funsec mailing list archives

Danchev: More Russian Criminal Activity in The Usual Places


From: "Paul Ferguson" <fergdawg () netzero net>
Date: Wed, 12 Mar 2008 03:46:00 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Forward:

I have repeatedly notified both Layered Technologies and SoftLayer on
malicious (and criminal) activities occurring in their IP address space
(their hosting facilities), but it continues to happen on a regular basis
(for over a year). Apparently, they don't seem to police their own
backyards, so it might be worthwhile to consider blocking these IP blocks
until they clean up their act.

I'm sick of hosting providers simply taking the money and turning
a blind eye.

If you're curious about some of the background on these hosting
providers, I would suggest reading "back" in Dancho Danchev's
blog a few posts and getting a better idea of what I'm talking
about here.

- From today's post:

[snip]

Apparently, a little more in-depth research acts as public pressure,
especially when they're lazy enough to have a great deal of malware
variants "phone back home" to their promotional domain.

However, the current one responding to 67.228.69.191 is hosted by
SoftLayer, and is using ns1.4wap.org as DNS server provided by Layered
Technologies, again confirming the Russian Business Network connection,
since both Layered Technologies and SoftLayer are known to have been and
continue providing services to the RBN, knowingly or unknowingly. Moreover,
the malware infected counter at the stats section continues reporting new
additions.

[snip]

More:
http://ddanchev.blogspot.com/2008/03/loadsccs-ddos-for-hire-service.html

Details [warning: active malicious URLs]:

bentham-mps.org/mansoor/cgi/index.php (205.234.186.26)
5fera.cn/adp/index.php (72.233.60.90)
ls-al.biz/1/index.php (78.109.22.245)
iwrx.com/images/index.php (74.53.174.34)
pizda.cc/in.htm (78.109.19.226)
ugl.vrlab.org/www/index.php (91.123.28.32)
eastcourier.com/reff/index.php (91.195.124.20)
thelobanoff.com/myshop/test/index.php (64.191.78.229)
203.117.170.40/~whyme/my/index.php
195.93.218.25/us/index.php
195.93.218.25/kam/index.php
85.255.116.206/ax5/index.php

Details below.



AS      | IP               | AS Name
23352   | 205.234.186.26   | SERVERCENTRAL - Server Central Network
13767   | 72.233.60.90     | DBANK - DataBank Holdings, Ltd.
41665   | 78.109.22.245    | HOSTING-AS National Hosting Provider, Hosting.UA
21844   | 74.53.174.34     | THEPLANET-AS - THE PLANET
41665   | 78.109.19.226    | HOSTING-AS National Hosting Provider, Hosting.UA
42011   | 91.123.28.32     | TRCODINTSOVO-AS TRC Odintsovo
41947   | 91.195.124.20    | WEBALTA-AS WEBALTA / Internet Search Company
21788   | 64.191.78.229    | NOC - Network Operations Center Inc.
4657    | 203.117.170.40   | STARHUBINTERNET-AS Starhub Internet, Singapore
44394   | 195.93.218.25    | BUILDHOUSE-AS Buildhouse Ltd.
27595   | 85.255.116.206   | INTERCAGE - InterCage, Inc.




Detailed IP allocation info:


205.234.186.26:

Server Central Network SCN-4 (NET-205-234-128-0-1)
205.234.128.0 - 205.234.255.255
HostForWeb Inc. SCNET-205-234-186 (NET-205-234-186-0-1)
205.234.186.0 - 205.234.187.255

OrgName: HostForWeb Inc.
OrgID: HOSTF-1
Address: PO BOX 1164
City: Chicago
StateProv: IL
PostalCode: 60690
Country: US

NetRange: 205.234.186.0 - 205.234.187.255
CIDR: 205.234.186.0/23
NetName: SCNET-205-234-186
NetHandle: NET-205-234-186-0-1
Parent: NET-205-234-128-0-1
NetType: Reallocated
Comment:
RegDate: 2007-07-12
Updated: 2007-07-12

OrgTechHandle: ADMIN240-ARIN
OrgTechName: Administrator
OrgTechPhone: +1-312-343-4678
OrgTechEmail: alex.k () hostforweb com

# ARIN WHOIS database, last updated 2008-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database. 


72.233.60.90:

OrgName: Layered Technologies, Inc.
OrgID: LAYER-3
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US

ReferralServer: rwhois://rwhois.layeredtech.com:4321

NetRange: 72.232.0.0 - 72.233.127.255
CIDR: 72.232.0.0/16, 72.233.0.0/17
NetName: LAYERED-TECH-
NetHandle: NET-72-232-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.LAYEREDTECH.COM
NameServer: NS2.LAYEREDTECH.COM
Comment: Please send all abuse complaints to
Comment: abuse () layeredtech com
RegDate: 2005-09-07
Updated: 2007-02-27

RTechHandle: JPS66-ARIN
RTechName: Suo-Anttila, Jeremy Paul
RTechPhone: +1-972-398-7998
RTechEmail: jps () layeredtech com

OrgAbuseHandle: LAT-ARIN
OrgAbuseName: LT Abuse Team
OrgAbusePhone: +1-972-398-7998
OrgAbuseEmail: abuse () layeredtech com

OrgNOCHandle: LIT-ARIN
OrgNOCName: LT IP-Network Team
OrgNOCPhone: +1-972-398-7998
OrgNOCEmail: ipnet () layeredtech com

OrgTechHandle: LNT3-ARIN
OrgTechName: LT NOC Team
OrgTechPhone: +1-972-398-7998
OrgTechEmail: ipnet () layeredtech com

# ARIN WHOIS database, last updated 2008-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


78.109.22.245:

% Information related to '78.109.22.240 - 78.109.22.247'

inetnum: 78.109.22.240 - 78.109.22.247
netname: atata
descr: atata - Maxim Perlov
country: UA
admin-c: MP5124-RIPE
tech-c: MP5124-RIPE
status: ASSIGNED PA
mnt-by: MNT-HOSTINGUA
source: RIPE # Filtered

person: Maxim Perlov
address: Kazakhstan, Almatu, Lenina h.13b
phone: +381234567
nic-hdl: MP5124-RIPE
abuse-mailbox: i.am () padonaque info
source: RIPE # Filtered

% Information related to '78.109.16.0/20AS41665'

route: 78.109.16.0/20
descr: Datacenter Hosting.UA
origin: AS41665
mnt-by: MNT-HOSTINGUA
source: RIPE # Filtered



74.53.174.34:

OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 315 Capitol
Address: Suite 205
City: Houston
StateProv: TX
PostalCode: 77002
Country: US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange: 74.52.0.0 - 74.55.255.255
CIDR: 74.52.0.0/14
NetName: NETBLK-THEPLANET-BLK-14
NetHandle: NET-74-52-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate: 2006-02-17
Updated: 2008-02-28

RTechHandle: PP46-ARIN
RTechName: Pathos, Peter
RTechPhone: +1-214-782-7800
RTechEmail: admins () theplanet com

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: The Planet Abuse
OrgAbusePhone: +1-281-714-3560
OrgAbuseEmail: abuse () theplanet com

OrgNOCHandle: THEPL-ARIN
OrgNOCName: The Planet NOC
OrgNOCPhone: +1-281-714-3555
OrgNOCEmail: noc () theplanet com

OrgTechHandle: TECHN33-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-214-782-7800
OrgTechEmail: admins () theplanet com

# ARIN WHOIS database, last updated 2008-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.



78.109.19.226:

% Information related to '78.109.19.224 - 78.109.19.231'

inetnum: 78.109.19.224 - 78.109.19.231
netname: hoster
descr: hoster - Aleksandr Pavlov
country: UA
admin-c: PAV5-RIPE
tech-c: PAV5-RIPE
status: ASSIGNED PA
mnt-by: MNT-HOSTINGUA
source: RIPE # Filtered

person: Pavlov Aleksandr V
address: Guta Bank. Komsomola, 41
address: 195009, Sankt Petersburg
address: Russia
phone: +7 812 3241525
fax-no: +7 812 3241503
e-mail: postmaster () guta spb ru
nic-hdl: PAV5-RIPE
source: RIPE # Filtered

% Information related to '78.109.16.0/20AS41665'

route: 78.109.16.0/20
descr: Datacenter Hosting.UA
origin: AS41665
mnt-by: MNT-HOSTINGUA
source: RIPE # Filtered




91.123.28.32:

% Information related to '91.123.16.0 - 91.123.31.255'

inetnum: 91.123.16.0 - 91.123.31.255
netname: TRCODINTSOVO-NET
descr: TRC Odintsovo
country: RU
org: ORG-MCtO1-RIPE
admin-c: AYO8-RIPE
tech-c: AYO8-RIPE
status: ASSIGNED PI
mnt-by: TRCODINTSOVO-MNT
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: TRCODINTSOVO-MNT
mnt-domains: TRCODINTSOVO-MNT
source: RIPE # Filtered

organisation: ORG-MCtO1-RIPE
org-name: MUP Center teleradiocompany Odintsovo
org-type: OTHER
descr: MUP Center teleradiocompany Odintsovo
address: 10, Govorova str.,
address: Odintsovo, Moscow district
address: Russian Federation
phone: +7 495 5907235
fax-no: +7 495 5907000
e-mail: info () trc-odintsovo ru
admin-c: AYO8-RIPE
tech-c: AYO8-RIPE
mnt-ref: TRCODINTSOVO-MNT
mnt-by: TRCODINTSOVO-MNT
source: RIPE # Filtered

person: Andrew Y. Ostrouhov
address: 10, Govorova str.,
address: Odintsovo city, Moscow district
address: Russian Federation
phone: +7 495 5907355
fax-no: +7 495 5907000
e-mail: ao () trc-odintsovo ru
nic-hdl: AYO8-RIPE
mnt-by: TRCODINTSOVO-MNT
source: RIPE # Filtered

% Information related to '91.123.16.0/20AS42011'

route: 91.123.16.0/20
descr: TRC Odintsovo
origin: AS42011
mnt-by: TRCODINTSOVO-MNT
source: RIPE # Filtered



91.195.124.20:

% Information related to '91.195.124.0 - 91.195.125.255'

inetnum: 91.195.124.0 - 91.195.125.255
netname: LEADERHOST2-NET
descr: LiderHost Ltd.
country: RU
org: ORG-LL27-RIPE
admin-c: AVM23-RIPE
tech-c: AVM23-RIPE
status: ASSIGNED PI
mnt-by: LEADERHOST-MNT
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: LEADERHOST-MNT
mnt-routes: RU-WEBALTA-MNT
mnt-domains: LEADERHOST-MNT
source: RIPE # Filtered

organisation: ORG-LL27-RIPE
org-name: LeaderHost Ltd.
org-type: OTHER
descr: LeaderHost Ltd.
address: 1, Aivazovskogo str.,
address: Moscow, Russia
phone: +7 495 5895552
fax-no: +7 495 5895552
e-mail: admin () leaderhost ru
admin-c: AVM23-RIPE
tech-c: AVM23-RIPE
mnt-ref: LEADERHOST-MNT
mnt-by: LEADERHOST-MNT
source: RIPE # Filtered

person: Andrey V Matveev
address: 1, Aivazovskogo str.,
address: Moscow, Russia
phone: +7 495 5895552
fax-no: +7 495 5895552
e-mail: admin () leaderhost ru
nic-hdl: AVM23-RIPE
mnt-by: LEADERHOST-MNT
source: RIPE # Filtered

% Information related to '91.195.124.0/23AS41947'

route: 91.195.124.0/23
descr: LeaderHost
origin: AS41947
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered



64.191.78.229:

OrgName: Network Operations Center Inc.
OrgID: NOC
Address: PO Box 591
City: Scranton
StateProv: PA
PostalCode: 18501-0591
Country: US

ReferralServer: rwhois://rwhois.hostnoc.net:4321/

NetRange: 64.191.0.0 - 64.191.127.255
CIDR: 64.191.0.0/17
NetName: HOSTNOC-3BLK
NetHandle: NET-64-191-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.HOSTNOC.NET
NameServer: NS2.HOSTNOC.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-05-31
Updated: 2003-08-08

RTechHandle: SMA4-ARIN
RTechName: Arcus, S. Matthew
RTechPhone: +1-570-343-8551
RTechEmail: nic () hostnoc net

OrgTechHandle: SMA4-ARIN
OrgTechName: Arcus, S. Matthew
OrgTechPhone: +1-570-343-8551
OrgTechEmail: nic () hostnoc net

# ARIN WHOIS database, last updated 2008-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.



203.117.170.40:

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 203.117.0.0 - 203.117.255.255
netname: STARHUBINTERNET-SG
descr: root
country: SG
admin-c: NS110-AP
tech-c: NS110-AP
mnt-by: MAINT-AS4657-AP
status: ALLOCATED NON-PORTABLE
changed: admin_ipdb () starhub com 20070605
source: APNIC

person: NOC SHI
nic-hdl: NS110-AP
e-mail: noc () starhub com
address: 19 TaiSeng Drive
address: Singapore 535222
phone: +65 6825 7878
fax-no: +65 6821 6012
country: SG
changed: ipadmin () starhub com 20060607
mnt-by: MAINT-AS4657-AP
source: APNIC



195.93.218.25:

% Information related to '195.93.218.0 - 195.93.219.255'

inetnum: 195.93.218.0 - 195.93.219.255
netname: BUILDHOUSE-NET
descr: Buildhouse Ltd.
country: RU
org: ORG-BL54-RIPE
admin-c: TIO4-RIPE
tech-c: TIO4-RIPE
status: ASSIGNED PI
remarks: - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
remarks: Routing issues: ipadm () airhouse su
remarks: DNS issues: nsmaster () airhouse su
remarks: Mail issues: postmaster () airhouse su
remarks: SPAM&SCAN issues (PLEASE ONLY TO): abuse () airhouse su
remarks: News issues: postmaster () airhouse su
remarks: Customer support: helpdesk () airhouse su
remarks: Commercial issues: sp () airhouse su
remarks: - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: MNT-BUILDHOUSE
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: MNT-BUILDHOUSE
mnt-domains: MNT-BUILDHOUSE
source: RIPE # Filtered

organisation: ORG-BL54-RIPE
org-name: Buildhouse Ltd.
org-type: OTHER
address: 109240, Russia, Moscow, Radischevskaya verhnyaya str., h. 13/15
e-mail: info () airhouse su
mnt-ref: MNT-BUILDHOUSE
mnt-by: MNT-BUILDHOUSE
source: RIPE # Filtered

person: Tsheptyev Igor Olegovich
address: 109240, Russia, Moscow, Radischevskaya verhnyaya str., h. 13/15
phone: +7 495 5684114
nic-hdl: TIO4-RIPE
source: RIPE # Filtered

% Information related to '195.93.218.0/23AS44394'

route: 195.93.218.0/23
descr: Buildhouse Ltd.
origin: AS44394
mnt-by: MNT-BUILDHOUSE
source: RIPE # Filtered


85.255.116.206:

% Information related to '85.255.112.0 - 85.255.127.255'

inetnum: 85.255.112.0 - 85.255.127.255
netname: UkrTeleGroup
descr: UkrTeleGroup Ltd.
admin-c: UA481-RIPE
tech-c: UA481-RIPE
country: UA
org: ORG-UL25-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: UKRTELE-MNT
mnt-routes: UKRTELE-MNT
mnt-domains: UKRTELE-MNT
source: RIPE # Filtered

organisation: ORG-UL25-RIPE
org-name: UkrTeleGroup Ltd.
org-type: LIR
address: UkrTeleGroup Ltd.
Mechnikova 58/5
65029 Odessa
Ukraine
phone: +380487311011
fax-no: +380487502499
mnt-ref: UKRTELE-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

person: Andrew Sotov
address: Mechnikova 58/5 65029 Odessa
abuse-mailbox: abuse () ukrtelegroup com ua
phone: +380631508855
nic-hdl: UA481-RIPE
source: RIPE # Filtered


- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFH11Hoq1pz9mNUZTMRAp4pAJ9NszAJMEchAUSjNC2q1lWJeqdvWwCfcrwb
gaAVfYoBHitYQsv0brcFJrI=
=xuiI
-----END PGP SIGNATURE-----



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
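The post suggests blocking the hosting providers' IP blocks, and its whois dump shows why the choice of block matters: some indicators sit in a /29 customer assignment, others only in a /14 direct allocation. The script below is an added example (not part of Ferguson's post or Danchev's blog) that takes the AS table and the netblocks transcribed from the whois records above, maps each listed IP to the most specific block that contains it, reports how many addresses that block covers, and groups the indicators by ASN so recurring providers (here AS41665 / MNT-HOSTINGUA) stand out. The indicator IPs, AS numbers and netblocks are the page's own values; the function names and the dictionary layout are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Indicator IPs as listed in the post above.
INDICATORS = [
    "205.234.186.26", "72.233.60.90", "78.109.22.245", "74.53.174.34",
    "78.109.19.226", "91.123.28.32", "91.195.124.20", "64.191.78.229",
    "203.117.170.40", "195.93.218.25", "85.255.116.206",
]

# The AS table from the post, pipe-separated, with the two wrapped
# "Hosting.UA" rows rejoined onto one line each.
AS_TABLE = """\
AS      | IP               | AS Name
23352   | 205.234.186.26   | SERVERCENTRAL - Server Central Network
13767   | 72.233.60.90     | DBANK - DataBank Holdings, Ltd.
41665   | 78.109.22.245    | HOSTING-AS National Hosting Provider, Hosting.UA
21844   | 74.53.174.34     | THEPLANET-AS - THE PLANET
41665   | 78.109.19.226    | HOSTING-AS National Hosting Provider, Hosting.UA
42011   | 91.123.28.32     | TRCODINTSOVO-AS TRC Odintsovo
41947   | 91.195.124.20    | WEBALTA-AS WEBALTA / Internet Search Company
21788   | 64.191.78.229    | NOC - Network Operations Center Inc.
4657    | 203.117.170.40   | STARHUBINTERNET-AS Starhub Internet, Singapore
44394   | 195.93.218.25    | BUILDHOUSE-AS Buildhouse Ltd.
27595   | 85.255.116.206   | INTERCAGE - InterCage, Inc.
"""

# Netblocks transcribed from the whois records in the post, as either an
# inetnum range ("a - b") or a CIDR, with the registered holder.
NETBLOCKS = [
    ("205.234.186.0/23", "HostForWeb Inc."),
    ("205.234.128.0/17", "Server Central Network"),
    ("72.233.0.0/17", "Layered Technologies, Inc."),
    ("78.109.22.240 - 78.109.22.247", "atata - Maxim Perlov"),
    ("78.109.19.224 - 78.109.19.231", "hoster - Aleksandr Pavlov"),
    ("78.109.16.0/20", "Datacenter Hosting.UA"),
    ("74.52.0.0/14", "ThePlanet.com Internet Services, Inc."),
    ("91.123.16.0/20", "TRC Odintsovo"),
    ("91.195.124.0/23", "LiderHost Ltd."),
    ("64.191.0.0/17", "Network Operations Center Inc."),
    ("203.117.0.0/16", "STARHUBINTERNET-SG"),
    ("195.93.218.0/23", "Buildhouse Ltd."),
    ("85.255.112.0/20", "UkrTeleGroup Ltd."),
]


def parse_as_table(text):
    """Map each IP in the pipe-separated table to (asn, as_name)."""
    table = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[0].isdigit():
            table[parts[1]] = (int(parts[0]), parts[2])
    return table


def to_networks(spec):
    """Expand 'a - b' or 'x/len' into ip_network objects."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec)]


def smallest_containing(ip, netblocks):
    """Most specific (longest-prefix) netblock containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for spec, holder in netblocks:
        for net in to_networks(spec):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, holder)
    return best


def build_blocklist(ips, netblocks, as_table):
    """One row per indicator: ASN, the tightest whois block, and its size."""
    rows = []
    for ip in ips:
        asn, as_name = as_table.get(ip, (None, "unknown"))
        hit = smallest_containing(ip, netblocks)
        # Fall back to a host route (/32) when no whois record covers the IP.
        net, holder = hit if hit else (ipaddress.ip_network(ip), "no record")
        rows.append({"ip": ip, "asn": asn, "as_name": as_name,
                     "block": str(net), "holder": holder,
                     "addresses": net.num_addresses})
    return rows


def group_by_asn(rows):
    """ASN -> list of indicator IPs, to see which providers recur."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["asn"]].append(row["ip"])
    return dict(groups)


if __name__ == "__main__":
    rows = build_blocklist(INDICATORS, NETBLOCKS, parse_as_table(AS_TABLE))
    for r in rows:
        print(f"{r['ip']:<16} AS{str(r['asn']):<6} {r['block']:<20} "
              f"{r['addresses']:>8} addrs  {r['holder']}")
    print("indicators per ASN:", group_by_asn(rows))
```

The "addresses" column is the practical check before acting on the post's advice: 78.109.22.245 resolves to an 8-address customer assignment, while 74.53.174.34 only has the provider's 262,144-address /14 on record, so blocking at the allocation level there affects every other customer of that provider.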

