Re: Danchev: More Russian Criminal Activity in The Usual Places

["John LaCour" <johnlacour () gmail com>]

I've reported the domain names to the Registry who is working with the
Registrar to have them suspended.
I'm sure they'll register more, but they may have to go back and
update their iframe code.  So it at least
slows them down.

On Tue, Mar 11, 2008 at 8:46 PM, Paul Ferguson <fergdawg () netzero net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>  Hash: SHA1
>
>  Forward:
>
>  I have repeatedly notified both Layered Technologies and SoftLayer on
>  malicious (and criminal) activities occurring in their IP address space
>  (their hosting facilities), but it continues to happen on a regular basis
>  (for over a year). Apparently, they don't seem to police their own
>  backyards, so it might be worthwhile to consider blocking these IP blocks
>  until they clean up their act.
>
>  I'm sick of hosting providers simply taking the money and turning
>  a blind eye.
>
>  If you're curious on some of the background on these hosting
>  providers, I would suggest reading "back" in Dancho Danchev's
>  blog a few posts and getting a better idea of what I'm talking
>  about here.
>
>  - From today's post:
>
>  [snip]
>
>  Apparently, a little more in-depth research acts as public pressure,
>  especially when they're lazy enough to have a great deal of malware
>  variants "phone back home" to their promotional domain.
>
>  However, the current one responding to 67.228.69.191 is hosted by
>  SoftLayer, and is using ns1.4wap.org as DNS server provided by Layered
>  Technologies again confirming the Russian Business Network connection
>  since, both, Layered Technologies and SoftLayer are known to have been and
>  continue providing services to the RBN, knowingly or unknowingly. Moreover,
>  the malware infected counter at the stats section continues reporting new
>  additions.
>
>  [snip]
>
>  More:
>  http://ddanchev.blogspot.com/2008/03/loadsccs-ddos-for-hire-service.html
>
>  Details [warning: active malicious URLs]:
>
>  bentham-mps.org/mansoor/cgi/index.php (205.234.186.26)
>  5fera.cn/adp/index.php (72.233.60.90)
>  ls-al.biz/1/index.php (78.109.22.245)
>  iwrx.com/images/index.php (74.53.174.34)
>  pizda.cc/in.htm (78.109.19.226)
>  ugl.vrlab.org/www/index.php (91.123.28.32)
>  eastcourier.com/reff/index.php (91.195.124.20)
>  thelobanoff.com/myshop/test/index.php (64.191.78.229)
>  203.117.170.40/~whyme/my/index.php
>  195.93.218.25/us/index.php
>  195.93.218.25/kam/index.php
>  85.255.116.206/ax5/index.php
>
>  Details below.
>
>
>
>  AS      | IP               | AS Name
>  23352   | 205.234.186.26   | SERVERCENTRAL - Server Central Network
>  13767   | 72.233.60.90     | DBANK - DataBank Holdings, Ltd.
>  41665   | 78.109.22.245    | HOSTING-AS National Hosting Provider,
>  Hosting.UA
>  21844   | 74.53.174.34     | THEPLANET-AS - THE PLANET
>  41665   | 78.109.19.226    | HOSTING-AS National Hosting Provider,
>  Hosting.UA
>  42011   | 91.123.28.32     | TRCODINTSOVO-AS TRC Odintsovo
>  41947   | 91.195.124.20    | WEBALTA-AS WEBALTA / Internet Search Company
>  21788   | 64.191.78.229    | NOC - Network Operations Center Inc.
>  4657    | 203.117.170.40   | STARHUBINTERNET-AS Starhub Internet, Singapore
>  44394   | 195.93.218.25    | BUILDHOUSE-AS Buildhouse Ltd.
>  27595   | 85.255.116.206   | INTERCAGE - InterCage, Inc.
>
>
>
>
>  Detailed IP allocation info:
>
>
>  205.234.186.26:
>
>  Server Central Network SCN-4 (NET-205-234-128-0-1)
>  205.234.128.0 - 205.234.255.255
>  HostForWeb Inc. SCNET-205-234-186 (NET-205-234-186-0-1)
>  205.234.186.0 - 205.234.187.255
>
>  OrgName: HostForWeb Inc.
>  OrgID: HOSTF-1
>  Address: PO BOX 1164
>  City: Chicago
>  StateProv: IL
>  PostalCode: 60690
>  Country: US
>
>  NetRange: 205.234.186.0 - 205.234.187.255
>  CIDR: 205.234.186.0/23
>  NetName: SCNET-205-234-186
>  NetHandle: NET-205-234-186-0-1
>  Parent: NET-205-234-128-0-1
>  NetType: Reallocated
>  Comment:
>  RegDate: 2007-07-12
>  Updated: 2007-07-12
>
>  OrgTechHandle: ADMIN240-ARIN
>  OrgTechName: Administrator
>  OrgTechPhone: +1-312-343-4678
>  OrgTechEmail: alex.k () hostforweb com
>
>  # ARIN WHOIS database, last updated 2008-03-11 19:10
>  # Enter ? for additional hints on searching ARIN's WHOIS database.
>
>
>  72.233.60.90:
>
>  OrgName: Layered Technologies, Inc.
>  OrgID: LAYER-3
>  Address: 5085 W Park Blvd
>  Address: Suite 700
>  City: Plano
>  StateProv: TX
>  PostalCode: 75093
>  Country: US
>
>  ReferralServer: rwhois://rwhois.layeredtech.com:4321
>
>  NetRange: 72.232.0.0 - 72.233.127.255
>  CIDR: 72.232.0.0/16, 72.233.0.0/17
>  NetName: LAYERED-TECH-
>  NetHandle: NET-72-232-0-0-1
>  Parent: NET-72-0-0-0-0
>  NetType: Direct Allocation
>  NameServer: NS1.LAYEREDTECH.COM
>  NameServer: NS2.LAYEREDTECH.COM
>  Comment: Please send all abuse complaints to
>  Comment: abuse () layeredtech com
>  RegDate: 2005-09-07
>  Updated: 2007-02-27
>
>  RTechHandle: JPS66-ARIN
>  RTechName: Suo-Anttila, Jeremy Paul
>  RTechPhone: +1-972-398-7998
>  RTechEmail: jps () layeredtech com
>
>  OrgAbuseHandle: LAT-ARIN
>  OrgAbuseName: LT Abuse Team
>  OrgAbusePhone: +1-972-398-7998
>  OrgAbuseEmail: abuse () layeredtech com
>
>  OrgNOCHandle: LIT-ARIN
>  OrgNOCName: LT IP-Network Team
>  OrgNOCPhone: +1-972-398-7998
>  OrgNOCEmail: ipnet () layeredtech com
>
>  OrgTechHandle: LNT3-ARIN
>  OrgTechName: LT NOC Team
>  OrgTechPhone: +1-972-398-7998
>  OrgTechEmail: ipnet () layeredtech com
>
>  # ARIN WHOIS database, last updated 2008-03-11 19:10
>  # Enter ? for additional hints on searching ARIN's WHOIS database.
>
>
>  78.109.22.245:
>
>  % Information related to '78.109.22.240 - 78.109.22.247'
>
>  inetnum: 78.109.22.240 - 78.109.22.247
>  netname: atata
>  descr: atata - Maxim Perlov
>  country: UA
>  admin-c: MP5124-RIPE
>  tech-c: MP5124-RIPE
>  status: ASSIGNED PA
>  mnt-by: MNT-HOSTINGUA
>  source: RIPE # Filtered
>
>  person: Maxim Perlov
>  address: Kazakhstan, Almatu, Lenina h.13b
>  phone: +381234567
>  nic-hdl: MP5124-RIPE
>  abuse-mailbox: i.am () padonaque info
>  source: RIPE # Filtered
>
>  % Information related to '78.109.16.0/20AS41665'
>
>  route: 78.109.16.0/20
>  descr: Datacenter Hosting.UA
>  origin: AS41665
>  mnt-by: MNT-HOSTINGUA
>  source: RIPE # Filtered
>
>
>
>  74.53.174.34:
>
>  OrgName: ThePlanet.com Internet Services, Inc.
>  OrgID: TPCM
>  Address: 315 Capitol
>  Address: Suite 205
>  City: Houston
>  StateProv: TX
>  PostalCode: 77002
>  Country: US
>
>  ReferralServer: rwhois://rwhois.theplanet.com:4321
>
>  NetRange: 74.52.0.0 - 74.55.255.255
>  CIDR: 74.52.0.0/14
>  NetName: NETBLK-THEPLANET-BLK-14
>  NetHandle: NET-74-52-0-0-1
>  Parent: NET-74-0-0-0-0
>  NetType: Direct Allocation
>  NameServer: NS1.THEPLANET.COM
>  NameServer: NS2.THEPLANET.COM
>  Comment:
>  RegDate: 2006-02-17
>  Updated: 2008-02-28
>
>  RTechHandle: PP46-ARIN
>  RTechName: Pathos, Peter
>  RTechPhone: +1-214-782-7800
>  RTechEmail: admins () theplanet com
>
>  OrgAbuseHandle: ABUSE271-ARIN
>  OrgAbuseName: The Planet Abuse
>  OrgAbusePhone: +1-281-714-3560
>  OrgAbuseEmail: abuse () theplanet com
>
>  OrgNOCHandle: THEPL-ARIN
>  OrgNOCName: The Planet NOC
>  OrgNOCPhone: +1-281-714-3555
>  OrgNOCEmail: noc () theplanet com
>
>  OrgTechHandle: TECHN33-ARIN
>  OrgTechName: Technical Support
>  OrgTechPhone: +1-214-782-7800
>  OrgTechEmail: admins () theplanet com
>
>  # ARIN WHOIS database, last updated 2008-03-11 19:10
>  # Enter ? for additional hints on searching ARIN's WHOIS database.
>
>
>
>  78.109.19.226
>
>  % Information related to '78.109.19.224 - 78.109.19.231'
>
>  inetnum: 78.109.19.224 - 78.109.19.231
>  netname: hoster
>  descr: hoster - Aleksandr Pavlov
>  country: UA
>  admin-c: PAV5-RIPE
>  tech-c: PAV5-RIPE
>  status: ASSIGNED PA
>  mnt-by: MNT-HOSTINGUA
>  source: RIPE # Filtered
>
>  person: Pavlov Aleksandr V
>  address: Guta Bank. Komsomola, 41
>  address: 195009, Sankt Petersburg
>  address: Russia
>  phone: +7 812 3241525
>  fax-no: +7 812 3241503
>  e-mail: postmaster () guta spb ru
>  nic-hdl: PAV5-RIPE
>  source: RIPE # Filtered
>
>  % Information related to '78.109.16.0/20AS41665'
>
>  route: 78.109.16.0/20
>  descr: Datacenter Hosting.UA
>  origin: AS41665
>  mnt-by: MNT-HOSTINGUA
>  source: RIPE # Filtered
>
>
>
>
>  91.123.28.32:
>
>  % Information related to '91.123.16.0 - 91.123.31.255'
>
>  inetnum: 91.123.16.0 - 91.123.31.255
>  netname: TRCODINTSOVO-NET
>  descr: TRC Odintsovo
>  country: RU
>  org: ORG-MCtO1-RIPE
>  admin-c: AYO8-RIPE
>  tech-c: AYO8-RIPE
>  status: ASSIGNED PI
>  mnt-by: TRCODINTSOVO-MNT
>  mnt-by: RIPE-NCC-HM-PI-MNT
>  mnt-lower: RIPE-NCC-HM-PI-MNT
>  mnt-routes: TRCODINTSOVO-MNT
>  mnt-domains: TRCODINTSOVO-MNT
>  source: RIPE # Filtered
>
>  organisation: ORG-MCtO1-RIPE
>  org-name: MUP Center teleradiocompany Odintsovo
>  org-type: OTHER
>  descr: MUP Center teleradiocompany Odintsovo
>  address: 10, Govorova str.,
>  address: Odintsovo, Moscow district
>  address: Russian Federation
>  phone: +7 495 5907235
>  fax-no: +7 495 5907000
>  e-mail: info () trc-odintsovo ru
>  admin-c: AYO8-RIPE
>  tech-c: AYO8-RIPE
>  mnt-ref: TRCODINTSOVO-MNT
>  mnt-by: TRCODINTSOVO-MNT
>  source: RIPE # Filtered
>
>  person: Andrew Y. Ostrouhov
>  address: 10, Govorova str.,
>  address: Odintsovo city, Moscow district
>  address: Russian Federation
>  phone: +7 495 5907355
>  fax-no: +7 495 5907000
>  e-mail: ao () trc-odintsovo ru
>  nic-hdl: AYO8-RIPE
>  mnt-by: TRCODINTSOVO-MNT
>  source: RIPE # Filtered
>
>  % Information related to '91.123.16.0/20AS42011'
>
>  route: 91.123.16.0/20
>  descr: TRC Odintsovo
>  origin: AS42011
>  mnt-by: TRCODINTSOVO-MNT
>  source: RIPE # Filtered
>
>
>
>  91.195.124.20:
>
>  % Information related to '91.195.124.0 - 91.195.125.255'
>
>  inetnum: 91.195.124.0 - 91.195.125.255
>  netname: LEADERHOST2-NET
>  descr: LiderHost Ltd.
>  country: RU
>  org: ORG-LL27-RIPE
>  admin-c: AVM23-RIPE
>  tech-c: AVM23-RIPE
>  status: ASSIGNED PI
>  mnt-by: LEADERHOST-MNT
>  mnt-by: RIPE-NCC-HM-PI-MNT
>  mnt-lower: RIPE-NCC-HM-PI-MNT
>  mnt-routes: LEADERHOST-MNT
>  mnt-routes: RU-WEBALTA-MNT
>  mnt-domains: LEADERHOST-MNT
>  source: RIPE # Filtered
>
>  organisation: ORG-LL27-RIPE
>  org-name: LeaderHost Ltd.
>  org-type: OTHER
>  descr: LeaderHost Ltd.
>  address: 1, Aivazovskogo str.,
>  address: Moscow, Russia
>  phone: +7 495 5895552
>  fax-no: +7 495 5895552
>  e-mail: admin () leaderhost ru
>  admin-c: AVM23-RIPE
>  tech-c: AVM23-RIPE
>  mnt-ref: LEADERHOST-MNT
>  mnt-by: LEADERHOST-MNT
>  source: RIPE # Filtered
>
>  person: Andrey V Matveev
>  address: 1, Aivazovskogo str.,
>  address: Moscow, Russia
>  phone: +7 495 5895552
>  fax-no: +7 495 5895552
>  e-mail: admin () leaderhost ru
>  nic-hdl: AVM23-RIPE
>  mnt-by: LEADERHOST-MNT
>  source: RIPE # Filtered
>
>  % Information related to '91.195.124.0/23AS41947'
>
>  route: 91.195.124.0/23
>  descr: LeaderHost
>  origin: AS41947
>  mnt-by: RU-WEBALTA-MNT
>  source: RIPE # Filtered
>
>
>
>  64.191.78.229:
>
>  OrgName: Network Operations Center Inc.
>  OrgID: NOC
>  Address: PO Box 591
>  City: Scranton
>  StateProv: PA
>  PostalCode: 18501-0591
>  Country: US
>
>  ReferralServer: rwhois://rwhois.hostnoc.net:4321/
>
>  NetRange: 64.191.0.0 - 64.191.127.255
>  CIDR: 64.191.0.0/17
>  NetName: HOSTNOC-3BLK
>  NetHandle: NET-64-191-0-0-1
>  Parent: NET-64-0-0-0-0
>  NetType: Direct Allocation
>  NameServer: NS1.HOSTNOC.NET
>  NameServer: NS2.HOSTNOC.NET
>  Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
>  RegDate: 2002-05-31
>  Updated: 2003-08-08
>
>  RTechHandle: SMA4-ARIN
>  RTechName: Arcus, S. Matthew
>  RTechPhone: +1-570-343-8551
>  RTechEmail: nic () hostnoc net
>
>  OrgTechHandle: SMA4-ARIN
>  OrgTechName: Arcus, S. Matthew
>  OrgTechPhone: +1-570-343-8551
>  OrgTechEmail: nic () hostnoc net
>
>  # ARIN WHOIS database, last updated 2008-03-11 19:10
>  # Enter ? for additional hints on searching ARIN's WHOIS database.
>
>
>
>  203.117.170.40:
>
>  % [whois.apnic.net node-2]
>  % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
>
>  inetnum: 203.117.0.0 - 203.117.255.255
>  netname: STARHUBINTERNET-SG
>  descr: root
>  country: SG
>  admin-c: NS110-AP
>  tech-c: NS110-AP
>  mnt-by: MAINT-AS4657-AP
>  status: ALLOCATED NON-PORTABLE
>  changed: admin_ipdb () starhub com 20070605
>  source: APNIC
>
>  person: NOC SHI
>  nic-hdl: NS110-AP
>  e-mail: noc () starhub com
>  address: 19 TaiSeng Drive
>  address: Singapore 535222
>  phone: +65 6825 7878
>  fax-no: +65 6821 6012
>  country: SG
>  changed: ipadmin () starhub com 20060607
>  mnt-by: MAINT-AS4657-AP
>  source: APNIC
>
>
>
>  195.93.218.25:
>
>  % Information related to '195.93.218.0 - 195.93.219.255'
>
>  inetnum: 195.93.218.0 - 195.93.219.255
>  netname: BUILDHOUSE-NET
>  descr: Buildhouse Ltd.
>  country: RU
>  org: ORG-BL54-RIPE
>  admin-c: TIO4-RIPE
>  tech-c: TIO4-RIPE
>  status: ASSIGNED PI
>  remarks: - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>  remarks: Routing issues: ipadm () airhouse su
>  remarks: DNS issues: nsmaster () airhouse su
>  remarks: Mail issues: postmaster () airhouse su
>  remarks: SPAM&SCAN issues (PLEASE ONLY TO): abuse () airhouse su
>  remarks: News issues: postmaster () airhouse su
>  remarks: Customer support: helpdesk () airhouse su
>  remarks: Commercial issues: sp () airhouse su
>  remarks: - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>  mnt-by: RIPE-NCC-HM-PI-MNT
>  mnt-by: MNT-BUILDHOUSE
>  mnt-lower: RIPE-NCC-HM-PI-MNT
>  mnt-routes: MNT-BUILDHOUSE
>  mnt-domains: MNT-BUILDHOUSE
>  source: RIPE # Filtered
>
>  organisation: ORG-BL54-RIPE
>  org-name: Buildhouse Ltd.
>  org-type: OTHER
>  address: 109240, Russia, Moscow, Radischevskaya verhnyaya str., h. 13/15
>  e-mail: info () airhouse su
>  mnt-ref: MNT-BUILDHOUSE
>  mnt-by: MNT-BUILDHOUSE
>  source: RIPE # Filtered
>
>  person: Tsheptyev Igor Olegovich
>  address: 109240, Russia, Moscow, Radischevskaya verhnyaya str., h. 13/15
>  phone: +7 495 5684114
>  nic-hdl: TIO4-RIPE
>  source: RIPE # Filtered
>
>  % Information related to '195.93.218.0/23AS44394'
>
>  route: 195.93.218.0/23
>  descr: Buildhouse Ltd.
>  origin: AS44394
>  mnt-by: MNT-BUILDHOUSE
>  source: RIPE # Filtered
>
>
>  85.255.116.206:
>
>  % Information related to '85.255.112.0 - 85.255.127.255'
>
>  inetnum: 85.255.112.0 - 85.255.127.255
>  netname: UkrTeleGroup
>  descr: UkrTeleGroup Ltd.
>  admin-c: UA481-RIPE
>  tech-c: UA481-RIPE
>  country: UA
>  org: ORG-UL25-RIPE
>  status: ASSIGNED PI
>  mnt-by: RIPE-NCC-HM-PI-MNT
>  mnt-lower: RIPE-NCC-HM-PI-MNT
>  mnt-by: UKRTELE-MNT
>  mnt-routes: UKRTELE-MNT
>  mnt-domains: UKRTELE-MNT
>  source: RIPE # Filtered
>
>  organisation: ORG-UL25-RIPE
>  org-name: UkrTeleGroup Ltd.
>  org-type: LIR
>  address: UkrTeleGroup Ltd.
>  Mechnikova 58/5
>  65029 Odessa
>  Ukraine
>  phone: +380487311011
>  fax-no: +380487502499
>  mnt-ref: UKRTELE-MNT
>  mnt-ref: RIPE-NCC-HM-MNT
>  mnt-by: RIPE-NCC-HM-MNT
>  source: RIPE # Filtered
>
>  person: Andrew Sotov
>  address: Mechnikova 58/5 65029 Odessa
>  abuse-mailbox: abuse () ukrtelegroup com ua
>  phone: +380631508855
>  nic-hdl: UA481-RIPE
>  source: RIPE # Filtered
>
>
>  - - ferg
>
>  -----BEGIN PGP SIGNATURE-----
>  Version: PGP Desktop 9.6.3 (Build 3017)
>
>  wj8DBQFH11Hoq1pz9mNUZTMRAp4pAJ9NszAJMEchAUSjNC2q1lWJeqdvWwCfcrwb
>  gaAVfYoBHitYQsv0brcFJrI=
>  =xuiI
>  -----END PGP SIGNATURE-----
>
>
>
>  --
>  "Fergie", a.k.a. Paul Ferguson
>   Engineering Architecture for the Internet
>   fergdawg(at)netzero.net
>   ferg's tech blog: http://fergdawg.blogspot.com/
>
>
>  _______________________________________________
>  Fun and Misc security discussion for OT posts.
>  https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>  Note: funsec is a public and open mailing list.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.