SANS just recommended removing certain IP ranges from block lists:
Based on feedback from Intercage customers, we no longer recommend blocking them. Please let us know if you see any problems from 220.127.116.11/19 and we will try to facilitate contact and a resolution.
The IP ranges in question are:
InterCage Inc.: 18.104.22.168/19 (22.214.171.124 – 126.96.36.199)
Inhoster: 188.8.131.52/20 (184.108.40.206 – 220.127.116.11)
While we rarely disagree with our friends at SANS, we do NOT recommend removing these ranges, at least not 18.104.22.168/19. This is a live bad range.
placid @ treffend.com
Or this one:
And let's not forget the very evil Vcodec, http://www.vicodec(dot)com (22.214.171.124), which is responsible for SpyAxe, SpyStriker, desktop hijacks, pop-up advertising, toolbar installs, and all that fun.
As for the 126.96.36.199/20 range, it is hosting live malicious files, and even the sites that look normal make calls to the Russian servers in the 195.* and 85.* ranges:
- dirty-rape(dot)com calls in the rotating 188.8.131.52 IP, which ends up running a WMF exploit and installing the infestation.
- 184.108.40.206 dirty-rape(dot)com calls in an iframe: 220.127.116.11/inc/yfuzz.html
- 18.104.22.168/inc/yfuzz.html redirects to: 22.214.171.124/?to=yfuzz&from=in
- 126.96.36.199/?to=yfuzz&from=in calls: 188.8.131.52/users/fill/web/count.php?id=yfuzz
- 184.108.40.206/users/fill/web/count.php?id=yfuzz, in an iframe, runs 220.127.116.11/users/fill/web/xxx.wmf
- The WMF then calls out to 18.104.22.168/users/smell/web/sex.
85.255.114.* is also a bad range (Wuster Ltd sites running WMF exploits).
However, 22.214.171.124 through 126.96.36.199 may be clean.
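The last hop in the chain above is a .wmf file pulled into an iframe. The WMF exploit of that period (MS06-001) worked by placing a META_ESCAPE record carrying the SETABORTPROC escape in the file, so that GDI treated the record's data as an abort procedure and called it. The script below is an added example, not code from Sunbelt, SANS or any of the sites named above: it walks a WMF's record table and flags that escape, then falls back to a raw byte signature for files whose record sizes have been deliberately corrupted to trip up structured parsers. The sample files are constructed inline and the payload bytes are placeholders, not shellcode.

```python
"""Added example: scan a WMF file for the SETABORTPROC escape used by the
MS06-001 WMF exploit.  Detector and sample files are constructed here; they
are not Sunbelt's or SANS's code, and the samples are not files taken from
the sites discussed above."""
import struct

META_EOF = 0x0000           # rdFunction of the terminating record
META_SETMAPMODE = 0x0103    # a harmless record used for the benign sample
META_ESCAPE = 0x0626        # rdFunction of META_ESCAPE
SETABORTPROC = 0x0009       # escape number that registers an abort procedure
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the 22-byte Aldus placeable header


def _first_record_offset(data):
    """Return the byte offset of the first record, or None if data does not
    start with a plausible WMF header (optionally preceded by a placeable
    header)."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    mt_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or header_words != 9:
        return None
    return off + 18


def walk_records(data):
    """Yield (offset, rdFunction, parameter bytes) for each record.  Stops at
    META_EOF or at the first record whose rdSize is impossible, which is
    exactly where a deliberately malformed exploit file makes a naive parser
    give up."""
    off = _first_record_offset(data)
    if off is None:
        return
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            return
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_setabortproc(data):
    """Return [(method, offset), ...].  'record' hits come from the structured
    walk; 'raw' hits come from the 4-byte signature rdFunction=0x0626,
    EscapeFunction=0x0009 (bytes 26 06 09 00), which still fires when the
    record table is broken.  The raw check can false-positive on arbitrary
    binary data, so treat it as lower confidence."""
    hits, covered = [], set()
    for off, func, params in walk_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params)[0] == SETABORTPROC:
                hits.append(("record", off))
                covered.add(off + 4)  # byte offset of rdFunction
    signature = struct.pack("<HH", META_ESCAPE, SETABORTPROC)
    pos = data.find(signature)
    while pos != -1:
        if pos not in covered:
            hits.append(("raw", pos))
        pos = data.find(signature, pos + 1)
    return hits


# --- constructed sample files (placeholder payload, not real shellcode) ---
def build_record(func, params=b"", size_words=None):
    """Pack one WMF record; size_words can be forced to a bogus value."""
    if len(params) % 2:
        params += b"\x00"
    if size_words is None:
        size_words = (6 + len(params)) // 2
    return struct.pack("<IH", size_words, func) + params


def build_wmf(records):
    """Prepend a minimal 18-byte standard WMF header to the records."""
    body = b"".join(records)
    max_record = max(struct.unpack_from("<I", r)[0] for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max_record, 0)
    return header + body


FAKE_PAYLOAD = b"\x90\x90\xcc\xcc"
EOF = build_record(META_EOF)
MAPMODE = build_record(META_SETMAPMODE, struct.pack("<H", 8))
ESCAPE = build_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC,
                                               len(FAKE_PAYLOAD)) + FAKE_PAYLOAD)
BENIGN_WMF = build_wmf([MAPMODE, EOF])
MALICIOUS_WMF = build_wmf([MAPMODE, ESCAPE, EOF])
# Same escape record with rdSize forced to 1 word (below the minimum of 3),
# mimicking in-the-wild samples that break structured parsers.
MALFORMED_WMF = build_wmf([MAPMODE,
                           build_record(META_ESCAPE, ESCAPE[6:], size_words=1),
                           EOF])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("malicious", MALICIOUS_WMF),
                       ("malformed", MALFORMED_WMF)):
        print(name, find_setabortproc(blob) or "clean")
```

Run it on a real file by replacing the constructed blobs with `open(path, "rb").read()`; a SETABORTPROC escape has no legitimate use inside a metafile on disk, so any hit is worth quarantining regardless of which method reported it.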
Perhaps SANS should instead recommend blocking specific domains and IP addresses:
x-stories.org – 188.8.131.52
zlex.org – 184.108.40.206
And preferably these as well:
noi.themovie.com, which calls x-stories.org – 220.127.116.11
cleanchan.net (formerly fullchain.net) – 18.104.22.168
Or else people with unpatched machines are going to end up looking at this [screenshot] or this [screenshot], depending on the day and time.
(Thanks to Sunbelt researchers Patrick Jordan, Adam Thomas)