More on .NL attacks

Posted by Oliver Day Fri, 23 Oct 2009 21:03:24 GMT

Last week I wrote about a new string of attacks we noticed pointing to servers in the Netherlands.  Over the weekend I found some public sources which show a more complete list of the attack sites which share the list of IP addresses.  Hosts-file.net has a decent compilation of each of the five addresses we listed:

16265 | 85.17.138.27 | 85.17.0.0/16 | LEASEWEB LEASEWEB AS
16265 | 85.17.237.5 | 85.17.0.0/16 | LEASEWEB LEASEWEB AS
15703 | 87.233.139.100 | 87.233.128.0/18 | TRUESERVER
15435 | 217.23.4.76 | 217.23.0.0/20 | KABELFOON
15435 | 217.23.5.27 | 217.23.0.0/20 | KABELFOON

Interestingly, the domains don’t overlap in every instance, so not every one of the domains listed is necessarily serving out badware.  Google, our data partner, says that over 12,000 websites have been infected that point back to one of the sites on these 5 IP addresses.  I’m still working on obtaining a full list of all the infected sites to analyze the distribution of the victims.  My assumption is that certain web hosts were harder hit than others, but this is entirely speculation until I can analyze the full list.

If you have any information regarding these attacks please feel free to write us at contact <at> stopbadware <dot> org