# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Static trail list (filename not shown here; the content is a Maltrail-style
# indicator list, presumably one of the malware trail files).
#
# Format, as far as the entries below show:
#   - lines starting with '#' are comments; '# Reference:' lines record the
#     public source for the group of entries that follows them
#   - every other non-empty line is one trail, in one of four shapes:
#       domain            e.g. r00ts.online
#       ip[:port]         e.g. 222.186.15.231:5555
#       full URL          e.g. http://54.37.70.249
#       bare URL path     e.g. /miner.sh
#
# NOTE(review): bare path trails (/miner.sh, /scanner.sh, /conn32, /shell.elf ...)
# carry no host, so they presumably match on the request path alone and are the
# most false-positive-prone entries in this file; treat a hit on one of them as
# lower-confidence than a hit on a host/IP trail unless the host context agrees.
# NOTE(review): ip:port trails on common service ports (:80, :443) will fire on
# any connection to that host:port; such IPs are often shared or re-assigned,
# so they deserve periodic re-validation against the cited references.

# Reference: https://www.virustotal.com/#/ip-address/185.10.68.163
# Reference: https://twitter.com/luc4m/status/1044148790008205312

/miner.sh
/scanner.sh
/worlswest.sh
/bruteforce_ssh
/bruteforce_ssh_386
/bruteforce_ssh_arm
/tcpconnect_zmap_386
/tcpconnect_zmap_arm

# Reference: https://twitter.com/bad_packets/status/1127110083429654528

r00ts.online

# Reference: https://twitter.com/bad_packets/status/1127450801834680320

104.128.230.16:8000

# Reference: https://www.fortinet.com/blog/threat-research/closer-look-satan-ransomwares-propagation-technics.html

/conn32
/conn64

# Reference: https://twitter.com/ankit_anubhav/status/1132974251194011648
# Reference: https://twitter.com/0xrb/status/1133055807572959232

nadns.info
222.186.15.231:5555

# Reference: https://twitter.com/bad_packets/status/1133534604030169088

185.239.226.167:8480

# Reference: https://twitter.com/ankit_anubhav/status/1133682276045164544

cyberium.xyz

# Reference: https://twitter.com/smii_mondher/status/1134068251951083521

http://54.37.70.249

# Reference: https://twitter.com/bad_packets/status/1134920520644714496
# Reference: https://twitter.com/bad_packets/status/1140065934926684162

45.79.9.153:8000
110.40.14.13:8000

# Reference: https://twitter.com/bad_packets/status/1135623419670646784

216.176.179.106:9090

# Misc. (no public reference recorded for the entries in this group)

http://173.212.214.137
http://46.22.220.21
45.32.200.190:443
85.25.84.99:443

# Reference: https://otx.alienvault.com/pulse/5d020fb5a91466d30ad51fa2

146.185.171.227:443
5.255.86.129:3333
/.satan
/.x15cache

# Reference: https://twitter.com/P3pperP0tts/status/1140335879493492737

qqxh888.785sou.xyz

# Reference: https://twitter.com/P3pperP0tts/status/1140528607766466560

hjghj.cn

# Reference: https://twitter.com/P3pperP0tts/status/1140927899824005125

154.218.1.63:9

# Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-10149
# Reference: https://github.com/bananaphones/exim-rce-quickfix
# Reference: https://habr.com/ru/company/first/blog/455636/ (Russian)
# Reference: https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability
# Reference: https://twitter.com/bad_packets/status/1140719767961001984
# Aliases: CVE-2019-10149, CVE-2019-1003029
# NOTE(review): only CVE-2019-10149 is the Exim issue named in the references above;
# confirm from the cited write-ups that the second alias belongs to the same
# campaign (a worm exploiting more than one product) rather than being a stray entry.
# NOTE(review): the three an7kmd2wp4xo7hpr.* trails appear to be one onion address
# reached through different tor2web-style gateways; a hit on any of them is the same
# infrastructure.

an7kmd2wp4xo7hpr.tor2web.io
an7kmd2wp4xo7hpr.tor2web.su
an7kmd2wp4xo7hpr.onion.sh
http://185.10.68.193
http://185.162.235.211

# Reference: https://twitter.com/P3pperP0tts/status/1145813992297914368

58.218.66.92:520

# Reference: https://twitter.com/ankit_anubhav/status/1147172115516293121
# Reference: https://twitter.com/Jouliok/status/1143947867910004742

222.186.52.155:21541

# Reference: https://twitter.com/0xrb/status/1147447320595685376

/s1g3.sh

# Reference: https://twitter.com/bad_packets/status/1148673303533387776

http://103.76.87.94
/ARM4LinuxTF
/ARM6LinuxTF
/MipsLinuxTF
/Serverdd

# Reference: https://blog.reversinglabs.com/blog/suppy-chain-malware-detecting-malware-in-package-manager-repositories (# libpeshnx, libpesh, libari)
# (the URL above is reproduced as published; 'suppy' is part of the original slug)

http://145.249.104.71

# Reference: https://otx.alienvault.com/pulse/5d44445d2995170f8886c141
# Reference: https://blog.netlab.360.com/some-fiberhome-routers-are-being-utilized-as-ssh-tunneling-proxy-nodes-2/

gggwmndy.org

# Reference: https://twitter.com/smii_mondher/status/1161534124596875266

http://91.92.66.192

# Reference: https://www.virustotal.com/gui/file/d5926800003d87349fdd8d2844c799bf294037e541ec84e9079b7cdd75ea04db/detection

83.212.110.123:2222

# Reference: https://www.virustotal.com/gui/file/91995b62129f53ac97485c736ff7e06289bdbf5cbd4ee9f837d956fd6a230dfc/detection

103.237.99.228:1337

# Reference: https://www.virustotal.com/gui/file/381a555090858ad3aeb3484eebb596c0b2b61511d43e36339abd114efc58dae3/detection

103.41.16.39:80

# Reference: https://www.virustotal.com/gui/file/7b21b057d5d3c7f2316845e6c2e32244ab4df8f3e379d15143e52f991d2046f1/detection

129.21.254.89:2222

# Reference: https://twitter.com/_odisseus/status/1112653908185415681

80.211.90.168:53773

# Reference: https://twitter.com/VessOnSecurity/status/1177884186461507584

cnc.dontcatch.us

# Reference: https://twitter.com/bad_packets/status/1186876280446185477
# Reference: https://www.virustotal.com/gui/ip-address/188.92.77.12/relations

188.92.77.12:80
188.92.77.12:801

# Reference: https://twitter.com/Sektor7Net/status/1187292703102570496
# Reference: https://2019.hack.lu/archive/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (Slide 106)

82.194.229.214:8738

# Reference: https://twitter.com/zom3y3/status/1109044920755482624

172.104.182.244:30003

# Reference: https://twitter.com/binitamshah/status/1210110141464317958
# Reference: https://anee.me/reversing-a-real-world-249-bytes-backdoor-aadd876c0a32
# Reference: https://www.virustotal.com/gui/file/5141d29d0278c8da4eac177126cbf4d15623502d4763abd6d3a4dca2a3ea616e/detection

104.248.237.194:1337

# Reference: https://www.virustotal.com/gui/file/0e9ec521e0f862be55b967944516362aa4f4f975397086adad33bf37f69ec474/detection

119.3.22.174:8082

# Reference: https://www.virustotal.com/gui/file/325192ff91f5ec9502aedc8fad61a5a81813d0f856d2d2063d26140647d01ce7/detection

119.3.22.174:4445

# Reference: https://www.virustotal.com/gui/file/d3cb5474eaa64748b066fc78a02227fad012292d5c9f7b77e898d3b7f1eb327e/detection

119.3.22.174:9090

# Reference: https://www.virustotal.com/gui/ip-address/119.3.22.174/relations
# (the three port-specific 119.3.22.174 trails above are subsumed by this bare-URL entry for HTTP traffic;
#  kept separately so non-HTTP connections to those ports are still covered)

http://119.3.22.174

# Reference: https://www.virustotal.com/gui/file/d7ee59c5d7406b95f5c8bc1bf55cca00e106df1014914b5ddd68e9d58ecc04ca/detection

109.234.37.219:7393

# Reference: https://tolisec.com/yarn-botnet/

http://104.244.74.248
/hehe.sh

# Reference: https://isc.sans.edu/forums/diary/Interesting+HTTP+User+Agent+chrootapach0day/18453

proxypipe.com/apach0day
/apch0day.sh

# Reference: https://twitter.com/IntezerLabs/status/1297868508135481346
# Reference: https://analyze.intezer.com/analyses/0d0171fd-c2a1-47eb-8d5c-2aa4a814f87a/sub/75207f3e-c8c1-435a-97ee-9c765f274d80/
# Reference: https://www.virustotal.com/gui/file/4ed5bfcdfe78bfad88494a883c0c8e392f8ccf9746ec5a8449746cc5e8b0edca/detection
# Reference: https://www.virustotal.com/gui/file/8471b945edaa37d2cfeda1a7c367cf3f273e8dee7353e6cb309a74d33b6a87b7/detection

bcfc.xyz

# Reference: https://twitter.com/IntezerLabs/status/1298615434267197440
# Reference: https://analyze.intezer.com/analyses/4149b963-66bc-4bbb-877a-f2a79e884e71
# Reference: https://www.virustotal.com/gui/file/a272169216d1020b615c453e1565857f129a5d4f4fa9f0ac054a3c8a8d98cc06/detection
# Reference: https://www.virustotal.com/gui/file/7ae87ed4c4b57b96959f46b24357b15bc68b7cc9a1af2d92a2bcd632f692af5d/detection
# Reference: https://www.virustotal.com/gui/file/7e4031816f446e3788303fb0d34b67c3eedb080118bbe9efb9ad567503ac3e0f/detection

95.142.46.69:8015
95.142.46.69:8016
95.142.46.69:8022
fttt.developerstatss.ga

# Reference: https://www.virustotal.com/gui/file/96ead4fa8bf37eb8933285466b0f3985ab55438702000f678fac150ab3ea9703/detection

129.204.227.27:11445

# Reference: https://www.virustotal.com/gui/file/d3466a191b5185a4007faf8949117df5c77907eea9121c7e8308f2a5a736b3fc/detection
# Reference: https://github.com/stamparm/maltrail/pull/12104/commits/4be05bd2e501d1f7558e8f3e0c2f8182775b6bcb
# (one host listed on several ports; the ports are common database/web service
#  ports, so each entry only fires for traffic to this specific IP)

103.125.218.107:1433
103.125.218.107:6379
103.125.218.107:6380
103.125.218.107:7001
103.125.218.107:7002
103.125.218.107:8080
103.125.218.107:8088
103.125.218.107:9200

# Reference: https://www.virustotal.com/gui/file/9a5596bfd850ced638cefeb7eb389448780076e42a6749006409ccef4036cc71/detection

185.191.32.157:8888

# Reference: https://twitter.com/rootprivilege/status/1331348542028275712

http://161.35.110.135/a.tar.gz

# Reference: https://twitter.com/jorgemieres/status/1333417189005799424

/shell.elf

# Reference: https://twitter.com/alphasoc/status/1056792558284619776

flyings0ul.do.am
redu.clan.su

# Reference: https://twitter.com/0xrb/status/1344166270736822272

http://51.178.215.251

# Reference: https://twitter.com/SolutionsXnotes/status/1173228101850894342

/auto_priv_exploit.sh
/auto_searchsploit.py

# Reference: https://www.virustotal.com/gui/file/9dbb7c3cb76ac4620a46400525bfab4fd7935a191b774c0d483b73c6370b5515/detection

149.248.6.193:2006

# Reference: https://www.virustotal.com/gui/file/f0d8ea0e716c239df7829b37ca77c4c55d652e7b64dc0f47291939c173a829ee/detection

149.248.6.193:2007

# Reference: https://twitter.com/r3dbU7z/status/1346381456063528962
# Reference: https://s.tencent.com/research/report/1213.html

103.45.183.12:808

# Reference: https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz
# Reference: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/012/156/original/snort3-community-rules.tar.gz
# (these two references are rule-set archives, not write-ups; the exact Snort
#  rule that cites the two domains below is not recorded here)

antiq.scifi.ro
funny.evils.in