Blog for hpHosts, and whatever else I feel like writing about ....

Monday 27 June 2011

Part 5: Interserver, malware, and the Scottish weather

Ever get the feeling HostNOC/Burst aren't taking this seriously? They took 3 years to boot these guys the first time, and now all these guys are doing is jumping across different IPs on the HostNOC/Burst AS.

The new IP they're using as of today is 173.212.255.31

Filenames occasionally change (new ones: New-Video-Addon.40028.exe, FlashPlayer.40028.exe; the old ones now produce fake 404s), but the infection certainly doesn't.

Based on what I'm seeing on the rest of the /24 (still to be confirmed, so no details yet, folks), I'd personally recommend blackholing it. Then again, and perhaps I'm being overly harsh here (who knows, maybe it'll force HostNOC/Burst to pull their finger out), it may be an idea to blackhole their entire AS.
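For anyone who wants to act on the above, here is an added example (mine, not hpHosts' own tooling) that scans proxy logs for traffic to the /24 around 173.212.255.31 or for the two filenames named in this post, and emits the Linux blackhole route for the range. The log lines are constructed in squid access.log layout using RFC 5737 test addresses for the benign entry; they are not real traffic. It deliberately does not filter on HTTP status, because the post notes the old filenames now return fake 404s, and a 404 from this server is still a hit.

```python
import ipaddress
from urllib.parse import urlparse

# The /24 this post recommends blackholing (contains 173.212.255.31).
BLOCKED_NETS = [ipaddress.ip_network("173.212.255.0/24")]

# Filenames named in the post. Only exact matches are used; the post says
# names change, so treat this list as a snapshot, not a signature.
KNOWN_FILENAMES = {"New-Video-Addon.40028.exe", "FlashPlayer.40028.exe"}

# Constructed sample lines in squid access.log format (not real traffic).
# Fields: time elapsed client code/status bytes method url ident peer/host mime
SAMPLE_LOG = """\
1309161600.123 245 10.0.0.5 TCP_MISS/200 51234 GET http://173.212.255.31/FlashPlayer.40028.exe - DIRECT/173.212.255.31 application/octet-stream
1309161601.456 12 10.0.0.7 TCP_MISS/404 412 GET http://173.212.255.31/oldname.exe - DIRECT/173.212.255.31 text/html
1309161602.789 330 10.0.0.9 TCP_MISS/200 8192 GET http://example.org/index.html - DIRECT/198.51.100.10 text/html
1309161603.000 100 10.0.0.5 TCP_MISS/200 5120 GET http://173.212.255.200/New-Video-Addon.40028.exe - DIRECT/173.212.255.200 application/octet-stream
"""


def parse_squid_line(line):
    """Pull client, status, URL and upstream peer IP out of one squid log line."""
    f = line.split()
    if len(f) < 10:
        return None
    peer = f[8].split("/", 1)[1] if "/" in f[8] else None
    return {"client": f[2], "status": f[3], "url": f[6], "peer": peer}


def ip_is_blocked(ip_str):
    """True if ip_str parses as an address inside any blocked network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # hostnames and garbage are not addresses; not blocked here
    return any(ip in net for net in BLOCKED_NETS)


def classify(entry):
    """Return the list of reasons an entry is suspicious (empty if clean)."""
    reasons = []
    parsed = urlparse(entry["url"])
    if parsed.hostname and ip_is_blocked(parsed.hostname):
        reasons.append("url-host-in-blocked-net")
    if entry["peer"] and ip_is_blocked(entry["peer"]):
        reasons.append("peer-in-blocked-net")
    filename = parsed.path.rsplit("/", 1)[-1]
    if filename in KNOWN_FILENAMES:
        reasons.append("known-malware-filename")
    # Status is intentionally ignored: fake 404s still indicate the server.
    return reasons


def scan(log_text):
    """Return (client, url, reasons) for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_squid_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["client"], entry["url"], reasons))
    return hits


def blackhole_routes(nets):
    """iproute2 commands that drop traffic to each blocked network."""
    return [f"ip route add blackhole {net}" for net in nets]


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
    for cmd in blackhole_routes(BLOCKED_NETS):
        print(cmd)
```

The example stops at the /24 because that is the only range the post gives; blackholing the whole HostNOC/Burst AS would mean enumerating every prefix that AS announces, which the post does not list. Note that a blackhole route only stops outbound traffic from the host it is added on; for a network-wide block, put the same prefix on the border router or null-route it upstream.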

References

Part 4: Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/part-4-interserver-malware-and-scottish.html

Part 3: Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/part-3-interserver-malware-and-scottish.html

Part 2: Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/part-2-interserver-malware-and-scottish.html

Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/interserver-malware-and-scottish.html
