Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 30 December 2009

nit99.biz: When is a forum not a forum? ....

... When it's an exploit of course!

This URL (vURL results, PDF);

nit99.biz/myy/viewtopic.php?s=bec8f62472

wants us to believe it's a forum, that's going to let us view the respective topic associated with the ID in the s= variable. Alas however, it's neither a valid ID, nor a forum at all. What you'll actually get, is a whole host of badness battered down the pipes onto your poor machine.

And what badness do you get? Glad you asked! The above URL, loads two additional URL's that deliver the payload;

PDF file
nit99.biz/myy/myreadme.php

SWF (flash) file
nit99.biz/myy//i.swf

These files have one purpose - to deliver the payload. The payload itself comes from;

nit99.biz/myy/post.php?e=6&

The payload is a 39K file called pdfupdate.exe, and VT results as of December 29th, were absolutely rubbish, with only 3 vendors detecting it;

http://www.virustotal.com/analisis/c6bf9b61d2ee07fea37adf13d3c0218d738d33914cb2525f58d4861c75bd662a-1261915184

I've just submitted it to VT again, to see if the detections have improved yet, and though they could still be better, the 3 vendors is now up to 19;

http://www.virustotal.com/analisis/c6bf9b61d2ee07fea37adf13d3c0218d738d33914cb2525f58d4861c75bd662a-1262196998

The file is UPX packed, and unpacking it shows a 79K file, that according to VT reports is a fake alert (otherwise known as "this is gonna infect yer poor machine and ask you to pay it for the privilege of doing so").

I don't have my test box up at the moment as I'm busy with work, and sorting out a server issue, but the Anubis results for the unpacked file, can be found here. Of interest, is the following, which indicates the presence of a rootkit;

....HKLM\System\CurrentControlSet\Services\AsyncMac


I did however, notice the following bit of confusion, when looking at the file in FileInsight;

....But where would he sleep?...He could be taller the..But where would he sleep?...No one wou..Imagine a pet dinosaur that live....when we played hid..and my pet would pass up th.He could be talle...pterodactyl instead.and the fences squashed ....M..[I0d have to spend ..I wouldn0...I wouldn0t have to worry....It would ...A pet dinosaur would be won.at my house and.and then another and t..Wouldn0t it be fan..While he stood in t.While he st.b.CB


Nope, I've no idea what that's about either.

The site resides at 115.100.250.104, and my database is showing this entire /24 as being dirty (so nope, not just a case of the sites being hacked). Malicious activity seen within this /24 includes;

20091216205416          115.100.250.107          Failed resolution          tt.allowjobs.cn          hxxp://tt.allowjobs.cn/

20091216205423          115.100.250.107          Failed resolution          tt.allowjobs.cn          hxxp://tt.allowjobs.cn/pdf.php?spl=pdf_ie2

20091216220940          115.100.250.107          Failed resolution          www.atatata.org          hxxp://www.atatata.org/777/sysmona.exe

20091218035413          115.100.250.72          Failed resolution          115.100.250.72          hxxp://115.100.250.72/server-status

20091218035420          115.100.250.107          Failed resolution          115.100.250.107          hxxp://115.100.250.107/server-status

20091218035427          115.100.250.115          Failed resolution          115.100.250.115          hxxp://115.100.250.115/server-status

20091218035433          115.100.250.116          Failed resolution          115.100.250.116          hxxp://115.100.250.116/server-status

20091218035440          115.100.250.119          Failed resolution          115.100.250.119          hxxp://115.100.250.119/server-status

20091219231238          115.100.250.107          Failed resolution          www.grobin1.cn          hxxp://www.grobin1.cn/pol/alwaysA.pdf

20091220000111          115.100.250.107          Failed resolution          chinaoilfactory.cn          hxxp://chinaoilfactory.cn/cp/build.exe

20091220000119          115.100.250.107          Failed resolution          chris25project.cn          hxxp://chris25project.cn/cp/bot.exe

20091220000340          115.100.250.107          Failed resolution          dia2.cn          hxxp://dia2.cn/123/ld.php?v=1&rs=13441600&n=1&uid=1

20091220001901          115.100.250.113          Failed resolution          online-counter.cn          hxxp://online-counter.cn/load.exe

20091220001908          115.100.250.113          Failed resolution          online-counter.cn          hxxp://online-counter.cn/stats/211/loadshow.php

20091220011435          115.100.250.119          Failed resolution          www.socks5servic.cn          hxxp://www.socks5servic.cn/zs/bot.exe

20091222194143          115.100.250.115          Failed resolution          www.useranalyticsreporting.net          hxxp://www.useranalyticsreporting.net/ir/pack/exe.php?spl=MDAC

20091222194202          115.100.250.104          Failed resolution          www.not99.biz          hxxp://www.not99.biz/myy/sdfg.jar

20091222194209          115.100.250.104          Failed resolution          client158.faster-hosting.com          hxxp://client158.faster-hosting.com/cache/homepage.exe

20091222194257          115.100.250.115          Failed resolution          www.useranalyticsreporting.net          hxxp://www.useranalyticsreporting.net/ir/pack/exp/pdf.php

20091222194330          115.100.250.104          Failed resolution          www.not99.biz          hxxp://www.not99.biz/myy/myreadme.php

20091222194337          115.100.250.115          Failed resolution          kijojg.net          hxxp://kijojg.net/fr/files/leerydumbbunny.pdf

20091222194344          115.100.250.115          Failed resolution          kijojg.net          hxxp://kijojg.net/fr/files/scamtodosomething.pdf

20091222194423          115.100.250.104          Failed resolution          www.not99.biz          hxxp://www.not99.biz/myy/f.swf

20091222194438          115.100.250.105          Failed resolution          www.aolas.cn          hxxp://www.aolas.cn/Smilex/az-alliance/iereg.exe

20091222194451          115.100.250.104          Failed resolution          www.kimosimotuma.cn          hxxp://www.kimosimotuma.cn/777.exe

20091222194529          115.100.250.104          Failed resolution          www.rss-lenta-news.ru          hxxp://www.rss-lenta-news.ru/123132/New2.exe

20091222194536          115.100.250.104          Failed resolution          client158.faster-hosting.com          hxxp://client158.faster-hosting.com/cache/anime2/13.exe

20091222194543          115.100.250.115          Failed resolution          kijojg.net          hxxp://kijojg.net/fr/loadjavad.php

20091222194607          115.100.250.107          Failed resolution          atatata.org          hxxp://atatata.org/123/file.php?upd

20091222194613          115.100.250.104          Failed resolution          www.rss-lenta-news.ru          hxxp://www.rss-lenta-news.ru/ad/file.php?upd

20091222194631          115.100.250.104          Failed resolution          www.not99.biz          hxxp://www.not99.biz/myy/post.php?e=1&&

20091222194652          115.100.250.104          Failed resolution          www.rss-lenta-news.ru          hxxp://www.rss-lenta-news.ru/123132/your_exe.exe

20091222194759          115.100.250.107          Failed resolution          www.footballcappers.biz          hxxp://www.footballcappers.biz/exe.php

20091222194842          115.100.250.104          Failed resolution          www.kimosimotuma.cn          hxxp://www.kimosimotuma.cn/888.exe

20091223201100          115.100.250.105          Failed resolution          www.aolas.cn          hxxp://www.aolas.cn/az-hsbc/iereg.exe

20091223201217          115.100.250.104          Failed resolution          kotopes.cn          hxxp://kotopes.cn/forum/image/exe.php

20091223201224          115.100.250.117          Failed resolution          westnorths.cn          hxxp://westnorths.cn/load.php?spl=mdac

20091229031704          115.100.250.107          Failed resolution          chris25project.cn          hxxp://chris25project.cn/cp/zsbcs.exe

20091229031807          115.100.250.107          Failed resolution          footballcappers.biz          hxxp://footballcappers.biz

20091229032535          115.100.250.107          Failed resolution          footballcappers.biz          hxxp://footballcappers.biz/exe.php

20091229032541          115.100.250.107          Failed resolution          footballcappers.biz          hxxp://footballcappers.biz/load.exe

20091229032858          115.100.250.104          Failed resolution          not99.biz          hxxp://not99.biz/myy/post.php

20091229033818          115.100.250.115          Failed resolution          useranalyticsreporting.net          hxxp://useranalyticsreporting.net/ir/pack/exp/pdf.php

20091229034534          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com/id125/

20091229034555          115.100.250.104          Failed resolution          kotopes.cn          hxxp://kotopes.cn/forum/image/index.php

20091229034658          115.100.250.104          Failed resolution          not99.biz          hxxp://not99.biz/myy/viewtopic.php?s=f6e678fe95

20091229034925          115.100.250.119          Failed resolution          wen.nei28.com          hxxp://wen.nei28.com/index.php

20091229035534          115.100.250.104          Failed resolution          kotopes.cn          hxxp://kotopes.cn/forum/image/spl/pdf.pdf

20091229035919          115.100.250.104          Failed resolution          www.kotopes.cn          hxxp://www.kotopes.cn/forum/image/spl/pdf.pdf

20091229035932          115.100.250.115          Failed resolution          www.useranalyticsreporting.net          hxxp://www.useranalyticsreporting.net:80/ir/pack/exp/pdf.php

20091229040137          115.100.250.107          Failed resolution          grobin1.cn          hxxp://grobin1.cn/pol/alwaysA.pdf

20091229040143          115.100.250.107          Failed resolution          grobin1.cn          hxxp://grobin1.cn/pol/update.php

20091229040331          115.100.250.117          Failed resolution          westnorths.cn          hxxp://westnorths.cn/index.php?spl=3&br=MSIE&vers=6.0&s=826f3bdce007009c5ceb6c26ccf638bc

20091229040853          115.100.250.104          Failed resolution          fopsl.cn          hxxp://fopsl.cn/forum/index.php

20091229041019          115.100.250.104          Failed resolution          nit99.biz          hxxp://nit99.biz/new/viewtopic.php?s=0ec9d1a063

20091229041204          115.100.250.117          Failed resolution          todaymaytomorrow.cn          hxxp://todaymaytomorrow.cn//load.php?spl=mdac

20091229042433          115.100.250.104          Failed resolution          www.nit99.biz          hxxp://www.nit99.biz/myy/viewtopic.php?s=bec8f62472

20091229044311          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com/id125/index.php

20091229044317          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com:80/id125/files/annonce.pdf

20091229044324          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com:80/id125/loadpdf.php

20091229044415          115.100.250.117          Failed resolution          ispugais.cn          hxxp://ispugais.cn/load.php?s=70861f0ffb301246f95e3f7cb8293213&spl=pdf_all

20091229044426          115.100.250.117          Failed resolution          kitaiclock.cn          hxxp://kitaiclock.cn/load.php?s=70861f0ffb301246f95e3f7cb8293213&spl=pdf_all

20091229044504          115.100.250.114          Failed resolution          macaples.in          hxxp://macaples.in/my_usa/index.php?spl=3&br=MSIE&vers=7.0&s=a514f2595261bcd6ebcb69320172f022

20091229044510          115.100.250.114          Failed resolution          macaples.in          hxxp://macaples.in/my_usa/load.php?spl=ActiveX_pack

20091229044552          115.100.250.104          Failed resolution          nit99.biz          hxxp://nit99.biz/new/viewtopic.php?s=62d4f4343c

20091229044633          115.100.250.121          Failed resolution          rasejo.cn          hxxp://rasejo.cn/thecompany/mk/er32.exe

20091229044738          115.100.250.117          Failed resolution          systemanalizerscom.cn          hxxp://systemanalizerscom.cn/load.php?s=2eafd76b775db4d941022df28348bfd1&spl=pdf_all

20091229212404          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com/id120/index.php

20091229212411          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com/id126/index.php

20091229212419          115.100.250.73          Failed resolution          tds-info.net          hxxp://tds-info.net/in.cgi?2

20091229212510          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com/id126/mdac.php


The /24 lies within a range (115.100.248.0/22) owned by;

ASN: 9803
Desc: JINGXUN Beijing Jingxun Public Information Technology Co., Ltd

/edit 18:52

Sunbelt sandbox results
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=12053994&cs=BFFBC294022DB10C44EE633BAC06CAF4

Microsoft Malware Protection Center (results will be here once analysis is finished)
https://www.microsoft.com/security/portal/Submission/SubmissionHistory.aspx?SubmissionId=a06eea71-cb87-4af3-aafa-6ba621b248ac

/edit 19:06

The following shows some interesting stats regarding the exploit pack being used here (Fragus/Nulled);

Sunday, 27 December 2009

Crimeware friendly ISP's: Eveloz (AS27716, 200.63.40.0/21, 200.63.48.0/23, 190.5.224.0/22)

The topic today is blackhat SEO, fake AV's and phishing. The culprit responsible for this boatload of maliciousness, is Eveloz (AS27716).

Eveloz has 3 upstream providers, namely;

AS11556 PA-CAPA2-LACNIC Cable-Wireless Panama
AS14551 ALTERNET-SA-AS UUNET Technologies
AS23520 NEWWORLDNETWORK New World Network USA, Inc.

Eveloz is also directly related to Panamaservers.com, an ISP with a history of badness. This blog isn't appropriate for that however, so I'll go into that at a later date.

You'll note, I've blogged recently (as have others) about the blackhat SEO campaigns on Google (and there's similar campaigns on the other search engines). Most of these have one thing in common - the redirector. The most recent redirector or MITM (Man in the middle) is protectcareone.net, which resides at 200.63.46.130. This domain uses the following redirs;

/in.cgi?{NO}
/redirect/
/redirect2/
/redirect3/
/redirect4/

The redir you're taken to (1-4) seems to vary depending on the domain, but all 4 will take you to various infections (the target domain appears to change every 12-24 hours, so I'd suggest monitoring it constantly). At present, these are;

/redirect/
-> goscanmoth.com/?uid=13400
--> cunamot.cn/?uid=13400
---> cunamot.cn/download/install.php?uid=13400 (Internet Antivirus Pro)

IP: 193.169.235.5
ASN 32181 193.169.234.0/23 ASN-ECOMD-COLOQUEST - GigeNET

IP: 193.169.235.6
ASN 32181 193.169.234.0/23 ASN-ECOMD-COLOQUEST - GigeNET

/redirect2/
-> family2reunion.com/go.php?id=2004&key=ff0057594&d=1

IP: 66.232.102.67
ASN: 29802 66.232.102.0/19 HVC

At the time of publishing, this one is returning a 404 for me for the payload (blocked IP perhaps?)

/redirect3/

-> new-proper.cn/?pid=283s01&sid=2a15a0

IP: 95.143.192.52
ASN: 49770 SERVERCONNECT-AS ServerConnect Sweden AB

At the time of publishing, this one is returning a 404 for me for the payload (blocked IP perhaps?)

/redirect4/
-> onlinenonmalware.com/hitin.php?land=20&affid=92800
--> onlinenonmalware.com/index.php?affid=92800
---> onlinenonmalware.com/downloader.php?affid=92800 (System Security variant)

IP: 193.104.153.245
ASN: 5577 193.104.153.0/24 ROOT root eSolutions

Over the past couple of weeks or so, only the first and fourth have resulted in an actual payload being delivered for me, the second and third have failed (the second with what looks like a fake 404, suggesting they've got all of my IP's blocked, and the third keeps timing out).

Whilst quite obviously annoyed at Google and the likes, for not doing enough to remove the results from their indexes to begin with, I find myself increasingly annoyed with their upstreams for allowing this behaviour to continue.

Eveloz for example, if we look at just one of their ranges, doesn't have so much as a single legit domain - every single one is either delivering malware or phishing scams;

bootsame.com
cheap-uggs-boots.com
childrenuggboots.com
dior-boots.com
ghdhairtrade.com
girlsugg.com
gosafezone.net
guccichothes.com
guccisneaekrs.com
jewelleryvip.com
linksmvp.com
metallicuggboots.com
oklouisvuitton.com
pandora2010.com
protectcareone.net
replica-bags-sale.com
safetytripstyle.net
the-documentary.net
uggbestsell.com
uggbootsforkids.com
uggbroome.com
uggcrochetboots.com
uggerin.com
ugglow.com
uggminiboots.com
uggpinkboots.com
ugg-sandals.com
uggsaustralian.org
uggtasmina.com
uggwomensboots.com
womengucci.com
womenguccishoes.com
www.bootsame.com
www.cheap-uggs-boots.com
www.childrenuggboots.com
www.dior-boots.com
www.ghdhairtrade.com
www.girlsugg.com
www.gosafezone.net
www.guccichothes.com
www.guccisneaekrs.com
www.jewelleryvip.com
www.linksmvp.com
www.metallicuggboots.com
www.mgbcorporation.com
www.oklouisvuitton.com
www.pandora2010.com
www.protectcareone.net
www.replica-bags-sale.com
www.safetytripstyle.net
www.uggbestsell.com
www.uggbootsforkids.com
www.uggbroome.com
www.uggcrochetboots.com
www.uggerin.com
www.ugglow.com
www.uggminiboots.com
www.uggpinkboots.com
www.ugg-sandals.com
www.uggsaustralian.org
www.uggtasmina.com
www.uggwomensboots.com
www.womengucci.com
www.womenguccishoes.com
www.xnike.com
xnike.com


I've got a router to change over now however, so we'll come back to this later.

INFO: Upcoming service interruption

Just a note folks, I treat myself to a new Netgear WNR2000 N Router today (would've loved the MaxRange N router but couldn't afford it), which means the network will be unavailable later tonight, to allow for the current routers being replaced.

I'm planning on doing the replacement at approx midnight tonight (GMT), and it shouldn't take more than 15 mins or so (allows for disconnection, connection, config, testing and backup).

/edit 01:06 28-12-2009

I've had to ditch the router replacement idea folks. The new one doesn't have a modem built into it (could've bleedin told me on the box!)

Wednesday, 23 December 2009

Twitter spam: IAC WebFetti

I received an e-mail from a friend earlier, alterting me to possible malicious content over on Twitter (surprise surprise), and what I found actually did surprise me for a change.

This spam run didn't lead to a worm, trojan, virus or other infection - but to an IAC website, webfetti.com.

One thing they all have in common, aside from the IAC connection? Well, that would be Twivert. A site that advertises itself as a "Twitter advertising network". Quite why publishers such as IAC, who are presently trying to convince everyone they've gone legit, would think this kind of behaviour was a good thing, is beyond me.

You'll no doubt be surprised to learn, Twivert is run by an Indian based "company" (I'm beginning to wonder if there's so much as a single legit company over there, all of those I've come across have been involved in spam or phishing);

Registrant:
ISquare
280-A LLoyds Road
Gopalapuram
Chennai, Tamil Nadu 600086
India

Domain Name: TWIVERT.COM
Created on: 25-May-09
Expires on: 25-May-11
Last Updated on: 25-May-09

Administrative Contact:
Sundaresan, Vignesh vignesh.isquare@gmail.com
ISquare
280-A LLoyds Road
Gopalapuram
Chennai, Tamil Nadu 600086
India
00971554906134 Fax --

Technical Contact:
Sundaresan, Vignesh vignesh.isquare@gmail.com
ISquare
280-A LLoyds Road
Gopalapuram
Chennai, Tamil Nadu 600086
India
00971554906134 Fax --

Domain servers in listed order:
NS35.DOMAINCONTROL.COM
NS36.DOMAINCONTROL.COM


I highly suspect IAC will blame this on rogue affiliates, but personally, I'll not be convinced.

Crimeware friendly ISP's: RapidSwitch Ltd (AS29131)

Those of you reading this blog for any length of time, or specializing in the documentation of malicious domains, will no doubt already be aware of RapidSwitch's history, but here's a little refresher for you;

242 reasons to avoid 78.129.142.9 (RapidSwitch - AS29131)
http://hphosts.blogspot.com/2008/09/242-reasons-to-avoid-781291429.html

RapidSwitch customers still involved in SMS Fraud ......
http://hphosts.blogspot.com/2009/02/rapidswitch-customers-still-involved-in.html

Adobe9.0-PDF.com + Computer Solutions Group + 208.118.54.* + Xtreme Software Ltd + Saudi Arabia = Phishing and fraud network
http://hphosts.blogspot.com/2009/03/adobe90-pdfcom-computer-solutions-group.html

Zlkon.lv disconnected - but apparently not completely gone
http://hphosts.blogspot.com/2009/04/zlkonlv-disconnected-but-apparently-not.html

Fake malwarebytes site
http://www.malwarebytes.org/forums/index.php?showtopic=17213

Legitimate Software Typosquatted in SMS Micro-Payment Scam
http://ddanchev.blogspot.com/2009/07/legitimate-software-typosquatted-in-sms.html

RapidSwitch: UK webhosts in champagne throwing cat fight
http://hphosts.blogspot.com/2009/09/rapidswitch-uk-webhosts-in-champagne.html

LC Escrow & Consulting Fraud
http://www.bobbear.com/lcescrowandconsulting.html

Take your time, I'll wait.

Caught up? Good, lets begin shall we? We'll start by looking at what was there, as documented September last year. How many of these are still present? How many have moved? Well, the following contains the hpObserver validation results for those listed in hpHosts as residing on 78.129.*, which were done around an hour or so ago;

http://hosts-file.net/misc/hpObserver_results_-_RapidSwitch-231209.html

I believe the results speak for themselves - the majority are still present, and still involved in malicious activities.

Now, lets look at what's appeared over there in the last few months shall we? And I should point out, this only contains those recorded in my personal database (this database is not published online for varying reasons) and as such, is only a small example.

78.129.205.92        ns64.altervista.org        hacklabz.altervista.org/php.txt
78.129.205.94        ns65.altervista.org        prodef.altervista.org/dark.txt
78.129.205.94        ns65.altervista.org        prodef.altervista.org/id1.txt
78.129.166.98        bod98.i0waterford.net        antispyavailable.com/downloadsetup.php
78.129.205.62        ns50.altervista.org        orangegraphics.altervista.org
78.129.205.62        ns50.altervista.org        italianhom.altervista.org/home.htm
78.129.205.21        ns25.altervista.org        all4upload.altervista.org/
78.129.205.17        ns30.altervista.org        amoreterno.altervista.org/
78.129.205.29        ns3.altervista.org        angelaplatania.altervista.org/
78.129.205.19        ns2.altervista.org        bonesitalia.altervista.org/
78.129.205.19        ns2.altervista.org        bonesitalia.altervista.org/home.htm
78.129.205.19        ns2.altervista.org        casalbertone.altervista.org/index.php
78.129.157.185        ns3589.ukvpshosting.com        www.10pips.com/ca/download.php
78.129.205.62        ns50.altervista.org        orangegraphics.altervista.org/
78.129.166.98        bod98.i0waterford.net        altapcsecurity.com/downloadsetup.php
78.129.166.166        Failed resolution        top-pornnet.com/promo3/?aid=763&vname=flash_player.exe
78.129.166.175        Failed resolution        tubez4fun.net/download/present.exe
78.129.205.9        ns23.altervista.org        fatto.altervista.org/
78.129.205.88        ns63.altervista.org        joew.altervista.org/index.php?mod=materiale2
78.129.205.9        ns23.altervista.org        www.fatto.altervista.org/
78.129.205.9        ns23.altervista.org        www.fatto.altervista.org/
78.129.205.13        ns24.altervista.org        www.lorenzopravda.altervista.org/
78.129.205.13        ns24.altervista.org        www.lorenzopravda.altervista.org/index.html
78.129.221.11        gateway.simirna.com        brkweb.net/beestdwd
78.129.205.34        ns35.altervista.org        www.swingthing.altervista.org/
78.129.205.96        ns66.altervista.org        cr0j.altervista.org/dark.txt
78.129.205.76        ns57.altervista.org        giacomox.altervista.org/ciccio.txt
78.129.205.96        ns66.altervista.org        cr0j.altervista.org/id1.txt
78.129.205.96        ns66.altervista.org        cr0j.altervista.org/bovsp.txt
78.129.205.31        ns34.altervista.org        bhebhebhe.altervista.org/razor.txt
78.129.205.31        ns34.altervista.org        bhebhebhe.altervista.org/federico.txt
78.129.205.9        ns23.altervista.org        cinemiamo.altervista.org/
78.129.205.17        ns30.altervista.org        dbzmito.altervista.org/index.php
78.129.205.7        ns33.altervista.org        djandreaweb.altervista.org/
78.129.205.72        ns55.altervista.org        eventishoujo.altervista.org/index.php?sl=in_giappone/uscite_manga/archivio/2006/marzo/marzo.htm
78.129.205.15        ns29.altervista.org        frenkdjedanyk.altervista.org/photo28/index.html
78.129.205.2        ns32.altervista.org        graficnika.altervista.org/
78.129.205.40        ns37.altervista.org        hackerpsc.altervista.org/
78.129.205.21        ns25.altervista.org        home.metin2pedia.altervista.org/php5/home/home.php?browser=firefox
78.129.205.29        ns3.altervista.org        immobiliarerosa.altervista.org/cantieri/Nantoexscuole/index.htm
78.129.205.13        ns24.altervista.org        makkot.altervista.org/
78.129.205.13        ns24.altervista.org        makkot.altervista.org/index.htm
78.129.205.25        ns27.altervista.org        marasma74.altervista.org/KINO/-Miscellaneous/index.html
78.129.205.17        ns30.altervista.org        misterhide.altervista.org/elinks/_emulegay/index.html
78.129.205.17        ns30.altervista.org        misterhide.altervista.org/elinks/_emulegay/index2.html
78.129.205.88        ns63.altervista.org        moothunder.altervista.org/home.html
78.129.205.2        ns32.altervista.org        napoorsocapo.altervista.org/home.htm
78.129.205.13        ns24.altervista.org        pauraedeliriomp.altervista.org/
78.129.205.13        ns24.altervista.org        pinkshoujosite.altervista.org/
78.129.205.21        ns25.altervista.org        preda.altervista.org/
78.129.205.50        ns42.altervista.org        shadowdance.altervista.org/
78.129.205.72        ns55.altervista.org        soldier87.altervista.org/menu.htm
78.129.205.96        ns66.altervista.org        dosnetter.altervista.org/par-.txt
78.129.167.135        server135.gnxnetwork.com        spealman.net/go/on/
78.129.205.50        ns42.altervista.org        uggstaff.altervista.org/130609/indexfoto.htm
78.129.205.50        ns42.altervista.org        uggstaff.altervista.org/260507/indexfoto.htm
78.129.205.50        ns42.altervista.org        uggstaff.altervista.org/300509/indexfoto.htm
78.129.205.21        ns25.altervista.org        wantedlist2.altervista.org/
78.129.205.82        ns60.altervista.org        worldmarmalade.altervista.org/
78.129.205.82        ns60.altervista.org        worldmarmalade.altervista.org/home.htm
78.129.205.2        ns32.altervista.org        www.graficnika.altervista.org/
78.129.205.11        ns22.altervista.org        www.kssong.altervista.org/
78.129.166.5        bod5.i0waterford.net        78.129.166.5/~xqz/zw/ldr.exe
78.129.171.49        Failed resolution        78.129.171.49/doc/binor.exe
78.129.247.85        Failed resolution        78.129.247.85/~wwwhi5/images/view.php/image.php
78.129.149.37        backup.black-prophecy.org        black-prophecy.org/bot.exe
78.129.166.166        Failed resolution        security-components.com/promo3/get.php?aid=1361&vname=antivirus
78.129.205.13        ns24.altervista.org        www.pinkshoujosite.altervista.org/
78.129.205.50        ns42.altervista.org        www.uggstaff.altervista.org/020607/indexfoto.htm
78.129.205.50        ns42.altervista.org        www.uggstaff.altervista.org/200609/indexfoto.htm
78.129.205.50        ns42.altervista.org        www.uggstaff.altervista.org/230509/indexfoto.htm
78.129.205.50        ns42.altervista.org        www.uggstaff.altervista.org/280209/indexfoto.htm
78.129.205.50        ns42.altervista.org        www.uggstaff.altervista.org/rocciadisco/index.htm
78.129.205.48        ns41.altervista.org        www.utopia2007.altervista.org/
78.129.166.166        Failed resolution        antispyware-center.com/promo1/get.php
78.129.205.98        ns67.altervista.org        druido12.altervista.org/federico.txt
78.129.205.98        ns67.altervista.org        dig0z.altervista.org/bovsp.txt
78.129.166.178        Failed resolution        scanreporting.com/ping13.php?id=1&mid=qhc15dj0erc1&aid=1&type=2
78.129.166.178        Failed resolution        scanreporting.com/ping13.php?id=0&mid=qhc15dj0erc1&aid=1&type=2
78.129.166.98        bod98.i0waterford.net        securesoftwarebill.com/buy.php
78.129.205.98        ns67.altervista.org        babbudoiu.altervista.org/ciccio.txt
78.129.205.98        ns67.altervista.org        sospendipure.altervista.org/sca/r0x-id.txt
78.129.221.11        gateway.simirna.com        brkweb.net/mmyfi1ms
78.129.205.15        ns29.altervista.org        iffty1.altervista.org
78.129.157.22        Failed resolution        templates.rightconsultant.com
78.129.142.235        Failed resolution        thegimp-full.info/bin/3962/fr/GIFAnimator.exe
78.129.178.133        Failed resolution        a-zme.com/kwdxc/pbzyb/authorized.php
78.129.205.68        ns53.altervista.org        gloverz.altervista.org/id2.txt
78.129.205.68        ns53.altervista.org        gloverz.altervista.org/id1.txt
78.129.205.68        ns53.altervista.org        monzetta.altervista.org/ciccio.txt
78.129.205.76        ns57.altervista.org        sgarufante.altervista.org/razor.txt
78.129.205.104        ns69.altervista.org        fr33z.altervista.org/id2.txt
78.129.205.104        ns69.altervista.org        fr33z.altervista.org/id1.txt
78.129.205.104        ns69.altervista.org        fr33z.altervista.org/dark.txt
78.129.205.104        ns69.altervista.org        drogs.altervista.org/x00x/infoz.txt
78.129.205.104        ns69.altervista.org        bring.altervista.org/bovsp.txt
78.129.205.104        ns69.altervista.org        bring.altervista.org/dark.txt
78.129.205.104        ns69.altervista.org        bring.altervista.org/id2.txt
78.129.205.104        ns69.altervista.org        bring.altervista.org/id1.txt
78.129.168.231        Failed resolution        dusecurity.com/shells/php/phpshell.txt
78.129.205.104        ns69.altervista.org        tr1p.altervista.org/id2.txt
78.129.205.104        ns69.altervista.org        tr1p.altervista.org/dark.txt
78.129.205.104        ns69.altervista.org        tr1p.altervista.org/id1.txt
78.129.205.104        ns69.altervista.org        c0c4.altervista.org/bovsp.txt
78.129.205.104        ns69.altervista.org        c0c4.altervista.org/dark.txt
78.129.205.104        ns69.altervista.org        c0c4.altervista.org/id2.txt
78.129.205.104        ns69.altervista.org        c0c4.altervista.org/id1.txt
78.129.205.104        ns69.altervista.org        pr0m0.altervista.org/bovsp.txt
78.129.205.104        ns69.altervista.org        pr0m0.altervista.org/dark.txt
78.129.205.104        ns69.altervista.org        pr0m0.altervista.org/id2.txt
78.129.205.104        ns69.altervista.org        pr0m0.altervista.org/id1.txt
78.129.166.98        bod98.i0waterford.net        system-tuner.net/downloadsetup.php
78.129.244.73                
                
                
Failed resolution                
                
                
clicks.totemcash.com        clicks.totemcash.com/?s=32857&p=21&pp=1        
78.129.178.202        server.centralservers.net        oilinvestconf.com/images/statement.exe
78.129.178.202        server.centralservers.net        signin.ebay.com.ws.ebayisapi.dll.ayvqppabvalabimvxkohzd.oilinvestconf.com/images/statement.exe
78.129.205.106        ns70.altervista.org        v2k1.altervista.org/pw.txt
78.129.205.106        ns70.altervista.org        v2k1.altervista.org/id2.txt
78.129.205.106        ns70.altervista.org        v2k1.altervista.org/dark.txt
78.129.205.106        ns70.altervista.org        v2k1.altervista.org/id1.txt
78.129.205.76        ns57.altervista.org        v1k1.altervista.org/id2.txt
78.129.205.76        ns57.altervista.org        v1k1.altervista.org/dark.txt
78.129.205.76        ns57.altervista.org        v1k1.altervista.org/id1.txt
78.129.205.68        ns53.altervista.org        vik9.altervista.org/bovsp.txt
78.129.205.68        ns53.altervista.org        vik9.altervista.org/id2.txt
78.129.205.68        ns53.altervista.org        vik9.altervista.org/dark.txt
78.129.205.68        ns53.altervista.org        vik9.altervista.org/id1.txt
78.129.205.68        ns53.altervista.org        vik8.altervista.org/id1.txt
78.129.205.68        ns53.altervista.org        vik8.altervista.org/pw.txt
78.129.205.68        ns53.altervista.org        vik8.altervista.org/id2.txt
78.129.205.68        ns53.altervista.org        vik8.altervista.org/dark.txt
78.129.205.104        ns69.altervista.org        vik6.altervista.org/bovsp.txt
78.129.205.104        ns69.altervista.org        marchetto43.altervista.org/federico.txt
78.129.205.104        ns69.altervista.org        vik6.altervista.org/id1.txt
78.129.205.104        ns69.altervista.org        vik6.altervista.org/id2.txt
78.129.205.104        ns69.altervista.org        vik6.altervista.org/dark.txt
78.129.205.104        ns69.altervista.org        vik6.altervista.org/echos.txt
78.129.205.96        ns66.altervista.org        vik5.altervista.org/id2.txt
78.129.205.96        ns66.altervista.org        vik5.altervista.org/dark.txt
78.129.205.96        ns66.altervista.org        vik5.altervista.org/id1.txt
78.129.205.104        ns69.altervista.org        luchetto45.altervista.org/federico.txt
78.129.139.185        server.harshainfotech.com        sigc.edu/ig/MBA_Complaince_report.my_doc.php
78.129.205.54        ns45.altervista.org        br1973.altervista.org/power4/small/down7.htm
78.129.166.176        Failed resolution        anysetupreports.com/go.php?afid=2473
78.129.166.176        Failed resolution        online-anti-malware-scanner.com/go.php?afid=2473
78.129.166.177        Failed resolution        online-bestfree-virus-scanner.com/go.php?afid=2473
78.129.166.179        Failed resolution        readyoutube.com/go.php?afid=2473
78.129.242.140        uk36.sayfa.net        salihlimousine.com/looks4/another/kind55.html
78.129.242.140        uk36.sayfa.net        salihlimousine.com/looks4/another/science30.html
78.129.166.178        Failed resolution        scanreporting.com/go.php?afid=2473
78.129.146.102        uk60.sayfa.net        yesilcam.gen.tr/even96/history/hard62.htm
78.129.146.102        uk60.sayfa.net        yesilcam.gen.tr/even96/history/view16.htm
78.129.146.102        uk60.sayfa.net        yesilcam.gen.tr/near25/just/found62.htm
78.129.146.102        uk60.sayfa.net        yesilcam.gen.tr/near25/just/upon12.htm
78.129.166.98        bod98.i0waterford.net        spyremoveronline.com/download.php
87.117.200.128        server.standupserver.com        freebingovouchers.co.uk/
78.129.205.27        ns31.altervista.org        passovizze1978.altervista.org
78.129.166.141        Failed resolution        activelayersecurity.cn/buy.php?id=139&subid=1
78.129.166.141        Failed resolution        78.129.166.141/malw.db
78.129.166.141        Failed resolution        78.129.166.141/buy.php?id=139&subid=1
78.129.166.141        Failed resolution        78.129.166.141/antimalware.exe
78.129.166.141        Failed resolution        78.129.166.141/uninstall.exe
78.129.166.141        Failed resolution        activelayersecurity.cn/antimalware.exe
78.129.166.141        Failed resolution        activelayersecurity.cn/uninstall.exe
78.129.205.96        ns66.altervista.org        sheridansfaces.altervista.org/965/?go
78.129.139.185        server.harshainfotech.com        imayamcollege.org/images/styles.php
78.129.166.11        bod11.i0waterford.net        securitytoolnow.com/index.php?affid=92800
78.129.166.11        bod11.i0waterford.net        securitytoolnow.com/downloader.php?affid=92800
78.129.166.11        bod11.i0waterford.net        securitytoolnow.com/hitin.php?land=20&affid=92800
78.129.166.11        bod11.i0waterford.net        security-utility.net/index.php?affid=92800
78.129.166.11        bod11.i0waterford.net        security-utility.net/hitin.php?land=20&affid=92800
78.129.166.11        bod11.i0waterford.net        security-utility.net/downloader.php?affid=92800
78.129.205.21        ns25.altervista.org        pesforlife.altervista.org/language/it/email/_images/lesbian-esthetique-salon/index.html
78.129.205.21        ns25.altervista.org        pesforlife.altervista.org/language/it/email/_images/lesbian-esthetique-salon/map.html
78.129.166.11        bod11.i0waterford.net        newsecuritytools.net/hitin.php?land=20&affid=92800
78.129.166.11        bod11.i0waterford.net        newsecuritytools.net/index.php?affid=92800
78.129.166.11        bod11.i0waterford.net        newsecuritytools.net/downloader.php?affid=92800
78.129.166.11        bod11.i0waterford.net        securitytoolstool.com/downloader.php?affid=92800
78.129.166.11        bod11.i0waterford.net        securitytoolstool.com/index.php?affid=92800
78.129.166.11        bod11.i0waterford.net        securitytoolstool.com/hitin.php?land=20&affid=92800
78.129.166.11        bod11.i0waterford.net        packagebusiness.com/index.php?affid=92800
78.129.166.11        bod11.i0waterford.net        packagebusiness.com/downloader.php?affid=92800
78.129.166.11        bod11.i0waterford.net        packagebusiness.com/hitin.php?land=20&affid=92800
78.129.166.11        bod11.i0waterford.net        createfinancialstability.com/index.php?affid=92800
78.129.166.11        bod11.i0waterford.net        createfinancialstability.com/downloader.php?affid=92800
78.129.166.11        bod11.i0waterford.net        createfinancialstability.com/hitin.php?land=20&affid=92800
78.129.166.11        bod11.i0waterford.net        createfinancialstability.com/downloader.php
78.129.166.11        bod11.i0waterford.net        createfinancialstability.com/hitin.php?land=20&affid=92300
78.129.166.11        bod11.i0waterford.net        essentialhealthpartners.com/hitin.php?land=20&affid=92300
78.129.166.11        bod11.i0waterford.net        createfinancialstability.com/hitin.php?land%253D20&affid%253D91107
78.129.166.11        bod11.i0waterford.net        packagebusiness.com/hitin.php
78.129.166.11        bod11.i0waterford.net        scanserviceworld.com/hitin.php?land%253D20
78.129.166.11        bod11.i0waterford.net        scanserviceworld.com/hitin.php?land=20&affid=92300
78.129.166.11        bod11.i0waterford.net        securitytoolstool.com/downloader.php?affid=91107
83.142.226.125        lion.base360.com        mirror01.x264.nl/x264/64bit/revision1342/x264.exe
78.129.139.185        server.harshainfotech.com        envirodesal.com
78.129.166.11        bod11.i0waterford.net        securitytoolnow.com
78.129.166.11        bod11.i0waterford.net        securitytoolnow.com/downloader.php?affid=92400
78.129.166.11        bod11.i0waterford.net        securitytoolnow.com/hitin.php
78.129.166.11        bod11.i0waterford.net        securitytoolnow.com/hitin.php?land=20&affid=92400
78.129.166.11        bod11.i0waterford.net        pcmedicalbilling.com/downloader.php
78.129.166.11        bod11.i0waterford.net        pcmedicalbilling.com/hitin.php?land=20&affid=92400
78.129.166.11        bod11.i0waterford.net        security-utility.net/hitin.php?land=20&affid=92400
78.129.166.11        bod11.i0waterford.net        securitytoolsclick.net/hitin.php?land=20&affid=92400
78.129.166.11        bod11.i0waterford.net        securitytoolsclick.net/index.php?affid=90400
78.129.166.11        bod11.i0waterford.net        newsecuritytools.net/hitin.php?land=20&affid=92400
78.129.166.11        bod11.i0waterford.net        securitytoolsclick.net:80/hitin.php?land=20&affid=92600
78.129.166.175        Failed resolution        78.129.166.175/go.php
78.129.166.176        Failed resolution        78.129.166.176/go.php
78.129.166.177        Failed resolution        78.129.166.177/go.php
78.129.166.178        Failed resolution        78.129.166.178/go.php
78.129.166.179        Failed resolution        78.129.166.179/go.php
78.129.166.180        Failed resolution        78.129.166.180/go.php
78.129.166.177        Failed resolution        free-girls-xxx.net/go.php
78.129.166.11        bod11.i0waterford.net        securitytoolblog.net/hitin.php?land=20&affid=92300
78.129.166.11        bod11.i0waterford.net        securitytoolstool.com/hitin.php?land=20&affid=92300
78.129.142.9        Failed resolution        www.div-x.ws/it/install_DivXInstaller.exe
78.129.166.11        bod11.i0waterford.net        countymove.com/index.php?affid=92800
78.129.166.11        bod11.i0waterford.net        countymove.com/hitin.php?land=20&affid=92800
78.129.166.11        bod11.i0waterford.net        countymove.com/downloader.php?affid=92800
78.129.166.11        bod11.i0waterford.net        essentialhealthpartners.com/downloader.php
78.129.166.11        bod11.i0waterford.net        packagebusiness.com/hitin.php?land=20&affid=92300
78.129.166.11        bod11.i0waterford.net        securitysoftcore.com
78.129.166.11        bod11.i0waterford.net        securitysoftcore.com/index.php?affid=92800
78.129.166.11        bod11.i0waterford.net        securitytoolnow.com/downloader.php?affid=91109
78.129.166.11        bod11.i0waterford.net        securitytoolstool.com
78.129.166.11        bod11.i0waterford.net        www.securitysoftcore.com/hitin.php?land=20&affid=92300
78.129.166.11        bod11.i0waterford.net        yourlegalprotection.com/index.php?affid=92800
78.129.166.11        bod11.i0waterford.net        yourlegalprotection.com/downloader.php?affid=92800
78.129.166.11        bod11.i0waterford.net        yourlegalprotection.com/hitin.php?land=20&affid=92800
78.129.166.11        bod11.i0waterford.net        securitysoftdrink.com/hitin.php?land=20&affid=92800
78.129.166.11        bod11.i0waterford.net        securitysoftdrink.com/index.php?affid=92800
78.129.166.11        bod11.i0waterford.net        securitysoftdrink.com/downloader.php?affid=92800
78.129.166.11        bod11.i0waterford.net        antivirussoftadult.com/index.php?affid=92800
78.129.166.11        bod11.i0waterford.net        antivirussoftadult.com/downloader.php?affid=92800
78.129.166.11        bod11.i0waterford.net        antivirussoftadult.com/hitin.php?land=20&affid=92800
78.129.166.11        bod11.i0waterford.net        theantyspywaretool.com/index.php?affid=92800
78.129.166.11        bod11.i0waterford.net        theantyspywaretool.com/downloader.php?affid=92800
78.129.166.11        bod11.i0waterford.net        theantyspywaretool.com/hitin.php?land=20&affid=92800
78.129.166.11        bod11.i0waterford.net        www.securitysoftcore.com/index.php?affid=00000
78.129.166.11        bod11.i0waterford.net        www.securitysoftcore.com/downloader.php?affid=00000
78.129.205.23        ns26.altervista.org        svn.altervista.org/477/?go
78.129.142.235        Failed resolution        aircrack-es.com/bin/7046/es/aircrack-ng-0.9.3-win.exe
78.129.205.54        ns45.altervista.org        pinomusik.altervista.org/
78.129.166.143        Failed resolution        activesecurityguard.cn/antimalware.exe


Here we see everything from RFI's, to fake AV's (these are the most common sighting within the RapidSwitch networks) and a spot of Koobface (e.g. svn.altervista.org/477, which as of a check a couple seconds ago, appears to have been cleaned up), with exploits such as those at pinomusik.altervista.org (see Wepawet results for details), thrown in for good measure.

I'm afraid, given this behaviour is continuing, and is in some measures, getting worse on the RS network, I believe it's safe to say RapidSwitch quite simply don't care. They ARE aware of the malicious traffic within their networks. How do I know? Well for starters, I'm not the only one to try and report it to them, and actually have them do something (I tried back in 2008, which was a complete waste of time, and have reported malicious content to them since then, with absolutely no reply (though given they blocked e-mail from me getting through to them (or so they claimed), I'm not really surprised)).

I do wonder however, how exactly they're explaining themselves to the legit customers they do actually have, and to their shareholders and whatnot (though given shareholders typically only care about profit, I doubt they care either). I suspect it's along the lines of "we're a large ISP and can't possible know about everything, and don't have access to customers servers, and ..... and ..... ", aka: excuses.

For those interested, you'll also find malicious content within the RapidSwitch networks, documented at;

MalwareURL
http://www.malwareurl.com/search.php?domain=&s=AS29131&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

MalwareDomainList
http://www.malwaredomainlist.com/mdl.php?search=29131&colsearch=All&quantity=50

Clean-MX
http://support.clean-mx.de/clean-mx/viruses.php?as=AS29131
http://support.clean-mx.de/clean-mx/phishing.php?as=AS29131

Until such time as RapidSwitch die a horrible death, or boot all of their current management/staff and hire people that actually care about more than profit, I'm personally continuing to blackhole their entire ranges, and strongly urge everyone else do the same (to those legit customers unfortunate enough to be hosted with RapidSwitch - MOVE ELSEWHERE!!!).

Tuesday, 22 December 2009

Oi! Google, WAKE UP!

After announcing to the world + dog, that they are offering their own version of OpenDNS, you'd have thought that meant they'd finally gotten serious about security (I know, I'm laughing at the thought too), but nope, Google's results are STILL littered with malicious content that will drive your PC into a frenzy, and drive you to a level of frustration you've never seen.

As a quick example, I've just spent the last 10 mins or so, going through the results for hphosts for the past month, and found the following, all of which will, if fed a Google referer, infect the living daylights out of your computer;

mayafoods.com/zgrcn/authorized.php
ordonn.com/iheae/cadets.php
kafanov.com/ruagj/cadets.php
inlinea.co.uk/adnep/simple.php
camarosource.ca/xtedb/cadets.php
kovacsnet.hu/cfywk/authorized.php
ebim.drealentejo.pt/moodle/09g64/jxt/cadets.php
healthycranberry.com/images/educatio90/lenugeratt.html


The sites you're taken to that deliver the payload, or act as redirectors to the payload, include;

protectcareone.net/in.cgi?5
protectcareone.net/redirect/
protectcareone.net/redirect2/
protectcareone.net/redirect3/
protectcareone.net/redirect4/
webillcheck.com/hitin.php?land=20&affid=92800
webillcheck.com/index.php?affid=92800
webillcheck.com/downloader.php?affid=92800
bmwcarsrent.cn/go.php?id=2004&key=ff0057594&d=1
jytxeam.cn/?uid=13400
jytxeam.cn/download/install.php?uid=13400
fisps.it/vyy/74867.php
94.142.133.125/a/?l=searchable
onlineantispywaresolutions.com/hitin.php?land=20&affid=94400
onlineantispywaresolutions.com/index.php?affid=94400
onlineantispywaresolutions.com/downloader.php?affid=94400
7newyear.com/?pid=384&sid=31797c
justrags.com/Swatches/1106/jpg.php


Worse still, is many of these have been in the results for what is considered in the security world, as a long time (over 1 week for a fake AV site to stay alive, isn't very common, domains usually die anywhere within 6 - 72 hours).

Just one of the many sites listed above, is the typical fake AV site, pretending to scan your computer, and automagically find a plethora of infections, with the end results being to download an infection to your machine, and have you pay them for doing so.

You'll find the IP's and whatnot that are involved below, but suffice to say, the usual suspects are present (Hetzner, CSSGROUP, root eSolutions etc).

Given Google offer their "diagnostics", which points out sites containing infections, and given they have what is without a doubt, one of the largest indexes available, you'd have thought they'd have invested at least a small amount of time, on additional filtering that would enable them to scan a site and give it some sort of fingerprint - a fingerprint that could then be compared to, which would have very easily identified around 90% of the malware you can find via Google (and the above is less than 0.0000001%).

If I can identify this lot in around 10 minutes, and identify it MANUALLY (I have never been a fan of automation as there's too much to go wrong), imagine what Google could save you from if they bothered getting their backsides into gear (and yep, I know Google aren't the only engine affected by this - but they're the largest and most popular).

hpObserver results
http://hosts-file.net/misc/hpObserver_-_Blackhat_SEO_continued.html

Raw results
DOMAIN        IP        IP_PTR        ASN        ASN_CIDR        ASN_DESCRIPTION        URI_PATH
justrags.com        64.29.151.221        hostedc40.carrierzone.com        AS30447        64.29.144.0/20        INFB2-AS InternetNamesForBusiness.com        /Swatches/1106/jpg.php
7newyear.com        78.46.254.17        static.78-46-254-17.clients.your-server.de        AS24940        78.46.0.0/15        HETZNER-AS Hetzner Online AG RZ        /?pid=384&sid=31797c
healthycranberry.com        74.50.21.200        decima.lunarservers.com        AS15244        74.50.21.0/24        ADDD2NET-COM-INC-DBA-LUNARPAGES Lunar Pages        /images/educatio90/lenugeratt.html
onlineantispywaresolutions.com        193.106.32.10        Failed resolution        AS20473        193.106.32.0/22        AS-CHOOPA Choopa, LLC        /downloader.php?affid=94400
onlineantispywaresolutions.com        193.106.32.10        Failed resolution        AS20473        193.106.32.0/22        AS-CHOOPA Choopa, LLC        /index.php?affid=94400
onlineantispywaresolutions.com        193.106.32.10        Failed resolution        AS20473        193.106.32.0/22        AS-CHOOPA Choopa, LLC        /hitin.php?land=20&affid=94400
94.142.133.125        94.142.133.125        h-133-125.cssgroup.lv        AS48662        94.142.128.0/21        CSSGROUP-AS SIA _CSS GROUP_        /a/?l=searchable
fisps.it        72.29.86.251        server4.hostservicenet.com        AS33182        72.29.86.0/24        DIMENOC---HOSTDIME HostDime.com, Inc.        /vyy/74867.php
kovacsnet.hu        74.55.77.138        ns1.tmdhosting210.com        AS21844        74.52.0.0/14        THEPLANET-AS ThePlanet.com Internet Services, Inc.        /cfywk/authorized.php
bey12.com        174.136.2.218        Failed resolution        AS30496        174.136.0.0/18        COLO4 Colo4Dallas LP        /jltnu/cadets.php
camarosource.ca        66.147.227.195        Unassigned-66.147.227.195.hrwebservices.net        AS4323        66.147.224.0/20        TWTC tw telecom holdings,        inc.        /xtedb/cadets.php
inlinea.co.uk        213.230.203.86        web10.000025.net        AS33970        213.230.203.0/24        OPENHOSTING M247 Ltd        /adnep/simple.php
kafanov.com        216.120.233.229        host53.hrwebservices.net        AS4323        216.120.224.0/19        TWTC tw telecom holdings, inc.        /ruagj/cadets.php
ordonn.com        69.175.66.58        cl68.justhost.com        AS32475        69.175.0.0/17        SINGLEHOP-INC SingleHop        /iheae/cadets.php
jytxeam.cn        193.169.235.6        Failed resolution        AS32181        193.169.234.0/23        ASN-ECOMD-COLOQUEST GigeNET        /download/install.php?uid=13400
jytxeam.cn        193.169.235.6        Failed resolution        AS32181        193.169.234.0/23        ASN-ECOMD-COLOQUEST GigeNET        /?uid=13400
bmwcarsrent.cn        66.232.102.67        jones.xpserv300.com        AS29802        66.232.96.0/19        HVC-AS HIVELOCITY VENTURES CORP        /go.php?id=2004&key=ff0057594&d=1
webillcheck.com        193.104.153.245        Failed resolution        AS5577        193.104.153.0/24        ROOT root eSolutions        /downloader.php?affid=92800
webillcheck.com        193.104.153.245        Failed resolution        AS5577        193.104.153.0/24        ROOT root eSolutions        /index.php?affid=92800
webillcheck.com        193.104.153.245        Failed resolution        AS5577        193.104.153.0/24        ROOT root eSolutions        /hitin.php?land=20&affid=92800
protectcareone.net        200.63.46.130        Failed resolution        AS27716        200.63.46.0/24        Eveloz        /in.cgi?5
mayafoods.com        66.147.231.38        Failed resolution        AS4323        66.147.224.0/20        TWTC tw telecom holdings, inc.        /zgrcn/authorized.php