Now.. here's something strange. Remember the blocklist that the ISC was recommending..

  • InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
  • Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)

Well, check out Alexa's movers and shakers (do NOT visit the sites) and look at the sites going down.

  • Skarb.biz (69.50.161.197)
  • Ep-arch.com (69.50.182.68)
  • Debri.net (69.50.182.68)
  • Buycd.org (69.50.182.69)
  • Lonely-wolf.net (69.50.182.69)
  • Cobgalls.com (69.50.182.66)


They are all in InterCage's IP address range, and from early October to the end of December, all these sites were pulling in a sh*tload of traffic.. I reckon about 60,000-80,000 uniques per day per site. Each of those servers has 50 sites running for 80 days, and poking around some random IP addresses shows that there are other servers in that farm; I count at least 6 in total with about 275 sites.

OK, there's a wide margin for error here, but that's an astounding amount of traffic they've pulled in, and if those servers were distributing the WMF exploit (I guess during December), then there could be a truly staggering number of infected PCs.
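The range check behind the observation above, as an added example that is not part of the original post: it parses the two blocklist entries in the form quoted here, confirms each stated first/last address agrees with its CIDR, and groups the listed sites by blocklisted network and shared IP. The function names and regular expressions are assumptions made for this sketch.

```python
import ipaddress
import re
from collections import defaultdict

# Blocklist entries and site/IP pairs copied from the post above.
BLOCKLIST = """\
InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
"""
SITES = """\
Skarb.biz (69.50.161.197)
Ep-arch.com (69.50.182.68)
Debri.net (69.50.182.68)
Buycd.org (69.50.182.69)
Lonely-wolf.net (69.50.182.69)
Cobgalls.com (69.50.182.66)
"""

ENTRY_RE = re.compile(
    r"^(?P<owner>.+?): *(?P<cidr>\S+) *\((?P<first>\S+) *- *(?P<last>[^)\s]+)\)$", re.M)
SITE_RE = re.compile(r"^(?P<host>\S+) *\((?P<ip>[\d.]+)\)$", re.M)

def parse_blocklist(text):
    """Return {owner: network}; reject entries whose stated range disagrees with the CIDR."""
    nets = {}
    for m in ENTRY_RE.finditer(text):
        net = ipaddress.ip_network(m["cidr"], strict=True)
        stated = (ipaddress.ip_address(m["first"]), ipaddress.ip_address(m["last"]))
        if stated != (net.network_address, net.broadcast_address):
            raise ValueError(f"range mismatch for {m['owner']}")
        nets[m["owner"]] = net
    return nets

def classify(sites_text, nets):
    """Map each owner (None if not blocklisted) to {ip: [hosts]} to expose shared servers."""
    hits = defaultdict(lambda: defaultdict(list))
    for m in SITE_RE.finditer(sites_text):
        ip = ipaddress.ip_address(m["ip"])
        owner = next((o for o, n in nets.items() if ip in n), None)
        hits[owner][str(ip)].append(m["host"])
    return hits

if __name__ == "__main__":
    for owner, by_ip in classify(SITES, parse_blocklist(BLOCKLIST)).items():
        for ip, hosts in sorted(by_ip.items()):
            print(f"{owner or 'not listed'}: {ip} -> {', '.join(hosts)}")
```

Grouping by IP makes the co-hosting visible: the six sites resolve to only four addresses, all inside the /19.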