Infrastructure for java-se[.]com and java-sec[.]com (passive DNS data from PassiveTotal)
java-se[.]com has been observed in a compromise of the DPHK website. Some of the IP addresses listed below appear to belong to smaller shared-hosting providers and may also serve legitimate websites, so blocking on IP alone risks collateral damage. Blocking the two domains, including all of their subdomains, is an easy and low-risk first step toward cleaning up any infections; treat matches on the IP addresses as leads to investigate rather than as grounds for blocking by themselves.
java-se[.]com
Unique IP resolutions for the primary domain and its subdomains
- 112.175.143.2
- 112.175.143.9
- 119.205.217.104
- 121.78.246.174
- 124.248.237.26
- 202.181.133.215
- 210.172.148.40
- 210.253.96.200
- 210.253.99.103
- 211.125.81.203
- 211.233.89.182
- 223.29.248.9
- 96.7.111.133
Subdomains observed
- jre.java-se[.]com
- 81.java-se[.]com
- ga.java-se[.]com
- hk.java-se[.]com
- up.java-se[.]com
- jre76.java-se[.]com
- jre7.java-se[.]com
- kr.java-se[.]com
- www.java-se[.]com
- ud.java-se[.]com
- jdk-7u12-windows-i586.java-se[.]com
- ns.java-se[.]com
- idc.java-se[.]com
- uc.java-se[.]com
java-sec[.]com
Unique IP resolutions for the primary domain and its subdomains
- 112.175.143.2
- 112.175.143.9
- 124.248.202.174
- 124.248.237.26
- 153.121.70.17
- 203.174.34.36
- 203.174.34.40
- 203.174.48.67
- 203.174.48.96
- 203.189.99.106
- 210.17.188.201
- 210.180.33.33
- 211.171.247.240
- 211.171.247.251
- 211.233.89.182
- 222.122.208.10
- 223.29.248.20
- 223.29.248.9
Subdomains observed
- zr.java-sec[.]com
- trustwave.java-sec[.]com
- zr1.java-sec[.]com
- tup.java-sec[.]com
- lab.java-sec[.]com
- server.java-sec[.]com
- blog.java-sec[.]com
- pop1.java-sec[.]com
- pop.java-sec[.]com
- ns1.java-sec[.]com
- ns2.java-sec[.]com
- ns3.java-sec[.]com
- 360.java-sec[.]com
- rss.java-sec[.]com
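The following script shows how the indicators above can be put to work the way the note at the top recommends: it refangs the two domains, matches DNS-resolution logs against the domain (and any subdomain) with high confidence while treating hits on the listed IP addresses as lower-confidence leads, and emits DNS RPZ records that block the domains outright. This is an added example and is not part of the PassiveTotal write-up; the log format (timestamp, client, queried name, answer) and the sample log lines are constructed for the example and do not come from any real resolver.

```python
"""Triage DNS-resolution logs against the java-se[.]com / java-sec[.]com
indicators listed above, and emit a DNS RPZ block for the domains.

Added example; not part of the PassiveTotal write-up.  The log format used
here ("<timestamp> <client> <qname> <answer>") is constructed for the example
and is not any particular resolver's native format.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Domains from the write-up, kept defanged exactly as the page lists them.
DOMAINS_DEFANGED = ["java-se[.]com", "java-sec[.]com"]

# Union of the IP resolutions listed for both domains.
IPS = [
    "112.175.143.2", "112.175.143.9", "119.205.217.104", "121.78.246.174",
    "124.248.202.174", "124.248.237.26", "153.121.70.17", "202.181.133.215",
    "203.174.34.36", "203.174.34.40", "203.174.48.67", "203.174.48.96",
    "203.189.99.106", "210.17.188.201", "210.172.148.40", "210.180.33.33",
    "210.253.96.200", "210.253.99.103", "211.125.81.203", "211.171.247.240",
    "211.171.247.251", "211.233.89.182", "222.122.208.10", "223.29.248.9",
    "223.29.248.20", "96.7.111.133",
]


def refang(indicator: str) -> str:
    """Undo the [.] defanging so the indicator can be compared to live data."""
    return indicator.replace("[.]", ".")


DOMAINS = {refang(d) for d in DOMAINS_DEFANGED}
IP_SET = {ipaddress.ip_address(ip) for ip in IPS}


def domain_matches(hostname: str) -> bool:
    """True for an indicator domain itself or any subdomain of it.

    The suffix match is anchored on the dot so that look-alikes such as
    'notjava-se.com' or 'java-se.com.example.net' do not match.
    """
    h = hostname.rstrip(".").lower()
    return any(h == d or h.endswith("." + d) for d in DOMAINS)


def classify(qname: str, answer: str) -> Optional[str]:
    """Return a verdict for one resolution, or None if nothing matched.

    'block'       - the name is under an indicator domain: high confidence.
    'investigate' - only the answer IP matched.  The write-up notes that some
                    of these IPs look like shared hosting that may also serve
                    legitimate sites, so an IP-only hit is a lead, not a block.
    """
    if domain_matches(qname):
        return "block"
    try:
        if ipaddress.ip_address(answer) in IP_SET:
            return "investigate"
    except ValueError:
        pass  # answer was not an IP (e.g. NXDOMAIN or a CNAME target)
    return None


# Constructed log format: "<timestamp> <client> <qname> <answer>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each log line and keep only those that hit an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, qname, answer = m.groups()
        verdict = classify(qname, answer)
        if verdict:
            hits.append({"time": ts, "client": client, "qname": qname,
                         "answer": answer, "verdict": verdict})
    return hits


def rpz_records() -> List[str]:
    """Response Policy Zone records returning NXDOMAIN for each domain and all
    of its subdomains, i.e. the 'block the domains first' step from above."""
    recs = []
    for d in sorted(DOMAINS):
        recs.append(f"{d} CNAME .")
        recs.append(f"*.{d} CNAME .")
    return recs


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    "2014-10-01T09:12:03Z 10.0.0.5 jre7.java-se.com 112.175.143.2",
    "2014-10-01T09:12:04Z 10.0.0.5 notjava-se.com 8.8.8.8",
    "2014-10-01T09:13:10Z 10.0.0.9 www.example.org 203.174.48.67",
    "2014-10-01T09:13:11Z 10.0.0.9 blog.java-sec.com. NXDOMAIN",
    "malformed line",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
    print("\n".join(rpz_records()))
```

Load the RPZ records into a resolver that supports response policy zones (BIND, Unbound and others do) to get the domain block; feed historic resolver or proxy logs through `triage()` to find hosts that already talked to the infrastructure, and hand the `investigate` verdicts to an analyst rather than auto-blocking them.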