Canada Kicks Ass
IP Addresses to block due to malicious activity


DrCaleb @ Tue Sep 19, 2017 5:48 am

Tricks Tricks:
DrCaleb DrCaleb:
We've been getting a huge number of phishing attempts, with a zero day payload. Do NOT open emails with subject lines:

“Pat due invoice notification”

“My O2 Business - Your O2 Bill is ready”

“#09932 Invoice secondary notice”

Our firewall blocked addresses associated with those payloads, but you probably don't have a sophisticated firewall like ours. As well, no AV products caught this.

I had a fun assignment last week about tracing emails back to people.

Found the guy's phone number in Africa who tried to get my information claiming to be from the IRS.


I used to do that. :) After a while I stopped. No point.

But it must be fun calling him at 3am and asking if he'd like to buy an all inclusive Caribbean cruise!!

   



Tricks @ Tue Sep 19, 2017 9:48 am

DrCaleb DrCaleb:
Tricks Tricks:
DrCaleb DrCaleb:
We've been getting a huge number of phishing attempts, with a zero day payload. Do NOT open emails with subject lines:

“Pat due invoice notification”

“My O2 Business - Your O2 Bill is ready”

“#09932 Invoice secondary notice”

Our firewall blocked addresses associated with those payloads, but you probably don't have a sophisticated firewall like ours. As well, no AV products caught this.

I had a fun assignment last week about tracing emails back to people.

Found the guy's phone number in Africa who tried to get my information claiming to be from the IRS.


I used to do that. :) After a while I stopped. No point.

But it must be fun calling him at 3am and asking if he'd like to buy an all inclusive Caribbean cruise!!
I was tempted. I'm glad I'm finally doing something in this program outside of meaningless programming and learning what a botnet is. :lol:

   



BartSimpson @ Tue Sep 19, 2017 4:31 pm

When I find spammers living in progressive countries like Nigeria and Belarus my favorite trick is to send them an original email from my email address.

I first check Live Ships to see what cargo ships are expected in their ports and when. Then I pick a random container number for an actual container.

Then I draw up a spreadsheet with a list of small to medium arms and ammunition and I attach it to the email.

The message typically reads:

Mr. Spammer,

Your payment of $3,720,000 was received in our account in the Seychelles.

Attached is the manifest of the weapons and ammunition you ordered.

Container 324567-39 will arrive in your port aboard the MV Spam Queen.

The passcode for taking possession of the container is A325-67Y4-8291

Thank you for your business and should you have any future needs please do not hesitate to contact us. Best of luck with your revolution and the overthrow of President Nmbimbwe.

- Bart


This is often followed by a desperate sounding email denying any knowledge of the transaction.

The end game is usually noted by a drop off in global spam traffic. 8)

   



DrCaleb @ Wed Sep 20, 2017 6:07 am

I like your style! :rock:

   



DrCaleb @ Fri Sep 22, 2017 7:45 am

Sort of off topic, but related. If you use 'CCleaner' as your Antivirus, you probably got hacked. And it looks like the hack was intended as corporate espionage!

CCleaner malware outbreak is much worse than it first appeared

   



BartSimpson @ Fri Sep 22, 2017 8:25 am

DrCaleb DrCaleb:
Sort of off topic, but related. If you use 'CCleaner' as your Antivirus, you probably got hacked. And it looks like the hack was intended as corporate espionage!

CCleaner malware outbreak is much worse than it first appeared


The version that was reported as compromised is 5.33.6162.

But I isolated four of our computers that had CCleaner on them and found evidence of Floxif compromise on all four.

Their versions were:

4.00.0.4064
4.14.00.4707
5.18.00.5607
5.23.00.5808

If your machines have these hashes then they should be considered compromised:

ccleaner.exe - ef694b89ad7addb9a16bb6f26f1efaf7, d488e4b61c233293bec2ee09553d3a2f

ccsetup533.exe - 75735db7291a19329190757437bdb847

The compromised update server (which should be blocked on your firewall) is at 216.126.225.148

:wink:

   



Tricks @ Fri Sep 22, 2017 11:45 am

Shit, I have to check some family computers. I had switched from CCleaner to Glary a while ago, but I can't remember who might still have it.

   



BartSimpson @ Tue Sep 26, 2017 8:56 am

Moar shot to block


   



herbie @ Tue Sep 26, 2017 9:36 am

CCleaner?

How 2001

   



BartSimpson @ Tue Sep 26, 2017 10:29 am

herbie herbie:
CCleaner?

How 2001


Agreed. I just reimage my computers when this crap comes up. Anymore it's the only way to be sure you've removed whatever the hackers and the NSA have installed on your machine.

   



BartSimpson @ Mon Oct 09, 2017 3:08 pm

The shit list for the first part of October:


   



BartSimpson @ Mon Dec 11, 2017 11:37 am

Whole big boatload of crap sites to block this month:


   



BartSimpson @ Tue Jan 16, 2018 11:45 am

Today's list of shitty sites and domains to block:


   



BartSimpson @ Mon Feb 26, 2018 12:11 pm

Today's list of crap to block:


   



BartSimpson @ Mon Feb 26, 2018 12:12 pm

Anyone notice a trend on these sites?

.ru <<<<<<<
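As an added example (not code posted by anyone in this thread), a small Python script that takes a pasted blocklist in the shape of the posts above, validates and deduplicates the entries, surfaces lines that are neither a usable address nor a usable hostname (the truncated copy-paste leftovers these lists tend to carry), counts top-level domains to make the .ru trend visible, and emits ipset commands for the address half. The sample list and the ipset set name are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the thread's posts: one domain or IPv4
# per line, with a repeated address, a truncated line and a bogus octet.
SAMPLE_BLOCKLIST = """\
differentia.ru
disorderstatus.ru
docteuur13.no-ip.org
www.apleid.apple.com.secure.authcode.sa ... update.com
185.174.100.125
185.174.100.125
193.169.54.12
999.1.1.1
"""

# RFC 1123 style hostname: dot-separated labels of alphanumerics/hyphens,
# with a top-level label that starts with a letter (so "999.1.1.1" is not
# mistaken for a domain once it fails IPv4 parsing).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_TLD = r"[a-z][a-z0-9-]{1,62}"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_TLD}$")


def parse_blocklist(text):
    """Return (ips, domains, rejected): validated, deduplicated, sorted.

    Lines that are neither a valid IPv4 address nor a valid hostname go to
    rejected so a truncated paste is surfaced rather than silently dropped."""
    ips, domains, rejected = set(), set(), []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        try:
            ips.add(str(ipaddress.IPv4Address(line)))
        except ValueError:
            if _DOMAIN_RE.match(line):
                domains.add(line)
            else:
                rejected.append(raw.strip())
    return sorted(ips), sorted(domains), rejected


def tld_counts(domains):
    """Count the last label of each domain (the '.ru' trend noted above)."""
    return Counter(d.rsplit(".", 1)[-1] for d in domains)


def render_ipset(ips, setname="threadblock"):
    """Emit ipset commands for the address half of the list."""
    cmds = [f"ipset create {setname} hash:ip -exist"]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in ips]
    return "\n".join(cmds)
```

Feed the resulting set to an iptables/nftables DROP rule; the rejected list is the part to look at by hand before anything from it becomes a rule.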

   


