FYI...More sites to block
13 August 2012 - "More evil sites to block on 220.127.116.11
(Specialist ISP*) following on from these:
idi42nga .rr.nu, kprud89entia .rr.nu, hin66gof .rr.nu, iste03dengi .rr.nu, hing30emplo .rr.nu,
ize84dso .rr.nu, ind42icat .rr.nu, lack33andw .rr.nu"
10 August 2012 - "... blocking access to 18.104.22.168/22 and 22.214.171.124/22 (Specialist ISP) plus -all- .rr.nu domains would be even better."
13 August 2012 - "...
126.96.36.199 (Amazon, Ireland)
188.8.131.52 (Cloudaccess.net, US)
184.108.40.206 (Myren, Malaysia)
Blocking access to these IPs will prevent other malicious sites on the same servers from being a problem..."
Something evil on 220.127.116.11/26
13 August 2012 - "The IP address range 18.104.22.168/26 nominally belongs to grey hat host Hetzner in Germany, although it has been reallocated to a registrant in Israel. This block recently came up as the source for a ZeroAccess infection picked up from 22.214.171.124. A look at the 126.96.36.199/26 range (188.8.131.52 - 184.108.40.206) shows several suspicious websites with domains apparently generated by DoItQuick (more info here*). Most of the domains are too new to have any reputation, although given the live distribution of malware and the randomly chosen names then they are unlikely to be doing anything nice
... quite a lot of suspect sites have recently been moved from this range to point at 127.0.0.1 instead, a common trick when malicious domains need to be pointed somewhere else quickly.
The registrant for this block is:
inetnum: 220.127.116.11 - 18.104.22.168
address: RUSSIAN FEDERATION