Sources of Badness – LeaseWeb
**Edit 2**
I’d like to thank LeaseWeb for taking the time to respond to this post. It’s great to hear that they take action quickly once informed of abuse. I found it surprising that they would receive reports of malware and other nefarious activity but with no substantiating evidence. The “fire and forget” mentality of notifying hosts is not effective. If more organizations would take the time to investigate the sites attacking them and provide detailed evidence, the whole community will prosper.
**Edit** Seems this post has already drummed up some interest from several parties.
Let me just start by saying that I am not advocating that any of the hosts discussed here be knocked off the internet. Some people are all for shutting down hosting providers that host a lot of malware, others are not. The aim of this series of posts is to inform the public that there are some other hosts out there worth taking a look at.
Is all of LeaseWeb’s /16 AS bad? Of course not. Do they have a bunch of nefarious customers purchasing service from them? It certainly looks that way; I’m sure policing such a large address space has its challenges.
The more people that know where the badness comes from, the better. If there is a case to take down a host, that case comes from the community.
**Edit**
Given the recent interest in web hosts such as MCCOLO and the success that security researchers have achieved in taking them down, I decided to look for others. Over the next several days I will post details on some shady web hosts from various parts of the world. This is by no means a definitive list, it is just a start. Hopefully others in the community will go check their logs/IDS and find more information.
If I had more hosts, maybe I could call this series of articles “The week of shady web hosts”.
Today’s host is AS16265 LeaseWeb AS Amsterdam, Netherlands.
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to "abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
changed: ripe@leaseweb.com 20071015
source: RIPE

Information related to '85.17.0.0/16AS16265'

route: 85.17.0.0/16
descr: LEASEWEB
origin: AS16265
remarks: LeaseWeb
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20050311
changed: ripe@ocom.com 20070610
source: RIPE
We’ve got exploits and hostile payloads from several IPs in their ranges.
I haven’t had a chance to get VirusTotal results yet, however.
85.17.212.0 - 85.17.212.255
85.17.162.0 - 85.17.162.255
85.17.189.0 - 85.17.189.255
85.17.238.0 - 85.17.238.255
| IP | Date | Domain/IP | URL |
|---|---|---|---|
| 85.17.162.100 | 2008-12-08 | ad-adnet.net | /xrun.tmp (exe payload) |
| | 2008-11-06 | infonews.ath.cx | /data.pdf (exploit) |
| 85.17.212.137 | 2008-12-01 | www.golfinau.com | /stat/index.htm (exploit) |
| 85.17.212.134 | 2008-12-09 | securefilecourier.com | /downloadsetupws.php (exe payload) |
| 85.17.189.153 | 2008-10-14 | www.zifirgad.info | /n_fia/pdf.php (exploit) |
| 85.17.238.144 | 2008-12-03 | 85.17.238.144 | /74812/a.php (exe payload) |
Xentronix network (LeaseWeb)
85.17.166.128 - 85.17.166.255

| IP | Date | Domain/IP | URL |
|---|---|---|---|
| 85.17.166.139 | 2008-11-05 | 85.17.166.139 | /css/pdf.php (exploit) |
| 85.17.166.229 | 2008-09-19 | 85.17.166.229 | /gtest2/pdf.php (exploit) |
| 85.17.166.231 | 2008-10-15 | 85.17.166.231 | /gtest2/pdf.php (exploit) |

Hi “RealSecurity”,
After reading your blog entry, I (as LeaseWeb’s Security Officer) felt the need to reply.
As you probably know LeaseWeb is one of the largest dedicated hosters in the world, we own more than 15.000 servers, and offer colocation to another 6000. Currently our traffic volume is peaking at about 255 Gbit/sec. Our size means we can offer clients a very good price, however it also means that due to the size of our infrastructure many types of abuse are ‘present’ within our AS. LeaseWeb understands that due to its size there is the need for a dedicated Security Officer who is responsible for handling these types of abuse, hence my hiring I guess. LeaseWeb prides itself on being a good ‘netizen’ therefore your blog entry paints the wrong picture of LeaseWeb.
Please allow me to address the listed sites and the action we took:
ad-adnet.net; On December 3rd we received a message about a user being attacked from that ip#, however we never received a response to our request for details about the specifics (url/malware location).
infonews.ath.cx; On November 12th 09:37 CET we received a detailed report about this site, at 11:25 CET our customer reported the sites as removed.
http://www.golfinau.com; On December 1st we received a message about a user being attacked from that ip#, however we never received a response to our request for details about the specifics (url/malware location).
securefilecourier.com; We received a spamhaus notice on 12 Dec 2008 10:13, customer has been informed.
http://www.zifirgad.info; We received a message from AusCert on 28 Nov 2008 05:00:25 UT, the site was removed 28 Nov 2008 23:47:31 +0300
85.17.238.144; On November 10th we received a message about a user being attacked from that ip#, however we never received a response to our request for details about the specifics (url/malware location).
85.17.166.13; On December 5th we received a message about a user being attacked from that ip#, however we never received a response to our request for details about the specifics (url/malware location).
85.17.166.229; we never received a complaint about this site;
85.17.166.231; we never received a complaint about this site.
As you can see, LeaseWeb does not allow these websites to operate unhindered, our policy is to take down such websites, and it is an effective policy as you saw above. We request more information about a website, if it is not obvious what the trojaned URL is, therefore we ask the complainee to provide more information, if he does reply with the requested there is a 100% chance the website gets killed. So I feel any comparison with McColo is totally unwarranted.
If you want to help get rid of these websites, please report them to LeaseWeb so we can take action, not reporting them to LeaseWeb only exposes more innocent people to these nefarious activities.
Best Regards,
Alex de Joode
Security Officer
LeaseWeb B.V.
E: a[dot]dejoode leaseweb [] com
W: http://www.leaseweb.com/
Alex,
The bulk of the attacks create TCP connections to “hosted-by.leaseweb.com”, and ultimately this is part of a bigger security threat — search engine redirects. It is troubling that these threats originate from within your own data centers.
If you are asking for specific URL or Domain that I would like removed altogether, it would be all servers, pages, and devices under that IP. This is the domain that each of the infected computers in my organization were connecting directly to upon becoming infected.
-George.
I do not have _any_ patience whatsoever with LeaseWeb. Just blocked the entire IP range.