# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://www.virustotal.com/#/ip-address/185.10.68.163 # Reference: https://twitter.com/luc4m/status/1044148790008205312 /miner.sh /scanner.sh /worlswest.sh /bruteforce_ssh /bruteforce_ssh_386 /bruteforce_ssh_arm /tcpconnect_zmap_386 /tcpconnect_zmap_arm # Reference: https://twitter.com/bad_packets/status/1127110083429654528 r00ts.online # Reference: https://twitter.com/bad_packets/status/1127450801834680320 104.128.230.16:8000 # Reference: https://www.fortinet.com/blog/threat-research/closer-look-satan-ransomwares-propagation-technics.html /conn32 /conn64 # Reference: https://twitter.com/ankit_anubhav/status/1132974251194011648 # Reference: https://twitter.com/0xrb/status/1133055807572959232 nadns.info 222.186.15.231:5555 # Reference: https://twitter.com/bad_packets/status/1133534604030169088 185.239.226.167:8480 # Reference: https://twitter.com/ankit_anubhav/status/1133682276045164544 cyberium.xyz # Reference: https://twitter.com/smii_mondher/status/1134068251951083521 http://54.37.70.249 # Reference: https://twitter.com/bad_packets/status/1134920520644714496 # Reference: https://twitter.com/bad_packets/status/1140065934926684162 45.79.9.153:8000 110.40.14.13:8000 # Reference: https://twitter.com/bad_packets/status/1135623419670646784 216.176.179.106:9090 # Misc. http://173.212.214.137 http://46.22.220.21 45.32.200.190:443 85.25.84.99:443 # Reference: https://otx.alienvault.com/pulse/5d020fb5a91466d30ad51fa2 146.185.171.227:443 5.255.86.129:3333 /.satan /.x15cache # Reference: https://twitter.com/P3pperP0tts/status/1140335879493492737 qqxh888.785sou.xyz # Reference: https://twitter.com/P3pperP0tts/status/1140528607766466560 hjghj.cn # Reference: https://twitter.com/P3pperP0tts/status/1140927899824005125 154.218.1.63:9 # Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-10149 # Reference: https://github.com/bananaphones/exim-rce-quickfix # Reference: https://habr.com/ru/company/first/blog/455636/ (Russian) # Reference: https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability # Reference: https://twitter.com/bad_packets/status/1140719767961001984 # Aliases: CVE-2019-10149, CVE-2019-1003029 an7kmd2wp4xo7hpr.tor2web.io an7kmd2wp4xo7hpr.tor2web.su an7kmd2wp4xo7hpr.onion.sh http://185.10.68.193 http://185.162.235.211 # Reference: https://twitter.com/P3pperP0tts/status/1145813992297914368 58.218.66.92:520 # Reference: https://twitter.com/ankit_anubhav/status/1147172115516293121 # Reference: https://twitter.com/Jouliok/status/1143947867910004742 222.186.52.155:21541 # Reference: https://twitter.com/0xrb/status/1147447320595685376 /s1g3.sh # Reference: https://twitter.com/bad_packets/status/1148673303533387776 http://103.76.87.94 /ARM4LinuxTF /ARM6LinuxTF /MipsLinuxTF /Serverdd # Reference: https://blog.reversinglabs.com/blog/suppy-chain-malware-detecting-malware-in-package-manager-repositories (# libpeshnx, libpesh, libari) http://145.249.104.71 # Reference: https://otx.alienvault.com/pulse/5d44445d2995170f8886c141 # Reference: https://blog.netlab.360.com/some-fiberhome-routers-are-being-utilized-as-ssh-tunneling-proxy-nodes-2/ gggwmndy.org # Reference: https://twitter.com/smii_mondher/status/1161534124596875266 http://91.92.66.192 # Reference: https://www.virustotal.com/gui/file/d5926800003d87349fdd8d2844c799bf294037e541ec84e9079b7cdd75ea04db/detection 83.212.110.123:2222 # Reference: https://www.virustotal.com/gui/file/91995b62129f53ac97485c736ff7e06289bdbf5cbd4ee9f837d956fd6a230dfc/detection 103.237.99.228:1337 # Reference: https://www.virustotal.com/gui/file/381a555090858ad3aeb3484eebb596c0b2b61511d43e36339abd114efc58dae3/detection 103.41.16.39:80 # Reference: https://www.virustotal.com/gui/file/7b21b057d5d3c7f2316845e6c2e32244ab4df8f3e379d15143e52f991d2046f1/detection 129.21.254.89:2222 # Reference: https://twitter.com/_odisseus/status/1112653908185415681 80.211.90.168:53773 # Reference: https://twitter.com/VessOnSecurity/status/1177884186461507584 cnc.dontcatch.us # Reference: https://twitter.com/bad_packets/status/1186876280446185477 # Reference: https://www.virustotal.com/gui/ip-address/188.92.77.12/relations 188.92.77.12:80 188.92.77.12:801 # Reference: https://twitter.com/Sektor7Net/status/1187292703102570496 # Reference: https://2019.hack.lu/archive/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (Slide 106) 82.194.229.214:8738 # Reference: https://twitter.com/zom3y3/status/1109044920755482624 172.104.182.244:30003 # Reference: https://twitter.com/binitamshah/status/1210110141464317958 # Reference: https://anee.me/reversing-a-real-world-249-bytes-backdoor-aadd876c0a32 # Reference: https://www.virustotal.com/gui/file/5141d29d0278c8da4eac177126cbf4d15623502d4763abd6d3a4dca2a3ea616e/detection 104.248.237.194:1337 # Reference: https://www.virustotal.com/gui/file/0e9ec521e0f862be55b967944516362aa4f4f975397086adad33bf37f69ec474/detection 119.3.22.174:8082 # Reference: https://www.virustotal.com/gui/file/325192ff91f5ec9502aedc8fad61a5a81813d0f856d2d2063d26140647d01ce7/detection 119.3.22.174:4445 # Reference: https://www.virustotal.com/gui/file/d3cb5474eaa64748b066fc78a02227fad012292d5c9f7b77e898d3b7f1eb327e/detection 119.3.22.174:9090 # Reference: https://www.virustotal.com/gui/ip-address/119.3.22.174/relations http://119.3.22.174 # Reference: https://www.virustotal.com/gui/file/d7ee59c5d7406b95f5c8bc1bf55cca00e106df1014914b5ddd68e9d58ecc04ca/detection 109.234.37.219:7393 # Reference: https://tolisec.com/yarn-botnet/ http://104.244.74.248 /hehe.sh # Reference: https://isc.sans.edu/forums/diary/Interesting+HTTP+User+Agent+chrootapach0day/18453 proxypipe.com/apach0day /apch0day.sh # Reference: https://twitter.com/IntezerLabs/status/1297868508135481346 # Reference: https://analyze.intezer.com/analyses/0d0171fd-c2a1-47eb-8d5c-2aa4a814f87a/sub/75207f3e-c8c1-435a-97ee-9c765f274d80/ # Reference: https://www.virustotal.com/gui/file/4ed5bfcdfe78bfad88494a883c0c8e392f8ccf9746ec5a8449746cc5e8b0edca/detection # Reference: https://www.virustotal.com/gui/file/8471b945edaa37d2cfeda1a7c367cf3f273e8dee7353e6cb309a74d33b6a87b7/detection bcfc.xyz # Reference: https://twitter.com/IntezerLabs/status/1298615434267197440 # Reference: https://analyze.intezer.com/analyses/4149b963-66bc-4bbb-877a-f2a79e884e71 # Reference: https://www.virustotal.com/gui/file/a272169216d1020b615c453e1565857f129a5d4f4fa9f0ac054a3c8a8d98cc06/detection # Reference: https://www.virustotal.com/gui/file/7ae87ed4c4b57b96959f46b24357b15bc68b7cc9a1af2d92a2bcd632f692af5d/detection # Reference: https://www.virustotal.com/gui/file/7e4031816f446e3788303fb0d34b67c3eedb080118bbe9efb9ad567503ac3e0f/detection 95.142.46.69:8015 95.142.46.69:8016 95.142.46.69:8022 fttt.developerstatss.ga # Reference: https://www.virustotal.com/gui/file/96ead4fa8bf37eb8933285466b0f3985ab55438702000f678fac150ab3ea9703/detection 129.204.227.27:11445 # Reference: https://www.virustotal.com/gui/file/d3466a191b5185a4007faf8949117df5c77907eea9121c7e8308f2a5a736b3fc/detection # Reference: https://github.com/stamparm/maltrail/pull/12104/commits/4be05bd2e501d1f7558e8f3e0c2f8182775b6bcb 103.125.218.107:1433 103.125.218.107:6379 103.125.218.107:6380 103.125.218.107:7001 103.125.218.107:7002 103.125.218.107:8080 103.125.218.107:8088 103.125.218.107:9200 # Reference: https://www.virustotal.com/gui/file/9a5596bfd850ced638cefeb7eb389448780076e42a6749006409ccef4036cc71/detection 185.191.32.157:8888 # Reference: https://twitter.com/rootprivilege/status/1331348542028275712 http://161.35.110.135/a.tar.gz # Reference: https://twitter.com/jorgemieres/status/1333417189005799424 /shell.elf # Reference: https://twitter.com/alphasoc/status/1056792558284619776 flyings0ul.do.am redu.clan.su # Reference: https://twitter.com/0xrb/status/1344166270736822272 http://51.178.215.251 # Reference: https://twitter.com/SolutionsXnotes/status/1173228101850894342 /auto_priv_exploit.sh /auto_searchsploit.py # Reference: https://www.virustotal.com/gui/file/9dbb7c3cb76ac4620a46400525bfab4fd7935a191b774c0d483b73c6370b5515/detection 149.248.6.193:2006 # Reference: https://www.virustotal.com/gui/file/f0d8ea0e716c239df7829b37ca77c4c55d652e7b64dc0f47291939c173a829ee/detection 149.248.6.193:2007 # Reference: https://twitter.com/r3dbU7z/status/1346381456063528962 # Reference: https://s.tencent.com/research/report/1213.html 103.45.183.12:808 # Reference: https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz # Reference: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/012/156/original/snort3-community-rules.tar.gz antiq.scifi.ro funny.evils.in # Reference: https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/ # Reference: https://otx.alienvault.com/pulse/6011e0e8fe4caceec3d71f63/ /Linuxaacc # Reference: https://twitter.com/r3dbU7z/status/1363822329885847552 http://195.2.78.71 /flash_erase-arm-lsb /flash_erase-arm-msb /flash_erase-mips /flashcp-arm-lsb /flashcp-arm-lsb_2 /flashcp-arm-msb /flashcp-arm-msb_2 /flashcp-mips /flashcp-mips_2 /ssev78 # Reference: https://www.virustotal.com/gui/file/c7c26bf1e2074cf76b67f29489eb71e3a143c2b3bf867d06c3a30905e12aef8f/detection 45.9.148.48:8351 # Reference: https://www.virustotal.com/gui/file/c2c91c021a048eea97147add486b7618304803d63989d2c2fdab87741ca8803b/detection 45.9.148.48:8341 # Reference: https://www.virustotal.com/gui/file/ac636d56a2d4deddcba32c860dbf047575880edc149d1d12065ac881126cb8dc/detection 45.9.148.48:8541 # Reference: https://www.virustotal.com/gui/file/f618a9e30c9b78c3e9c63abacbc795182382237134ca5eca8f270180a1ccca4c/detection 45.9.148.48:8531 # Reference: https://www.virustotal.com/gui/file/0082bf60be89624ca9b9bcffbb4ac000a71bd218650b0db159932d603b2bea20/detection 45.9.148.48:8564 # Reference: https://www.virustotal.com/gui/file/fd3a902c16d01cd926ae97afaa26d520c45eec95c5097edf82f2a98d8f8c310f/detection 45.9.148.48:8524 # Reference: https://www.virustotal.com/gui/file/c2dd9f998ca023047ce598a4d818b3df7c638ba179bb2f81d4ac0c8c0bd8d291/detection 45.9.148.48:8529 # Reference: https://www.virustotal.com/gui/file/ab26a6c846c2cf9b14028bd46229d5ab0e87b30317d9b984f791ca8b07a3e73d/detection 45.9.148.48:8538 # Reference: https://www.virustotal.com/gui/file/434d52b058a290e6a1c7ad710e9cf862d0dc7a1e042030dc1e87e23d8fdc41b9/detection 45.9.148.48:8251 # Reference: https://www.virustotal.com/gui/file/396d35154d706ab8919421ac534884e87731dc0d1291ac74ee5ef71ceec51e69/detection 45.9.148.48:8534 # Reference: https://www.virustotal.com/gui/file/dfe6a1525d7855e0263ea6be94c5df7e6ec30202b648774384886a0d49780dfc/detection 45.9.148.48:8539 # Reference: https://www.virustotal.com/gui/file/c665b2ab1f99897be561b6ef03d9cb95be45b4eb0cef37c6d64aa764a06466a9/detection 45.9.148.48:8143 # Reference: https://www.virustotal.com/gui/file/3adab440aa13c9408773d520db329a2ba2085d2af910fd6f7d524f92e0ec82f7/detection 45.9.148.48:8144 # Reference: https://www.virustotal.com/gui/file/9cff626a8c38625a50a50f9498889f1c840f4cb13d564089a1834c04d639db36/detection 45.9.148.48:8569 # Reference: https://www.virustotal.com/gui/file/2bbdb554932381b2683921398aa359ad495bbe8975756e14cec2a9a0fdc3a40a/detection 45.9.148.48:8549 # Reference: https://www.virustotal.com/gui/file/ee9aba246552f22b89a08c7a576a9985f83a6db534f1be513a976317c90c712a/detection 45.9.148.48:8565 # Reference: https://www.virustotal.com/gui/file/8190aefa69c26c5b4c238773e007329ceb88de346fc319123e37b1f87d6c08c0/detection 45.9.148.48:8553 # Reference: https://www.virustotal.com/gui/file/b4f796628f19d9d27ac1903b7c63c27a243b2aa78733ddf09cedab7d2921cc16/detection 45.9.148.48:8349 # Reference: https://www.virustotal.com/gui/file/aee33e18a36e79f3041c2cd2702a49d06e558b57126beb6690237458efbcc843/detection 45.9.148.48:8535 # Reference: https://www.virustotal.com/gui/file/def65bcae9351a26ee887741beed19779171b144d41746e0720090c4e375856a/detection 45.9.148.48:8543 # Reference: https://www.virustotal.com/gui/file/34b1adb4fb3276b8e80fcd1f339494de2cc09df82dede5d3106a53d9a2f331ce/detection 45.9.148.48:8561 # Reference: https://www.virustotal.com/gui/file/948dd8cfb13ba06a67e379c7ddc5a1a4cc590576fac2b1b8781cfa1955a150e3/detection 45.9.148.48:8548 # Reference: https://www.virustotal.com/gui/file/d19fe4ef771b259146a9d2b2ff60ac8eab1ecc080565c3a76e2dbebb909cea13/detection 45.9.148.48:8544 # Reference: https://www.virustotal.com/gui/file/99b8809f8b5ed31cd69095712fa00642e792649fc87cec7a5b3a01d6cf51056c/detection 45.9.148.48:8525 # Reference: https://www.virustotal.com/gui/file/ec2b53a184f0313d73708075af812519d87aa395c6a2afffb70b4a9485f54c32/detection 45.9.148.48:8528 # Reference: https://www.virustotal.com/gui/file/5550200c4087390971167379104bd56c60aeda620b6ba4314c4e551ec8ff914b/detection 45.9.148.48:8554 # Reference: https://www.virustotal.com/gui/file/1e22b24e5b80926ede6c28d4f1eeb6252ce9f26f99e320d06ae012e489ebe40f/detection 45.9.148.48:8413 # Reference: https://twitter.com/fr0s7_/status/1367895399365816327 goaqaba.com/wp-content/uploads/2021/03/ # Reference: https://twitter.com/xuy1202/status/1370664531190419458 51.195.26.217:6667 # Reference: https://unit42.paloaltonetworks.com/attackers-conducting-cryptojacking-u-s-education-organizations/ /shit/sshd # Reference: https://twitter.com/cyb3rops/status/1383065580379516928 # Reference: https://www.virustotal.com/gui/file/9b0b78716c0c1c5d01231017ef2733115b0a31c1d9b751525d04da89ef17b7d1/relations http://104.248.94.23 # Reference: https://www.virustotal.com/gui/domain/epelcdn.com/relations # Reference: https://www.virustotal.com/gui/file/571bf19ebdc3bc14925b2a41dcd8b1c94cca94b0b59182813267ace0d7f56217/detection epelcdn.com h.epelcdn.com /bd210131/pm.sh /bd210131/scan.sh /dd210131/pm.sh /dd210131/scan.sh # Reference: https://www.trendmicro.com/en_us/research/21/d/tor-based-botnet-malware-targets-linux-systems-abuses-cloud-management-tools.html 7jmrbtrvkgcqkldzyob4kotpyvsgz546yvik2xv4rpnfmrhe4imxthqd.onion bggts547gukhvmf4cgandlgxxphengxovoyo6ewhns5qmmb2b5oi43yd.onion dreambusweduybcp.onion i62hmnztfpzwrhjg34m6ruxem5oe36nulzmxcgbdbkiaceubprkta7ad.onion ji55jjplpknk7eayxxtb5o3ulxuevntutsdanov5dp3wya7l7btjv4qd.onion mhevkk4odgzqpt2hbj3hhw2uz4vhunoo55evewrgmouyiehcaltmbrqd.onion ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion plgs6otqdiu7snxdfwjnidhw4ncmp5qvvxi5gepiszg75kxebwci2wad.onion ryukdssuskovhnwb.onion sg722jwocbvedckhd4dptpqfek5fsbmx3v57qg6lzhuo56np73mb3zyd.onion trumpzbffbewy3gn.onion trumpzwlvlyrvlss.onion unixdbnuadxmwtob.onion va6xh4hqgb754klsffjamjgotlq7mne3lyyrhu5vhypakbumzeo4c4ad.onion y4mcrfeigcaa2robjk3azb2qwcd5hk45xpoaddupmdwv24qoggnmdbid.onion yrxxxqia45xxcdqfwyx4pk6ufyanazdwjbv3de7r4mrtyztt5mpw35yd.onion # Reference: https://www.virustotal.com/gui/file/aea8280ffdb6b08e6d8dc60682d77731b97873f99d249594f993ea65960f6cb3/detection hulo.r00ts.online /.configs/r00t # Reference: https://twitter.com/r3dbU7z/status/1406688370496057352 # Reference: https://www.virustotal.com/gui/file/4c808923ee3ee4acb59907655f8f87f4f3fa5ab398b254951bf722656dbe43f4/detection http://1.177.164.167 http://1.177.165.230 104.236.13.229:1338 /raffie_lib.so /raffie_r00t.sh /raffie.tar.gz # Reference: https://twitter.com/ESETresearch/status/1410864752948043778 # Reference: https://twitter.com/ESETresearch/status/1410864779229548546 # Reference: https://www.virustotal.com/gui/file/0bff46518b35ddfe37f4a7820286aab829d81f1480d9eeca5aaedc9ceda6724f/detection # Reference: https://www.virustotal.com/gui/file/be97d7ae3b2d876f027d99d8d61dbca92513f4975336c2ebc26cf8a0839b67b6/detection rec.micosoft.ga # Reference: https://twitter.com/ESETresearch/status/1415542456360263682 # Reference: https://otx.alienvault.com/pulse/60f12a9bc1e8763fef70a512 # Reference: https://www.virustotal.com/gui/file/ce272b58c186f690c18c50c3ac97c49fc425ca2798e376a9c7dc98d4b5019e38/detection cloudflare.5156game.com # Reference: https://www.virustotal.com/gui/file/a58765e3ed00f4f22129d62289524986ae61ed4f87762264a28d3b01f6f486a3/detection 42.193.186.7:9997