On 12/19/2010 08:33 PM, Ned Moran wrote:
additional evidence
http://www.malwaredomainlist.com/mdl.php?search=41947&colsearch=All&quantity=50&inactive=on
On Sun, Dec 19, 2010 at 2:25 PM, Rich Kulawiec <rsk@gsp.org> wrote:
On Sun, Dec 19, 2010 at 12:46:33PM -0600, Frank Bulk - iName.com wrote:
While I tend to trust Steve and Spamhaus because of their built up reputation, it would be helpful if some concrete facts were published about the "more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com."
I found this:
http://www.spamhaus.org/sbl/listings.lasso?isp=webalta.ru
(as well as the SBL records those reference) quite interesting.
---rsk
The evidence is for Webalta, which hosts Heihachi (which hosts wikileaks.info). I spent some minutes checking Heihachi's IP block 92.241.190.0 – 92.241.190.255. I found 255 .com/.net domains which use this IP block and Heihachi's DNS servers. Google reports that none of them is used to serve malware. Two of them, dhl24-servicecenter.com and pixel-banner.com, are reported as phishing sites. Both are down at the moment.

http://support.clean-mx.de/clean-mx/rss?scope=viruses&as=AS41947 reports 4 addresses on this IP block; all seem to be up. http://www.malwaredomainlist.com/mdl.php?search=92.241.190&colsearch=All&quantity=50 reports 3 addresses on underground-infosource.info. This site is not online at the moment.

If Heihachi hasn't cleaned up very well in the last days, I would say that they behave much better than Webalta's customers in general.