[nsp-sec] Possible Phish web site, oh and malware installer!
Beth Young
youngba at ren-isac.net
Wed Jun 6 09:13:40 EDT 2012
Re: 69.194.196.34
We have seen that IP address multiple times serving up Blackhole
exploit kits.
Re: 209.237.151.17
It has had multiple domains point to it, starting in Dec 2011. At one
time, it was also hosting a phishing site, as well as serving up malware.
Hope that helps!
Beth
On 6/5/2012 6:57 PM, Hicks, Howard wrote:
> ----------- nsp-security Confidential --------
>
> Hey all,
>
> I am looking for any intelligence on IP 209.237.151.17 (this is a
> possible phish URL server) and 69.194.196.34 (this IP
> 69.194.196.34 seems to be a drive-by malware installer).
>
> -bash-2.05b$ whois -h whois.cymru.com 69.194.196.34
>
>> whois -h whois.cymru.com 209.237.151.17
> AS    | IP             | AS Name
> 36476 | 209.237.151.17 | WEB-COM-ASN1 - Web.com, Inc.
>
> AS    | IP             | AS Name
> 14670 | 69.194.196.34  | SOLAR-VPS - Solar VPS
>
> Anyone with information please help.
>
> Thanks
>
> --
>
> Howard Hicks Senior Engineer CenturyLink
> howard.hicks at centurylink.com 612-664-3021 PGP public key
> BB5ECDA6<http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91D85E81BB5ECDA6>
> Available at http://pgp.mit.edu/
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
--
Beth Young, CISSP
soc at ren-isac.net
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630