Monday, January 21, 2013

Research on /forum/links/column.php



The current IP of choice is 91.224.135.20


Similar Types hosted at:

Recent IP Addresses Hosting This Garbage:

Historical IPs Hosting "/forum/links/column.php"

Alphabetical list of reported/known domains hosting this pattern:

Recently Checked Known Redirectors - whether they are live (in the original post, sites followed immediately by a red marker are live)


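The liveness checks above are read off squid-style proxy log lines. As an added example (not code from the original post), the script below parses lines of that shape, matches them against the two URL patterns the post tracks (the `:8080/forum/links/*.php` landing pages and the `/wlc.htm` redirectors) and reports which redirector hosts still answer; the sample log lines are constructed and their hostnames are placeholders. It also separates TCP_DENIED lines, which only show that the proxy's own ACL blocked the request, from genuine origin responses.

```python
import re
from collections import Counter

# Squid-style log lines as in the post: <result>/<status> <bytes> <method> <url>
LOG_RE = re.compile(r"^(?P<result>[A-Z_]+)/(?P<status>\d{3}) +\d+ +[A-Z]+ +(?P<url>\S+)")
# The two URL shapes from the post: :8080 landing pages and /wlc.htm redirectors.
LANDING_RE = re.compile(r"^https?://[^/]+:8080/forum/links/(column|public_version|abc)\.php")
REDIRECT_RE = re.compile(r"^https?://[^/]+/wlc\.htm$")

def classify(line):
    """Return (kind, host, verdict) for a line that hits a pattern, else None.
    verdict: 'live' (2xx/3xx from the origin), 'dead' (4xx/5xx from the origin), or
    'proxy-denied' (TCP_DENIED: the proxy's own ACL refused the request, so the
    line says nothing about whether the remote host is still up)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    if LANDING_RE.match(url):
        kind = "landing"
    elif REDIRECT_RE.match(url):
        kind = "redirector"
    else:
        return None
    host = url.split("/")[2]  # host[:port] component of the URL
    if m.group("result") == "TCP_DENIED":
        verdict = "proxy-denied"
    elif m.group("status")[0] in "23":
        verdict = "live"
    else:
        verdict = "dead"
    return kind, host, verdict

def summarize(lines):
    """Count (kind, verdict) pairs and list redirector hosts that still answer."""
    counts, live = Counter(), set()
    for kind, host, verdict in filter(None, map(classify, lines)):
        counts[(kind, verdict)] += 1
        if kind == "redirector" and verdict == "live":
            live.add(host)
    return counts, sorted(live)

# Constructed sample lines: the hostnames are placeholders, not from the post.
SAMPLE = [
    "TCP_IMS_HIT/304 320 GET http://redir-a.example/wlc.htm",
    "TCP_DENIED/403 1425 GET http://landing.example:8080/forum/links/column.php",
    "TCP_MISS/404 468 GET http://redir-b.example/wlc.htm",
    "TCP_MISS/200 661 GET http://www.redir-c.example/wlc.htm",
    "TCP_MISS/200 5120 GET http://benign.example/index.html",  # not a hit
]
```

Feeding a real access log through `summarize` gives a per-pattern tally plus the redirector hosts worth notifying their owners about; a 304 counts as live because the proxy still holds a copy the origin confirmed is current.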


Whois - I'm loving the gmail address

Network Whois record

Queried whois.ripe.net with "-B 91.224.135.20"...
% Information related to '91.224.134.0 - 91.224.135.255'

inetnum:        91.224.134.0 - 91.224.135.255
netname:        PROSERVIS-NET
descr:          Proservis UAB
country:        LT
org:            ORG-UP13-RIPE
admin-c:        PJ2859-RIPE
tech-c:         MD138-RIPE
status:         ASSIGNED PI
notify:         ipas.master@gmail.com
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         MNT-ALFATELECOM
mnt-by:         MNT-PROSERVIS-LT
mnt-lower:      RIPE-NCC-END-MNT
mnt-routes:     MNT-PROSERVIS-LT
mnt-domains:    MNT-PROSERVIS-LT
changed:        ipas.master@gmail.com 20110302
source:         RIPE

route:          91.224.134.0/23
descr:          PROSERVIS
origin:         AS56413
mnt-by:         MNT-PROSERVIS-LT
changed:        marius@proservis.lt 20110405
source:         RIPE


Reported Recent Redirectors
Note: other redirectors are possible.


I've never visited Lithuania.


References:
URLQuery
Cleanmx
Generated intelligence

Tuesday, January 15, 2013

Data Dump - 115,000 suspicious URLs

I recently discovered a published list of suspicious URLs containing over 115,000 links. This list came from a compromised box where the C drive was published online, accidentally.

The list itself is a nice reference for patterns and use cases, including 7,000+ .exe files, paypal phishing links, pastehtml.com links and all kinds of redirectors. Some of these are valid, some of them are taken down. Some of these are super malicious, some of them are unknown.

It should be stated that this list was grabbed from a repository of files on a compromised box which was accidentally published online. Not every link is live, but all these links were in a directory referenced by malware samples of a likely TDS infection.

I have gone through many of them, but I decided to publish the entire list.

Sharing is caring.

FULL URL LIST

EXEs ONLY

Screencap of dump file, available at links above.