[nsp-sec] UPC NL & iBurst Phising - (Hosted in AS3595)
Rob Thomas
robt at cymru.com
Thu Sep 3 13:28:15 EDT 2009
Hi, Stijn!
Thanks for the heads up!
> Bulk mode; whois.cymru.com [2009-09-03 10:29:23 +0000]
> 3595 | 72.9.224.34 | GNAXNET-AS - Global Net Access, LLC
We see 72.9.224.34 hosting phishing sites dating back to 2009-03-12
22:45:00 UTC. As of 2009-07-29 12:46:23 UTC we found a malware URL on
it as well.
We see the following DNS RRs pointed to 72.9.224.34 last month.
stamp | qname | class | type | rdata
--------------------- -------------------------------- ------- ------ -------------
2009-08-18 13:37:29 | actualeyes.com | IN | A | 72.9.224.34
2009-08-11 08:57:02 | americanfascistmovement.com | IN | A | 72.9.224.34
2009-08-19 15:31:45 | artbyginny.com | IN | A | 72.9.224.34
2009-08-25 20:20:15 | bethanyb.net | IN | A | 72.9.224.34
2009-08-18 15:09:30 | blancarte.com | IN | A | 72.9.224.34
2009-08-25 13:47:12 | brokenn.com | IN | A | 72.9.224.34
2009-08-03 06:05:17 | brookfieldpapillons.com | IN | A | 72.9.224.34
2009-08-18 12:37:19 | campmaidenrock.com | IN | A | 72.9.224.34
2009-08-31 17:20:36 | control4u.com | IN | A | 72.9.224.34
2009-08-02 00:50:24 | cynthiacoxcpa.com | IN | A | 72.9.224.34
2009-08-02 08:57:40 | daniellelouiz.com | IN | A | 72.9.224.34
2009-08-18 13:57:33 | dnaspeedometers.com | IN | A | 72.9.224.34
2009-08-10 09:05:43 | dogtok.com | IN | A | 72.9.224.34
2009-08-25 09:23:32 | donney.com | IN | A | 72.9.224.34
2009-08-25 13:35:50 | drainriteplumbing.com | IN | A | 72.9.224.34
2009-08-18 18:55:47 | drwilliamdiaz.com | IN | A | 72.9.224.34
2009-08-03 09:12:20 | eagleholidaysafrica.com | IN | A | 72.9.224.34
2009-08-02 13:41:45 | eduquilters.org | IN | A | 72.9.224.34
2009-08-05 11:33:28 | footfamily.com | IN | A | 72.9.224.34
2009-08-25 15:18:03 | globaltarget-mkt.com | IN | A | 72.9.224.34
2009-08-18 23:44:37 | hadleytwp.com | IN | A | 72.9.224.34
2009-08-28 19:45:25 | honeygirlwaterwear.com | IN | A | 72.9.224.34
2009-08-31 15:53:54 | hyyellowsoulfashions.com | IN | A | 72.9.224.34
2009-08-18 14:39:32 | inthu.com | IN | A | 72.9.224.34
2009-08-21 21:00:24 | jhallphoto.com | IN | A | 72.9.224.34
2009-08-11 17:20:39 | katzkasting.com | IN | A | 72.9.224.34
2009-08-19 13:22:22 | kisimasafaris.com | IN | A | 72.9.224.34
2009-08-31 03:00:49 | lipmanpc.com | IN | A | 72.9.224.34
2009-08-25 12:39:39 | margueritesbedandbreakfast.com | IN | A | 72.9.224.34
2009-08-05 15:27:20 | micro-dos.com | IN | A | 72.9.224.34
2009-08-25 15:43:32 | milemeadfisheries.com | IN | A | 72.9.224.34
2009-08-02 14:31:54 | ns1.onestopwebhost.com | IN | A | 72.9.224.34
2009-08-07 01:05:44 | onestopwebhost.com | IN | A | 72.9.224.34
2009-08-09 05:35:28 | oryxsafaris.com | IN | A | 72.9.224.34
2009-08-28 16:09:36 | rally-days.com | IN | A | 72.9.224.34
2009-08-07 01:05:35 | redcapedesign.com | IN | A | 72.9.224.34
2009-08-01 13:35:43 | roemers.be | IN | A | 72.9.224.34
2009-08-18 21:39:26 | scpsoftware.com | IN | A | 72.9.224.34
2009-08-12 17:20:12 | tcmbc.org | IN | A | 72.9.224.34
2009-08-25 12:43:33 | thesoulofgreatwines.com | IN | A | 72.9.224.34
2009-08-18 19:50:44 | thinkafricatours.com | IN | A | 72.9.224.34
2009-08-25 14:00:39 | tornimages.com | IN | A | 72.9.224.34
2009-08-18 18:41:06 | tourwebafrica.com | IN | A | 72.9.224.34
2009-08-25 13:42:34 | trailfindersafrica.com | IN | A | 72.9.224.34
2009-08-18 13:50:45 | wcdlawhawaii.com | IN | A | 72.9.224.34
2009-08-02 00:50:26 | widescopetours.com | IN | A | 72.9.224.34
We see the following DNS RRs pointed to 72.9.224.34 this month.
stamp | qname | class | type | rdata
--------------------- ----------------------------- ------- ------ -------------
2009-09-01 09:36:32 | americanfascistmovement.com | IN | A | 72.9.224.34
2009-09-01 12:35:15 | brookfieldpapillons.com | IN | A | 72.9.224.34
2009-09-01 14:08:34 | control4u.com | IN | A | 72.9.224.34
2009-09-01 05:22:49 | dogtok.com | IN | A | 72.9.224.34
2009-09-01 15:43:45 | donney.com | IN | A | 72.9.224.34
2009-09-01 01:58:25 | jhallphoto.com | IN | A | 72.9.224.34
2009-09-02 16:03:29 | katzkasting.com | IN | A | 72.9.224.34
2009-09-01 09:12:56 | ministeriodanzadeluz.com | IN | A | 72.9.224.34
2009-09-01 01:36:57 | ns1.onestopwebhost.com | IN | A | 72.9.224.34
2009-09-01 06:20:45 | roemers.be | IN | A | 72.9.224.34
2009-09-01 15:37:00 | scpsoftware.com | IN | A | 72.9.224.34
It appears to be a Linux box running Apache/1.3.41 (Unix) PHP/4.4.7
mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8
FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
ASSERT(coffee != empty);
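An added example, not part of Rob's message or of Team Cymru's own tooling: a small Python parser for the pipe-delimited passive-DNS rows in the two tables above (stamp | qname | class | type | rdata), followed by a comparison of the August and September windows to see which names kept resolving to 72.9.224.34, which appeared, and which dropped off. The embedded rows are a subset copied from the tables in this message; the column order and the two windows are the only assumptions.

```python
"""Parse pipe-delimited passive-DNS rows and compare two observation windows
for a single rdata address. Added example; not Team Cymru code."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class DnsRecord:
    stamp: datetime
    qname: str
    rclass: str
    rtype: str
    rdata: str


def parse_pdns_table(text: str) -> list[DnsRecord]:
    """Turn 'stamp | qname | class | type | rdata' lines into records.
    Header and dashed separator lines are skipped; any other line that does
    not have exactly five columns is rejected rather than silently dropped."""
    records: list[DnsRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if fields[0].lower() == "stamp":
            continue  # column header
        if len(fields) != 5:
            raise ValueError(f"unexpected column count: {line!r}")
        stamp = datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S")
        # Normalise owner names so 'Foo.com.' and 'foo.com' compare equal.
        qname = fields[1].lower().rstrip(".")
        records.append(DnsRecord(stamp, qname, fields[2], fields[3], fields[4]))
    return records


def names_for(records: list[DnsRecord], rdata: str, rtype: str = "A") -> set[str]:
    """All owner names whose record of the given type points at rdata."""
    return {r.qname for r in records if r.rdata == rdata and r.rtype == rtype}


def compare_windows(earlier: list[DnsRecord], later: list[DnsRecord], rdata: str) -> dict[str, list[str]]:
    """Which names persisted across both windows, which are new, which are gone."""
    before, after = names_for(earlier, rdata), names_for(later, rdata)
    return {
        "persisting": sorted(before & after),
        "new": sorted(after - before),
        "gone": sorted(before - after),
    }


# Subset of the August rows from the message above (copied, not constructed).
LAST_MONTH_TEXT = """\
stamp | qname | class | type | rdata
--------------------- -------------------------------- ------- ------ -------------
2009-08-18 13:37:29 | actualeyes.com | IN | A | 72.9.224.34
2009-08-11 08:57:02 | americanfascistmovement.com | IN | A | 72.9.224.34
2009-08-31 17:20:36 | control4u.com | IN | A | 72.9.224.34
2009-08-10 09:05:43 | dogtok.com | IN | A | 72.9.224.34
2009-08-02 14:31:54 | ns1.onestopwebhost.com | IN | A | 72.9.224.34
2009-08-07 01:05:44 | onestopwebhost.com | IN | A | 72.9.224.34
2009-08-01 13:35:43 | roemers.be | IN | A | 72.9.224.34
2009-08-18 21:39:26 | scpsoftware.com | IN | A | 72.9.224.34
"""

# Subset of the September rows from the message above (copied, not constructed).
THIS_MONTH_TEXT = """\
stamp | qname | class | type | rdata
--------------------- ----------------------------- ------- ------ -------------
2009-09-01 09:36:32 | americanfascistmovement.com | IN | A | 72.9.224.34
2009-09-01 14:08:34 | control4u.com | IN | A | 72.9.224.34
2009-09-01 05:22:49 | dogtok.com | IN | A | 72.9.224.34
2009-09-01 09:12:56 | ministeriodanzadeluz.com | IN | A | 72.9.224.34
2009-09-01 01:36:57 | ns1.onestopwebhost.com | IN | A | 72.9.224.34
2009-09-01 15:37:00 | scpsoftware.com | IN | A | 72.9.224.34
"""

LAST_MONTH = parse_pdns_table(LAST_MONTH_TEXT)
THIS_MONTH = parse_pdns_table(THIS_MONTH_TEXT)

if __name__ == "__main__":
    for key, names in compare_windows(LAST_MONTH, THIS_MONTH, "72.9.224.34").items():
        print(f"{key:10s} {len(names):3d}  {', '.join(names)}")
```

The hoster's own name (onestopwebhost.com) and a nameserver name (ns1.onestopwebhost.com) sit in the same list as the phishing host, which is the usual signature of shared hosting: a block on the bare address would take down every unrelated tenant listed above, so the comparison is meant to scope a takedown or blocklist entry to the offending names, not to justify blocking the IP.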