
6/01/2014

Category MALICIOUS IP: 217.106.230.143
Infected with CONFICKER Botnet & Dictionary Attacker
CBL Listed (Russian Federation)


The IP Address 217.106.230.143 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.


It was last detected at 2014-06-01 09:00 GMT (+/- 30 minutes), approximately 3 hours ago.

This IP is infected (or NATting for a computer that is infected) with the Conficker botnet.

---------------------------------------------------------------------------------------------------------------------------------------------

IP:
http://217.106.230.143/
  • https://www.virustotal.com/de/url/2eec4640667c218ae8a6a9da97422083720b4477387dfcc59e569bd0d014d424/analysis/1401473689/
  • https://www.virustotal.com/de/ip-address/217.106.230.143/information/
Listed at SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=217.106.230.143
Listed at CBL:
  • http://cbl.abuseat.org/lookup.cgi?ip=217.106.230.143
Listed at Weighted Private Block List:
  • http://www.wpbl.info/cgi-bin/detail.cgi?ip=217.106.230.143
Listed NiX-Spam
  • http://www.dnsbl.manitu.net/?language=en
Dictionary Attacker & SPAM Sender:
SPAM MAILS SENT FROM THIS IP: 3.233
  • https://www.projecthoneypot.org/ip_217.106.230.143 
SEE ALSO:
  • http://zulu.zscaler.com/submission/show/dddc53f4ec74d5076fc8be59977acc69
  • http://www.senderbase.org/lookup/?search_string=217.106.230.143
  • http://net.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

4/23/2014

Category MALICIOUS IP: 203.153.99.142 (cds-id.com , dart.co.id)

"This IP is infected with a spam or malware forwarding link.
In other words the site has been hacked."


SPAMBOT & DICTIONARY ATTACKER
3 "Hacked" entries
46 "SPAM" entries
(INDONESIA)



The IP Address 203.153.99.142 is listed in the CBL (Composite Blocking List). This web site (IP) has a redirect that takes the user's browser to a spam or malware site. It's mainly fake Russian pills or pornography.

The web server's host name is "www.dart.co.id", and this link has an example of the redirect: "http://www.dart.co.id/stylish.html?dijupiho".
http://www.dart.co.id/
  • https://www.virustotal.com/de/url/032f38a47d19c6c6e68793600ee7bdc011a82459e1a416079b208381566a4133/analysis/1398254023/
http://www.dart.co.id/stylish.html?dijupiho
  • https://www.virustotal.com/de/url/6f6fe170ab65546d0ee38ba507e945373c52e12d9de1b4edde3858dae7455fdd/analysis/1398254023/
Infected servers are usually shared web hosting environments running Cpanel, Plesk, Joomla or Wordpress CMS software that have become compromised either through a vulnerability (meaning the CMS software is out of date and needs patching), or because users' account information (userids/passwords) has been compromised, and malicious software/files are being uploaded by ftp or ssl.

We believe that these specific infections are frequently done by altering web server access control mechanisms (example, ".htaccess" files on Apache web servers), and causing the redirect to occur on all "404 url not found" errors. We would appreciate it if you can give us copies of the modifications that this infection has made to your system.



It is probable that the change was made via SSL or ftp login using a userid/password stolen from the "owner" of the hostname/domain. They should run anti-virus tools on their computers, and the password they use to access the web site should be changed immediately.

If you do not recognize the hostname www.dart.co.id as belonging to you, it means that some other account on this shared hosting site has been compromised, and there is NOTHING you (or we) can do to fix the infection. Only the administrator of this machine or the owner of www.dart.co.id can fix it.
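A defender-side check for the kind of .htaccess tampering CBL describes above (redirects to an external site, especially on 404 errors), added here as an example; it is not part of the original post or of CBL's tooling. The owned hostnames and the sample .htaccess are constructed for the example.

```python
"""Flag .htaccess directives that send visitors off-site (ErrorDocument, Redirect, RewriteRule)."""
import re
from urllib.parse import urlparse

# Hostnames this site legitimately owns (constructed); any other absolute URL target is external.
OWN_HOSTS = {"www.example.com", "example.com"}

# Apache treats an absolute URL in ErrorDocument as a redirect, which is how 404 hijacks work.
ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.I)
REWRITE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
REDIRECT_RE = re.compile(
    r"^\s*Redirect(?:Match)?\s+(?:(?:\d{3}|permanent|temp|seeother|gone)\s+)?(\S+)\s+(\S+)", re.I)


def is_external(target, own_hosts):
    """True when the target is an absolute http(s) URL whose host is not one of ours."""
    parsed = urlparse(target)
    return parsed.scheme in ("http", "https") and parsed.hostname not in own_hosts


def audit_htaccess(text, own_hosts):
    """Return (line_number, message) for every directive that redirects off-site."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for regex, label in ((ERRORDOC_RE, "ErrorDocument"), (REWRITE_RE, "RewriteRule"),
                             (REDIRECT_RE, "Redirect")):
            m = regex.match(line)
            if m and is_external(m.group(2), own_hosts):
                findings.append((lineno, f"{label} for '{m.group(1)}' sends visitors off-site to {m.group(2)}"))
                break
    return findings


# Constructed sample: the last two directives are the tampering pattern, the rest is benign.
SAMPLE_HTACCESS = """\
# site config (constructed sample)
Options -Indexes
ErrorDocument 404 /errors/not-found.html
RewriteEngine On
RewriteRule ^old-page$ /new-page [R=301,L]
ErrorDocument 404 http://pills-example.invalid/landing.html?track
RewriteRule .* http://pills-example.invalid/ [R=302,L]
"""

if __name__ == "__main__":
    for lineno, msg in audit_htaccess(SAMPLE_HTACCESS, OWN_HOSTS):
        print(f".htaccess line {lineno}: {msg}")
```

Run it against a copy of the site's real .htaccess (and any .htaccess in subdirectories) with the site's own hostnames in OWN_HOSTS; a clean file produces no output.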

--------------------------------------------------------------------------------------------------------------------------------------------

MALICIOUS IP FROM INDONESIA:
SPAMBOT, DICTIONARY ATTACKER
http://203.153.99.142/
  • https://www.virustotal.com/de/url/3eed7d8163d563a7f2cee883ca1b0627e6af286dcf89a63831ee311b14cb0f2f/analysis/1398250732/
  • https://www.virustotal.com/de/ip-address/203.153.99.142/information/
DOMAIN & HOSTNAME (See Senderbase as Reference):
http://cds-id.com/
  • https://www.virustotal.com/de/url/d58f4bda3839bea826584e8f98e3b0b1ed3ebeb72508f400a53770f60c1238af/analysis/1398252129/
HTML (406 Not Acceptable)
  • https://www.virustotal.com/de/file/390814aae53b4fe7b317f869b6bb97b242131cad27c8cdfd86e8ba70a677653f/analysis/1398252281/
NUMBER OF SPAM-MAILS RECEIVED FROM THIS IP: 174
DICTIONARY ATTACKS FROM THIS IP: 21
  • https://www.projecthoneypot.org/ip_203.153.99.142
LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=203.153.99.142
LISTED AT CBL:
  • http://cbl.abuseat.org/lookup.cgi?ip=222.165.193.218&.pubmit=Lookup
LISTED AT SPAMCOP:

In the past 78.1 days, it has been listed 19 times for a total of 18.9 days

Causes of listing:
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
  • http://spamcop.net/w3m?action=checkblock&ip=203.153.99.142
LISTED AT SORBS:
Current Listings (active)
  • 3 "Hacked" entries (01:08:09 16 Apr 2013 GMT)
  • 46 "Spam" entries (20:13:30 30 May 2013 GMT)
Historical Listings (inactive)
  • 22 "Spamvertised" entries (21:37:31 22 Apr 2013 GMT)
  • http://www.au.sorbs.net/lookup.shtml
LISTED AT CISCO SENDERBASE:

Fwd/Rev DNS Match: NO
EMAIL REP.: POOR
  • http://www.senderbase.org/lookup/?search_string=203.153.99.142
SEE ALSO:
NETCRAFT: 7/10
  • http://toolbar.netcraft.com/site_report?url=203.153.99.142