Friday, 2 March 2012

Alert: 199.19.215.0/24

People often ask me what I do to try and escape or get a break from work, and I always give the same answer: I don't get time for breaks, there's too much to do (I thought I had 3,000 active cases; it turns out it's over 600,000 and growing daily). The latest ones involve, not surprisingly, the Blackhole exploit kit.

A friend dropped me a note about something that had been found and needed analysis. I did that, then scanned the rest of the range looking for more, and found a second server involved.

199.19.215.133
199.19.215.19

Both of these are on Vexxhost's IP space, and Vexxhost are being completely unresponsive (they were sent an e-mail etc. 2 days ago).

Filenames are a little different from last time; the code is still stupidly easy to decode though (see previous blogs on that). In this case, the files are at:

hxxp://199.19.215.133/stats/content/jav2.jar
hxxp://199.19.215.133/stats/files/18
hxxp://199.19.215.133/stats/files/19
hxxp://199.19.215.133/stats/files/23
hxxp://199.19.215.133/stats/files/24

hxxp://199.19.215.19/stats/content/jav2.jar
hxxp://199.19.215.19/stats/files/18
hxxp://199.19.215.19/stats/files/19
hxxp://199.19.215.19/stats/files/23
hxxp://199.19.215.19/stats/files/24
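For anyone who wants to sweep proxy logs for the indicators above, here is an added example (my own code, not anything from the original post or from Vexxhost). It takes the two /24 ranges named on this page (199.19.215.0/24 from the alert and 91.232.199.0/24 from the comment), the two hosts, and the /stats/content/jav2.jar and /stats/files/NN path pattern, and flags matching requests in a constructed, Squid-style "timestamp client method url" log. The log lines and the client addresses in them are made up for the demonstration; the log format is an assumption, so adapt the field split to whatever your proxy writes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the two /24 ranges and the two hosts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("199.19.215.0/24", "91.232.199.0/24")]
BLOCKED_HOSTS = {"199.19.215.133", "199.19.215.19"}

# Path shape of the files listed in the post: /stats/content/jav2.jar or /stats/files/<number>.
BH_PATH_RE = re.compile(r"^/stats/(content/jav2\.jar|files/\d+)$")

# Constructed sample proxy log (hypothetical "timestamp client method url" format).
SAMPLE_LOG = """\
1330646400.123 10.0.0.5 GET http://199.19.215.133/stats/content/jav2.jar
1330646401.456 10.0.0.5 GET http://199.19.215.133/stats/files/18
1330646402.789 10.0.0.7 GET http://www.example.com/index.html
1330646403.000 10.0.0.9 GET http://91.232.199.90/stats/files/23
1330646404.000 10.0.0.9 GET http://199.19.215.77/other/path
"""


def classify(url):
    """Return a comma-joined reason string if the URL matches an indicator, else None.

    A listed host beats a range match so the more specific reason is reported;
    the path check is independent, so a hit can carry both a host/range reason
    and a path reason.
    """
    parts = urlsplit(url)
    host = parts.hostname
    reasons = []
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # hostname rather than a literal IP, or no host at all
    if host in BLOCKED_HOSTS:
        reasons.append("known-host")
    elif ip is not None and any(ip in net for net in BLOCKED_NETWORKS):
        reasons.append("blocked-range")
    if BH_PATH_RE.match(parts.path):
        reasons.append("bh-path")
    return ",".join(reasons) or None


def scan_log(text):
    """Yield (client, url, reason) for every log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line; skip rather than guess
        _ts, client, _method, url = fields[:4]
        reason = classify(url)
        if reason:
            hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url} [{reason}]")
```

A request to an address in a listed range with an unrelated path (the last sample line) is still reported, since the whole /24 is what the alert covers; if that produces too much noise on a shared-hosting range, require "bh-path" alongside the range match before escalating.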

1 comment:

  1. Take a look at these IPs:

    109.235.49.23
    128.204.202.35
    146.185.244.14
    146.185.244.25
    188.190.98.162
    188.190.98.163
    190.123.200.110
    195.189.226.50
    199.255.236.212
    208.115.205.41
    209.135.132.62
    31.184.237.23
    46.37.186.134
    46.37.186.135
    62.122.74.105
    62.122.74.150
    66.151.138.230
    66.151.244.101
    77.79.13.88
    78.111.51.123
    79.137.237.66
    83.69.233.102
    83.69.233.17
    83.69.233.214
    83.69.233.76
    85.114.134.161
    85.192.45.75
    85.192.45.75
    85.192.45.80
    85.192.45.80
    85.192.45.81
    85.192.45.81
    91.196.216.100
    91.196.216.102
    91.196.216.152
    91.196.216.53
    91.196.216.98
    91.205.74.23
    91.213.8.222
    91.218.37.236
    91.218.38.157
    91.218.38.167
    91.218.38.168
    91.218.38.173
    91.218.38.246
    91.218.38.250
    91.218.38.251
    91.218.39.167
    91.218.39.168
    91.218.39.173
    91.232.199.100
    91.232.199.101
    91.232.199.102
    91.232.199.103
    91.232.199.104
    91.232.199.105
    91.232.199.106
    91.232.199.107
    91.232.199.108
    91.232.199.109
    91.232.199.110
    91.232.199.111
    91.232.199.112
    91.232.199.120
    91.232.199.83
    91.232.199.87
    91.232.199.88
    91.232.199.89
    91.232.199.90
    91.232.199.92
    91.232.199.93
    91.232.199.94
    91.232.199.95
    91.232.199.97
    91.232.199.98
    91.232.199.99
    95.143.193.183
    95.163.67.205
    95.163.89.229
    96.41.64.177

    All hosting BH EK.
    91.232.199.0/24
    Regards :)
