TweakTown Forums - View Single Post - HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA, fully, per CIS Tool scoring

APK · 11-30-2007, 05:55 AM

As regards the "Russian Business Network" (RBN) who has been @ the heart of MANY online attacks (or, things like Zlob trojan & IDTheft related attacks, etc. et al)? Use this information to protect yourselves, from them.

(RELIABLE/REPUTABLE SOURCE USED = http://www.spamhaus.org/rokso/eviden...kso_id=ROK7465

----

FIRST OF ALL - Note, I use "0.0.0.0" vs. "127.0.0.1"

(That is simply because iirc, the zero's based one leads to a NULL port type of request, rather than your "loopback adapter" (i.e.-> YOUR OWN MACHINE fielding requests) for a couple of reasons (which it took me some time to come up w/ & testing as to which is "better" to use)).

SECONDLY, 0.0.0.0 is SMALLER than 127.0.0.1, & thus, parses + loads FAR faster, & is smaller on disk is why - AND, in RAM once loaded: THUS, I am logically concluding that 0.0.0.0 is better to use period for HOSTS file blocks - same function, & @ LESSER cost, nearly all the way around (less diskspace, faster loadspeed, less memory occupancy, & etc. et al). A MORE EFFICIENT STRUCTURE!

----

USING NOTEPAD.EXE

ADD THIS LIST TO YOUR CUSTOM HOSTS FILE (usually located in %windir%\system32\drivers\etc subfolder-subdirectory):

# === START OF KNOWN RUSSIAN BUSINESS NETWORK/RBN MAPPINGS + AFFILIATED KNOWN SERVERS ===
0.0.0.0 rxpharmacy-support.com
0.0.0.0 ns3.cnmsn.com
0.0.0.0 thecanadianmeds.com
0.0.0.0 officialmedicines.com
0.0.0.0 psxshop.com
0.0.0.0 10000xing.cn
0.0.0.0 222360.com
0.0.0.0 adslooks.info
0.0.0.0 bnably.com
0.0.0.0 eqcorn.com
0.0.0.0 familypostcards2008.com
0.0.0.0 freshcards2008.com
0.0.0.0 happy2008toyou.com
0.0.0.0 happysantacards.com
0.0.0.0 hellosanta2008.com
0.0.0.0 hohoho2008.com
0.0.0.0 kqfloat.com
0.0.0.0 ltbrew.com
0.0.0.0 mymetavids.com
0.0.0.0 obebos.cn
0.0.0.0 parentscards.com
0.0.0.0 postcards-2008.com
0.0.0.0 ptowl.com
0.0.0.0 qavoter.com
0.0.0.0 santapcards.com
0.0.0.0 santawishes2008.com
0.0.0.0 siski.cn
0.0.0.0 snbane.com
0.0.0.0 snlilac.com
0.0.0.0 tibeam.com
0.0.0.0 tushove.com
0.0.0.0 wxtaste.com
0.0.0.0 yxbegan.com
0.0.0.0 iframedollars.biz
0.0.0.0 NS1.RBNNETWORK.COM
0.0.0.0 NS1.4USER.NET
0.0.0.0 NS1.EEXHOST.COM
0.0.0.0 NS1.AKIMON.COM
0.0.0.0 NAME1.AKIMON.COM
0.0.0.0 NS2.RBNNETWORK.COM
0.0.0.0 NS2.4USER.NET
0.0.0.0 NS2.AKIMON.COM
0.0.0.0 NS2.EEXHOST.COM
0.0.0.0 NAME2.AKIMON.COM
0.0.0.0 RUSOUVENIRS.COM
0.0.0.0 RBNNETWORK.COM
0.0.0.0 NS1.INFOBOX.ORG
0.0.0.0 NS2.INFOBOX.ORG
0.0.0.0 NS1.RUSOUVENIRS.COM
0.0.0.0 NS2.RUSOUVENIRS.COM
0.0.0.0 NS1.RUSOUVENIRS.NET
0.0.0.0 NS2.RUSOUVENIRS.NET
0.0.0.0 SBTTEL.COM
0.0.0.0 AKIMON.COM
0.0.0.0 AKIMON.NET
0.0.0.0 EEXHOST.COM
0.0.0.0 NS1.EEXHOST.COM
0.0.0.0 NS2.EEXHOST.COM
0.0.0.0 NS1.4USER.NET
0.0.0.0 NS1.AKIMON.COM
0.0.0.0 NS1.EEXHOST.COM
0.0.0.0 NAME1.AKIMON.COM
0.0.0.0 NS1.RBNNETWORK.COM
0.0.0.0 NS2.4USER.NET
0.0.0.0 NS2.AKIMON.COM
0.0.0.0 NAME2.AKIMON.COM
0.0.0.0 NS2.RBNNETWORK.COM
0.0.0.0 NS2.EEXHOST.COM
0.0.0.0 VALUEDOT.NET
0.0.0.0 ns0.valuedot.net
0.0.0.0 ns1.valuedot.net
0.0.0.0 1000WATT.BIZ
0.0.0.0 2SOVKA.NET
0.0.0.0 AIDEN-GROUP.COM
0.0.0.0 AKIMON.COM
0.0.0.0 ALEKC.NET
0.0.0.0 ANDREY-STUDIO.INFO
0.0.0.0 AUTOKUBAN.INFO
0.0.0.0 AVIATRAVELAGENCY.COM
0.0.0.0 AVTOMOBILEY.NET
0.0.0.0 BAGA****A.COM
0.0.0.0 BAIKERGROUP.COM
0.0.0.0 BALTICDOORS.COM
0.0.0.0 BALTMONOLIT.COM
0.0.0.0 BRIGADA-EL.COM
0.0.0.0 CARPRIVOZ.COM
0.0.0.0 CHILLERU.COM
0.0.0.0 CVETOVODSTVO.COM
0.0.0.0 E-GOLD-CHANGER.COM
0.0.0.0 ELECTRONOV.NET
0.0.0.0 FASHIONER.BIZ
0.0.0.0 FFFFFF.ORG
0.0.0.0 FIFACUP06.INFO
0.0.0.0 FISHTORG.COM
0.0.0.0 FKGARANT.COM
0.0.0.0 FOTORETUSH.COM
0.0.0.0 FREGATSOFT.COM
0.0.0.0 FROLROMANOFF.COM
0.0.0.0 FULLVER.INFO
0.0.0.0 GAKKEL.COM
0.0.0.0 GARANTSERVICE.ORG
0.0.0.0 GDEDENGI.INFO
0.0.0.0 GLAZKI.NET
0.0.0.0 GOLD-DRAGON.INFO
0.0.0.0 GORODM.COM
0.0.0.0 GRAYZI.NET
0.0.0.0 GRIFFINFLY.COM
0.0.0.0 HEAT-ENERGO.COM
0.0.0.0 HITEMA.NET
0.0.0.0 HYIPREVIEW.INFO
0.0.0.0 HYIPSMAP.COM
0.0.0.0 ILOXX.ORG
0.0.0.0 IMYA.INFO
0.0.0.0 INFODOSKA.COM
0.0.0.0 INTERNETWORLDBOOK.COM
0.0.0.0 KLIMATA.NET
0.0.0.0 KOMOV.NET
0.0.0.0 KOSMETICHKA.NET
0.0.0.0 LIDTRADE.COM
0.0.0.0 LIFE-RU.ORG
0.0.0.0 LPSPB.COM
0.0.0.0 M-OST.NET
0.0.0.0 M-UNLOCK.COM
0.0.0.0 MAMRU.COM
0.0.0.0 MAPSERV.COM
0.0.0.0 MASTERDOKS.COM
0.0.0.0 MIRMED.COM
0.0.0.0 MOOSEMUSE.COM
0.0.0.0 MOREPRODUCT.NET
0.0.0.0 MUSEMOOSE.COM
0.0.0.0 NESTRONICS.COM
0.0.0.0 NESTRONICS.NET
0.0.0.0 NOFUN.INFO
0.0.0.0 OIL-GAS-MINERALS.COM
0.0.0.0 OKOSHKA.NET
0.0.0.0 OPTIMUS.BIZ
0.0.0.0 OTKRITKI.NET
0.0.0.0 OTKRITOK.NET
0.0.0.0 PARALLELSIXTY.COM
0.0.0.0 PASSOMONTANO.COM
0.0.0.0 PETROBALT.NET
0.0.0.0 PHARMACY-MD.COM
0.0.0.0 PISKUNOV.NET
0.0.0.0 POIGRAI.INFO
0.0.0.0 PROETCONTRA.ORG
0.0.0.0 PSOLAO.ORG
0.0.0.0 ROSEL.INFO
0.0.0.0 SBTTEL.COM
0.0.0.0 SECONDAPPROACH.COM
0.0.0.0 SMARTSOFTLINE.COM
0.0.0.0 SMESHNOY.COM
0.0.0.0 SQUAREDREAM.COM
0.0.0.0 STROIINFORM.COM
0.0.0.0 STROYBRIGADA.COM
0.0.0.0 TANK-HOBBY.COM
0.0.0.0 TECHNONORDIC.COM
0.0.0.0 TELEUNITED.NET
0.0.0.0 TEPLOCOM.COM
0.0.0.0 THERMOCAUTERY.COM
0.0.0.0 TIARU.COM
0.0.0.0 TRADEFINANS.COM
0.0.0.0 TRADEFINANS.NET
0.0.0.0 TRAININGS-TRIUMPH.ORG
0.0.0.0 TSAR-SUVENIR.COM
0.0.0.0 UEFACUP08.INFO
0.0.0.0 UMNIKSOFT.COM
0.0.0.0 UNDERCOOLED.NET
0.0.0.0 VALIDBIT.COM
0.0.0.0 VERESC.ORG
0.0.0.0 VOROLAIN.COM
0.0.0.0 WHITENIGHTSHOSTELS.COM
0.0.0.0 WORLDFONDS.NET
0.0.0.0 XRUST.NET
0.0.0.0 YAHOCHU.COM
0.0.0.0 Z-GROUP.INFO
0.0.0.0 ZDRAV.INFO
0.0.0.0 ZHESTOV.NET
0.0.0.0 ZOOSPB.COM
0.0.0.0 goldenpiginvest.com
0.0.0.0 goldenpiginvest.net
0.0.0.0 pharmacy-viagra.net
# === END OF KNOWN RUSSIAN BUSINESS NETWORK/RBN MAPPINGS + AFFILIATED KNOWN SERVERS ===

Also - You can (AND SHOULD) verify your HOSTS file location, because it CAN be moved (& some virus/spywares do so, like QHosts) by using regedit.exe
& going here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters

& checking to see it has NOT been misdirected from C:\WINDOWS\SYSTEM32\DRIVERS\etc

(Unless you KNOW that YOU move it, as I do!)

I move mine INTENTIONALLY to another disk here that is less used & faster on seeks!

That is just so it init.'s faster since the HDD is not contending with other programs loading etc.
or data loading etc. - mine's on an SSD (solid-state ramdisk, for access-seek gains for example).

----

FOR FIREWALL BLOCKING RULES (or IE "restricted zones" lists (in IE options), OR possibly IP Security Policies usage):

I.P. address block for Russian Business Network:

81.95.144.0/20 #SBL43489
(81.95.144.0 - 81.95.159.255)

And the address blocks for its equally corrupt cousins at Intercage, Inhoster, and Nevacon:

85.255.112.0/20 #SBL36702
(85.255.112.0 - 85.255.127.255)

69.50.160.0/19
(69.50.160.0 - 69.50.191.255)

194.146.204.0/22 #SBL51152
(194.146.204.0 - 194.146.207.255)

Lastly/Optionally - You should block all IPs starting with these if you do not care about Russia and China:

193.
194.
195.
213.
217.
62.64.
62.76.

(AND, A few major Internet providers that provide services to RBN including)

Tiscali.uk
SBT Telecom
Aki Mon Telecom
Nevacon LTD
Frame Cash
76service
Noc4Hosts

APK

11-30-2007, 05:55 AM	#21 (permalink)
APK Junior Member Join Date: Nov 2007 Location: A discrete point in the space-time continuum... Posts: 36	Russian Business Network (RBN) servers to add to your HOSTS file to block them As regards the "Russian Business Network" (RBN) who has been @ the heart of MANY online attacks (or, things like Zlob trojan & IDTheft related attacks, etc. et al)? Use this information to protect yourselves, from them. (RELIABLE/REPUTABLE SOURCE USED = http://www.spamhaus.org/rokso/eviden...kso_id=ROK7465 ---- FIRST OF ALL - Note, I use "0.0.0.0" vs. "127.0.0.1" (That is simply because iirc, the zero's based one leads to a NULL port type of request, rather than your "loopback adapter" (i.e.-> YOUR OWN MACHINE fielding requests) for a couple of reasons (which it took me some time to come up w/ & testing as to which is "better" to use)). SECONDLY, 0.0.0.0 is SMALLER than 127.0.0.1, & thus, parses + loads FAR faster, & is smaller on disk is why - AND, in RAM once loaded: THUS, I am logically concluding that 0.0.0.0 is better to use period for HOSTS file blocks - same function, & @ LESSER cost, nearly all the way around (less diskspace, faster loadspeed, less memory occupancy, & etc. et al). A MORE EFFICIENT STRUCTURE! ---- USING NOTEPAD.EXE ADD THIS LIST TO YOUR CUSTOM HOSTS FILE (usually located in %windir%\system32\drivers\etc subfolder-subdirectory): # === START OF KNOWN RUSSIAN BUSINESS NETWORK/RBN MAPPINGS + AFFILIATED KNOWN SERVERS === 0.0.0.0 rxpharmacy-support.com 0.0.0.0 ns3.cnmsn.com 0.0.0.0 thecanadianmeds.com 0.0.0.0 officialmedicines.com 0.0.0.0 psxshop.com 0.0.0.0 10000xing.cn 0.0.0.0 222360.com 0.0.0.0 adslooks.info 0.0.0.0 bnably.com 0.0.0.0 eqcorn.com 0.0.0.0 familypostcards2008.com 0.0.0.0 freshcards2008.com 0.0.0.0 happy2008toyou.com 0.0.0.0 happysantacards.com 0.0.0.0 hellosanta2008.com 0.0.0.0 hohoho2008.com 0.0.0.0 kqfloat.com 0.0.0.0 ltbrew.com 0.0.0.0 mymetavids.com 0.0.0.0 obebos.cn 0.0.0.0 parentscards.com 0.0.0.0 postcards-2008.com 0.0.0.0 ptowl.com 0.0.0.0 qavoter.com 0.0.0.0 santapcards.com 0.0.0.0 santawishes2008.com 0.0.0.0 siski.cn 0.0.0.0 snbane.com 0.0.0.0 snlilac.com 0.0.0.0 tibeam.com 0.0.0.0 tushove.com 0.0.0.0 wxtaste.com 0.0.0.0 yxbegan.com 0.0.0.0 iframedollars.biz 0.0.0.0 NS1.RBNNETWORK.COM 0.0.0.0 NS1.4USER.NET 0.0.0.0 NS1.EEXHOST.COM 0.0.0.0 NS1.AKIMON.COM 0.0.0.0 NAME1.AKIMON.COM 0.0.0.0 NS2.RBNNETWORK.COM 0.0.0.0 NS2.4USER.NET 0.0.0.0 NS2.AKIMON.COM 0.0.0.0 NS2.EEXHOST.COM 0.0.0.0 NAME2.AKIMON.COM 0.0.0.0 RUSOUVENIRS.COM 0.0.0.0 RBNNETWORK.COM 0.0.0.0 NS1.INFOBOX.ORG 0.0.0.0 NS2.INFOBOX.ORG 0.0.0.0 NS1.RUSOUVENIRS.COM 0.0.0.0 NS2.RUSOUVENIRS.COM 0.0.0.0 NS1.RUSOUVENIRS.NET 0.0.0.0 NS2.RUSOUVENIRS.NET 0.0.0.0 SBTTEL.COM 0.0.0.0 AKIMON.COM 0.0.0.0 AKIMON.NET 0.0.0.0 EEXHOST.COM 0.0.0.0 NS1.EEXHOST.COM 0.0.0.0 NS2.EEXHOST.COM 0.0.0.0 NS1.4USER.NET 0.0.0.0 NS1.AKIMON.COM 0.0.0.0 NS1.EEXHOST.COM 0.0.0.0 NAME1.AKIMON.COM 0.0.0.0 NS1.RBNNETWORK.COM 0.0.0.0 NS2.4USER.NET 0.0.0.0 NS2.AKIMON.COM 0.0.0.0 NAME2.AKIMON.COM 0.0.0.0 NS2.RBNNETWORK.COM 0.0.0.0 NS2.EEXHOST.COM 0.0.0.0 VALUEDOT.NET 0.0.0.0 ns0.valuedot.net 0.0.0.0 ns1.valuedot.net 0.0.0.0 1000WATT.BIZ 0.0.0.0 2SOVKA.NET 0.0.0.0 AIDEN-GROUP.COM 0.0.0.0 AKIMON.COM 0.0.0.0 ALEKC.NET 0.0.0.0 ANDREY-STUDIO.INFO 0.0.0.0 AUTOKUBAN.INFO 0.0.0.0 AVIATRAVELAGENCY.COM 0.0.0.0 AVTOMOBILEY.NET 0.0.0.0 BAGA**A.COM 0.0.0.0 BAIKERGROUP.COM 0.0.0.0 BALTICDOORS.COM 0.0.0.0 BALTMONOLIT.COM 0.0.0.0 BRIGADA-EL.COM 0.0.0.0 CARPRIVOZ.COM 0.0.0.0 CHILLERU.COM 0.0.0.0 CVETOVODSTVO.COM 0.0.0.0 E-GOLD-CHANGER.COM 0.0.0.0 ELECTRONOV.NET 0.0.0.0 FASHIONER.BIZ 0.0.0.0 FFFFFF.ORG 0.0.0.0 FIFACUP06.INFO 0.0.0.0 FISHTORG.COM 0.0.0.0 FKGARANT.COM 0.0.0.0 FOTORETUSH.COM 0.0.0.0 FREGATSOFT.COM 0.0.0.0 FROLROMANOFF.COM 0.0.0.0 FULLVER.INFO 0.0.0.0 GAKKEL.COM 0.0.0.0 GARANTSERVICE.ORG 0.0.0.0 GDEDENGI.INFO 0.0.0.0 GLAZKI.NET 0.0.0.0 GOLD-DRAGON.INFO 0.0.0.0 GORODM.COM 0.0.0.0 GRAYZI.NET 0.0.0.0 GRIFFINFLY.COM 0.0.0.0 HEAT-ENERGO.COM 0.0.0.0 HITEMA.NET 0.0.0.0 HYIPREVIEW.INFO 0.0.0.0 HYIPSMAP.COM 0.0.0.0 ILOXX.ORG 0.0.0.0 IMYA.INFO 0.0.0.0 INFODOSKA.COM 0.0.0.0 INTERNETWORLDBOOK.COM 0.0.0.0 KLIMATA.NET 0.0.0.0 KOMOV.NET 0.0.0.0 KOSMETICHKA.NET 0.0.0.0 LIDTRADE.COM 0.0.0.0 LIFE-RU.ORG 0.0.0.0 LPSPB.COM 0.0.0.0 M-OST.NET 0.0.0.0 M-UNLOCK.COM 0.0.0.0 MAMRU.COM 0.0.0.0 MAPSERV.COM 0.0.0.0 MASTERDOKS.COM 0.0.0.0 MIRMED.COM 0.0.0.0 MOOSEMUSE.COM 0.0.0.0 MOREPRODUCT.NET 0.0.0.0 MUSEMOOSE.COM 0.0.0.0 NESTRONICS.COM 0.0.0.0 NESTRONICS.NET 0.0.0.0 NOFUN.INFO 0.0.0.0 OIL-GAS-MINERALS.COM 0.0.0.0 OKOSHKA.NET 0.0.0.0 OPTIMUS.BIZ 0.0.0.0 OTKRITKI.NET 0.0.0.0 OTKRITOK.NET 0.0.0.0 PARALLELSIXTY.COM 0.0.0.0 PASSOMONTANO.COM 0.0.0.0 PETROBALT.NET 0.0.0.0 PHARMACY-MD.COM 0.0.0.0 PISKUNOV.NET 0.0.0.0 POIGRAI.INFO 0.0.0.0 PROETCONTRA.ORG 0.0.0.0 PSOLAO.ORG 0.0.0.0 ROSEL.INFO 0.0.0.0 SBTTEL.COM 0.0.0.0 SECONDAPPROACH.COM 0.0.0.0 SMARTSOFTLINE.COM 0.0.0.0 SMESHNOY.COM 0.0.0.0 SQUAREDREAM.COM 0.0.0.0 STROIINFORM.COM 0.0.0.0 STROYBRIGADA.COM 0.0.0.0 TANK-HOBBY.COM 0.0.0.0 TECHNONORDIC.COM 0.0.0.0 TELEUNITED.NET 0.0.0.0 TEPLOCOM.COM 0.0.0.0 THERMOCAUTERY.COM 0.0.0.0 TIARU.COM 0.0.0.0 TRADEFINANS.COM 0.0.0.0 TRADEFINANS.NET 0.0.0.0 TRAININGS-TRIUMPH.ORG 0.0.0.0 TSAR-SUVENIR.COM 0.0.0.0 UEFACUP08.INFO 0.0.0.0 UMNIKSOFT.COM 0.0.0.0 UNDERCOOLED.NET 0.0.0.0 VALIDBIT.COM 0.0.0.0 VERESC.ORG 0.0.0.0 VOROLAIN.COM 0.0.0.0 WHITENIGHTSHOSTELS.COM 0.0.0.0 WORLDFONDS.NET 0.0.0.0 XRUST.NET 0.0.0.0 YAHOCHU.COM 0.0.0.0 Z-GROUP.INFO 0.0.0.0 ZDRAV.INFO 0.0.0.0 ZHESTOV.NET 0.0.0.0 ZOOSPB.COM 0.0.0.0 goldenpiginvest.com 0.0.0.0 goldenpiginvest.net 0.0.0.0 pharmacy-viagra.net # === END OF KNOWN RUSSIAN BUSINESS NETWORK/RBN MAPPINGS + AFFILIATED KNOWN SERVERS === Also - You can (AND SHOULD) verify your HOSTS file location, because it CAN be moved (& some virus/spywares do so, like QHosts) by using regedit.exe & going here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters & checking to see it has NOT been misdirected from C:\WINDOWS\SYSTEM32\DRIVERS\etc (Unless you KNOW that YOU move it, as I do!) I move mine INTENTIONALLY to another disk here that is less used & faster on seeks! That is just so it init.'s faster since the HDD is not contending with other programs loading etc. or data loading etc. - mine's on an SSD (solid-state ramdisk, for access-seek gains for example). ---- FOR FIREWALL BLOCKING RULES (or IE "restricted zones" lists (in IE options), OR possibly IP Security Policies usage): I.P. address block for Russian Business Network: 81.95.144.0/20 #SBL43489 (81.95.144.0 - 81.95.159.255) And the address blocks for its equally corrupt cousins at Intercage, Inhoster, and Nevacon: 85.255.112.0/20 #SBL36702 (85.255.112.0 - 85.255.127.255) 69.50.160.0/19 (69.50.160.0 - 69.50.191.255) 194.146.204.0/22 #SBL51152 (194.146.204.0 - 194.146.207.255) Lastly/Optionally - You should block all IPs starting with these if you do not care about Russia and China: 193. 194. 195. 213. 217. 62.64. 62.76. (AND, A few major Internet providers that provide services to RBN including)** Tiscali.uk SBT Telecom Aki Mon Telecom Nevacon LTD Frame Cash 76service Noc4Hosts APK Last edited by APK; 04-07-2008 at 04:56 PM..