Spamhaus under DDOS from AnonOps (Wikileaks.info)

foks lists at foks.se
Sun Dec 19 15:19:31 CST 2010


On 12/19/2010 08:33 PM, Ned Moran wrote:
> additional evidence
>
> http://www.malwaredomainlist.com/mdl.php?search=41947&colsearch=All&quantity=50&inactive=on
>
> On Sun, Dec 19, 2010 at 2:25 PM, Rich Kulawiec <rsk at gsp.org> wrote:
>
>> On Sun, Dec 19, 2010 at 12:46:33PM -0600, Frank Bulk - iName.com wrote:
>>> While I tend to trust Steve and Spamhaus because of their built up
>>> reputation, it would be helpful if some concrete facts were published about
>>> the "more than 40 criminal-run sites operating on the same IP address as
>>> wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and
>>> bank phishes paypal-securitycenter.com and postbank-kontodirekt.com."
>> I found this:
>>
>>        http://www.spamhaus.org/sbl/listings.lasso?isp=webalta.ru
>>
>> (as well as the SBL records those reference) quite interesting.
>>
>> ---rsk
>>
>>

The evidence is for Webalta, which hosts Heihachi (which hosts
wikileaks.info). I spent some minutes checking Heihachi's IP block
92.241.190.0 – 92.241.190.255.

I found 255 .com/.net domains which use this IP block and Heihachi's DNS
servers. Google reports that none of them is used to serve malware. Two
of them, dhl24-servicecenter.com and pixel-banner.com, are reported as
phishing sites. Both are down at the moment.

http://support.clean-mx.de/clean-mx/rss?scope=viruses&as=AS41947 reports
4 addresses on this IP block, all seem to be up.

http://www.malwaredomainlist.com/mdl.php?search=92.241.190&colsearch=All&quantity=50
reports 3 addresses on underground-infosource.info. This site is not
online at the moment.

If Heihachi hasn't cleaned up very well in the last few days, I would say
that they behave much better than Webalta's customers in general.






More information about the NANOG mailing list