What do you do when you need lots of IPs to house your fake meds and other criminal sites? Use botnets? Compromised sites/servers? That's certainly what the bad guys involved in exploits, malware and other badness like to do. Of course, another favourite of the bad guys is to set up their own ASNs, complete with batches of IPs and IP ranges, to house their criminal activities. This is exactly...
Wednesday, 29 June 2011
Tuesday, 28 June 2011


If you've not already done so, you'll want to block 78.111.51.100 ASAP. It's currently housing a plethora of domains that are serving malware via exploit. Payloads are coming from paths such as;

thujkdswg.tld.tc/k.php?f=20&e=3
-> about.exe
--> 3c6d68ea89512089df0cd7629439c378

You'll no doubt notice the usual suspects as far as the ccTLD branches (redirection services serving off of ccTLDs such as ....


Looks like HostNOC/Burst finally pulled their finger out. Over the past 24 hours, they've now moved to a bulletproof host (193.105.171.70, AS50669 COOLVDS-as FOP Kutcevol Maksum Mukolaevich). If you've not already, you may want to consider blackholing the following;

91.218.120.0/22
193.105.171.0/24

Registrars used haven't changed, still using DirectI resellers, DomainContext and UK2. Thankfully,...
Monday, 27 June 2011


Ever get the feeling HostNOC/Burst aren't taking this seriously? They took 3 years to boot these guys the first time, and now all they're doing is jumping across different IPs on the HostNOC/Burst AS.

The new IP they're using as of today: 173.212.255.31

Filenames occasionally change (new ones: New-Video-Addon.40028.exe, FlashPlayer.40028.exe; old ones produce fake 404s), but the infection...
Thursday, 23 June 2011


Opinion

A recent newspaper investigation uncovered evidence that companies are paying agencies to create false online reviews for their services. But what those companies may not realise is that this is illegal and could ruin their businesses. The practice is called astroturfing, because it fakes grass-roots support, and it is not only ethically questionable, it is illegal. And if the law doesn't...
Wednesday, 22 June 2011


Well that didn't take them long. They're back to .in domains, and have moved to the well known SwiftWay (AS35017).

New payload URL: rhyzilch.in/FlashPlayer.40028.exe
IP: 46.21.159.228
PTR: 228.159.21.46.inferno.name
MD5: 42a61ad4f894d9d21434cc5d5819aaef

This /24 of course, as with all SwiftWay ranges, is no stranger to malicious content, having hosted everything from fake AVs to trojans, and even fake...


Well, the bad guys tried fooling everyone by changing the filename yet again (sorry Mr Bad Guy - we're not that stupid). You'll remember that they were using HostNOC as of the latest incarnations, and I both e-mailed and phoned HostNOC on the 20th, the day the move was made, and the person I spoke to advised me they were giving the customer a 24 hour warning. 3 days later, and it was still onl...
Sunday, 19 June 2011


Not surprisingly, since my last post, they've switched the latest ones back to HostNOC/Burst.Net (same company that took 3 years to boot them last time). Registrars are primarily DirectI and UK2 (who don't seem to be replying ....). DirectI have been shutting down those I've found within 30 mins of their being reported. I've likely missed quite a few since my sleeping meds knocked me out for...
Thursday, 16 June 2011


They say if you don't like the Scottish weather, wait 20 mins. That's all I've got on that one.

In the last few weeks alone, 2 specific IPs have racked up a count of over 2000 malicious domains, most through just a handful of registrars (all those through DirectI have been suspended within around 20 mins on average of being discovered, with DirectI suspending several thousand more related...
Sunday, 12 June 2011


I get a few of these, and they always make me laugh. Seems some people don't bother reading or researching what hpHosts actually is before e-mailing me.

Name: Hugo
E-mail: {REMOVED}
How did you find us?: Other...
Other: Not provided
Site navigation: Very easy
Comments: Please add my site to your database.

I've removed his e-mail address to save him some embarrassment, but a little hint to those of ...
Wednesday, 1 June 2011


For web applications to spring even farther ahead of traditional software, our teams need to make use of new capabilities available in modern browsers. For example, desktop notifications for Gmail and drag-and-drop file upload in Google Docs require advanced browsers that support HTML5. Older browsers just don't have the chops to provide you with the same high-quality experience. For this reason,...