Over 10,000 payload domains for SMS spam are located on 130.211.17.207, and have been there for months.
phishing server
sun1coast-6authx.duckdns.org has address 35.237.111.208
phishing server
20.230.61.235|heldesk-boa-update.com|2022-04-16 11:34:42
spam source at findall.app
Spam source
findall.app. 30 IN A 34.236.24.70
findall.app. 10798 IN NS ns2.findall.app.
findall.app. 10798 IN NS ns1.findall.app.
ns2.findall.app. 3598 IN A 23.21.78.86
ns1.findall.app. 3598 IN A 23.21.78.86
=================================================================
Return-Path: <ubuntu@ssiwb7.findall.app>
Received: from ssiwb7.findall.app (findall.app [34.236.24.70]) by x (Postfix) with SMTP id x for <x>; Mon, 11 Apr 2022 xx:xx:xx -0400 (EDT)
From: ubuntu@ssiwb7.findall.app
Subject: Poligran…
IcedID botnet controller @164.92.104.194
The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.
IcedID botnet controller located at 164.92.104.194 on port 80 (using HTTP GET):
hXXp://ertimadifa.com/
$ dig +short ertimadifa.com
164.92.104.194
Referencing malware binaries (MD5 hash):
89a0e6601d22c145a7dd5f5dd65b1f04 — AV detection:…
AZORult botnet controller @104.21.20.176
The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.
AZORult botnet controller located at 104.21.20.176 on port 80 (using HTTP POST):
hXXp://e4v5sa.xyz/PL341/index.php
$ dig +short e4v5sa.xyz
104.21.20.176
ArkeiStealer botnet controller @159.69.101.49
The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.
ArkeiStealer botnet controller located at 159.69.101.49 on port 80 (using HTTP POST):
hXXp://159.69.101.49/
$ nslookup 159.69.101.49
static.49.101.69.159.clients.your-server.de
Referencing malware binaries (MD5 hash):
67fe8a8dca32f7c9326e3ddf75e0eb9e — AV detection: 27…
Abused crypto currency mining pool
The host at this IP address is running a crypto currency mining pool that is currently being abused by cybercriminals for mining crypto currencies on malware infected computers. The following information should be sufficient for the identification and suspension of the abusive users:
{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"45XQiu9A9vmVd5Cy6X35M12NocUr2Hx69X4ZNNu2BsKJYkdksefg2gXJyvBUeEJyDWTfLD6GWmAu4Tab1w4tycfcFMqy8yH.x","pass":"x","agent":"XMRig/6.16.4 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt","ghostrider"]}}
Malware botnet controller @198.244.224.125
The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.
Malware botnet controller at 198.244.224.125 on port 443.
$ telnet 198.244.224.125 443
Trying 198.244.224.125…
Connected to 198.244.224.125.
Escape character is '^]'
Malicious domains observed at this IP…