Author Topic: Suspicious site what malware there?  (Read 3719 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

adotd

  • Guest
Re: Suspicious site what malware there?
« Reply #1 on: September 10, 2012, 07:21:15 PM »

Theo Peterbroers

  • Guest
Re: Suspicious site what malware there?
« Reply #2 on: September 10, 2012, 07:33:06 PM »
Now everybody is scanning that site. Sucuri could not connect.

EDIT
http://centralops.net/co/DomainDossier.aspx?addr=93.114.45.84&dom_dns=1&dom_whois=1&net_whois=1

domain or IP address    93.114.45.84
canonical name          ixam-hosting.com.
addresses               108.162.197.79  108.162.197.179

Still don't know how to read this, how do we get from 93.114 to 108.162?
« Last Edit: September 10, 2012, 07:42:18 PM by Kwartet! »

Offline polonus

Re: Suspicious site what malware there?
« Reply #3 on: September 10, 2012, 07:40:50 PM »
@adotd

Yep, that was why it was flagged here: http://hosts-file.net/?s=ultimatehacks.net
EMD high risk site
So then we land here: http://www.ipvoid.com/scan/93.114.45.84
Conflicting opinions given here:
1 by Dareks67 08/15/2012
Malicious content, viruses

hpHosts classifies the site as "EMD"
- sites engaged in malware distribution
http://hosts-file.net/?s=Browse&f=EMD

2 by saberclaw34 08/10/2012
Good site
This is my host, somebody hosted malware here once, please do not think this is a malicious site :(

But the IP has a history of malware: Blackhole injecting malware, Java malcode & phishing - see: http://urlquery.net/report.php?id=171399

So be vigilant, where there is smoke apparently there is ...........

@Kwartet!  Are we that popular?

pol

Theo Peterbroers

  • Guest
Re: Suspicious site what malware there?
« Reply #4 on: September 10, 2012, 07:57:52 PM »
Transfer in, transfer out. Guess those other urls have also some interesting stuff?
Transfer is likely the reason for "how do we get from 93.114 to 108.162"?

http://www.dailychanges.com/ixam-hosting.com/2012-09-10/

Currently displaying 3 of 3 domain names registered on September 10, 2012 and hosted at the nameserver ixam-hosting.com.

Domain Name
easyresolver.com
forum-reviews.com
upload-sell.com

Currently displaying 3 of 3 domain names transferred into ixam-hosting.com on September 10, 2012.

Domain Name           Transferred From
ultimatehacks.net     name-services.com
winiphone4s.net       downtownhost.com
xxxbanger.com         ukrnames.com

Currently displaying 2 of 2 domain names transferred away from ixam-hosting.com on September 10, 2012.

Domain Name           Transferred To
diamondhosting.net    cloudflare.com
strangebooter.com     main-hosting.com

Theo Peterbroers

  • Guest
Re: Suspicious site what malware there?
« Reply #5 on: September 10, 2012, 08:45:41 PM »
Following up; checked on urlquery.net:

easyresolver.com     http://urlquery.net/report.php?id=171592  No alerts
forum-reviews.com    http://urlquery.net/report.php?id=171596  No alerts
upload-sell.com      http://urlquery.net/report.php?id=171609  No alerts
xxxbanger.com        http://urlquery.net/report.php?id=171620  No alerts

winiphone4s.net      http://urlquery.net/report.php?id=171613  No alerts, WOT warning

diamondhosting.net   http://urlquery.net/report.php?id=171627  No alerts,
now cloudflare.com, increasing badness: http://sitevet.com/db/asn/AS13335

ultimatehacks.net    http://urlquery.net/report.php?id=171399  [not by me]
ET RBN Known Russian Business Network IP (353),
ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request name-services.com

strangebooter.com    http://urlquery.net/report.php?id=171635
ET RBN Known Russian Business Network IP (204)
"Exchange Paypal, Exchange Bank Wire, Exchange Pecunix, Exchange Bitcoin, Exchange Liberty Reserve"
Rogue payment site?

Offline polonus

Re: Suspicious site what malware there?
« Reply #6 on: September 10, 2012, 10:02:08 PM »
Hi Kwartet!,

What you point out is the normal migration procedure for these kinds of domains. They always comply when found out, and then open up shop somewhere else.
These are also the migration patterns you see on Netpilot's daily archives and abuse dot ch. As you analyze Urlquery dot net for previous scans on the same IP or for the AS, or when you do a search query for the alerted IDS flags from Suricata/Emerging Threats and/or Snort in combination with urlquery, you find a lot of interesting interlinking sites. Also interesting is a Project Honeypot IP query, see here: http://www.projecthoneypot.org/ip_93.114.45.84
Then also pay attention to associated harvesters mentioned there and what is being spread.....

Main line of business: banking trojans, malvertising, spam, etc....

polonus
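The pivoting that Reply #5 does by hand (one urlquery report per domain, noting IDS signature names and reputation flags) and that Reply #6 describes in general (search the same IP/AS and the alerted IDS flags to find interlinking sites) can be scripted once the records are collected. The Python below is an added example, not code from this thread or from any of the services it mentions: every record is constructed to mirror the dailychanges and urlquery lines quoted above, nothing is fetched, and the severity weights per signature family are this example's own assumptions.

```python
"""Watchlist pivot on shared hosting infrastructure.

Added example: join the records an analyst collects by hand (domain
transfers into and out of a hosting nameserver, IDS signature names from
URL scans, reputation flags) and rank the linked domains. All records are
CONSTRUCTED for illustration; severity weights are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DomainIntel:
    domain: str
    moved_from: Optional[str] = None          # host the domain transferred away from
    moved_to: Optional[str] = None            # host the domain transferred to
    alerts: List[str] = field(default_factory=list)            # IDS signature names
    reputation_flags: List[str] = field(default_factory=list)  # e.g. "WOT warning"


# Assumed severity per signature family (prefix match on the alert name).
SEVERITY = {
    "ET CURRENT_EVENTS": 3,   # exploit-kit / drive-by traffic is the strongest signal
    "ET RBN": 2,              # known bad-neighbourhood address space
}
FLAG_WEIGHT = 1               # each reputation flag (WOT, hpHosts, ...) adds one point

# Constructed sample set, modelled on the dailychanges and urlquery lines in the thread.
SAMPLE: List[DomainIntel] = [
    DomainIntel("ultimatehacks.net", moved_from="name-services.com",
                alerts=["ET RBN Known Russian Business Network IP",
                        "ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby"]),
    DomainIntel("winiphone4s.net", moved_from="downtownhost.com",
                reputation_flags=["WOT warning"]),
    DomainIntel("xxxbanger.com", moved_from="ukrnames.com"),
    DomainIntel("easyresolver.com"),
    DomainIntel("strangebooter.com", moved_to="main-hosting.com",
                alerts=["ET RBN Known Russian Business Network IP"]),
    DomainIntel("diamondhosting.net", moved_to="cloudflare.com"),
]


def alert_weight(alert: str) -> int:
    """Map an IDS signature name to a severity; unknown families still count 1."""
    for prefix, weight in SEVERITY.items():
        if alert.startswith(prefix):
            return weight
    return 1


def score(rec: DomainIntel) -> int:
    """Sum of alert severities plus one point per reputation flag."""
    return sum(alert_weight(a) for a in rec.alerts) + FLAG_WEIGHT * len(rec.reputation_flags)


def rank_watchlist(records: List[DomainIntel]) -> List[Tuple[str, int]]:
    """Domains ordered by score (highest first), alphabetical within a tie."""
    return sorted(((r.domain, score(r)) for r in records), key=lambda t: (-t[1], t[0]))


def signature_pivot(records: List[DomainIntel], needle: str) -> List[str]:
    """The 'search on the alerted IDS flag' step: domains sharing a signature."""
    return sorted(r.domain for r in records if any(needle in a for a in r.alerts))


def host_neighbours(records: List[DomainIntel]) -> Dict[str, List[str]]:
    """Group domains by the hosts they transferred between (the interlinking view)."""
    by_host: Dict[str, set] = defaultdict(set)
    for r in records:
        for host in (r.moved_from, r.moved_to):
            if host:
                by_host[host].add(r.domain)
    return {h: sorted(d) for h, d in by_host.items()}


def tainted_hosts(records: List[DomainIntel]) -> List[str]:
    """Hosts that gained or shed at least one domain with a non-zero score."""
    hot = {r.domain for r in records if score(r) > 0}
    return sorted(h for h, doms in host_neighbours(records).items() if hot & set(doms))


if __name__ == "__main__":
    for domain, s in rank_watchlist(SAMPLE):
        print(f"{s:2d}  {domain}")
    print("shares 'ET RBN':", signature_pivot(SAMPLE, "ET RBN"))
    print("hosts to watch:", tainted_hosts(SAMPLE))
```

The ranking puts the domain with exploit-kit traffic on top and the "clean" transfers at the bottom, and `tainted_hosts` surfaces the previous or next hosting providers of anything that scored, which is the list an analyst would feed back into the next round of IP/AS lookups. The weights are deliberately crude; the point is that a shared host or a shared signature name is the join key, not the individual score.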