Showing posts with the label CBL Listed.

6/07/2014

MALICIOUS UKRAINIAN BLOG VISITOR TO THIS SITE:
Domain: www.trustcombat.com
IP: 193.169.86.16
Both listed at SPAMHAUS (CBL & DBL)
Darkmailer, DirectMailer, r57shell
MALICIOUS UKRAINIAN BLOG VISITOR
DOMAIN:
http://www.trustcombat.com/
  • https://www.virustotal.com/de/url/2cf65d9d85697456c083934f86a3ff2ebe33957bdeb4a46bfcfade3757943dba/analysis/1402156166/
  • https://www.virustotal.com/de/file/7c480e29f808effb1f06aa2dfd0a97a3192fc649293ecb39679716f16c000a1a/analysis/1402155972/
SPECIFIC VISITING LINK:
http://www.trustcombat.com/faq.htm
  • https://www.virustotal.com/de/url/f82e2bab033491836777d7b66c735884473f12a8f2bc05cb94994411ab0729cc/analysis/
  • https://www.virustotal.com/de/file/dac8b8d3f068796c7eda0e4fc1e529c151fc069f0788ac2992f166f47a47b944/analysis/1402155861/
LISTED AT SPAMHAUS (DBL):
  • http://www.spamhaus.org/query/domain/trustcombat.com
SEE ALSO:
  • http://zulu.zscaler.com/submission/show/3c2cb0b556a921a810249fdbc9203e5a-1402155759
  • https://www.mywot.com/en/scorecard/trustcombat.com
ALSO:
Nginx SERVER SOFTWARE OUTDATED. VULNERABLE!
IP:
http://193.169.86.16/
  • https://www.virustotal.com/de/url/71b23f991cac80f7ca367f2d91c835c62b6b6bdb1e15965813640c1172e91429/analysis/1402157283/
  • https://www.virustotal.com/de/file/2c16cd2a73dd803fda6f64ad50e507d0d6e72474036008c13e01bbd188f22a75/analysis/1402157590/
  • https://www.virustotal.com/de/ip-address/193.169.86.16/information/

The IP Address 193.169.86.16 (IP LOCATION: Ukraine) is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy and/or some other form of botnet. It was last detected at 2014-06-06 07:00 GMT (+/- 30 minutes), approximately 1 day, 9 hours, 29 minutes ago.

It has been relisted following a previous removal at 2014-06-01 06:17 GMT (6 days, 10 hours, 21 minutes ago).

This IP is sending email in such a way as to indicate that it is, or is NATting for, a web server that is infected with a spam sending script, like Darkmailer, DirectMailer, r57shell, or some analogous Perl, PHP or CGI script.

IP LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=193.169.86.16
  • http://cbl.abuseat.org/lookup.cgi?ip=193.169.86.16
EMAIL REP: POOR
  • http://www.senderbase.org/lookup/?search_string=193.169.86.16

6/01/2014

Category MALICIOUS IP: 217.106.230.143
Infected with CONFICKER Botnet & Dictionary Attacker
CBL Listed (Russian Federation)


The IP Address 217.106.230.143 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.


It was last detected at 2014-06-01 09:00 GMT (+/- 30 minutes), approximately 3 hours ago.

This IP is infected (or NATting for a computer that is infected) with the Conficker botnet.

---------------------------------------------------------------------------------------------------------------------------------------------

IP:
http://217.106.230.143/
  • https://www.virustotal.com/de/url/2eec4640667c218ae8a6a9da97422083720b4477387dfcc59e569bd0d014d424/analysis/1401473689/
  • https://www.virustotal.com/de/ip-address/217.106.230.143/information/
Listed at SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=217.106.230.143
Listed at CBL:
  • http://cbl.abuseat.org/lookup.cgi?ip=217.106.230.143
Listed at Weighted Private Block List:
  • http://www.wpbl.info/cgi-bin/detail.cgi?ip=217.106.230.143
Listed NiX-Spam
  • http://www.dnsbl.manitu.net/?language=en
Dictionary Attacker & SPAM Sender:
SPAM MAILS SENT FROM THIS IP: 3,233
  • https://www.projecthoneypot.org/ip_217.106.230.143 
SEE ALSO:
  • http://zulu.zscaler.com/submission/show/dddc53f4ec74d5076fc8be59977acc69
  • http://www.senderbase.org/lookup/?search_string=217.106.230.143
  • http://net.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

5/20/2014

SSH Rootkit Ebury
Category MALICIOUS IP: 203.153.108.227 (INDONESIA)
Listed at SPAMHAUS (CBL)
Linux, FreeBSD or some other form of UNIX

The IP Address 203.153.108.227 is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy or some other form of botnet. It was last detected at 2014-05-20 07:00 GMT (+/- 30 minutes), approximately 10 hours ago.

Screenshot of 203.153.108.227


We have detected that this IP is NATting for, or is infected itself, with a Linux (or possibly some other Unix-like system such as FreeBSD) Trojan spam mailer script. This is no joke. This infection is extremely dangerous as it can download anything it wishes, and needs to be removed ASAP.

We do not know how the malware got installed onto the machine, but we know a lot of what it does. The main thing we've seen it doing is sending staggeringly large volumes of email spam. But it can do a lot more than that, and that is the real danger.

NEW

Of late some of these infections are facilitated by an SSH rootkit called "ebury". See this link for more detail.

In most cases, this IP address would be that of a shared hosting environment. If you are a customer of this environment, you will almost certainly not be able to do anything about it, only the administrators of the hosting environment itself can. Please contact your administrators, and refer them to this page. If the administrators are reluctant to do anything please try to convince them, because there is nothing you can do to fix this problem.

For further Info, please read the Screenshots made earlier in the Day (at the End of this Post).

----------------------------------------------------------------------------------------------------------------------------------------------

Analysis:

MALICIOUS IP (PHISH RISK: RouterOS router configuration page):

Heuristic.LooksLike.HTML.Suspicious-URL.E
http://203.153.108.227/
  • https://www.virustotal.com/de/url/0a964415fc55b5cdc18c0d36636601c5510eb3646d5ecf9a7513698add2a9817/analysis/1400587343/
Heuristic.LooksLike.HTML.Suspicious-URL.E
  • https://www.virustotal.com/de/file/e23ec81b12a8af1412ab02d126086162b758908f1cf3e26a3f9797c3da242a74/analysis/1400587434/
  • http://quttera.com/detailed_report/203.153.108.227
  • http://zulu.zscaler.com/submission/show/4b322c1b6dd9f1d6b3f50243c20b5c37-1400587353
  • http://www.wpbl.info/cgi-bin/detail.cgi?ip=203.153.108.227

SPAMSERVER & DICTIONARY ATTACKER:
  • https://www.projecthoneypot.org/ip_203.153.108.227
  • http://www.senderbase.org/lookup/?search_string=203.153.108.227
LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=203.153.108.227
CBL LISTED:
  • http://cbl.abuseat.org/lookup.cgi?ip=203.153.108.227
OTHER MALICIOUS FILE:
http://203.153.108.227/winbox/winbox.exe
  • https://www.virustotal.com/de/url/d2563f5885fbe8174154ed20d776233135b80220e97d21b3b42b231c38e69311/analysis/1400602467/
  • https://www.virustotal.com/de/file/dcc31d4643e17d31db636c8ccc7e34d004876f18b5d48828ea37e2e8e5e19bcf/analysis/1400068690/
----------------------------------------------------------------------------------------------------------------------------------------------


4/18/2014

Category MALICIOUS IP: 203.153.100.82

Infected with a spam sending trojan, proxy or some other form of botnet.
It HELOs as a bare IP address
(INDONESIA)

The IP Address 203.153.100.82 is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy or some other form of botnet. It was last detected at 2014-04-18 18:00 GMT (+/- 30 minutes), approximately 1 hour ago.

It has been relisted following a previous removal at 2014-04-09 01:07 GMT (9 days, 17 hours, 55 minutes ago).

The listing of this IP is because it HELOs as a bare IP address (a bare IP address looks like "54.33.33.5"). It is not HELO'ing as itself ("203.153.100.82"). Not only is this a violation of RFC2821/5321 section 4.1.1.1, it's even more frequently a sign of infection.
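As an added example (not part of the original post or of the CBL page it quotes), the following Python check classifies what a client presents in HELO/EHLO the way a receiving mail server might, separating a compliant hostname or bracketed address literal from the bare IP address that triggers this kind of listing. The session records are constructed sample data; the client addresses other than the two from this post are documentation-range placeholders.

```python
import ipaddress
import re

# An RFC 5321 address literal: "[1.2.3.4]" or "[IPv6:2001:db8::1]" (brackets required).
ADDRESS_LITERAL = re.compile(
    r"^\[(?:IPv6:(?P<v6>[0-9A-Fa-f:.]+)|(?P<v4>\d{1,3}(?:\.\d{1,3}){3}))\]$"
)
# Approximation of a fully-qualified hostname: at least one dot, label syntax per RFC 1123.
FQDN = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z][A-Za-z0-9-]{0,61}$"
)


def classify_helo(arg):
    """Classify a HELO/EHLO argument as 'bare-ip', 'address-literal', 'fqdn' or 'other'."""
    arg = arg.strip()
    try:
        ipaddress.ip_address(arg)   # parses only if there are no brackets: a bare IP
        return "bare-ip"
    except ValueError:
        pass
    m = ADDRESS_LITERAL.match(arg)
    if m:
        try:
            ipaddress.ip_address(m.group("v6") or m.group("v4"))
            return "address-literal"
        except ValueError:
            return "other"       # bracketed, but not a valid address
    if FQDN.match(arg):
        return "fqdn"
    return "other"               # e.g. an unqualified name such as "localhost"


# Constructed (client_ip, helo_argument) pairs as a receiving MTA would see them.
SAMPLE_SESSIONS = [
    ("198.51.100.20", "mail.example.net"),
    ("203.153.100.82", "203.153.100.82"),     # the bare-IP HELO described in the post
    ("198.51.100.21", "[198.51.100.21]"),     # address literal: compliant
    ("54.33.33.5", "54.33.33.5"),             # CBL's own illustration of a bare IP
    ("198.51.100.22", "localhost"),
    ("198.51.100.23", "[IPv6:2001:db8::1]"),
]


def flag_bare_ip_helos(sessions):
    """Return the client IPs whose HELO/EHLO argument was a bare IP address."""
    return [client for client, helo in sessions if classify_helo(helo) == "bare-ip"]


if __name__ == "__main__":
    for client, helo in SAMPLE_SESSIONS:
        print(f"{client:16} HELO {helo:22} -> {classify_helo(helo)}")
    print("clients HELOing as a bare IP:", flag_bare_ip_helos(SAMPLE_SESSIONS))
```

On a real server the same classification can be run over the HELO value your MTA logs; a host that greets with a bare IP is worth checking for the infection described above before it ends up on the CBL.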

These listings are often a sign of a compromised SSH account. If you are running an SSH service (especially on Linux), please check your SSH server logs (often /var/log/auth.log) for logins from unusual IP addresses not normally associated with that login id. If you find any, secure the associated account. This usually means changing the password or disabling the account.
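As an added example (not from the original post), here is the check that paragraph describes, in Python: it parses the "Accepted ... for USER from IP" lines that OpenSSH writes to auth.log and reports every successful login from a source address that is not in the per-user set of expected sources. The log excerpt and the known-source table are constructed; the addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Successful-login line as written by OpenSSH, e.g.
# "Apr 18 01:02:03 web1 sshd[1001]: Accepted publickey for deploy from 10.0.0.5 port 40211 ssh2"
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)

# Constructed excerpt of /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Apr 18 01:02:03 web1 sshd[1001]: Accepted publickey for deploy from 10.0.0.5 port 40211 ssh2
Apr 18 01:05:44 web1 sshd[1003]: Failed password for root from 198.51.100.7 port 51000 ssh2
Apr 18 02:17:09 web1 sshd[1010]: Accepted password for deploy from 198.51.100.7 port 51322 ssh2
Apr 18 03:30:00 web1 sshd[1021]: Accepted publickey for alice from 10.0.0.9 port 40300 ssh2
Apr 18 04:12:51 web1 sshd[1040]: Accepted password for www-data from 203.0.113.45 port 49922 ssh2
"""

# Constructed baseline: the source addresses each login id is normally used from.
KNOWN_SOURCES = {
    "deploy": {"10.0.0.5"},
    "alice": {"10.0.0.9", "10.0.0.10"},
}


def parse_accepted_logins(log_text):
    """Yield (user, ip, method) for every successful sshd login in the text."""
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("method")


def unusual_logins(log_text, known_sources):
    """Map each user to the sorted source IPs that are not in that user's known set.

    A user with no entry in known_sources has no expected sources, so every
    login for that user (e.g. a service account that should never log in) is reported.
    """
    flagged = defaultdict(set)
    for user, ip, _method in parse_accepted_logins(log_text):
        if ip not in known_sources.get(user, set()):
            flagged[user].add(ip)
    return {user: sorted(ips) for user, ips in flagged.items()}


if __name__ == "__main__":
    for user, ips in unusual_logins(SAMPLE_AUTH_LOG, KNOWN_SOURCES).items():
        print(f"{user}: logins from unexpected source(s) {', '.join(ips)}")
```

Only accepted logins are counted; the failed attempts that fill a typical auth.log are noise for this purpose. Each reported pair is an account to secure as the paragraph says: rotate its credentials or disable it, then look for what the session left behind.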

If it's a mail server, see naming problems for details on how to diagnose and fix the problem. If you are running Symantec Protection Center, this appeared to be a known issue in the past. See this Knowledge Base item. Their KB item was updated October 18, 2010 to indicate that they now understand the issue. The KB item indicates that the problem will be resolved in a "future build", but no ETA was provided. If you have SPC's email notification feature turned on, we recommend checking through the Knowledge Base item to see if your version has this issue fixed. If not, we recommend turning SPC's notification feature off before delisting your IP address as a temporary workaround.

--------------------------------------------------------------------------------------------------------------------------------------------

MALICIOUS IP:
Heuristic.LooksLike.HTML.Suspicious-URL.K
SPAMBOTSERVER, COMMENT SPAMMER, DICTIONARY ATTACKER, MALWARE
http://203.153.100.82/
  • https://www.virustotal.com/de/url/4d0bf7e41c8dceaebbafa1bf0c70c8b1560a49ce397a92df5a1913a979f70f37/analysis/1397848027/
  • https://www.virustotal.com/de/ip-address/203.153.100.82/information/
Heuristic.LooksLike.HTML.Suspicious-URL.K
  • https://www.virustotal.com/de/file/8822bad3d62e9fbc8dc272644c42f81e4fec540ef7f05c9fd7bcaa26aee7a61b/analysis/
HOSTNAME:
http://ip-82-100-static.velo.net.id/
  • https://www.virustotal.com/de/url/85f9e6aa401e85da826c0d9590b8b671a24afac3000580f79754982b0f9ffadf/analysis/1397850756/

IP BLACKLISTED AT:
1) SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/ip/203.153.100.82
2) COMPOSITE BLOCKING LIST:
  • http://cbl.abuseat.org/lookup.cgi?ip=203.153.100.82
3) SPAMCOP:
  • http://www.spamcop.net/w3m?action=checkblock&ip=203.153.100.82
4) CISCO SENDERBASE:
  • http://www.senderbase.org/lookup/?search_string=203.153.100.82
5) BLOCKLIST.DE:
  • http://www.blocklist.de/en/view.html?ip=203.153.100.82
6) PSBL.ORG:
  • http://psbl.org/listing?ip=203.153.100.82
7) WPBL.INFO:
  • http://www.wpbl.info/cgi-bin/detail.cgi?ip=203.153.100.82
8) PROJECT HONEYPOT:
  • https://www.projecthoneypot.org/ip_203.153.100.82
9) SORBS:
  • http://www.au.sorbs.net/lookup.shtml
10) NiX SPAM:
  • http://www.dnsbl.manitu.net/lookup.php?language=en&value=203.153.100.82
------------------------------------------

SEE ALSO:
  • https://urlquery.net/report.php?id=1397848399616
  • http://zulu.zscaler.com/submission/show/0d60892bc9e925ace8bf7a1c422b7358-1397848147
http://203.153.100.82/winbox/winbox.exe
  • https://www.virustotal.com/de/url/2e48031a59a5f99f23b91508988285232203405cb8640f3c8c40c24e1a702284/analysis/1397848218/
  • https://www.virustotal.com/de/file/eabfa1fd55a53367b901364486f5a5607b9ab04ad94403b7d0fc12509ad85321/analysis/

4/13/2014

Category MALICIOUS IP: Cutwail Spambot on IP 213.144.13.74 (Karlsruhe, GERMANY)
Pushdo Malware and Zeus Botnet - Dictionary Attacker


The IP Address 213.144.13.74 is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy or some other form of botnet. It was last detected at 2014-04-10 13:00 GMT (+/- 30 minutes), approximately 2 days, 23 hours, 29 minutes ago.

This IP is infected (or NATting for a computer that is infected) with the Cutwail Spambot. In other words, it's participating in a botnet.


Cutwail is a complex infection and requires a number of steps to ensure that it's eradicated.

First, Cutwail spams out very high volumes, and is one of the largest vectors of malware on the Internet, and almost every Cutwail infection also has a copy of the Pushdo (DDOS by web transaction) malware and/or the Zeus botnet. The Zeus botnet controls the Cutwail/Pushdo pair as well as doing information stealing/keyboard logging. Hence, this is a very severe threat, not just to the owner of the infected computer and the other members of your internal network (if you have one), but to the rest of the Internet too.

Second, there are two methods for detecting cutwail. One of the methods is by detecting the spams that cutwail sends. The other method does not work that way. This means that even if you block outbound port 25 from non-mail-servers on your local network, you can still detect a cutwail infection on your local network. This means that if you implement port 25 restrictions, you should implement logging so that you can detect what internal machines are being blocked by it and are thereby probably cutwail infections.

TO READ THE REST OF THIS ARTICLE, go to:

http://cbl.abuseat.org/lookup.cgi?ip=213.144.13.74

As well Listed at SORBS:
  • http://www.au.sorbs.net/lookup.shtml

Listed at SPAMRATS:
  • http://www.spamrats.com/lookup.php?ip=213.144.13.74

A small report on this IP can be seen by clicking the .txt icon:


3/15/2014

Category MALICIOUS IP: Cutwail Spambot on IP 194.176.111.154 (Kyrgyzstan)
Pushdo Malware and Zeus Botnet - Dictionary Attacker


The IP Address 194.176.111.154 is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy or some other form of botnet. It was last detected at 2014-03-15 04:00 GMT (+/- 30 minutes), approximately 5 hours ago.

This IP is infected (or NATting for a computer that is infected) with the Cutwail Spambot. In other words, it's participating in a botnet.


Cutwail is a complex infection and requires a number of steps to ensure that it's eradicated.

First, Cutwail spams out very high volumes, and is one of the largest vectors of malware on the Internet, and almost every Cutwail infection also has a copy of the Pushdo (DDOS by web transaction) malware and/or the Zeus botnet. The Zeus botnet controls the Cutwail/Pushdo pair as well as doing information stealing/keyboard logging. Hence, this is a very severe threat, not just to the owner of the infected computer and the other members of your internal network (if you have one), but to the rest of the Internet too.

Second, there are two methods for detecting cutwail. One of the methods is by detecting the spams that cutwail sends. The other method does not work that way. This means that even if you block outbound port 25 from non-mail-servers on your local network, you can still detect a cutwail infection on your local network. This means that if you implement port 25 restrictions, you should implement logging so that you can detect what internal machines are being blocked by it and are thereby probably cutwail infections.
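The Cutwail text in this post and in the 4/13/2014 post above both recommend logging what the outbound port 25 restriction blocks, so that the internal machines hitting it can be found. As an added example (not from the original posts or from CBL), this Python snippet reads netfilter LOG lines of the kind iptables produces for such a rule and ranks internal hosts by how many distinct external mail servers they tried to reach directly; a spambot fans out to many MX hosts, which is the pattern to look for. The log lines, the "OUT25-BLOCK:" log prefix and all addresses are constructed.

```python
import re
from collections import defaultdict

# Key=value fields of interest in a netfilter LOG line.
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed kernel log excerpt from a rule such as
#   iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "OUT25-BLOCK: "
# placed before the DROP for non-mail-server hosts (the relay itself is exempted earlier).
SAMPLE_KERNEL_LOG = """\
Apr 10 12:00:01 gw kernel: OUT25-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
Apr 10 12:00:02 gw kernel: OUT25-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51235 DPT=25 SYN
Apr 10 12:00:03 gw kernel: OUT25-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44000 DPT=25 SYN
Apr 10 12:00:04 gw kernel: OUT25-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.8 LEN=60 PROTO=TCP SPT=51236 DPT=25 SYN
Apr 10 12:00:05 gw kernel: OTHER: IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51237 DPT=443 SYN
"""


def parse_netfilter_line(line):
    """Return the SRC/DST/PROTO/DPT fields of a netfilter LOG line as a dict."""
    return dict(FIELD.findall(line))


def blocked_smtp_destinations(log_text, prefix="OUT25-BLOCK:"):
    """Map each internal source to the set of external SMTP destinations it was blocked from."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        if prefix not in line:
            continue                      # logged by some other rule
        f = parse_netfilter_line(line)
        if f.get("PROTO") == "TCP" and f.get("DPT") == "25":
            dests[f["SRC"]].add(f["DST"])
    return dests


def suspect_hosts(log_text, min_destinations=2):
    """Internal hosts that tried to reach at least min_destinations distinct mail servers."""
    dests = blocked_smtp_destinations(log_text)
    return sorted(src for src, d in dests.items() if len(d) >= min_destinations)


if __name__ == "__main__":
    for src, d in blocked_smtp_destinations(SAMPLE_KERNEL_LOG).items():
        print(f"{src}: blocked towards {len(d)} distinct SMTP destination(s)")
    print("hosts to inspect for Cutwail:", suspect_hosts(SAMPLE_KERNEL_LOG))
```

A single blocked attempt can be a misconfigured client; the threshold keeps the report focused on hosts that behave like a spam engine, and each one listed is a machine to pull off the network and clean as the CBL text describes.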

TO READ THE REST OF THIS ARTICLE, go to:

http://cbl.abuseat.org/lookup.cgi?ip=194.176.111.154

A small report on this IP can be seen by clicking the .txt icon:


3/11/2014

Category MALICIOUS IP: 177.55.96.212 (BRAZIL)
Listed at SPAMHAUS (CBL)
Linux, FreeBSD or some other form of UNIX

The IP Address 177.55.96.212 is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy or some other form of botnet. It was last detected at 2014-03-04 14:00 GMT (+/- 30 minutes), approximately 6 days, 21 hours ago.

CBL has detected that this IP is infected with (or NATting for) a spambot that attempts to break into other systems using stolen or compromised credentials and sends VERY VERY large volumes of spam. The infected machine is probably Linux, FreeBSD or some other form of UNIX, but sometimes Windows machines are infected. CBL has zero tolerance for reinfections.

Of late some of these infections are facilitated by an SSH rootkit. See this link for more details.



In most cases, this IP address would be that of a shared hosting environment. If you are a customer of this environment, you will almost certainly not be able to do anything about it, only the administrators of the hosting environment itself can. Please contact your administrators, and refer them to this page.

If the administrators are reluctant to do anything please try to convince them, because there is nothing you can do to fix this problem.

One way of finding the user that is infected and spewing spam is to use the "lsof" (list open files) utility. "lsof" is available for most versions of UNIX-like systems such as Linux as part of the official distribution, but may not be installed by default. So first, make sure you have it installed. On many systems such as Ubuntu, you can install it by:

TO READ THE REST OF THIS ARTICLE, go to:

http://cbl.abuseat.org/lookup.cgi?ip=177.55.96.212

An example of a malicious domain hosted on this IP:
http://jatrol.com.br/
To see the full report on this domain, click the .txt icon:
