Botnet spammed phishing domains: Phishing Google users.
176.113.80.149 google-site-verification.com 2021-11-29 02:21:09
176.113.80.149 googletags-manager.com 2021-11-29 02:36:22
176.113.80.149 script-analytic.com 2021-11-30 02:36:40
176.113.80.149 script-analytics.com 2021-11-30 02:36:30
_____________
Was:
85.192.56.21 googletags-manager.com 2021-11-18 02:06:29
85.192.56.21 script-analytic.com 2021-11-18 01:41:15
85.192.56.21 script-analytics.com 2021-11-18 01:46:15
_____________
Was:
google-site-verification.com. 600 IN A 194.113.107.118
_____________
Was:
google-site-verification.com. 600 IN A 193.42.112.78
_____________
Was:
google-site-verification.com. 600 IN A 62.113.117.27
_____________
Was:
178.218.213.234 google-site-verification.com…
spam emitter @76.223.177.55
Received: from c177-55.smtp-out.ap-northeast-2.amazonses.com (76.223.177.55)
Date: Mon, 29 Nov 2021 20:2x:xx +0000
From: Évaluation voiture <no_reply@hanjin.co.kr>
Subject: Prix en ligne pour votre voiture
(The display name and subject are French: "Car valuation" and "Online price for your car".)
Malware distribution @95.181.152.139
The host at this IP address is currently being used to distribute malware.
Malware distribution located here:
hXXp://95.181.152.139/rrghost.exe
Referencing malware binaries (MD5 hash):
01506977f93139155d8b8fd0b571470c - AV detection: 40 / 61 (65.57)
09d5cb1ce36967235ccae5c7e5d81ddc - AV detection: 32 / 64 (50.00)
0ed55fa041adc2cb12006d044306633b - AV detection: 39 / 68 (57.35)
111235284fa41f19e41f117a9ad43372 - AV detection: 35 / 64 (54.69)…
Loki botnet controller @104.21.67.244
The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.
Loki botnet controller located at 104.21.67.244 on port 80 (using HTTP POST):
hXXp://hdmibonquet.ir/five/fre.php
$ dig +short hdmibonquet.ir
104.21.67.244
Note that 104.21.67.244 lies in Cloudflare's 104.16.0.0/13 range, so it is a shared reverse-proxy edge rather than the panel's origin server: block or sinkhole the hostname hdmibonquet.ir, not the address.
Referencing malware binaries (MD5 hash):
47a0e4fec99c3018e70abdf75c4e210f - AV detection:…
Loki botnet controller @3.145.25.98
The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.
Loki botnet controller located at 3.145.25.98 on port 80 (using HTTP POST):
hXXp://domynuts.ga/accounts/fre.php
$ dig +short domynuts.ga
3.145.25.98
$ nslookup 3.145.25.98
ec2-3-145-25-98.us-east-2.compute.amazonaws.com
Referencing malware binaries (MD5 hash):…
Malicious redirectors.
Was SBL537335 47.254.173.194/32
Was SBL537237 47.74.89.251/32
Was SBL537181 47.251.40.77/32
188.246.235.218 transit-uk.com
188.246.235.218 nhs.auth-covid-pass.com
hermes.online-postage-delivery.com has address 188.246.235.218
online-postage-delivery.com has address 188.246.235.218
dpd-parcel-reschedule.com has address 45.130.41.12
_____________
Nothing legitimate is hosted here.
auth-covid-pass.com has address 47.254.173.194
nhs.auth-covid-pass.com has address 47.254.173.194
delayed-gb.com has address 47.254.173.194
hermes.online-postage-delivery.com has address 47.254.173.194
online-postage-delivery.com has address 47.254.173.194
dpd-parcel-reschedule.com has address 45.130.41.12…
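The phishing-domain listing and the redirector listing above are both passive-DNS pivots: the same handful of addresses fronting a rotating set of lookalike domains. The following script, an added example and not Spamhaus's tooling, parses the three record shapes that appear in those listings (the "IP domain timestamp" passive-DNS rows, dig answer lines, and host(1) "has address" lines), builds domain-to-IP and IP-to-domain maps in listing order, and reports the addresses that fronted more than one listed domain. The sample input is copied from the two listings; the regexes, threshold and function names are this example's own.

```python
import re

# Three record shapes that turn up in these listings:
#   passive-DNS dump:   "176.113.80.149 google-site-verification.com 2021-11-29 02:21:09"
#   dig answer section: "google-site-verification.com. 600 IN A 194.113.107.118"
#   host(1) output:     "auth-covid-pass.com has address 47.254.173.194"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
PDNS_RE = re.compile(r"^(" + IPV4 + r")\s+(\S+?)(?:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}))?$")
DIG_RE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+A\s+(" + IPV4 + r")$")
HOST_RE = re.compile(r"^(\S+) has address (" + IPV4 + r")$")


def parse_records(text):
    """Yield (domain, ip, timestamp-or-None) for every line in a recognised shape.

    Separator rows, "Was:" markers, SBL references and free text are skipped; a
    trailing "…" left by truncation is stripped before matching.
    """
    for raw in text.splitlines():
        line = raw.strip().rstrip("…").strip()
        if not line:
            continue
        if m := PDNS_RE.match(line):
            yield m.group(2).lower().rstrip("."), m.group(1), m.group(3)
        elif m := DIG_RE.match(line):
            yield m.group(1).lower(), m.group(2), None
        elif m := HOST_RE.match(line):
            yield m.group(1).lower().rstrip("."), m.group(2), None


def build_pivot(text):
    """Return (domain -> [ips in listing order], ip -> [domains in listing order])."""
    domain_ips, ip_domains = {}, {}
    for domain, ip, _ in parse_records(text):
        if ip not in domain_ips.setdefault(domain, []):
            domain_ips[domain].append(ip)
        if domain not in ip_domains.setdefault(ip, []):
            ip_domains[ip].append(domain)
    return domain_ips, ip_domains


def shared_infrastructure(ip_domains, minimum=2):
    """Addresses that fronted at least `minimum` distinct listed domains.

    These are the pivots worth blocking at the IP level; an address carrying a
    single domain (45.130.41.12 in the sample) is better handled by hostname.
    """
    return {ip: sorted(ds) for ip, ds in ip_domains.items() if len(ds) >= minimum}


# Sample input copied from the two listings above (separators and "Was:" rows included
# on purpose, to show they are ignored).
SAMPLE = """\
176.113.80.149 google-site-verification.com 2021-11-29 02:21:09
176.113.80.149 googletags-manager.com 2021-11-29 02:36:22
176.113.80.149 script-analytic.com 2021-11-30 02:36:40
176.113.80.149 script-analytics.com 2021-11-30 02:36:30
_____________
Was:
85.192.56.21 googletags-manager.com 2021-11-18 02:06:29
85.192.56.21 script-analytic.com 2021-11-18 01:41:15
85.192.56.21 script-analytics.com 2021-11-18 01:46:15
_____________
Was:
google-site-verification.com. 600 IN A 194.113.107.118
Was:
google-site-verification.com. 600 IN A 193.42.112.78
Was:
google-site-verification.com. 600 IN A 62.113.117.27
Was:
178.218.213.234 google-site-verification.com…
Was SBL537335 47.254.173.194/32
188.246.235.218 transit-uk.com
188.246.235.218 nhs.auth-covid-pass.com
hermes.online-postage-delivery.com has address 188.246.235.218
online-postage-delivery.com has address 188.246.235.218
dpd-parcel-reschedule.com has address 45.130.41.12
Nothing legitimate is hosted here.
auth-covid-pass.com has address 47.254.173.194
nhs.auth-covid-pass.com has address 47.254.173.194
delayed-gb.com has address 47.254.173.194
hermes.online-postage-delivery.com has address 47.254.173.194
online-postage-delivery.com has address 47.254.173.194
dpd-parcel-reschedule.com has address 45.130.41.12…
"""

DOMAIN_IPS, IP_DOMAINS = build_pivot(SAMPLE)

if __name__ == "__main__":
    for domain, ips in DOMAIN_IPS.items():
        print(f"{domain}: {' -> '.join(ips)}")
    for ip, domains in shared_infrastructure(IP_DOMAINS).items():
        print(f"{ip} fronts {len(domains)} listed domains: {', '.join(domains)}")
```

Running it shows google-site-verification.com walking through five addresses in the order the listing gives them, and four addresses (176.113.80.149, 85.192.56.21, 188.246.235.218 and 47.254.173.194) each carrying several of the lookalike domains, which is the shared-hosting signal that justifies listing the address rather than chasing domains one at a time.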
Botnet hosting (escalation)
Due to massive and repeated botnet hosting, as well as the fact that hostway provides bulletproof hosting to botnet operators by ignoring abuse reports sent by Spamhaus and third parties, we consider their network as harmful and risky for our users. As a result, we advise our users to not accept network traffic from hostway.ru's…
Attack Server
Exploit scanner
1638207204.833 0 206.189.131.7 TCP_DENIED/403 4019 GET http://X.X.X.X/pma2019/index.php? - HIER_NONE/- text/html
1638207205.398 0 206.189.131.7 TCP_DENIED/403 4007 GET http://X.X.X.X/pma/index.php? - HIER_NONE/- text/html
1638207205.974 0 206.189.131.7 TCP_DENIED/403 4042 GET http://X.X.X.X/admin/sqladmin/index.php? - HIER_NONE/- text/html
1638207206.616 0 206.189.131.7 TCP_DENIED/403 4019 GET http://X.X.X.X/PMA2021/index.php? - HIER_NONE/- text/html
1638207207.207 0 206.189.131.7 TCP_DENIED/403 4019 GET http://X.X.X.X/PMA2016/index.php? - HIER_NONE/- text/html
1638207207.699 0 206.189.131.7…
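The log excerpt above is Squid's native access.log format, and the pattern that makes 206.189.131.7 an exploit scanner is visible in it: one client walking several phpMyAdmin-style paths within a couple of seconds. The same proxy log is also where a Loki check-in would show up, since the two Loki listings above describe the controller as an HTTP POST gate named fre.php. The script below is an added example, not Spamhaus's or Squid's code: it parses native-format records and runs two detections over them, the admin-panel enumeration seen in the excerpt and POSTs to a Loki-style gate. The five scanner records are copied from the listing (with the ident field restored to "-"); the benign visitor, the below-threshold probe and the 10.0.0.21 check-in to hdmibonquet.ir are constructed, and the path list, thresholds and function names are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Squid native access.log layout (one record per line):
#   time elapsed client code/status bytes method URL ident hierarchy/peer content-type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Directory names a phpMyAdmin / DB-admin scanner walks (pma, PMA2016, sqladmin, ...).
# The list is this example's assumption; extend it from your own 403 logs.
ADMIN_PATH_RE = re.compile(r"/(?:pma|phpmyadmin|myadmin|sqladmin|dbadmin|mysql)[^/]*/index\.php", re.I)
# Loki panel gate as named in the listings above; other stealer families use other gate names.
LOKI_GATE_RE = re.compile(r"/fre\.php$", re.I)


def parse_squid(lines):
    """Yield one dict per well-formed record, with ts as float and host/path split out."""
    for line in lines:
        m = SQUID_RE.match(line.strip())
        if not m:
            continue  # truncated or foreign lines are skipped, not guessed at
        rec = m.groupdict()
        rec["ts"] = float(rec["ts"])
        parts = rec["url"].split("/", 3)          # "http:", "", host, rest
        rec["host"] = parts[2] if len(parts) > 2 else ""
        rec["path"] = "/" + parts[3] if len(parts) > 3 else "/"
        yield rec


def find_scanners(lines, min_paths=3, window=10.0):
    """Clients that probed at least `min_paths` distinct admin-panel paths within `window` seconds.

    Returns {client: sorted paths}. Denied (403) and allowed requests count alike:
    the signal is the enumeration pattern, not whether the proxy let it through.
    """
    probes = {}
    for rec in parse_squid(lines):
        if ADMIN_PATH_RE.search(rec["path"]):
            probes.setdefault(rec["client"], []).append((rec["ts"], rec["path"]))
    hits = {}
    for client, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # sliding window over the client's probes
            paths = {p for t, p in events[i:] if t - t0 <= window}
            if len(paths) >= min_paths:
                hits[client] = sorted(paths)
                break
    return hits


def find_c2_beacons(lines):
    """HTTP POSTs to a Loki-style gate, as (client, host, path, first-seen UTC) tuples."""
    seen = {}
    for rec in parse_squid(lines):
        if rec["method"] == "POST" and LOKI_GATE_RE.search(rec["path"].split("?")[0]):
            key = (rec["client"], rec["host"], rec["path"])
            seen.setdefault(key, datetime.fromtimestamp(rec["ts"], tz=timezone.utc).isoformat())
    return [(*k, v) for k, v in seen.items()]


SAMPLE_LOG = [
    # Five records copied from the listing above.
    "1638207204.833 0 206.189.131.7 TCP_DENIED/403 4019 GET http://X.X.X.X/pma2019/index.php? - HIER_NONE/- text/html",
    "1638207205.398 0 206.189.131.7 TCP_DENIED/403 4007 GET http://X.X.X.X/pma/index.php? - HIER_NONE/- text/html",
    "1638207205.974 0 206.189.131.7 TCP_DENIED/403 4042 GET http://X.X.X.X/admin/sqladmin/index.php? - HIER_NONE/- text/html",
    "1638207206.616 0 206.189.131.7 TCP_DENIED/403 4019 GET http://X.X.X.X/PMA2021/index.php? - HIER_NONE/- text/html",
    "1638207207.207 0 206.189.131.7 TCP_DENIED/403 4019 GET http://X.X.X.X/PMA2016/index.php? - HIER_NONE/- text/html",
    # Constructed records (not from the listing): a normal visitor, a single probe that stays
    # below the threshold, and an invented client checking in to the Loki panel named above.
    "1638207210.000 120 10.0.0.5 TCP_MISS/200 5120 GET http://X.X.X.X/index.php - HIER_DIRECT/X.X.X.X text/html",
    "1638207260.400 0 198.51.100.9 TCP_DENIED/403 4019 GET http://X.X.X.X/pma/index.php? - HIER_NONE/- text/html",
    "1638207300.120 210 10.0.0.21 TCP_MISS/200 612 POST http://hdmibonquet.ir/five/fre.php - HIER_DIRECT/104.21.67.244 text/html",
]

if __name__ == "__main__":
    for client, paths in find_scanners(SAMPLE_LOG).items():
        print(f"scanner {client}: {len(paths)} admin paths, e.g. {paths[0]}")
    for client, host, path, first in find_c2_beacons(SAMPLE_LOG):
        print(f"C2 check-in {client} -> {host}{path} first seen {first}")
```

On the sample the scanner rule fires only for 206.189.131.7 (five distinct admin paths inside 2.4 seconds), not for the one-off probe from 198.51.100.9, and the gate rule surfaces the constructed POST to hdmibonquet.ir/five/fre.php with its first-seen time derived from the epoch timestamp. Note that this is a match on the gate name alone; in production pair it with the hostname or the URL from the listing, because a benign site could legitimately serve a file called fre.php.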
top200.live / myopenaccess.live / scholarlyopenaccessjournals.com / opastonline.com (OPast Publishing Group)
11/29/2021: The owner of the domains and IP addresses used in this spam run has moved hosting for their main domain from GoDaddy to Contabo. This was done without resolving the spam issue, so Spamhaus is listing the new hosting IP address to protect users and make Contabo aware of this entity's record.
$ host…
RedLineStealer botnet controller @185.189.167.130
RedLineStealer botnet controller hosted here:
$ telnet 185.189.167.130 38637
Trying 185.189.167.130...
Connected to 185.189.167.130.
Escape character is '^]'.