SANS just recommended removing certain IP ranges from block lists:
Based on feedback from Intercage customers, we no longer recommend blocking them. Please let us know if you see any problems from 22.214.171.124/19 and we will try to facilitate contact and a resolution.
The IP ranges in question are:
InterCage Inc.: 126.96.36.199/19 (188.8.131.52 – 184.108.40.206)
Inhoster: 220.127.116.11/20 (18.104.22.168 – 22.214.171.124)
While we rarely disagree with our friends at SANS, we do NOT recommend removing these ranges, at least not 126.96.36.199/19. This is a live bad range. For example:
placid @ treffend.com (screenshot not reproduced here)
Or this one (screenshot not reproduced here):
And let’s not forget the very evil Vcodec, http://www.vicodec(dot)com (188.8.131.52), which is responsible for SpyAxe, SpyStriker, desktop hijacks, pop-up advertising, toolbar installs, and all that fun.
As regards the 184.108.40.206/20 range, the IP range is hosting live malicious files, and the sites that look normal also make calls to the 195.x and 85.x Russian servers:
- dirty-rape(dot)com calls in the rotating 220.127.116.11 IP, which ends up running a WMF exploit and infecting the machine.
- 18.104.22.168 dirty-rape.com calls in an iframe: 22.214.171.124/inc/yfuzz.html
- 126.96.36.199/inc/yfuzz.html redirects to: 188.8.131.52/?to=yfuzz&from=in
- 184.108.40.206/?to=yfuzz&from=in calls: 220.127.116.11/users/fill/web/count.php?id=yfuzz
- 18.104.22.168/users/fill/web/count.php?id=yfuzz runs, in an iframe, 22.214.171.124/users/fill/web/xxx.wmf
- The WMF calls out to 126.96.36.199/users/smell/web/sex.
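The chain above is the typical shape of a 2006-era drive-by: a landing page pulls in a hidden iframe, which bounces through a redirect and a hit counter before serving the WMF file. The following is an added example, not code from the Sunbelt post: an offline tracer that walks such a chain in the same way a researcher would, following iframe/frame sources, HTTP-style redirects and meta refreshes, stopping when it hits a non-HTML payload and checking that payload for a WMF header. FAKE_SITE is a constructed in-memory stand-in for the chain; the hostnames and paths are placeholders, not the real servers named in the post.

```python
"""Offline tracer for a drive-by iframe/redirect chain.

Added example, not code from the post. FAKE_SITE is a constructed, in-memory
stand-in for the chain described above (landing page -> hidden iframe ->
redirect -> counter page -> iframe -> .wmf). Hostnames and paths are
placeholders. fetch(url) is anything that returns one of
("redirect", location), ("html", body), ("binary", bytes), or None.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed responses. Real WMF files start with either the standard header
# 01 00 09 00 or the "placeable" header D7 CD C6 9A; the payload below is a
# fake with just that header.
FAKE_SITE = {
    "http://landing.example/": ("html",
        '<html><body><h1>Stories</h1>'
        '<iframe src="http://hop1.example/inc/yfuzz.html" '
        'width="0" height="0"></iframe></body></html>'),
    "http://hop1.example/inc/yfuzz.html": ("redirect",
        "http://hop2.example/?to=yfuzz&from=in"),
    "http://hop2.example/?to=yfuzz&from=in": ("html",
        '<html><head><meta http-equiv="refresh" '
        'content="0; url=/users/fill/web/count.php?id=yfuzz"></head></html>'),
    "http://hop2.example/users/fill/web/count.php?id=yfuzz": ("html",
        '<html><body><iframe src="xxx.wmf"></iframe></body></html>'),
    "http://hop2.example/users/fill/web/xxx.wmf": ("binary",
        b"\xd7\xcd\xc6\x9a" + b"\x00" * 18),
}


class _RefParser(HTMLParser):
    """Collects the URLs a page loads without any user interaction."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame") and a.get("src"):
            self.refs.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=target"; split at the first "="
            _, sep, target = (a.get("content") or "").partition("=")
            if sep:
                self.refs.append(target.strip())


def looks_like_wmf(data):
    """True if the bytes carry a standard or placeable WMF header."""
    return data[:4] in (b"\x01\x00\x09\x00", b"\xd7\xcd\xc6\x9a")


def trace_chain(start, fetch, max_hops=10):
    """Follow the first automatic reference on each hop.

    Returns the URLs visited in order. Stops at a non-HTML payload, a dead
    end, a loop, or after max_hops."""
    chain = [start]
    seen = {start}
    url = start
    for _ in range(max_hops):
        resp = fetch(url)
        if resp is None:
            break
        kind, payload = resp
        if kind == "redirect":
            nxt = urljoin(url, payload)
        elif kind == "html":
            parser = _RefParser()
            parser.feed(payload)
            if not parser.refs:
                break
            nxt = urljoin(url, parser.refs[0])  # relative src resolved here
        else:
            break  # binary payload: end of the chain
        if nxt in seen:
            break  # loop guard
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain


def exploit_payloads(chain, fetch):
    """URLs in the chain whose bytes carry a WMF header."""
    hits = []
    for url in chain:
        resp = fetch(url)
        if resp and resp[0] == "binary" and looks_like_wmf(resp[1]):
            hits.append(url)
    return hits


def hosts_in_chain(chain):
    """Hostnames the chain touches: candidates for a host-level block list,
    as opposed to blocking a whole /19."""
    return sorted({urlparse(u).hostname for u in chain})


if __name__ == "__main__":
    chain = trace_chain("http://landing.example/", FAKE_SITE.get)
    for hop in chain:
        print(hop)
    print("WMF payloads:", exploit_payloads(chain, FAKE_SITE.get))
    print("hosts:", hosts_in_chain(chain))
```

The tracer follows only the first reference on each page; a real page may carry several iframes, so a production version would branch on every reference and carry the parent URL along. Swapping FAKE_SITE.get for a real fetcher that returns the same tuples is all that is needed to run it against a live chain.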
85.255.114.* is also a bad range (Wuster Ltd sites running WMF exploits).
However, 188.8.131.52 to 184.108.40.206 may be clean.
Maybe SANS should recommend blocking specific domains and IP addresses instead:
x-stories.org – 220.127.116.11
zlex.org – 18.104.22.168
And preferably these as well:
Noi.themovie.com, which calls x-stories.org – 22.214.171.124
Cleanchan.net (formerly fullchain.net) – 126.96.36.199
Or else people with unpatched machines are going to end up looking at this (screenshot not reproduced here)
or this, depending on the day and time (screenshot not reproduced here):
(Thanks to Sunbelt researchers Patrick Jordan, Adam Thomas)