernariato.com
www.lasocietadelprogetto.com
www.casacaminetto.com
www.fiorellogroup.com
www.dmacomputer.com
happyrent.com
www.turin-gallery.com
www.audiodigitale.net
www.italmeccanica.it
www.eliorapida.it
www.rovida.it
www.lanuovamodisteria.it
www.vezzola.it
www.srlsistema.it
www.studiocasazza.it
www.federicibb.it
www.trapperoffroad.it
www.centralfluid.it
www.selcod.it
www.associazionealice.it
www.edil-nike.it
www.edilnike.it
www.esagonale.it
www.aldofronterre.it
www.lanificiocecchi.it
www.minicostruzioni.it
www.stangalinocostruzioni.it
www.plastampi.it
www.rehamedical.it
www.studiozulian.it
www.spinoneitaliano.it
www.giovannagranno.it
www.obiettivorisarcimento.it
www.petrotto.it
www.bondishepherds.it
www.pengs.it
www.teolis.it
fenu.it


It's worth noting that not all of the above hosts are showing the injected code as being present. Whether this indicates a network wide issue, or the affected sites are just on the same server, is anyone's guess.

Until this is cleaned up however, I'd strongly recommend blacklisting this IP block.

In the meantime, if anyone reading this, happens to live in Italy and would like to try and get hold of the hosting company, their details are as follows;

inetnum: 194.242.61.0 - 194.242.61.255
netname: GENESYS-NET
descr: HostingSolutions.it
country: IT
admin-c: LC1294-RIPE
tech-c: EF1473-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: AS1267-MNT
mnt-routes: AS1267-MNT
mnt-domains: AS1267-MNT
source: RIPE # Filtered

person: Luigi Corbacella
address: Via de Cattani, 224/18
address: 50145 Firenze (FI)
phone: +39 55 308189
fax-no: +39 55 301394
e-mail: info@genesysinformatica.it
nic-hdl: LC1294-RIPE
source: RIPE # Filtered

person: Emil Fikl
address: Via de Cattani, 224-18
address: I-50145 Firenze (FI)
address: Italy
phone: +39 55 308189
fax-no: +39 55 301394
e-mail: emil@gif.it
nic-hdl: EF1473-RIPE
source: RIPE # Filtered

:: Information related to '194.242.61.0/24AS24994'

route: 194.242.61.0/24
descr: Genesys Informatica S.r.l.
origin: AS24994
remarks: GENESYS-NET announce
mnt-by: AS1267-MNT
source: RIPE # Filtered


Thus far, attempts to contact them both via e-mail and via telephone, have failed miserably.

/edit Monday 13th October

I'd like to make clear, following a note on the forums, that it is only the single IP (194.242.61.128) I recommend blocking, and not HostingSolutions.it entire net-range.

No comments: