Saturday, January 21, 2006

Block access to InterCage and Inhoster

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)

Use your firewall to block access. If you have no firewall, use route commands to divert traffic. Sample route commands (appropriate for some Windows users):
route -p add 69.50.160.0 mask 255.255.224.0 192.168.100.51
route -p add 85.255.112.0 mask 255.255.240.0 192.168.100.51

When the route command is successful there is no response. "192.168.100.51" is an arbitrarily selected and unused IP address on the local network. "192.168.0.51" or "192.168.1.51" may be more appropriate choices, depending upon the local network configuration. The "-p" (persistent) option is not available in Windows 95 or 98.

Why? InterCage and Inhoster are Internet Service Providers (ISPs) that permit malicious web activity. A SANS handler diary entry and the ZDNet malware blog mention this; searching Google Groups for either name, or Google for an individual IP address, turns up more. One especially frightening activity is the substitution of their own name servers for the name servers supplied by the user's ISP, so that the victim's DNS lookups are answered by servers the attackers control.
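As an added example (not code from the original post), the following Python script does the netmask arithmetic the post refers readers to external calculators for, generates the Windows route commands above from the two CIDR blocks, and checks any IP address against those blocks: a machine's configured DNS resolvers (to catch the name-server substitution described above) or the entries in the list that follows. The two ranges and the sink address 192.168.100.51 are the ones given in the post; the sample resolver list is constructed.

```python
import ipaddress

# Ranges named in the post (taken from the page, not constructed).
BLOCKED_RANGES = {
    "InterCage Inc.": ipaddress.ip_network("69.50.160.0/19"),
    "Inhoster": ipaddress.ip_network("85.255.112.0/20"),
}

# Unused local address used as the black-hole next hop, as in the post.
SINK_IP = "192.168.100.51"


def cidr_to_netmask(cidr):
    """Dotted-decimal netmask for a CIDR block, e.g. '69.50.160.0/19' -> '255.255.224.0'."""
    return str(ipaddress.ip_network(cidr, strict=False).netmask)


def route_commands(sink_ip=SINK_IP, persistent=True):
    """Windows 'route add' lines that send each blocked range to the sink address.

    persistent=False omits '-p' for systems (Windows 95/98) where it is not available.
    """
    flag = "-p " if persistent else ""
    return [
        "route %sadd %s mask %s %s" % (flag, net.network_address, net.netmask, sink_ip)
        for net in BLOCKED_RANGES.values()
    ]


def blocked_by(ip):
    """Name of the blocked provider whose range contains ip, or None.

    Raises ValueError if ip is not an IP literal.
    """
    addr = ipaddress.ip_address(ip)
    for name, net in BLOCKED_RANGES.items():
        if addr in net:
            return name
    return None


def host_of(entry):
    """Host part of a list entry such as '85.255.113.22/inc/nan82.html' ('' if empty)."""
    parts = entry.split("/", 1)[0].split()
    return parts[0] if parts else ""


def flag_entries(entries):
    """Map each entry whose host is an IP inside a blocked range to the provider name.

    Hostname entries (for example 'zllin.info/...') are skipped because resolving them
    would need DNS; this function works entirely offline.
    """
    hits = {}
    for entry in entries:
        host = host_of(entry)
        try:
            provider = blocked_by(host)
        except ValueError:  # not an IP literal (hostname or blank entry)
            continue
        if provider:
            hits[entry] = provider
    return hits


def check_resolvers(servers):
    """Configured DNS resolver addresses that fall inside a blocked range.

    A resolver in one of these ranges is the name-server substitution the post warns about.
    """
    return {s: blocked_by(s) for s in servers if blocked_by(s)}


if __name__ == "__main__":
    for cmd in route_commands():
        print(cmd)
    # Constructed sample: a typical home-router resolver plus one of the Inhoster
    # name servers listed in the post.
    sample_resolvers = ["192.168.1.1", "85.255.112.5"]
    print(check_resolvers(sample_resolvers))
    # Entries taken from the post's own list.
    print(flag_entries(["85.255.113.22/inc/nan82.html", "zllin.info/e/us24/jar.jar"]))
```

On a Windows machine the resolver list would be read from the output of ipconfig /all; on a Unix host from /etc/resolv.conf. Any resolver that check_resolvers flags should be replaced with the ISP's or a known-good resolver before the route commands are applied, since the null route would otherwise silently break name resolution as well as block the range.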

Further information about browser attacks:
http://www.mnin.org/

Further information about routing:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/route.mspx
http://spam.abuse.net/adminhelp/ip.shtml
http://www.linuxgazette.com/issue36/tag/a.html
http://www.hackfaq.org/null-route.shtml

Handy "netmask calculators"
http://jodies.de/ipcalc
http://www.csc.fi/english/funet/calc/laskin2.html

Handy network utilities, including a reverse IP lookup
domaintools.com

Inhoster IP addresses known to have been involved in malicious activities:
Address or URL    Role or detection name
85.255.112.5    Name server
85.255.112.6    Name server
85.255.112.7    Name server
85.255.112.10    Name server
85.255.112.11    Name server
85.255.112.103    Name server
85.255.112.116    Name server
85.255.112.119    Name server
85.255.112.120    Name server
85.255.112.182    Name server
85.255.112.200    Name server
85.255.113.10/?to=nan82&from=in
85.255.113.10/?to=zonder&from=in
85.255.113.22/inc/nan82.html    HTML_MHTREDIR.A
85.255.113.22/inc/trove.html
85.255.113.100    Name server
85.255.113.101    Name server
85.255.113.134    Name server
85.255.113.142    Name server
85.255.113.149    Name server
85.255.113.170/345/count3.gif    Backdoor.Sdbot.gen
85.255.113.174/w/adult.wmf    malicious WMF file
85.255.113.212/5/s1s/image.gif
85.255.113.212/5/wind/index.htm    distributes various exploits
85.255.113.212/5/i3.php    distributes various exploits
85.255.113.212/5/sl/payload.ani    Trojan-Downloader.Win32.Ani.b
85.255.113.212/5/s2t/tes.exe    Trojan-Downloader.Win32.Zlob.cc
85.255.113.242/adv/057/count.jar    Exploit.Java.ByteVerify
85.255.114.54    Name server
85.255.114.89    Name server
85.255.114.99    Name server
85.255.114.195    Name server
85.255.115.3    Name server
85.255.115.45    Name server
85.255.115.53    Name server
85.255.115.75    Name server
85.255.115.98    Name server
85.255.115.108    Name server
85.255.115.154    Name server
85.255.115.171/bt/7/wmf/wmf_dcode.wmf    malicious WMF file
85.255.115.171/pa/4/inp.php
85.255.115.174 (updatesecurity.com)    rogue anti-spyware application
85.255.115.226/1/gdnUS1402.exe    SpyAxe rogue anti-spyware application
85.255.115.227/1/gdnUS1402.exe    SpyAxe rogue anti-spyware application
85.255.115.227 also hosts the domains 2awm.com, 2youx.net, awmgate.com, awmnet.com, check-wire.com, find-by-web.com, lab-wire.com, lipdolls.net, netvoine.biz, online-more.com, search4com, zlex.org, zllin.info, and ztrf.net. Paths seen on two of them:
zllin.info/e/us053/e.anr    TROJ_ANICMOO.AD
zllin.info/e/us053/index1.php
zllin.info/e/us053/Anima.class
zllin.info/e/us053/jar.jar
zllin.info/e/us053/index.php
zllin.info/e/us24/e.anr    TROJ_ANICMOO.AD
zllin.info/e/us24/jar.jar
zllin.info/e/us24/Anima.class
zllin.info/e/us24/index.php
zllin.info/e/us24/index1.php
zllin.info/e/us24//main.chm    CHM_MINER.A
zllin.info/e/us26/e.anr    TROJ_ANICMOO.AD
zllin.info/e/us26/index.php
zllin.info/e/us26/index1.php
zlex.org/fr/?id=us27
zlex.org/fr/tp/?id=us27&tp=lan
zlex.org/new/us27/Anima.class
zlex.org/new/us27/zl.anr    TROJ_ANI.L
zlex.org/per/jara.jar (Gummy.class)    JAVA_BYTEVER.A-1
zlex.org/per/?ct=lan
zlex.org/per/aAnima.class
zlex.org/psg/us27/indexa.php
zlex.org/psg/us27/index.php
zlex.org/psg/us27/psg.anr    TROJ_ANI.H
85.255.115.230/1/gdnUS1402.exe    SpyAxe rogue anti-spyware application
85.255.116.29    Name server
85.255.116.43    Name server
85.255.116.149    Name server
85.255.116.212/pa/inp/inpl.php?id=pt6
85.255.116.213/pa/inp/inpl.php?id=pt4
85.255.117.38/_cnt2.htm    HTML_HTHELP.A
85.255.117.38/cnt8_secret.htm
85.255.117.38/cnt8.ani
85.255.117.38/cnt8.htm    TROJ_ANICMOO.N
85.255.117.38/cnt7_dhycnft.htm
85.255.117.38/site.htm?lng=1&trg=rc
85.255.117.50/pa/1/newe/assemble1.htm
85.255.117.50/pa/1/newe/css.wmf    EXPL_WMF.GEN
85.255.117.50/pa/1/newe/index.ani
85.255.117.50/pa/1/newe/makeit.htm
85.255.117.50/pa/1/newe/prepare.htm    JS_EXPLOIT.AC
85.255.117.50/pa/inp/i.php?id=pa1
85.255.117.51/pa/inp/newver/WkNRT3JrVXl0Sm9BQUVYMVV3RUFBQURV.wmf    EXPL_WMF.GEN
85.255.117.53/pa/inp/img/aC1QUUZVVXl0Sm9BQUdWc2xHNEFBQUZq.html    EXPL_WMF.GEN
85.255.117.53/pa/inp/img/aHA4eE5VVXl0Sm9BQUg2RWZZZ0FBQUpM.html    EXPL_WMF.GEN
85.255.117.53/pa/inp/img/akBVcGVrVXl0Sm9BQUU3eno0MEFBQUo3.wmf    EXPL_WMF.GEN
85.255.117.53/pa/inp/img/bzl6OExrVXl0Sm9BQURLRThQa0FBQUZI.wmf    EXPL_WMF.GEN
85.255.117.52/pa/inp/img/cDlHdGpFVXl0Sm9BQUIzSmV3VUFBQUJD.htm    EXPL_WMF.GEN
85.255.117.53/pa/inp/img/ZXZhVmhVVXl0Sm9BQUR1QkxQSUFBQUZx.wmf    EXPL_WMF.GEN