I’d like to thank LeaseWeb for taking the time to respond to this post. It’s great to hear that they take action quickly once informed of abuse. I found it surprising that they would receive reports of malware and other nefarious activity but with no substantiating evidence. The “fire and forget” mentality of notifying hosts is not effective. If more organizations would take the time to investigate the sites attacking them and provide detailed evidence, the whole community will prosper.
**Edit** Seems this post has already drummed up some interest from several parties.
Let me just start by saying that I am not advocating that any of the hosts discussed here be knocked off the internet. Some people are all for shutting down hosting providers that host a lot of malware, others are not. The aim of this series of posts is to inform the public that there are some other hosts out there worth taking a look at.
Is all of LeaseWeb’s /16 AS bad? Of course not. Do they have a bunch of nefarious customers purchasing service from them? It certainly looks that way, I’m sure policing such a large address space has it’s challenges.
The more people that know where the badness comes from, the better. If there is a case to take down a host, that case comes from the community.
Given the recent interest in web hosts such as MCCOLO and the success that security researchers have achieved in taking them down, I decided to look for others. Over the next several days I will post details on some shady web hosts from various parts of the world. This is by no means a definitive list, it is just a start. Hopefully others in the community will go check their logs/IDS and find more information.
If I had more hosts, maybe I could call this series of articles “The week of shady web hosts”
Today’s host is AS16265 LeaseWeb AS Amsterdam, Netherlands.
netname: LEASEWEB descr: LeaseWeb descr: P.O. Box 93054 descr: 1090BB AMSTERDAM descr: Netherlands descr: www.leaseweb.com remarks: Please send email to "firstname.lastname@example.org" for complaints remarks: regarding portscans, DoS attacks and spam. remarks: INFRA-AW country: NL admin-c: LSW1-RIPE tech-c: LSW1-RIPE status: ASSIGNED PA mnt-by: OCOM-MNT changed: email@example.com 20071015 source: RIPE Information related to '126.96.36.199/16AS16265' route: 188.8.131.52/16 descr: LEASEWEB origin: AS16265 remarks: LeaseWeb mnt-by: OCOM-MNT changed: firstname.lastname@example.org 20050311 changed: email@example.com 20070610 source: RIPE
We’ve got exploits and hostile payloads from several IPs in their ranges.
I haven’t had a chance to get virus total results however.
184.108.40.206 - 220.127.116.11 18.104.22.168 - 22.214.171.124 126.96.36.199 - 188.8.131.52 184.108.40.206 - 220.127.116.11 IP Date Domain/IP URL 18.104.22.168 2008-12-08 ad-adnet.net /xrun.tmp (exe payload) 2008-11-06 infonews.ath.cx /data.pdf (exploit) 22.214.171.124 2008-12-01 www.golfinau.com /stat/index.htm (exploit) 126.96.36.199 2008-12-09 securefilecourier.com /downloadsetupws.php (exe payload) 188.8.131.52 2008-10-14 www.zifirgad.info /n_fia/pdf.php (exploit) 184.108.40.206 2008-12-03 220.127.116.11 /74812/a.php (exe payload) Xentronix network (LeaseWeb) 18.104.22.168 - 22.214.171.124 126.96.36.199 2008-11-05 188.8.131.52 /css/pdf.php (exploit) 184.108.40.206 2008-09-19 220.127.116.11 /gtest2/pdf.php (exploit) 18.104.22.168 2008-10-15 22.214.171.124 /gtest2/pdf.php (exploit)