Your web resource on Hymenoptera Chrysididae and Macrophotography

Denied IP addresses and domains

31 Dec 2009. After a recent violation of our site, we are forced to block the following IP addresses and domains to prevent them from accessing our website.

On 13 Dec 2009, 922 files of our website were altered by a globally distributed attack. The violation consisted of the insertion of an obfuscated script into the files' code, whose function is still unknown to us. We reacted heavily and quickly in order to stop the infection and prevent additional damage. Fortunately, the databases are still intact and uncompromised. We are sorry for what happened, because we do not understand the reason for such a hostile act.

But our reaction is equally hostile, denying the following addresses access to all resources of the site:


 

Gian Luca Agnoli

 

06 Jan 2010 - Additional notes

From an informal assessment performed together with the Italian Telecommunication Police, whom we thank, it emerged that the malicious code refers to the easytabletennis . ru domain, blacklisted by Google as a suspect domain able to deliver malicious software. This domain is hosted by 9 global networks and refers to many IP addresses, as shown by the following search: http://www.robtex.com/dns/*.easytabletennis.ru.html.

"From Hidden Iframes to Obfuscated Scripts" is a very comprehensive report on such attacks, made by Denis of Unmask Parasites.

"Fixing GNU GPL Virus/Malware" by F. Baguyo Jr. provides a PHP script able to cleanse the infected files directly on your server. We did not try it, since we did the job manually:

  1. change the main account password (including FTP);
  2. download the entire website and uncover the infected files;
  3. overwrite all infected files from our local backup;
  4. enable SSH in order to use Secure-FTP (= SFTP) instead of the unsafe FTP protocol.
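One way to carry out steps 2 and 3 is to hash the downloaded copy against the local backup and list every file that differs. This is an added example, not the script we or the cited authors used; the directory names `backup` and `downloaded` and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the SHA-256 digest of a file's bytes."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(backup: Path, downloaded: Path) -> dict:
    """Classify files in the downloaded copy against the clean backup."""
    clean, live = snapshot(backup), snapshot(downloaded)
    return {
        "altered": sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f]),
        "added": sorted(live.keys() - clean.keys()),    # not in backup: inspect by hand
        "missing": sorted(clean.keys() - live.keys()),  # deleted on the server
    }


def build_demo() -> dict:
    """Constructed sample trees: one altered page, one extra file, one deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "downloaded")
        for root in (backup, live):
            (root / "gallery").mkdir(parents=True)
            (root / "index.html").write_text("<html><body>Chrysididae</body></html>")
            (root / "gallery" / "view.php").write_text("<?php echo 'ok'; ?>")
        (backup / "about.html").write_text("<html>about</html>")
        # Constructed change: harmless marker standing in for an inserted script
        (live / "index.html").write_text("<html><body>Chrysididae</body></html><!-- marker -->")
        (live / "gallery" / "extra.php").write_text("<?php /* unknown file */ ?>")
        return compare_trees(backup, live)


if __name__ == "__main__":
    print(build_demo())
```

Files reported as "altered" are the ones to overwrite from the backup; files reported as "added" have no clean counterpart and need manual review before deletion.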

For citation purposes
Agnoli G.L. & Rosa P., Chrysis.net website, interim version 10-Jan-2010, URL: http://www.chrysis.net/.