Blog for hpHosts, and whatever else I feel like writing about ....

Saturday, 2 July 2011

Criminals part 2: AS56927 GOLDENIDEAS SC GoldenIdeas SRL

This was never intended to be multipart, but I figured after part 1, I may as well do the other IPs they're using. As it happens, one of the other IP ranges they've got is through AS56927.

The /24 in question, similar to the previous one, is What's curious here, is that AS records show something interesting - an invisible link (AS52366 that AS records says doesn't exist. If we follow this, we see the /24 is leased to AS44872 TOPONLINE-AS JSC TOPONLINE, but again, the upstream is shown as "--No Registry Entry--", so who are they?. Perhaps we can do a simple tracert to find out? Lets pick a random IP on the /24 and see shall we?

Tracing route to over a maximum of 30 hops

5 35 ms 34 ms 35 ms []
6 34 ms 35 ms 35 ms []
7 35 ms 34 ms 36 ms []
8 60 ms 35 ms 35 ms []
9 36 ms 43 ms 35 ms []
10 35 ms 35 ms 35 ms []
11 52 ms 54 ms 52 ms []
12 91 ms 98 ms 125 ms []
13 * * * Request timed out.
14 82 ms 82 ms 83 ms []
15 90 ms 119 ms 82 ms []
16 84 ms 85 ms 85 ms []
17 174 ms 165 ms 163 ms

Trace complete.

Well this shows the immediate upstream, is, but they're shown as GOLDENIDEAS upstream, with a completely different ASN (AS44088 DORINEX-AS SC Dorinex Pord SRL).

Is it possible that are the missing ASN after all? They've certainly had their share of Zbot, fake casino software, fake meds etc recently. At this point it's unclear, but I suspect, given there appears to be a relation to NETSERV, the answer lies with and Dorinex. If you can shed light on AS52366, please do get in touch.

In the meantime, the following are some of the fake meds etc sites I've found on this /24, alot of which thanks to Domi at, have been suspended (I'm working on identifying the rest of them). You'll no doubt notice quite a few have moved to another Romanian ASN (, AS29568 LogicNet Telecom SRL / COMTEL-AS), itself a fan of fake meds and other badness it seems.    -    -    -    -    -    -    -    -    -

Rest assured, I'll be coming back to this in the future.



No comments: