
5/23/2014

Potentially Malicious Host IP: 216.40.47.17
Combined attack from Part of Botnet
Toronto, Canada

Potentially Malicious IP:
  • See Comments Below: https://www.projecthoneypot.org/ip_216.40.47.17

ATTEMPTED ADMIN EXPLOIT HACK
(Attempt to access a non-existent admin area using a known exploit)
Combined attack from Part of Botnet:

216.40.47.17 - Canada - Tucows International - Domain: theblackberrydiaries.com
216.154.213.199 - United States - Strategic Systems Consulting - Hostname: babygo.zeebu.com - Domain: zeebu.com - Resolve Host: brennix.com, northernartglass.com, ryersontennisclub.com, megamenus.com, kathybuckworth.com, centos5.brennix.com, epixus.com

COMMON USER-AGENT:
"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"

SMALL SAMPLE:
theblackberrydiaries.com - - [16/Jan/2012:10:16:44 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 435 "-"
theblackberrydiaries.com - - [16/Jan/2012:10:16:44 +0000] "GET /ixxx/admin/xxx HTTP/1.1" 403 437 "-"
northernartglass.com - - [16/Jan/2012:10:16:44 +0000] "GET /admin/xxx HTTP/1.1" 403 411 "-"
ryersontennisclub.com - - [16/Jan/2012:10:16:44 +0000] "GET /admin/xxx HTTP/1.1" 403 413 "-"
megamenus.com - - [16/Jan/2012:10:16:45 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 429 "-"
kathybuckworth.com - - [16/Jan/2012:10:16:45 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 427 "-"
centos5.brennix.com - - [16/Jan/2012:10:17:03 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 437 "-"
brennix.com - - [16/Jan/2012:10:17:04 +0000] "GET /admin/xxx HTTP/1.1" 403 411 "-"
epixus.com - - [16/Jan/2012:10:17:04 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 439 "-"
demo.northernartglass.com - - [16/Jan/2012:10:17:04 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 435 "-"
demo.brennix.com - - [16/Jan/2012:10:17:05 +0000] "GET /admin/xxx HTTP/1.1" 403 413 "-"
old.northernartglass.com - - [16/Jan/2012:10:17:06 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 437 "-"
new.northernartglass.com - - [16/Jan/2012:10:25:20 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 439 "-"
m.brennix.com - - [16/Jan/2012:10:25:21 +0000] "GET /admin/xxx HTTP/1.1" 403 413 "-"
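The sample above shows the signature of a distributed admin-area probe: one source hitting the same "/admin" path on many virtual hosts within seconds, every request rejected with a 403. The following detector is an added example (not code from the original post); it parses the page's vhost-first log format (vhost, two dashes, timestamp, request, status, bytes, referer, with no client-IP column, exactly as the sample is printed), keeps only rejected requests to an "admin" path segment, clusters them in time and alerts when one burst touches at least `min_hosts` distinct vhosts. The 60-second gap and the 5-host threshold are assumptions chosen for this sample; the sample input is the page's 14 lines plus one constructed benign request.

```python
import re
from datetime import datetime

# Apache-style vhost log line as printed in the page's SMALL SAMPLE:
# vhost - - [timestamp] "METHOD path proto" status bytes "referer" ["user-agent"]
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)"'
    r'(?: "(?P<ua>[^"]*)")?'
)
# "admin" as a whole path segment: /admin, /admin/..., /xxx/admin/xxx
ADMIN_PATH_RE = re.compile(r'(^|/)admin(/|$)')

# Sample input: the 14 lines from the page's SMALL SAMPLE plus one constructed
# benign request (200 on /index.html) that the detector must ignore.
SAMPLE_LINES = """\
theblackberrydiaries.com - - [16/Jan/2012:10:16:44 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 435 "-"
theblackberrydiaries.com - - [16/Jan/2012:10:16:44 +0000] "GET /ixxx/admin/xxx HTTP/1.1" 403 437 "-"
northernartglass.com - - [16/Jan/2012:10:16:44 +0000] "GET /admin/xxx HTTP/1.1" 403 411 "-"
ryersontennisclub.com - - [16/Jan/2012:10:16:44 +0000] "GET /admin/xxx HTTP/1.1" 403 413 "-"
megamenus.com - - [16/Jan/2012:10:16:45 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 429 "-"
kathybuckworth.com - - [16/Jan/2012:10:16:45 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 427 "-"
brennix.com - - [16/Jan/2012:10:16:50 +0000] "GET /index.html HTTP/1.1" 200 5120 "-"
centos5.brennix.com - - [16/Jan/2012:10:17:03 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 437 "-"
brennix.com - - [16/Jan/2012:10:17:04 +0000] "GET /admin/xxx HTTP/1.1" 403 411 "-"
epixus.com - - [16/Jan/2012:10:17:04 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 439 "-"
demo.northernartglass.com - - [16/Jan/2012:10:17:04 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 435 "-"
demo.brennix.com - - [16/Jan/2012:10:17:05 +0000] "GET /admin/xxx HTTP/1.1" 403 413 "-"
old.northernartglass.com - - [16/Jan/2012:10:17:06 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 437 "-"
new.northernartglass.com - - [16/Jan/2012:10:25:20 +0000] "GET /xxx/admin/xxx HTTP/1.1" 403 439 "-"
m.brennix.com - - [16/Jan/2012:10:25:21 +0000] "GET /admin/xxx HTTP/1.1" 403 413 "-"
""".splitlines()


def parse_line(line):
    """Parse one vhost log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def is_admin_probe(ev):
    """A rejected request (401/403/404) to an 'admin' path segment."""
    return ev["status"] in (401, 403, 404) and ADMIN_PATH_RE.search(ev["path"]) is not None


def find_admin_scans(lines, window_seconds=60, min_hosts=5):
    """Cluster admin probes whose inter-arrival gap is <= window_seconds and
    report every cluster that touches at least min_hosts distinct vhosts."""
    events = [e for e in map(parse_line, lines) if e is not None and is_admin_probe(e)]
    events.sort(key=lambda e: e["ts"])
    clusters, current = [], []
    for ev in events:
        if current and (ev["ts"] - current[-1]["ts"]).total_seconds() > window_seconds:
            clusters.append(current)
            current = []
        current.append(ev)
    if current:
        clusters.append(current)
    alerts = []
    for c in clusters:
        hosts = sorted({e["vhost"] for e in c})
        if len(hosts) >= min_hosts:
            alerts.append({"start": c[0]["ts"], "end": c[-1]["ts"],
                           "requests": len(c), "hosts": hosts})
    return alerts


if __name__ == "__main__":
    for a in find_admin_scans(SAMPLE_LINES):
        print(f"{a['start']:%H:%M:%S}-{a['end']:%H:%M:%S}: {a['requests']} admin probes "
              f"across {len(a['hosts'])} vhosts: {', '.join(a['hosts'])}")
```

On the sample this yields one alert: the 12 probes between 10:16:44 and 10:17:06 across 11 vhosts. The two requests at 10:25 form a second cluster that stays below the host threshold, and the constructed 200 response is ignored. Because the vhost log format drops the client address, this rule keys on behaviour rather than on the IP the post names; on a server that logs the client IP and User-Agent, grouping by those fields first gives the same result with fewer false positives.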

-----------------------------------------------------------------------------------------------------

The domain lvchildcareconnection.com is spamming really heavily; please flag this IP as a dangerous IP.

-----------------------------------------------------------------------------------------------------
http://216.40.47.17/ 
  • https://www.virustotal.com/de/url/bc9a5dc68621a1bbff0dcd909b5519b839459e17816845554c105c06aa0e7e8f/analysis/1400862995/
  • https://www.virustotal.com/de/ip-address/216.40.47.17/information/
  • http://www.senderbase.org/lookup/?search_string=216.40.47.17

5/21/2014

Snowshoe Spam & PHISHING from
hintcontrol.com

"Recevez vos 2222Eur de B0nus" ("Receive your 2222 Euro Bonus")
Hamilton, CANADA IP: 68.66.63.47 (Listed at SPAMHAUS)


Receive your 2222€ of

welcome now!

On top of that, we offer special free bonuses.

Here is how to receive your 2222€:

• Open an account

• Go to the live chat by clicking here and enter the following code: 2222

• Select a game you would like to play from the available options

• You have 48 hours to claim the bonus

Contact us to claim your 2222€.

Our friendly support team is available 24/7.

Be quick - this offer is valid for a limited period!

Regards,
John F.

MAIL SCREENSHOT
--------------------------------------------------------------------------------------------------------------------------------------------

PHISHING, SPAM & SCAM DOMAIN:
http://hintcontrol.com/
  • https://www.virustotal.com/de/url/d08035f592b89fcc08f095f6223461b8398777c25df0021def4233588d6d0577/analysis/1400676550/
OTHER LINKS IN THE MAIL:
http://hintcontrol.com/link.php
  • https://www.virustotal.com/de/url/a4e0ade9db3e028e094bf4969ce3b7cb80783d9d3f6ecf1478f780aae2dc235c/analysis/1400676704/
  • https://www.virustotal.com/de/file/22fc373d3b3ab36009613adfd7bb60f7135a4f510aa31808856e721dd5799d0c/analysis/1391621840/
http://hintcontrol.com/open.php
  • https://www.virustotal.com/de/url/7da87cb951f0d660fc77ec4729444510a0306b278147b9baeef07553f0b39f58/analysis/1400676746/
  • https://www.virustotal.com/de/file/dd5bdccb831d1b19c505bd3e67553f6049cea2e20dba7eb231a02ed0103e521f/analysis/1400396318/
http://hintcontrol.com/unsubscribe.php
  • https://www.virustotal.com/de/url/4b68e4d1860ce9b98bbf19294b988dede6aa7c34ef59a64241698795940def92/analysis/1400676787/
  • https://www.virustotal.com/de/file/fb18ec2dc45858efd8a69d17873eb1a92801a4af8e6b6a44b03e9e7a69d11ffd/analysis/1391621799/
BLACKLISTS:
  • http://www.spamhaus.org/query/domain/hintcontrol.com
  • https://www.mywot.com/en/scorecard/hintcontrol.com
  • http://www.surbl.org/lists
  • http://zulu.zscaler.com/submission/show/4e639b2311aa3e474bcb1eba327a1e3a-1400676384
DOMAIN-IP (ANALYSIS MOMENT):
http://68.66.63.47/
  • https://www.virustotal.com/de/url/fc053947e300bbe62a101a18295c553058b0ff9912a9c414cb539a19f512d509/analysis/1400677067/
  • https://www.virustotal.com/de/ip-address/68.66.63.47/information/
SNOWSHOE SPAM BLACKLISTED AT:
  • http://www.spamhaus.org/query/bl?ip=68.66.63.47
  • http://www.spamhaus.org/sbl/query/SBL218662
  • http://www.spamhaus.org/sbl/listings/networxhosting.com
  • http://networxhosting.com/
  • https://www.virustotal.com/de/url/7d49824dde2a6c1f3bf7794240fb4638a87c1c1e420a2a65720a791662f96543/analysis/1400677424/
  • http://www.senderbase.org/lookup/?search_string=68.66.63.47
  • http://zulu.zscaler.com/submission/show/ec6dd530622db7ec31301159b81b7e9c-1400676906
MAIL ORIGINATING IP(s):
http://14.4.22.14/ (SOUTH KOREA)
  • https://www.virustotal.com/de/url/b4587224cb226aefacab1ed4e70d2e0695db607469fdb4c0f5c2084182957e5b/analysis/1400677788/
LISTED AT SPAMHAUS (SBL & DROP)
  • http://www.spamhaus.org/query/ip/14.4.22.14
  • http://www.spamhaus.org/sbl/query/SBL187947
  • http://www.senderbase.org/lookup/?search_string=14.4.22.14
http://68.66.63.122/
  • https://www.virustotal.com/de/url/379fe4b9d56b57279031e9cf4f00f5452269914c30abdc837c567845c0dd49cb/analysis/1400678183/
LISTED AT SPAMHAUS (SBL):
  • http://www.spamhaus.org/query/bl?ip=68.66.63.122
  • http://www.spamhaus.org/sbl/query/SBL218662
  • http://www.senderbase.org/lookup/?search_string=68.66.63.122

IP RANGE INCLUDES THE FOLLOWING BLACKLISTED DOMAINS (IPs):
68.66.63.2    sightsetup.com    listed
68.66.63.3    setuplevel.com    listed
68.66.63.4    setupidea.com    listed
68.66.63.5    setupgrade.com    listed
68.66.63.6    directsetup.com    listed
68.66.63.7    setuphint.com    listed
68.66.63.8    ranklevel.com    listed
68.66.63.9    hintrank.com    listed
68.66.63.10    sightbusiness.com listed
68.66.63.11    officelevel.com    listed
68.66.63.12    sortideas.com    listed
68.66.63.13    steadysort.com    listed
68.66.63.14    guidehint.com    listed
68.66.63.15    sightlead.com    listed
68.66.63.16    steadylead.com    listed
68.66.63.17    leadsetup.com    listed
68.66.63.18    setuplead.com    listed
68.66.63.19    managesight.com    listed
68.66.63.20    managestatus.com listed
68.66.63.21    managesetup.com    listed
68.66.63.22    hintcontrol.com    listed
68.66.63.23    controlimage.com listed
68.66.63.24    pointsteady.com    listed
68.66.63.25    setupoint.com    listed
68.66.63.26    channelidea.com    listed
68.66.63.27    sightsetup.com    listed
68.66.63.28    setuplevel.com    listed
68.66.63.29    setupidea.com    listed
68.66.63.30    setupgrade.com    listed
68.66.63.31    directsetup.com    listed
68.66.63.32    setuphint.com    listed
68.66.63.33    ranklevel.com    listed
68.66.63.34    hintrank.com    listed
68.66.63.35    sightbusiness.com listed
68.66.63.36    officelevel.com    listed
68.66.63.37    sortideas.com    listed
68.66.63.38    steadysort.com    listed
68.66.63.39    guidehint.com    listed
68.66.63.40    sightlead.com    listed
68.66.63.41    steadylead.com    listed
68.66.63.42    leadsetup.com    listed
68.66.63.43    setuplead.com    listed
68.66.63.44    managesight.com    listed
68.66.63.45    managestatus.com listed
68.66.63.46    managesetup.com    listed
68.66.63.47    hintcontrol.com    listed
68.66.63.48    controlimage.com listed
68.66.63.49    pointsteady.com    listed
68.66.63.50    setupoint.com    listed
68.66.63.51    channelidea.com    listed
68.66.63.52    sightsetup.com    listed
68.66.63.53    setuplevel.com    listed
68.66.63.54    setupidea.com    listed
68.66.63.55    setupgrade.com    listed
68.66.63.56    directsetup.com    listed
68.66.63.57    setuphint.com    listed
68.66.63.58    ranklevel.com    listed
68.66.63.59    hintrank.com    listed
68.66.63.60    sightbusiness.com listed
68.66.63.61    officelevel.com    listed
68.66.63.62    sortideas.com    listed
68.66.63.63    steadysort.com    listed
68.66.63.64    guidehint.com    listed
68.66.63.65    sightlead.com    listed
68.66.63.66    steadylead.com    listed
68.66.63.67    leadsetup.com    listed
68.66.63.68    setuplead.com    listed
68.66.63.69    managesight.com    listed
68.66.63.70    managestatus.com listed
68.66.63.71    managesetup.com    listed
68.66.63.72    hintcontrol.com    listed
68.66.63.73    controlimage.com listed
68.66.63.74    pointsteady.com    listed
68.66.63.75    setupoint.com    listed
68.66.63.76    channelidea.com    listed
68.66.63.77    sightsetup.com    listed
68.66.63.78    setuplevel.com    listed
68.66.63.79    setupidea.com    listed
68.66.63.80    setupgrade.com    listed
68.66.63.81    directsetup.com    listed
68.66.63.82    setuphint.com    listed
68.66.63.83    ranklevel.com    listed
68.66.63.84    hintrank.com    listed
68.66.63.85    sightbusiness.com listed
68.66.63.86    officelevel.com    listed
68.66.63.87    sortideas.com    listed
68.66.63.88    steadysort.com    listed
68.66.63.89    guidehint.com    listed
68.66.63.90    sightlead.com    listed
68.66.63.91    steadylead.com    listed
68.66.63.92    leadsetup.com    listed
68.66.63.93    setuplead.com    listed
68.66.63.94    managesight.com    listed
68.66.63.95    managestatus.com listed
68.66.63.96    managesetup.com    listed
68.66.63.97    hintcontrol.com    listed
68.66.63.98    controlimage.com listed
68.66.63.99    pointsteady.com    listed
68.66.63.100    setupoint.com    listed
68.66.63.101    channelidea.com    listed
68.66.63.102    sightsetup.com    listed
68.66.63.103    setuplevel.com    listed
68.66.63.104    setupidea.com    listed
68.66.63.105    setupgrade.com    listed
68.66.63.106    directsetup.com    listed
68.66.63.107    setuphint.com    listed
68.66.63.108    ranklevel.com    listed
68.66.63.109    hintrank.com    listed
68.66.63.110    sightbusiness.com listed
68.66.63.111    officelevel.com    listed
68.66.63.112    sortideas.com    listed
68.66.63.113    steadysort.com    listed
68.66.63.114    guidehint.com    listed
68.66.63.115    sightlead.com    listed
68.66.63.116    steadylead.com    listed
68.66.63.117    leadsetup.com    listed
68.66.63.118    setuplead.com    listed
68.66.63.119    managesight.com    listed
68.66.63.120    managestatus.com listed
68.66.63.121    managesetup.com    listed
68.66.63.122    hintcontrol.com    listed
68.66.63.123    controlimage.com listed
68.66.63.124    pointsteady.com    listed
68.66.63.125    setupoint.com    listed
68.66.63.126    channelidea.com    listed
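The table above is the classic snowshoe footprint: 125 consecutive addresses, 25 throwaway domains assembled from the same handful of words, each domain rotating back every 25 addresses so that no single IP or domain carries enough volume to trip a per-sender reputation threshold. The following is an added example (not code from the original post) that parses rows in the page's "ip domain listed" layout and computes the numbers a reviewer would use to call the block a single operator's: how many addresses, how many distinct domains, whether every address is already listed, and the rotation stride (the greatest common divisor of the address distances between reuses of the same domain). The sample embedded below is the first 30 rows of the page's table; the thresholds in `looks_like_snowshoe` are assumptions chosen for illustration.

```python
import re
from functools import reduce
from ipaddress import IPv4Address
from math import gcd

# Row layout as printed on the page: "<ip>    <domain>    listed"
ROW_RE = re.compile(r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)')

# Sample input: the first 30 rows of the page's range table (68.66.63.2-.31).
RANGE_TABLE = """\
68.66.63.2    sightsetup.com    listed
68.66.63.3    setuplevel.com    listed
68.66.63.4    setupidea.com    listed
68.66.63.5    setupgrade.com    listed
68.66.63.6    directsetup.com    listed
68.66.63.7    setuphint.com    listed
68.66.63.8    ranklevel.com    listed
68.66.63.9    hintrank.com    listed
68.66.63.10    sightbusiness.com listed
68.66.63.11    officelevel.com    listed
68.66.63.12    sortideas.com    listed
68.66.63.13    steadysort.com    listed
68.66.63.14    guidehint.com    listed
68.66.63.15    sightlead.com    listed
68.66.63.16    steadylead.com    listed
68.66.63.17    leadsetup.com    listed
68.66.63.18    setuplead.com    listed
68.66.63.19    managesight.com    listed
68.66.63.20    managestatus.com listed
68.66.63.21    managesetup.com    listed
68.66.63.22    hintcontrol.com    listed
68.66.63.23    controlimage.com listed
68.66.63.24    pointsteady.com    listed
68.66.63.25    setupoint.com    listed
68.66.63.26    channelidea.com    listed
68.66.63.27    sightsetup.com    listed
68.66.63.28    setuplevel.com    listed
68.66.63.29    setupidea.com    listed
68.66.63.30    setupgrade.com    listed
68.66.63.31    directsetup.com    listed
"""


def parse_range_table(text):
    """Return a list of (IPv4Address, domain, listed) tuples; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((IPv4Address(m.group(1)), m.group(2).lower(), m.group(3).lower() == "listed"))
    return rows


def snowshoe_summary(rows):
    """Aggregate the range: address/domain counts, listing count and rotation stride."""
    by_domain = {}
    for ip, dom, _ in rows:
        by_domain.setdefault(dom, []).append(int(ip))
    diffs = set()
    for ips in by_domain.values():
        ips.sort()
        diffs.update(b - a for a, b in zip(ips, ips[1:]))
    # gcd of all reuse distances; 25 here means the same domain returns every 25 addresses
    stride = reduce(gcd, diffs) if diffs else None
    return {
        "addresses": len(rows),
        "distinct_domains": len(by_domain),
        "listed": sum(1 for _, _, listed in rows if listed),
        "rotation_stride": stride,
        "max_ips_per_domain": max((len(v) for v in by_domain.values()), default=0),
    }


def looks_like_snowshoe(summary, min_addresses=16, min_domain_ratio=0.5, min_listed_ratio=0.9):
    """Heuristic (assumed thresholds): a sizeable block where most addresses carry their own
    domain and either the domains rotate on a fixed stride or nearly all addresses are listed."""
    n = summary["addresses"]
    if n < min_addresses:
        return False
    spread = summary["distinct_domains"] / n >= min_domain_ratio
    rotating = summary["rotation_stride"] is not None
    listed = summary["listed"] / n >= min_listed_ratio
    return spread and (rotating or listed)


if __name__ == "__main__":
    s = snowshoe_summary(parse_range_table(RANGE_TABLE))
    print(s, "-> snowshoe" if looks_like_snowshoe(s) else "-> no verdict")
```

On the 30-row sample the summary reports 30 addresses, 25 distinct domains, all 30 listed and a rotation stride of 25, which is exactly the period visible in the full table. Run over the complete 125 rows the stride is still 25 and every domain appears 5 times, so a block-level listing (as Spamhaus did with the SBL entry above) is the proportionate response rather than chasing single IPs.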

5/20/2014

SSH Rootkit Ebury
Category MALICIOUS IP: 203.153.108.227 (INDONESIA)
Listed at SPAMHAUS (CBL)
Linux, FreeBSD or some other form of UNIX

The IP Address 203.153.108.227 is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy or some other form of botnet. It was last detected at 2014-05-20 07:00 GMT (+/- 30 minutes), approximately 10 hours ago.

Screenshot of 203.153.108.227


We have detected that this IP is NATting for, or is infected itself, with a Linux (or possibly some other Unix-like system such as FreeBSD) Trojan spam mailer script. This is no joke. This infection is extremely dangerous as it can download anything it wishes, and needs to be removed ASAP.

We do not know how the malware got installed onto the machine, but we know a lot of what it does. The main thing we've seen it doing is sending staggering large volumes of email spam. But it can do a lot more than that, and that is the real danger.

NEW

Of late some of these infections are facilitated by an SSH Rootkit called "ebury". See this link for more detail.

In most cases, this IP address would be that of a shared hosting environment. If you are a customer of this environment, you will almost certainly not be able to do anything about it, only the administrators of the hosting environment itself can. Please contact your administrators, and refer them to this page. If the administrators are reluctant to do anything please try to convince them, because there is nothing you can do to fix this problem.

For further info, please see the screenshots made earlier in the day (at the end of this post).

----------------------------------------------------------------------------------------------------------------------------------------------

Analysis:

MALICIOUS IP (PHISH RISK: RouterOS router configuration page):

Heuristic.LooksLike.HTML.Suspicious-URL.E
http://203.153.108.227/
  • https://www.virustotal.com/de/url/0a964415fc55b5cdc18c0d36636601c5510eb3646d5ecf9a7513698add2a9817/analysis/1400587343/
Heuristic.LooksLike.HTML.Suspicious-URL.E
  • https://www.virustotal.com/de/file/e23ec81b12a8af1412ab02d126086162b758908f1cf3e26a3f9797c3da242a74/analysis/1400587434/
  • http://quttera.com/detailed_report/203.153.108.227
  • http://zulu.zscaler.com/submission/show/4b322c1b6dd9f1d6b3f50243c20b5c37-1400587353
  • http://www.wpbl.info/cgi-bin/detail.cgi?ip=203.153.108.227

SPAMSERVER & DICTIONARY ATTACKER:
  • https://www.projecthoneypot.org/ip_203.153.108.227
  • http://www.senderbase.org/lookup/?search_string=203.153.108.227
LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=203.153.108.227
CBL LISTED:
  • http://cbl.abuseat.org/lookup.cgi?ip=203.153.108.227
OTHER MALICIOUS FILE:
http://203.153.108.227/winbox/winbox.exe
  • https://www.virustotal.com/de/url/d2563f5885fbe8174154ed20d776233135b80220e97d21b3b42b231c38e69311/analysis/1400602467/
  • https://www.virustotal.com/de/file/dcc31d4643e17d31db636c8ccc7e34d004876f18b5d48828ea37e2e8e5e19bcf/analysis/1400068690/
----------------------------------------------------------------------------------------------------------------------------------------------