Select Page

Um, I don’t think so

by | Feb 1, 2006 | Uncategorized | 0 comments

Sans just recommended removing certain IP ranges from block lists:

Update:
Based on feedback from Intercage customers, we no longer recommend to block them. Please let us know if you see any problems from 69.50.160.0/19 and we will try to facility contact and a resolution.

Link here.

The IP ranges in question are:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 – 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 – 85.255.127.255)

While we rarely disagree with our friends at SANs, we do NOT recommend removing these ranges, at least not 69.50.160.0/19.  This is a live bad range.

Examples:

Blocklist21390

kristinapollard.com 69.50.188.36
Andy Placid      
London  GB      
placid @ treffend.com

Or this one:

Blocklist123

And let’s not forget the very evil Vcodec, http://www.vicodec(dot)com (69.50.160.61), which is responsible for SpyAxe, SpyStriker, desktop hijacks, pop-up advertising, toolbar installs, and all that fun.

As regards the 85.255.112.0/20 range, the IP range is hosed with live files and the sites that look normal also make calls to the 195 and 85 of the Russian servers:

  • dirty-rape(dot)com calls in the rotational 85.255.113.22 IP that will end up running a wmf exploit and infestation. 
  • 69.50.161.169 dirty-rape.com calls in Iframe:85.255.113.22/inc/yfuzz.html
  •  85.255.113.22/inc/yfuzz.html redirects to: 85.255.113.10/?to=yfuzz&from=in
  •  85.255.113.10/?to=yfuzz&from=in calls: 85.255.113.83/users/fill/web/count.php?id=yfuzz
  •  85.255.113.83/users/fill/web/count.php?id=yfuzz in Iframe runs 85.255.113.83/users/fill/web/xxx.wmf
  •  The wmf calls to 85.255.113.84/users/smell/web/sex.

85.255.114.* is also a bad site (Wuster Ltd sites running wmf exploits). 

However, 85.255.112.0/ to 85.255.112.255 may be clean.

Maybe SANS should recommend to blocking specific domains and IP address instead. 

For example:

x-stories.org – 69.50.187.19
zlex.org – 85.255.115.227
85.255.116.213
85.255.117.51

And preferably these as well:

Noi.themovie.com that calls the x-stories.org – 69.50.187.19
Cleanchan.net – (formally fullchain.net) -195.255.177.21

Or else people with un-patched machines are going to end up looking at this

Ablock21390

or this, depending on the day and time:

Spyware219808fsa

 

Alex Eckelberry
(Thanks to Sunbelt researchers Patrick Jordan, Adam Thomas)

Submit a Comment

Your email address will not be published. Required fields are marked *