Home page logo
/

nanog logo nanog mailing list archives

91.201.64.0/22 hijacked?
From: Jeroen van Aart <jeroen () mompl net>
Date: Fri, 31 Aug 2012 11:38:30 -0700

The below email exchange may be of interest to some of you. The practical upshot is that it appears "the 91.201.64.0/22 range was hijacked and should be included into the DROP list".

As an interesting aside, quoting a friend:

"the original company (that performed dangerous waste utilization) may have been a shady thing in and of itself (..) what most companies calling themselves "ecoservice" (with variations) do is take money for "safe utilisation" of hazardous waste, and then dump it in some old quarry out in the remote (or not so remote) corner of a forest or other natural area (..) they always have criminal links and protection from corrupts officials (often co-owners) and security/law enforcement services"


From: Jeroen van Aart

there is nothing but crap coming from 91.201.64.0/24. Amongst other things attempts to spam (through) wordpress sites.

inetnum:         91.201.64.0 - 91.201.67.255
netname:         Donekoserv
descr:           DonEkoService Ltd

Don - name of the nearby large river.
"EkoService" means ecological service.

country:         RU
org:             ORG-DS41-RIPE

person:         Haralevich Piotr
address:        novocherkassk, ul stremyannaya d.6
mnt-by:         MNT-DONECO
phone:          +74951000000

nic-hdl: HP2220-RIPE
changed: admin () donecoserv ru 20101117

The company performed dangerous waste utilization:
http://donekoservis.alloy.ru/contacts/
http://www.idbo.ru/view/72321/
But domains donecoserv.ru and donekoservis.ru don't exist anymore.

traceroute 91.201.64.14
...
11 router02.spbbm18.ru.edpnet.net (212.71.11.26) 65.979 ms 65.971 ms 66.182 ms 12 77.109.110.62.static.edpnet.net (77.109.110.62) 88.868 ms 47.809 ms 47.715ms
13 195.2.240.234 (195.2.240.234)  48.235 ms  48.546 ms  48.664 ms
14 ajursrv.parohod.biz (95.215.0.206)  47.957 ms  47.752 ms  47.606 ms
15 mail.rx-helps.com (91.201.64.14)  48.206 ms  48.302 ms  48.237 ms

SPb (Sankt-Peterburg) is 1500 km from Novocherkassk.
parohod.biz also is in Sankt-Peterburg, they offer SEO (which I consider fraud,
spamming websites and search engines).

Also, see
http://support.clean-mx.de/clean-mx/viruses.php?email=admin () donecoserv ru&response=
http://www.spambotsecurity.com/forum/viewtopic.php?f=7&t=795

http://unapprovedpharmacy.wordpress.com/2011/01/03/whois-www-canadianmedsshop-com/
| January 3, 2011
...
| inetnum: 91.201.64.0  91.201.67.255
| netname: Donekoserv
| descr: DonEkoService Ltd
| country: RU
| org: ORG-DS41-RIPE
...
| organisation: ORG-DS41-RIPE
| org-name: DonEko Service
| org-type: OTHER
| address: novocherkassk, ul stremyannaya d.6
| e-mail: admin () bulletproof-web com

Note "bulletproof".

Therefore, the 91.201.64.0/22 range was hijacked
and should be included into the DROP list.


  By Date           By Thread  

Current thread:
  • 91.201.64.0/22 hijacked? Jeroen van Aart (Aug 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault