Java-se[.]com has been observed in a compromise of the DPHK website. Some of the IP addresses associated with it appear to be on smaller shared hosting and could host legitimate websites. Blocking the domains is an easy first step to help clean up any infections.