Blocking the LizaMoon IPs

One thing we often note is that many bad IP addresses are recidivists: one day they are seen doing one bad thing, and a week later they are doing something different. A good example is the set of IP addresses implicated in the current LizaMoon SQL injection attack. Almost all of the addresses were already known to us, in the 'Russian Business Network' feed at least, and some had quite a considerable history. ThreatSTOP subscribers could therefore already have been protected against this attack. However, not every ThreatSTOP subscriber uses a block list that includes the RBN feed, so we have also added the addresses to the Emergency Feed, which is downloaded by all our subscribers.

This SQL injection attack is also instructive in how the large number of domains reported by Websense reduce to just a handful of IP addresses (6 in total, with 2 more acting as final droppers after a redirect). This is typical in our experience and shows yet again why it is better to block IP addresses rather than domain names.

For those interested, the 8 IP addresses are:

194.28.44.190, 91.220.35.151, 91.213.29.182, 95.64.9.18, 109.236.81.28 and 91.217.162.45 in the original attack, plus the following two: 46.252.130.200 and 84.123.115.228.
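To illustrate the domains-to-IPs collapse described above, here is an added Python example (not ThreatSTOP code, and not derived from the real LizaMoon indicators): it groups a constructed list of domain-to-IP resolutions by address and emits ipset/iptables commands for the resulting handful of IPs. The domain names, addresses and the `lizamoon_ips` set name are all made up for the example.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: domains reported in an injection campaign, paired with
# the IP each resolved to at the time. Names use the reserved .invalid TLD and
# addresses come from RFC 5737 documentation ranges; none are real indicators.
RESOLVED = [
    ("lizamoon-a.invalid", "192.0.2.10"),
    ("lizamoon-b.invalid", "192.0.2.10"),
    ("lizamoon-c.invalid", "192.0.2.10"),
    ("stats-x.invalid", "198.51.100.7"),
    ("stats-y.invalid", "198.51.100.7"),
    ("tadd-1.invalid", "192.0.2.10"),
    ("dropper.invalid", "203.0.113.44"),
]

SET_NAME = "lizamoon_ips"  # hypothetical ipset name


def collapse_to_ips(records):
    """Group domains by the IP they resolve to.

    Returns {ip: sorted list of domains}; the size of the result is the
    number of addresses that actually need blocking.
    """
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[str(ip_address(ip))].add(domain.lower().rstrip("."))
    return {ip: sorted(doms) for ip, doms in by_ip.items()}


def ipset_rules(by_ip, set_name=SET_NAME):
    """Emit ipset/iptables commands that drop traffic to or from the IPs.

    One create line, one add line per address, then an inbound (src) and an
    outbound (dst) rule, since the hosts both probe and serve the script.
    """
    lines = [f"ipset create {set_name} hash:ip -exist"]
    lines += [f"ipset add {set_name} {ip} -exist"
              for ip in sorted(by_ip, key=ip_address)]
    lines.append(f"iptables -I INPUT -m set --match-set {set_name} src -j DROP")
    lines.append(f"iptables -I OUTPUT -m set --match-set {set_name} dst -j DROP")
    return lines


if __name__ == "__main__":
    grouped = collapse_to_ips(RESOLVED)
    print(f"{len(RESOLVED)} domains collapse to {len(grouped)} IP addresses")
    for ip, doms in grouped.items():
        print(f"  {ip}: {', '.join(doms)}")
    print("\n".join(ipset_rules(grouped)))
```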
