SANS just recommended removing certain IP ranges from block lists:
Based on feedback from Intercage customers, we no longer recommend blocking them. Please let us know if you see any problems from 188.8.131.52/19 and we will try to facilitate contact and a resolution.
The IP ranges in question are:
InterCage Inc.: 184.108.40.206/19 (220.127.116.11 – 18.104.22.168)
Inhoster: 22.214.171.124/20 (126.96.36.199 – 188.8.131.52)
While we rarely disagree with our friends at SANS, we do NOT recommend removing these ranges, at least not 184.108.40.206/19. This is a live bad range.
placid @ treffend.com
Or this one:
And let's not forget the very evil Vcodec, http://www.vicodec(dot)com (220.127.116.11), which is responsible for SpyAxe, SpyStriker, desktop hijacks, pop-up advertising, toolbar installs, and all that fun.
As regards the 18.104.22.168/20 range, the range is hosting live malicious files, and even the sites that look normal make calls to the 195.* and 85.* Russian servers:
- dirty-rape(dot)com calls in the rotational 22.214.171.124 IP, which ends up running a WMF exploit and infecting the machine.
- 126.96.36.199 dirty-rape.com calls in an iframe: 188.8.131.52/inc/yfuzz.html
- 184.108.40.206/inc/yfuzz.html redirects to: 220.127.116.11/?to=yfuzz&from=in
- 18.104.22.168/?to=yfuzz&from=in calls: 22.214.171.124/users/fill/web/count.php?id=yfuzz
- 126.96.36.199/users/fill/web/count.php?id=yfuzz runs, in an iframe, 188.8.131.52/users/fill/web/xxx.wmf
- The WMF file then calls out to 184.108.40.206/users/smell/web/sex.
85.255.114.* is also a bad range (Wuster Ltd sites running WMF exploits).
However, 220.127.116.11/ to 18.104.22.168 may be clean.
Maybe SANS should recommend blocking specific domains and IP addresses instead:
x-stories.org – 22.214.171.124
zlex.org – 126.96.36.199
And preferably these as well:
Noi.themovie.com that calls the x-stories.org – 188.8.131.52
Cleanchan.net (formerly fullchain.net) – 184.108.40.206
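The distinction the post draws, blocking the named hosts and the WMF redirect chain rather than a whole /19, can be turned into a simple proxy-log triage rule. This is an added example, not code from the original post or from Sunbelt; the domain names are the ones listed above, while the IP addresses, the wide range and the log lines are constructed RFC 5737 documentation values.

```python
import ipaddress
from urllib.parse import urlparse

# Specific indicators named in the post (domains). The IPs below are
# constructed documentation addresses standing in for the post's values.
BLOCK_DOMAINS = {"x-stories.org", "zlex.org", "noi.themovie.com",
                 "cleanchan.net", "dirty-rape.com", "vicodec.com"}
BLOCK_IPS = {ipaddress.ip_address("203.0.113.10"),
             ipaddress.ip_address("203.0.113.11")}
# A broad provider range of the kind the post argues against blocking
# wholesale: hits here are flagged for review, not blocked outright.
WIDE_RANGE = ipaddress.ip_network("198.51.100.0/24")

# Constructed proxy log: "client dest_ip url referer" ("-" = no referer)
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10 http://x-stories.org/ -
10.0.0.6 198.51.100.7 http://normal-site.example/index.html -
10.0.0.7 198.51.100.9 http://198.51.100.9/users/fill/web/xxx.wmf http://198.51.100.9/users/fill/web/count.php?id=yfuzz
10.0.0.8 192.0.2.44 http://shop.example/cart -
"""


def classify(line):
    """Return a verdict for one proxy log line."""
    _client, dest_ip, url, referer = line.split()
    host = (urlparse(url).hostname or "").lower()
    ip = ipaddress.ip_address(dest_ip)
    # 1. Exact indicators: the named domains and their current IPs.
    if host in BLOCK_DOMAINS or ip in BLOCK_IPS:
        return "block:indicator"
    # 2. The chain in the post: a .wmf fetched via a count.php?id=... page.
    if urlparse(url).path.lower().endswith(".wmf") and "count.php" in referer:
        return "block:wmf-chain"
    # 3. Anything else inside the wide range only gets a review flag.
    if ip in WIDE_RANGE:
        return "review:wide-range"
    return "allow"


def triage(log):
    """Classify every non-empty line; returns [(url, verdict), ...]."""
    return [(l.split()[2], classify(l)) for l in log.splitlines() if l.strip()]
```

Run `triage(SAMPLE_LOG)`: the normal-looking site inside the wide range is only flagged for review, while the named domain and the WMF-via-count.php request are blocked.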
Or else people with un-patched machines are going to end up looking at one of these screens, depending on the day and time (screenshots of the resulting infection):
(Thanks to Sunbelt researchers Patrick Jordan, Adam Thomas)