Suspicious site, what malware is there?

See: http://zulu.zscaler.com/submission/show/64f57553dff6f7725c1496d96efa8d9b-1347296470
and http://urlquery.net/report.php?id=171399
See: https://www.virustotal.com/url/56d7bcc4faf8530566c5b4fa5df7d33be5e659603a7f511ab862d74c56d282b5/analysis/1345151050/#additional-info

polonus

www.urlvoid.com/scan/ultimatehacks.net/

The website is new


Now everybody is scanning that site. Sucuri could not connect.

EDIT
http://centralops.net/co/DomainDossier.aspx?addr=93.114.45.84&dom_dns=1&dom_whois=1&net_whois=1
domain or IP address: 93.114.45.84
canonical name: ixam-hosting.com.
addresses: 108.162.197.79, 108.162.197.179

Still don’t know how to read this, how do we get from 93.114 to 108.162?

@adotd

Yep, that was why it was flagged here: http://hosts-file.net/?s=ultimatehacks.net
EMD high risk site
So then we land here: http://www.ipvoid.com/scan/93.114.45.84
Conflicting opinions given here:

1. by Dareks67, 08/15/2012: Malicious content, viruses. hpHosts classifies the site as “EMD”.
2. by saberclaw34, 08/10/2012: Good site. “This is my host, somebody hosted malware here once, please do not think this is a malicious site”

But the IP has a history of malware: Blackhole injecting malware, Java malcode & phishing - see: http://urlquery.net/report.php?id=171399

So be vigilant, where there is smoke apparently there is …

@Kwartet! Are we that popular?

pol

Transfer in, transfer out. Guess those other URLs also have some interesting stuff?
Transfer is likely the answer to “how do we get from 93.114 to 108.162”.

http://www.dailychanges.com/ixam-hosting.com/2012-09-10/

Currently displaying 3 of 3 domain names registered on September 10, 2012 and hosted at the nameserver ixam-hosting.com:
easyresolver.com
forum-reviews.com
upload-sell.com

Currently displaying 3 of 3 domain names transferred into ixam-hosting.com on September 10, 2012 (domain name, transferred from):
ultimatehacks.net (from name-services.com)
winiphone4s.net (from downtownhost.com)
xxxbanger.com (from ukrnames.com)

Currently displaying 2 of 2 domain names transferred away from ixam-hosting.com on September 10, 2012 (domain name, transferred to):
diamondhosting.net (to cloudflare.com)
strangebooter.com (to main-hosting.com)

Following up; checked on urlquery.net:

easyresolver.com http://urlquery.net/report.php?id=171592 No alerts
forum-reviews.com http://urlquery.net/report.php?id=171596 No alerts
upload-sell.com http://urlquery.net/report.php?id=171609 No alerts
xxxbanger.com http://urlquery.net/report.php?id=171620 No alerts

winiphone4s.net http://urlquery.net/report.php?id=171613 No alerts, WOT warning

diamondhosting.net http://urlquery.net/report.php?id=171627 No alerts.
Now cloudflare.com, increasing badness: http://sitevet.com/db/asn/AS13335

ultimatehacks.net http://urlquery.net/report.php?id=171399 [not by me]
ET RBN Known Russian Business Network IP (353),
ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request (name-services.com)

strangebooter.com http://urlquery.net/report.php?id=171635
ET RBN Known Russian Business Network IP (204)
“Exchange Paypal, Exchange Bank Wire, Exchange Pecunix, Exchange Bitcoin, Exchange Liberty Reserve”
Rogue payment site?

Hi Kwartet!,

What you point out is the normal migration procedure for this kind of domain. They always comply when found out, and then open up shop somewhere else.
These are also the migration patterns you see on Netpilot’s daily archives and abuse dot ch. As you analyze urlquery dot net for previous scans on the same IP or for the AS, or when you do a search query for the alerted IDS flags from Suricata/Emerging Threats and/or Snort in combination with urlquery, you find a lot of interesting interlinking sites. Also interesting is a Project Honeypot IP query, see here: http://www.projecthoneypot.org/ip_93.114.45.84
Then also pay attention to the associated harvesters mentioned there and what is being spread…

Main line of business: banking trojans, malvertising, spam, etc…

polonus