2012
11.20

Fake shops for Gucci & co. on 205.189.72.71, with a lot of different domains

After cleaning, our database contains over 7.000 URLs linked to the IP 205.189.72.71, and that IP hosts only fake shops for Gucci, UGG and other bag brands:

For the IP address 205.189.72.71 the abuse contact is the following (from arin.net):


OrgAbuseHandle: ABUSE540-ARIN
OrgAbuseName:   Abuse Desk
OrgAbusePhone:  +1-705-872-1310
OrgAbuseEmail:  info@publicroot.org
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE540-ARIN

And the address is unavailable; the mail server rejects it:


# telnet smtp.secureserver.net 25
Trying 72.167.238.201...
Connected to smtp.secureserver.net.
Escape character is '^]'.
helo blocklist.de
220 p3pismtp01-043.prod.phx3.secureserver.net ESMTP
250 p3pismtp01-043.prod.phx3.secureserver.net
mail from:<abuse@blocklist.de>
250 sender <abuse@blocklist.de> ok
rcpt to:<info@publicroot.org>
550 #5.1.0 Address rejected.

So, we don't report the site/IP....

We have exported the current domains/URLs linked to this IP to the download folder:

https://www.blocklist.de/downloads/urls/205.189.72.71.txt

2012
11.17

Earlier we found a phishing site that blocks a lot of IP ranges from the phishing site.
Now we found one again, but with more IPs:


## USER IP BANNING
order allow,deny
deny from 199.15.234.21
deny from 91.207.4
deny from 120.
deny from 184.22.48.18
deny from 83.
deny from 80.26.132.167
deny from 92.244.
deny from 91.202
deny from 208.
deny from 123.
deny from 98.
deny from 157.
deny from 113
deny from 97.
deny from 74.55.73.74
deny from 17.
deny from 66.45.237.122
deny from 69.195.136.106
deny from 93.115
deny from 157.55.116.31
deny from 222.
deny from 68.
deny from 59.
deny from 182.40
deny from 182.
deny from 64.72.56.130
deny from 93.182.133.140
deny from 46.17
deny from 46.4
deny from 195.190.13.62
deny from 92.241
deny from 91.224
deny from 90.156.203.101
deny from 64.182.62.57
deny from 211.48.190.80
deny from 121.125.67.27
deny from 91.98.99.162
deny from 194.219.107.203
deny from 81.95.96.163
deny from 12.183.2.69
deny from 69.10.151.98
deny from 164.46.245.120
deny from 213.148.182.69
deny from 190.6.160.54
deny from 90.156.203.102
deny from 91.212.226.114
deny from 66.249.71.118
deny from 209.99.234.37
deny from 180.125.218.248
deny from 209.
deny from 182.50.141.198
deny from 81.25.60.106
deny from 66.249.71.118
deny from 173.203
deny from 98.204.175.129
deny from 157
deny from 118.127.29.172
deny from 70.32.97.156
deny from 219
deny from 95.
deny from 178.
deny from 78.106.194.36
deny from 74.204.
deny from 218
deny from 24.98.52.108
deny from 72.55.176.232
deny from 41.
deny from 212.88.118.181
deny from 69.64.32.202
deny from 61.158.167.52
deny from 46.109.192.225
deny from 190.
deny from 80.
deny from 98.
deny from 64.233.172.1
deny from 24.
deny from 76.
deny from 91.202.57.24
deny from 93.104.
deny from 115.
deny from 205.134.252.112
deny from 80.
deny from 94.136.38.121
deny from 109.
deny from 95.166
deny from 203.
deny from 124.
deny from 173.
deny from 64.
deny from 31.
deny from 77.
deny from 221.203.
deny from 91.210.105.223
deny from 91.212.226.210
deny from 69.162.
deny from 204.45
deny from 224.
deny from 98.198.
deny from 216.
deny from 69.
deny from 72.
deny from 193.200
deny from 222.73.173.115
deny from 216.245.216.230
deny from 64.235.
deny from 190.120.231.158
deny from 141.76.45.35
deny from 205.186.130.170
deny from 205.209.
deny from 217.116.8.82
deny from 67.228.204.44
deny from 125.181
deny from 67.
deny from 74.
deny from 93.166
deny from 67.228.
deny from 64.118.86.50
deny from 72.167.131.145
deny from 189.73.112.198
deny from 97.74
deny from 58.22.101.247
deny from 193.202.
deny from 74.204.168.185
deny from 24.
deny from 94.41
deny from 212.92.23.142
deny from 193.105.210.162
deny from 79.
deny from 67.23.226.77
deny from 4.79.181.232
deny from 67.228.160.66
deny from 109.
deny from 122.155.3.124
deny from 97.74.144.126
deny from 67.210.122.
deny from 190.152.
deny from 176.
deny from 149.
deny from 195.
deny from 66.
deny from 62.
deny from 89.
deny from 84.
deny from 193.
deny from 130.
deny from 50.
deny from 93.
deny from 91.
deny from 199.
deny from 118.
deny from 125.
deny from 128.
deny from 58.
deny from 195.
deny from 194.
allow from all

order allow,deny
allow from all

And he logs all accesses too, like this:
promo/acessos/16-11-2012 – 186.241.xxx.xxx.txt
promo/acessos/17-11-2012 – 201.86.xxx.xxx.txt

The bad thing is, you can see the phishing site was online for two days before we received any information.

2012
11.14

New RBL mirror online. Now we have 5 mirrors, 2 in the USA, 3 in Germany

Today we have put the fifth RBL mirror online.
Now we have 2 mirrors in the USA (1 x New York, 1 x Los Angeles) and 3 mirrors in Germany (1 x Munich, 2 x Falkenstein).
To use only the mirrors in one region, query the regional zone:
usa.bl.blocklist.de (USA)
de.bl.blocklist.de (Germany)

If you use plain bl.blocklist.de, one of the 5 bl servers is used at random.

If you use an RBL server near your location, you can get the latency down to < 13msec. Otherwise the latency is 13 to 190msec.
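As an added example (not code from blocklist.de), the lookup against the mirrors described above: it builds the reversed-octet DNSBL name, resolves it in a chosen zone and times the query so the regional mirrors can be compared. It assumes the usual DNSBL convention that a listed IP answers with an address in 127.0.0.0/8 and that NXDOMAIN means not listed; the post does not state the zone's return codes.

```python
import ipaddress
import socket
import time

# Zones named in the post; the plain zone picks one of the five mirrors at random.
ZONES = {"random": "bl.blocklist.de", "usa": "usa.bl.blocklist.de", "de": "de.bl.blocklist.de"}


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: the IPv4 octets reversed, under the zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects IPv6 and malformed input with ValueError
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_answer(answer):
    """Classify an A-record answer. Assumed DNSBL convention: 127.x.x.x means listed."""
    if answer is None:
        return "not listed"
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return "listed"
    # A non-loopback answer usually means a resolver that rewrites NXDOMAIN
    # (ISP "search helpers"); such answers must not be treated as listings.
    return "unexpected answer"


def dnsbl_lookup(ip, zone):
    """Resolve the lookup name in one zone and time it. Needs network access."""
    name = dnsbl_query_name(ip, zone)
    start = time.perf_counter()
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror:  # NXDOMAIN (or a resolver error): treated as not listed
        answer = None
    latency_ms = round((time.perf_counter() - start) * 1000, 1)
    return {"query": name, "answer": answer, "status": interpret_answer(answer), "latency_ms": latency_ms}


def compare_mirrors(ip):
    """Look the same IP up in every zone so the mirror latencies can be compared."""
    return {label: dnsbl_lookup(ip, zone) for label, zone in ZONES.items()}


if __name__ == "__main__":
    # The IP from the fake-shop post above, looked up in each zone.
    for label, result in compare_mirrors("205.189.72.71").items():
        print(label, result)
```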

2012
11.11

On a honeypot system, a hacker/spammer/phisher downloaded a .tgz file and tried to install a phishing site for Absa Internet Banking.

Nicely, he generates a log file of all users who visit the phishing site:

$fp = fopen("log.txt", "a");
fputs($fp, "IP: $ip - DATE: $date - [URL: $url] | [Agent: $agent] \n");
fclose($fp);

When the log file is bigger than 200000 bytes, he sends it to a Gmail account.

But the really interesting part is that the phishing archive contains a .htaccess file which blocks a lot of IPs, like Google, Tor servers of the CCC and other networks.

Here is the complete .htaccess file:

order allow,deny
deny from 173.254.216.69
deny from 173.254
deny from 196.214.84.44
deny from 196.210
deny from 174.93.39.58
deny from 74.120.12.140
deny from 41.162.7
deny from 74.3.165.39
deny from 85.250.100.210
deny from 83.222
deny from 168.142.192.43
deny from 80.237.226.75
deny from 220.225
deny from 89.160.83.61
deny from 89.145.108
deny from 74.120.13.132
deny from 46.4.118.254
deny from 93.172.68.165
deny from 93.172
deny from 109.186.49.23
deny from 109.186
deny from 91.199.104
deny from 193.200
deny from 69.202
deny from 50.97
deny from 86.35
deny from 69.163
deny from 196.33
deny from 109.67
deny from 109.163
deny from 150.70
deny from 63.251
deny from 184.107
deny from 173.255
deny from 178.217.184
deny from 184.154.169
deny from 149.20
deny from 212.143
deny from 62.213
deny from 173.204
deny from 176.32.64.173
deny from 99.190
deny from 67.78
deny from 209.85.224.93
deny from 109.66
deny from 65.49
deny from 79.182
deny from 79.178
deny from 85.13.235.26
deny from 77.247
deny from 199.48
deny from 79.176
deny from 84.110
deny from 219.117
deny from 217.128
deny from 87.249.110
deny from 109.65
deny from 94.172
deny from 209.85
deny from 74.125
deny from 176.67
deny from 66.249
deny from 199.19
deny from 66.150
deny from 64.125
deny from 64.90
deny from 128.232
deny from 169.202
allow from all

The timestamps of the .htaccess file from the .tgz are:

Size: 1330            Blocks: 16         IO Block: 4096   regular file
Device: 901h/2305d      Inode: 12162162    Links: 1
Access: (0666/-rw-rw-rw-)  Uid: (xxxxx/ UNKNOWN)   Gid: (   99/  nobody)
Access: 2012-11-11 20:16:12.000000000 +0100
Modify: 2012-08-16 07:40:30.000000000 +0200
Change: 2012-11-11 20:16:12.000000000 +0100

When Google's IPs cannot access the phishing site, it does not get reported to Safe Browsing, and Google Alerts or other security companies do not find it automatically.
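As an added example (not code from the posts or from the kit), serving this post and the 17.11 post above: a parser that checks which of a defender's own scanner or crawler addresses a kit's deny list would block. It assumes Apache's partial-address semantics, where a value such as 66.249 or 120. matches on whole leading octets (the kit's trailing dots are tolerated), handles only the dotted forms these files use (no hostnames or CIDR), and the sample below is constructed from a handful of the lines above.

```python
import ipaddress

# Constructed sample: a few "deny from" lines taken from the two .htaccess files in
# the posts, showing full addresses, partial addresses and a trailing-dot partial.
KIT_HTACCESS = """\
order allow,deny
deny from 209.85.224.93
deny from 66.249
deny from 74.125
deny from 120.
deny from 113
deny from 46.4.118.254
allow from all
"""


def parse_deny_prefixes(htaccess_text):
    """Return each 'deny from' value as a tuple of leading octets, e.g. ('66', '249')."""
    prefixes = []
    for line in htaccess_text.splitlines():
        parts = line.strip().split()
        if len(parts) != 3 or [p.lower() for p in parts[:2]] != ["deny", "from"]:
            continue
        octets = tuple(o for o in parts[2].split(".") if o)  # "120." -> ("120",)
        if 1 <= len(octets) <= 4 and all(o.isdigit() and int(o) < 256 for o in octets):
            prefixes.append(octets)
    return prefixes


def is_denied(ip, prefixes):
    """True if the client IP hits a deny rule. With 'order allow,deny' and
    'allow from all', a matching deny rule wins, so this is exactly the blocked set."""
    octets = tuple(str(ipaddress.IPv4Address(ip)).split("."))
    # Compare whole octets: '66.24.0.1' must not match the prefix ('66', '249').
    return any(octets[: len(p)] == p for p in prefixes)


def blocked_scanners(scanner_ips, htaccess_text):
    """Which of our own scanner/crawler addresses the kit would refuse to serve."""
    prefixes = parse_deny_prefixes(htaccess_text)
    return sorted(ip for ip in scanner_ips if is_denied(ip, prefixes))
```

Running blocked_scanners over the full .htaccess files with the source addresses of your own crawlers tells you in advance which of them will only ever see the kit's denial page.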

In the log.txt from the .tgz archive there are a lot of entries, and he uses the directory name „netservice“ on all sites:


IP: 105.xxx.xxx.xxx - DATE: Monday 05 November 11:04:04 - [URL: /wp-content/plugins/nospamnx/netservice/form.php] | [Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)]

IP: 161.xxx.xxx.xxx - DATE: Monday 05 November 15:31:28 - [URL: /wp-content/plugins/nospamnx/netservice/index.php] | [Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.40607)]

The drop boxes are on Google and Hotmail. I reported it to MSN and Gmail, but I think that MSN will shut down the e-mail account earlier than Google (I think Google does nothing....).

Ask us for the files....

[UPDATE 17.11.2012 20:27 +0100]
We found a new .htaccess file with more IP ranges:
https://blog.blocklist.de/2012/11/17/new-htaccess-to-block-security-ips-and-bots-from-phishing-sites-founded/

2012
11.11

Yesterday we reached 1 million BadBots (forum spam) | DE on rank #2 this month

Yesterday (10.11.2012) we reached 1 million BadBot attacks.
BadBots are IPs which send postings or automatic registrations to honeypot sites, honeypot forums or guestbooks.

Currently we have more proxy/BadBot IPs listed than IPs from mail (unknown user, relaying, ...).
Most BadBot IPs come from providers such as SUPREME-TELECOM – Supreme Telecom Systems, Inc. or SSASN2 – SECURED SERVERS LLC, which is new in the last two months. In the months before, we never saw an entry from SSASN2 – SECURED SERVERS LLC.

This month, the IPs from Germany (DE) have risen to second place, after China (CN) in first place:

http://www.blocklist.de/en/statisticsmonth.html

But this comes mainly from infected customer computers which try to send spam (service mail).

If you receive spam, please report it!
You can use services like spamcop.net or blackhole.mx; the access provider can then block the customer and inform them about the malware on their computers.
