Banned ip.

[WebSam]

Hi.

Can you remove this ip from the black list please?

67.212.88.42

One of our computer has been accidentally infected with a virus and all php files were rewritten with shura.pl link...

We have clean all the files on the server and there is no more infection on this ip.

This server contains a lot of important projects and there is no spam or anything malware there.

Thanks

Sam.

[MysteryFCM]

Sorry for taking so long.

This IP is on a Netelligent IP range, which is why it is blocked.

[WebSam]

Sorry for taking so long.

This IP is on a Netelligent IP range, which is why it is blocked.

Neteligent is only a optic fiber provider for the hosting company where the server is...

So why block an entire hosting company plus a range of honest business just for the connection company?

I really don't understand why...

[MysteryFCM]

The problem is, Netelligent are continuing to provide hosting to criminals. After being alerted to such, they have failed to respond, let alone cease providing such, because of this, they have been blocked until such time as they cease provisions to criminals.

[thibot]

The problem is, Netelligent are continuing to provide hosting to criminals. After being alerted to such, they have failed to respond, let alone cease providing such, because of this, they have been blocked until such time as they cease provisions to criminals.

Hello,

Can you please give me a list of domains and IP's that are responsible for this block ? Last I checked we removed every offending domains on our network.

Thank you,

[MysteryFCM]

The following are the active cases from the last 7 days or so;

209.44.111.59	Failed resolution	secure.paysecureorder.com	http://secure.paysecureorder.com/order?agree=on&prodid=2&r=1.0&butt=
209.44.108.236	vm2.r4l.com	www.yoga0400.biz	http://www.yoga0400.biz/r57.txt
209.44.108.236	vm2.r4l.com	yoga0400.biz	http://yoga0400.biz/c99.txt
209.44.108.236	vm2.r4l.com	yoga0400.biz	http://yoga0400.biz/r57.txt
209.44.126.22	Failed resolution	bodyscanonline.com	http://bodyscanonline.com/hitin.php
209.44.126.152	Failed resolution	goscansome.com	http://goscansome.com
209.44.126.152	Failed resolution	namearra.info	http://namearra.info
209.44.126.152	Failed resolution	namearra.info	http://namearra.info/download/install.php
209.44.126.36	Failed resolution	scanriteweb.com	http://scanriteweb.com/index.php?affid=19000
209.44.126.36	Failed resolution	scanonlinedirect.com	http://scanonlinedirect.com/download.php?affid=00000
209.44.111.57	Failed resolution	analyticsadvanced.com	http://analyticsadvanced.com/counter/bins/81l.exe
209.44.111.57	Failed resolution	analyticsadvanced.com	http://analyticsadvanced.com/counter/
209.44.111.57	Failed resolution	analyticsadvanced.com	http://analyticsadvanced.com/counter/ab.pdf
209.44.111.57	Failed resolution	analyticsadvanced.com	http://analyticsadvanced.com/counter/load.php
209.44.126.81	Failed resolution	securitytestavailable.com	http://securitytestavailable.com
209.44.126.102	Failed resolution	goscanedge.com	http://goscanedge.com/?uid=12401
209.44.126.81	Failed resolution	securitytestavailable.com	http://securitytestavailable.com:80/index.php?affid=20200
209.44.126.22	Failed resolution	bodyscanguide.com	http://bodyscanguide.com/index.php?affid=11500
209.44.126.36	Failed resolution	scanonlinedirect.com	http://scanonlinedirect.com/download.php?affid=26900
209.44.126.22	Failed resolution	bodyscanguide.com	http://bodyscanguide.com/download.php?affid=00000
209.44.126.152	Failed resolution	dirfile.info	http://dirfile.info/download/install.php
209.44.126.41	Failed resolution	209.44.126.41	http://209.44.126.41/.ex/nafig.exe
209.44.115.203	Failed resolution	aamo.net	http://aamo.net/
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/adnsub.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/Album_Tokyo_Panasonic_2008.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/announcement.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/conf.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/contact.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/curviceprresident.html
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/default.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/edp.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/evolution.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/exchange.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/feedback.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/journal.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/listofaamomembers.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/listofaamopresident.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/mci.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/newsletter.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/president.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/publications.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/research.htm
209.44.126.81	Failed resolution	securitytoolsite.com	http://securitytoolsite.com/download.php?
209.44.126.81	Failed resolution	securitytoolsite.com	http://securitytoolsite.com/download.php?affid=19000
209.44.126.81	Failed resolution	securitytoolsite.com	http://securitytoolsite.com/download.php
209.44.126.81	Failed resolution	securitytoolsite.com	http://securitytoolsite.com/install/ws.exe
209.44.126.16	Failed resolution	systemsecuritysite.com	http://systemsecuritysite.com/install/wscleaner.exe
209.44.126.81	Failed resolution	securitytoolsite.com	http://securitytoolsite.com/install/ws.exe
209.44.126.81	Failed resolution	securitytoolsite.com	http://securitytoolsite.com/index.php
209.44.126.81	Failed resolution	securitytoolsite.com	http://securitytoolsite.com/scan.php
209.44.126.81	Failed resolution	securitytoolsite.com	http://securitytoolsite.com/in.php
209.44.126.81	Failed resolution	securitytoolsite.com	http://securitytoolsite.com/download.php?affid=20100
209.44.126.81	Failed resolution	securitytoolsite.com	http://securitytoolsite.com/index.php?affid=20100
209.44.126.81	Failed resolution	securityproductsupply.com	http://securityproductsupply.com/index.php?affid=04811
209.44.126.81	Failed resolution	securityproductsupply.com	http://securityproductsupply.com/download.php?affid=00000
209.44.126.81	Failed resolution	securityproductsupply.com	http://securityproductsupply.com/hitin.php?land=20&affid=26700
209.44.126.81	Failed resolution	securitytoolonline.com	http://securitytoolonline.com
209.44.126.81	Failed resolution	securitytoolonline.com	http://securitytoolonline.com/index.php?affid=18900
209.44.126.81	Failed resolution	securitytoolonline.com	http://securitytoolonline.com/download.php?affid=26700
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/Album_Tokyo_Chinese_2008.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/Album_Tokyo_Conference_2008.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/Album_Tokyo_Korea_2008.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/Album_Tokyo_Symposium_2008.htm
209.44.115.203	Failed resolution	www.aamo.net	http://www.aamo.net/jj_irani.htm
209.44.117.62	Failed resolution	209.44.117.62	http://209.44.117.62/server/npopup/dnl/11.exe
209.44.126.30	Failed resolution	209.44.126.30	http://209.44.126.30/exses.exe
209.44.126.30	Failed resolution	209.44.126.30	http://209.44.126.30/ghbb.bin
209.44.126.30	Failed resolution	209.44.126.30	http://209.44.126.30/unsecurity/load.php?id=19663
209.44.126.16	Failed resolution	systemsecurityonline.com	http://systemsecurityonline.com/download.php
209.44.126.81	Failed resolution	www.securitytoolonline.com	http://www.securitytoolonline.com/
209.44.126.30	Failed resolution	209.44.126.30	http://209.44.126.30/herwam.exe

I'm currently processing those in the hpHosts database to see which are still active, I'll post the results once they're done.

[MysteryFCM]

An example of why this has escalated to this proportion, aside from my never receiving a single response to an abuse report (nor to my knowledge, have any of my collegues), can be found here (little old now, but should give an idea);

http://hphosts.blogspot.com/2009/05/google...es-and-250.html

I've also got 70 on one of your other ranges (67.212.*), as have Clean-MX (alot of those on Clean-MX are marked as dead now);

http://support.clean-mx.de/clean-mx/viruse...?sort=firstseen desc&as=AS10929

http://hosts-file.net/pest.asp?show=67.212.

And as have MalwareURL;

http://www.malwareurl.com/search.php?s=AS10929&match=0

And as have Malware Domain List;

http://www.malwaredomainlist.com/mdl.php?s...amp;quantity=50

http://www.malwaredomainlist.com/mdl.php?s...amp;quantity=50

[MysteryFCM]

These are the recent cases from my offline database, on your 67.212.* range;

67.212.71.196	Failed resolution	gagtemple.info	http://gagtemple.info/download/install.php
67.212.71.196	Failed resolution	strelyk.info	http://strelyk.info/download/install.php
67.212.71.196	Failed resolution	gagtemple.info	http://gagtemple.info/download/install.php
67.212.71.196	Failed resolution	in5id.com	http://in5id.com/download/file.exe
67.212.71.196	Failed resolution	resuma.info	http://resuma.info/download/install.php
67.212.71.196	Failed resolution	cascas.info	http://cascas.info
67.212.71.196	Failed resolution	goscantune.com	http://goscantune.com
67.212.71.196	Failed resolution	gotunescan.com	http://gotunescan.com
67.212.185.202	web15.justhost.com	www.computeradroit.com	http://www.computeradroit.com
67.212.81.29	Failed resolution	scan-spyware-now.com	http://scan-spyware-now.com
67.212.65.41	Failed resolution	babyruthie.com	http://babyruthie.com/
67.212.80.121	Failed resolution	xtraff.cn	http://xtraff.cn/scr/in.cgi?5
67.212.71.196	Failed resolution	gobackscan.com	http://gobackscan.com/?uid=151
67.212.71.196	Failed resolution	pitchy.info	http://pitchy.info/22/?uid=151
67.212.162.250	web59.justhost.com	www.hotlife.us	http://www.hotlife.us/mediastream/components/SecureLiveVideo.exe
67.212.162.250	web59.justhost.com	www.hotlife.us	http://www.hotlife.us/mediastream/components/SecureLiveVideo.exe
67.212.71.196	Failed resolution	unmoan.info	http://unmoan.info/common/destrub.js
67.212.80.125	Failed resolution	wwwworldweb.com	http://wwwworldweb.com/pdf.php?id=1706
67.212.80.125	Failed resolution	wwwworldweb.com	http://wwwworldweb.com/pdf.php?id=1706&vis=1
67.212.65.41	Failed resolution	www.babyruthie.com	http://www.babyruthie.com/
67.212.65.41	Failed resolution	www.babyruthie.com	http://www.babyruthie.com/CCBill/index.htm
67.212.81.69	Failed resolution	gpt0.ru	http://gpt0.ru/b3/b3.exe
67.212.176.82	redhotservers.com	support.redhotservers.com	http://support.redhotservers.com
67.212.166.154	web13.justhost.com	jumpyjunction.com	http://jumpyjunction.com
67.212.166.146	web12.justhost.com	performerscity.com	http://performerscity.com

/edit

See also;

http://safebrowsing.clients.google.com/saf...p;site=AS:10929

[thibot]

Hi MysteryFCM,

Thanks for taking the time to get back to us. What emails were you sending us complaints from. We have responded to every complaint regarding these specific IPs and we have the record in our abuse ticketing system. I will lookover the records if you can give me the email.

Moving on, I've looked over most of the IPs you've included. Alot of them are outdated.

All the 209.44.126.xx and 67.212.71.xx were blocked over a month ago.

You can also check http://www.maliciousnetworks.org/chart.php?as=AS10929 for the activity on our networking showing a significant drop. And thats in beginning of August. They should be updating soon with more recent data which should show us at a much healthier level as proof of the cleansing of these hosts.

These aren't our IPs

67.212.185.202	web15.justhost.com	www.computeradroit.com	[url="http://www.computeradroit.com"]http://www.computeradroit.com[/url]
67.212.162.250	web59.justhost.com	www.hotlife.us	[url="http://www.hotlife.us/mediastream/components/SecureLiveVideo.exe"]http://www.hotlife.us/mediastream/componen...reLiveVideo.exe[/url]
67.212.162.250	web59.justhost.com	www.hotlife.us	[url="http://www.hotlife.us/mediastream/components/SecureLiveVideo.exe"]http://www.hotlife.us/mediastream/componen...reLiveVideo.exe[/url]
67.212.166.154	web13.justhost.com	jumpyjunction.com	[url="http://jumpyjunction.com"]http://jumpyjunction.com[/url]
67.212.166.146	web12.justhost.com	performerscity.com	[url="http://performerscity.com"]http://performerscity.com[/url]

67.212.176.82 redhotservers.com support.redhotservers.com http://support.redhotservers.com

We will check on the following.

67.212.80.121	Failed resolution	xtraff.cn	[url="http://xtraff.cn/scr/in.cgi?5"]http://xtraff.cn/scr/in.cgi?5[/url]
67.212.80.125	Failed resolution	wwwworldweb.com	[url="http://wwwworldweb.com/pdf.php?id=1706"]http://wwwworldweb.com/pdf.php?id=1706[/url]
67.212.80.125	Failed resolution	wwwworldweb.com	[url="http://wwwworldweb.com/pdf.php?id=1706&vis=1"]http://wwwworldweb.com/pdf.php?id=1706&vis=1[/url]
67.212.65.41	Failed resolution	babyruthie.com	[url="http://babyruthie.com/"]http://babyruthie.com/[/url]
67.212.65.41	Failed resolution	www.babyruthie.com	[url="http://www.babyruthie.com/"]http://www.babyruthie.com/[/url]
67.212.65.41	Failed resolution	www.babyruthie.com	[url="http://www.babyruthie.com/CCBill/index.htm"]http://www.babyruthie.com/CCBill/index.htm[/url]
67.212.81.69	Failed resolution	gpt0.ru	[url="http://gpt0.ru/b3/b3.exe"]http://gpt0.ru/b3/b3.exe[/url]

[MysteryFCM]

All e-mails I sent were sent from services @ it-mate.co.uk

The results I mentioned earlier are now ready, and a few are still showing as resolving to your IP ranges;

http://hosts-file.net/misc/hpObserver_-_209.44.html

[thibot]

Hi Mystery,

Great list. Most of them are defunct though. All the 209.44.126.xx have been removed completely. That whole /24 was killed off.

Checking the others.

[MysteryFCM]

Thanks for letting me know.

Can you tell me what measures you're taking to prevent this re-appearing on your network?

I've not had a chance to process todays URL's yet, but will post any from your network that show up once they've been processed.

[thibot]

Hi!

Well the biggest problem in these things propping up on our network is that were mainly relying on nothing more than complaints that arrive to our abuse department. So although that is useful in most cases, it's not helpful in detecting outbreaks on a more consistent basis. What we have been doing over the past several weeks is to pro-actively search out our name in forums like this one to see whats the word on "the street", as well as using links such as the ones I provided in one of my earlier posts. Hopefully this will help us remove all offending content in the future.