Sources of Badness – LeaseWeb

**Edit 2**

I’d like to thank LeaseWeb for taking the time to respond to this post. It’s great to hear that they take action quickly once informed of abuse. I found it surprising that they would receive reports of malware and other nefarious activity but with no substantiating evidence. The “fire and forget” mentality of notifying hosts is not effective. If more organizations would take the time to investigate the sites attacking them and provide detailed evidence, the whole community would prosper.

**Edit** Seems this post has already drummed up some interest from several parties.

Let me just start by saying that I am not advocating that any of the hosts discussed here be knocked off the internet. Some people are all for shutting down hosting providers that host a lot of malware, others are not. The aim of this series of posts is to inform the public that there are some other hosts out there worth taking a look at.

Is all of LeaseWeb’s /16 AS bad? Of course not. Do they have a bunch of nefarious customers purchasing service from them? It certainly looks that way; I’m sure policing such a large address space has its challenges.

The more people that know where the badness comes from, the better. If there is a case to take down a host, that case comes from the community.

**Edit**

Given the recent interest in web hosts such as McColo and the success that security researchers have achieved in taking them down, I decided to look for others. Over the next several days I will post details on some shady web hosts from various parts of the world. This is by no means a definitive list; it is just a start. Hopefully others in the community will go check their logs/IDS and find more information.

If I had more hosts, maybe I could call this series of articles “The week of shady web hosts” :)
Today’s host is AS16265 LeaseWeb AS Amsterdam, Netherlands.

netname:        LEASEWEB
descr:          LeaseWeb
descr:          P.O. Box 93054
descr:          1090BB AMSTERDAM
descr:          Netherlands
descr:          www.leaseweb.com
remarks:        Please send email to "abuse@leaseweb.com" for complaints
remarks:        regarding portscans, DoS attacks and spam.
remarks:        INFRA-AW
country:        NL
admin-c:        LSW1-RIPE
tech-c:         LSW1-RIPE
status:         ASSIGNED PA
mnt-by:         OCOM-MNT
changed:        ripe@leaseweb.com 20071015
source:         RIPE

Information related to '85.17.0.0/16AS16265'

route:          85.17.0.0/16
descr:          LEASEWEB
origin:         AS16265
remarks:        LeaseWeb
mnt-by:         OCOM-MNT
changed:        ripe@ocom.com 20050311
changed:        ripe@ocom.com 20070610
source:         RIPE

We’ve got exploits and hostile payloads from several IPs in their ranges.
I haven’t had a chance to get VirusTotal results yet, however.

85.17.212.0 - 85.17.212.255
85.17.162.0 - 85.17.162.255
85.17.189.0 - 85.17.189.255
85.17.238.0 - 85.17.238.255

| IP | Date | Domain/IP | URL | Type |
| --- | --- | --- | --- | --- |
| 85.17.162.100 | 2008-12-08 | ad-adnet.net | /xrun.tmp | exe payload |
| 85.17.162.100 | 2008-11-06 | infonews.ath.cx | /data.pdf | exploit |
| 85.17.212.137 | 2008-12-01 | www.golfinau.com | /stat/index.htm | exploit |
| 85.17.212.134 | 2008-12-09 | securefilecourier.com | /downloadsetupws.php | exe payload |
| 85.17.189.153 | 2008-10-14 | www.zifirgad.info | /n_fia/pdf.php | exploit |
| 85.17.238.144 | 2008-12-03 | 85.17.238.144 | /74812/a.php | exe payload |

Xentronix network (LeaseWeb)
85.17.166.128 - 85.17.166.255

| IP | Date | Domain/IP | URL | Type |
| --- | --- | --- | --- | --- |
| 85.17.166.139 | 2008-11-05 | 85.17.166.139 | /css/pdf.php | exploit |
| 85.17.166.229 | 2008-09-19 | 85.17.166.229 | /gtest2/pdf.php | exploit |
| 85.17.166.231 | 2008-10-15 | 85.17.166.231 | /gtest2/pdf.php | exploit |
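As an added example (not part of the original post), here is a small Python script that files the observations above against the netblocks listed in this post and the /16 route object from the RIPE output, so that a report to the host's abuse desk carries the date, URL and payload type rather than a bare "your IP attacked us". The ranges and observations are copied from this page; the grouping and the report format are my own.

```python
import ipaddress
from collections import defaultdict

# Route object from the RIPE output on this page.
ANNOUNCED_ROUTE = ipaddress.ip_network("85.17.0.0/16")

# Netblocks listed in the post (the /25 is the Xentronix sub-allocation).
LISTED_RANGES = [ipaddress.ip_network(n) for n in (
    "85.17.212.0/24", "85.17.162.0/24", "85.17.189.0/24",
    "85.17.238.0/24", "85.17.166.128/25",
)]

# Observations copied from the post's tables: (ip, date, host, path, kind).
OBSERVATIONS = [
    ("85.17.162.100", "2008-12-08", "ad-adnet.net", "/xrun.tmp", "exe payload"),
    ("85.17.162.100", "2008-11-06", "infonews.ath.cx", "/data.pdf", "exploit"),
    ("85.17.212.137", "2008-12-01", "www.golfinau.com", "/stat/index.htm", "exploit"),
    ("85.17.212.134", "2008-12-09", "securefilecourier.com", "/downloadsetupws.php", "exe payload"),
    ("85.17.189.153", "2008-10-14", "www.zifirgad.info", "/n_fia/pdf.php", "exploit"),
    ("85.17.238.144", "2008-12-03", "85.17.238.144", "/74812/a.php", "exe payload"),
    ("85.17.166.139", "2008-11-05", "85.17.166.139", "/css/pdf.php", "exploit"),
    ("85.17.166.229", "2008-09-19", "85.17.166.229", "/gtest2/pdf.php", "exploit"),
    ("85.17.166.231", "2008-10-15", "85.17.166.231", "/gtest2/pdf.php", "exploit"),
]

def matching_range(ip):
    """Most specific listed netblock containing ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    hits = [net for net in LISTED_RANGES if addr in net]
    return max(hits, key=lambda net: net.prefixlen) if hits else None

def build_report(observations):
    """Group evidence lines by netblock, one report per block to the host.
    Addresses outside the announced /16 are skipped (different provider);
    URLs are defanged (hxxp) so the mailed report carries no live links."""
    report = defaultdict(list)
    for ip, date, host, path, kind in observations:
        if ipaddress.ip_address(ip) not in ANNOUNCED_ROUTE:
            continue
        block = matching_range(ip) or ANNOUNCED_ROUTE
        report[str(block)].append(f"{date} {ip} hxxp://{host}{path} ({kind})")
    return dict(report)

if __name__ == "__main__":
    for block, lines in sorted(build_report(OBSERVATIONS).items()):
        print(f"Abuse report for {block}: {len(lines)} observation(s)")
        for line in lines:
            print("  " + line)
```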

8 comments to Sources of Badness – LeaseWeb

  • Hi “RealSecurity”,

    After reading your blog entry, I (as LeaseWeb’s Security Officer) felt the need to reply.

    As you probably know LeaseWeb is one of the largest dedicated hosters in the world; we own more than 15.000 servers, and offer colocation to another 6000. Currently our traffic volume is peaking at about 255 Gbit/sec. Our size means we can offer clients a very good price, however it also means that due to the size of our infrastructure many types of abuse are ‘present’ within our AS. LeaseWeb understands that due to its size there is the need for a dedicated Security Officer who is responsible for handling these types of abuse, hence my hiring I guess. LeaseWeb prides itself on being a good ‘netizen’, therefore your blog entry paints the wrong picture of LeaseWeb.

    Please allow me to address the listed sites and the action we took:

    ad-adnet.net; On December 3rd we received a message about a user being attacked from that ip#, however we never received a response to our request for details about the specifics (url/malware location).

    infonews.ath.cx; On November 12th 09:37 CET we received a detailed report about this site, at 11:25 CET our customer reported the sites as removed.

    http://www.golfinau.com; On December 1st we received a message about a user being attacked from that ip#, however we never received a response to our request for details about the specifics (url/malware location).

    securefilecourier.com; We received a spamhaus notice on 12 Dec 2008 10:13, customer has been informed.

    http://www.zifirgad.info; We received a message from AusCert on 28 Nov 2008 05:00:25 UT, the site was removed 28 Nov 2008 23:47:31 +0300

    85.17.238.144; On November 10th we received a message about a user being attacked from that ip#, however we never received a response to our request for details about the specifics (url/malware location).

    85.17.166.13; On December 5th we received a message about a user being attacked from that ip#, however we never received a response to our request for details about the specifics (url/malware location).

    85.17.166.229; we never received a complaint about this site;

    85.17.166.231; we never received a complaint about this site.

    As you can see, LeaseWeb does not allow these websites to operate unhindered; our policy is to take down such websites, and it is an effective policy as you saw above. We request more information about a website if it is not obvious what the trojaned URL is, therefore we ask the complainant to provide more information; if he does reply with the requested information there is a 100% chance the website gets killed. So I feel any comparison with McColo is totally unwarranted.

    If you want to help get rid of these websites, please report them to LeaseWeb so we can take action; not reporting them to LeaseWeb only exposes more innocent people to these nefarious activities.

    Best Regards,

    Alex de Joode
    Security Officer
    LeaseWeb B.V.

    E: a[dot]dejoode leaseweb [] com
    W: http://www.leaseweb.com/

  • George Heering

    Alex,

    The bulk of the attacks create TCP connections to “hosted-by.leaseweb.com”, and ultimately this is part of a bigger security threat — search engine redirects. It is troubling that these threats originate from within your own data centers.

    If you are asking for a specific URL or domain that I would like removed altogether, it would be all servers, pages, and devices under that IP. This is the domain that each of the infected computers in my organization was connecting directly to upon becoming infected.

    -George.

  • Rune Jensen

    I do not have _any_ patience whatsoever with LeaseWeb. Just blocked the entire IP range.

  • A Doyle

    Seems the attacks have started again.. looks like LeaseWeb are either in cahoots or allowing their servers to be part of bot networks (hosted-by.leaseweb.com).. multiple connections to our servers..

    Whole range now blocked and reported.

  • Azzouz Nezar

    I am glad to come across this article regarding abuse from LeaseWeb customers.

    Below is my correspondence with LeaseWeb security people.

    ----- Original Message -----
    From: “zzz”
    To:
    Sent: Wednesday, May 04, 2011 10:13 AM
    Subject: Re: [ts #1133444] Abuse!

    >I forgot to add the following:
    > zeeMachine:1324 hosted-by.leaseweb.com:http TIME_WAIT
    >
    > This occurs whenever the iexplorer is invoked (see below).
    >
    >
    > ----- Original Message -----
    > From: “zzz”
    > To:
    > Sent: Wednesday, May 04, 2011 7:27 AM
    > Subject: Re: [ts #1133444] Abuse!
    >
    >
    >> IP: 85.17.216.105
    >> You can also ping it from your end!
    >>
    >> ----- Original Message -----
    >> From: “LeaseWeb – Security ”
    >> To:
    >> Sent: Wednesday, May 04, 2011 3:15 AM
    >> Subject: [ts #1133444] Abuse!
    >>
    >>
    >> Hello,
    >>
    >>> I have had some issues with my PC lately. “Some virus” runs Internet
    >>> Explorer in the background to make connections to http://r-
    >>> ads.info. When I tracked this link I found that it is hosted by
    >>> Leaseweb! I may have to report this site (http://r-ads.info) as
    >>> well as Leaseweb for bad business!
    >>
    >> Please provide more information, i.e. IP address.
    >>
    >> Kind regards,
    >>
    >> (LeaseWeb person)
    >> LeaseWeb – Security
    >>
    >>

  • Michelle Erbeck

    We have a customer who has had a LeaseWeb DoS attack twice in a month, with them refusing to put a block in their network from accessing the victim’s network block. The list posted above by others is not complete; their ASN has made other network blocks, which we will later post a complete list of so others can filter their entire ASN.

  • Sim

    Here is an update from 2011. I contacted abuse@leasweb.com and a reply came back 2 days later requesting that, since the IP address is under their US abusecenter, I should contact them directly. There was no microsecond of thought to forward my urgent report to their US abusecenter. Why bother publishing the abuse report details in whois if you cannot fulfill the obligation? Anyway, I forwarded to the US abusecenter as directed and it is now about 1 week and no response. Maybe the head office abusecenter knew something better – if they forwarded my message and get no response they are held responsible.

    It is now my belief that a majority of ISPs do not take their duty of care seriously, just because they get many reports a day. In fact, I believe that if ISPs do not act satisfactorily, these ISPs are actually encouraging illegal system intrusions. Do not use the word ‘hacking’ as it makes a mockery of the seriousness of the illegal activity.

    You would think all the king’s men and horses for one of the world’s largest ISPs could configure a better workflow process to fulfill their statutory duty of care.

    I am still waiting.

  • Tom

    I simply blocked their complete subnet on my servers. I honestly do not care how many systems they run. If they do not care about/stop the criminal attacks and continue making their money with criminals, I will not allow any of their IPs to connect to any of my servers.