# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://www.virustotal.com/#/ip-address/185.10.68.163 # Reference: https://twitter.com/luc4m/status/1044148790008205312 /miner.sh /scanner.sh /worlswest.sh /bruteforce_ssh /bruteforce_ssh_386 /bruteforce_ssh_arm /tcpconnect_zmap_386 /tcpconnect_zmap_arm # Reference: https://twitter.com/bad_packets/status/1127110083429654528 r00ts.online # Reference: https://twitter.com/bad_packets/status/1127450801834680320 104.128.230.16:8000 # Reference: https://www.fortinet.com/blog/threat-research/closer-look-satan-ransomwares-propagation-technics.html /conn32 /conn64 # Reference: https://twitter.com/ankit_anubhav/status/1132974251194011648 # Reference: https://twitter.com/0xrb/status/1133055807572959232 nadns.info 222.186.15.231:5555 # Reference: https://twitter.com/bad_packets/status/1133534604030169088 185.239.226.167:8480 # Reference: https://twitter.com/ankit_anubhav/status/1133682276045164544 cyberium.xyz # Reference: https://twitter.com/smii_mondher/status/1134068251951083521 http://54.37.70.249 # Reference: https://twitter.com/bad_packets/status/1134920520644714496 # Reference: https://twitter.com/bad_packets/status/1140065934926684162 45.79.9.153:8000 110.40.14.13:8000 # Reference: https://twitter.com/bad_packets/status/1135623419670646784 216.176.179.106:9090 # Misc. http://173.212.214.137 http://46.22.220.21 45.32.200.190:443 85.25.84.99:443 # Reference: https://otx.alienvault.com/pulse/5d020fb5a91466d30ad51fa2 146.185.171.227:443 5.255.86.129:3333 /.satan /.x15cache # Reference: https://twitter.com/P3pperP0tts/status/1140335879493492737 qqxh888.785sou.xyz # Reference: https://twitter.com/P3pperP0tts/status/1140528607766466560 hjghj.cn # Reference: https://twitter.com/P3pperP0tts/status/1140927899824005125 154.218.1.63:9 # Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-10149 # Reference: https://github.com/bananaphones/exim-rce-quickfix # Reference: https://habr.com/ru/company/first/blog/455636/ (Russian) # Reference: https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability # Reference: https://twitter.com/bad_packets/status/1140719767961001984 # Aliases: CVE-2019-10149, CVE-2019-1003029 an7kmd2wp4xo7hpr.tor2web.io an7kmd2wp4xo7hpr.tor2web.su an7kmd2wp4xo7hpr.onion.sh http://185.10.68.193 http://185.162.235.211 # Reference: https://twitter.com/P3pperP0tts/status/1145813992297914368 58.218.66.92:520 # Reference: https://twitter.com/ankit_anubhav/status/1147172115516293121 # Reference: https://twitter.com/Jouliok/status/1143947867910004742 222.186.52.155:21541 # Reference: https://twitter.com/0xrb/status/1147447320595685376 /s1g3.sh # Reference: https://twitter.com/bad_packets/status/1148673303533387776 http://103.76.87.94 /ARM4LinuxTF /ARM6LinuxTF /MipsLinuxTF /Serverdd # Reference: https://blog.reversinglabs.com/blog/suppy-chain-malware-detecting-malware-in-package-manager-repositories (# libpeshnx, libpesh, libari) http://145.249.104.71 # Reference: https://otx.alienvault.com/pulse/5d44445d2995170f8886c141 # Reference: https://blog.netlab.360.com/some-fiberhome-routers-are-being-utilized-as-ssh-tunneling-proxy-nodes-2/ gggwmndy.org # Reference: https://twitter.com/smii_mondher/status/1161534124596875266 http://91.92.66.192 # Reference: https://www.virustotal.com/gui/file/d5926800003d87349fdd8d2844c799bf294037e541ec84e9079b7cdd75ea04db/detection 83.212.110.123:2222 # Reference: https://www.virustotal.com/gui/file/91995b62129f53ac97485c736ff7e06289bdbf5cbd4ee9f837d956fd6a230dfc/detection 103.237.99.228:1337 # Reference: https://www.virustotal.com/gui/file/381a555090858ad3aeb3484eebb596c0b2b61511d43e36339abd114efc58dae3/detection 103.41.16.39:80 # Reference: https://www.virustotal.com/gui/file/7b21b057d5d3c7f2316845e6c2e32244ab4df8f3e379d15143e52f991d2046f1/detection 129.21.254.89:2222 # Reference: https://twitter.com/_odisseus/status/1112653908185415681 80.211.90.168:53773 # Reference: https://twitter.com/zom3y3/status/1175008703138787328 # Reference: https://www.virustotal.com/gui/file/9ee0d726bdff15df6f508665ffcdece268d516c3c5062443c2b64ce67029db5e/detection # Reference: https://www.virustotal.com/gui/ip-address/185.228.137.2/relations attacking.systems misc0110.net # Reference: https://twitter.com/VessOnSecurity/status/1177884186461507584 cnc.dontcatch.us # Reference: https://twitter.com/bad_packets/status/1186876280446185477 # Reference: https://www.virustotal.com/gui/ip-address/188.92.77.12/relations 188.92.77.12:80 188.92.77.12:801 # Reference: https://twitter.com/Sektor7Net/status/1187292703102570496 # Reference: https://2019.hack.lu/archive/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (Slide 106) 82.194.229.214:8738 # Reference: https://twitter.com/zom3y3/status/1109044920755482624 172.104.182.244:30003 # Reference: https://twitter.com/binitamshah/status/1210110141464317958 # Reference: https://anee.me/reversing-a-real-world-249-bytes-backdoor-aadd876c0a32 # Reference: https://www.virustotal.com/gui/file/5141d29d0278c8da4eac177126cbf4d15623502d4763abd6d3a4dca2a3ea616e/detection 104.248.237.194:1337 # Reference: https://www.virustotal.com/gui/file/0e9ec521e0f862be55b967944516362aa4f4f975397086adad33bf37f69ec474/detection 119.3.22.174:8082 # Reference: https://www.virustotal.com/gui/file/325192ff91f5ec9502aedc8fad61a5a81813d0f856d2d2063d26140647d01ce7/detection 119.3.22.174:4445 # Reference: https://www.virustotal.com/gui/file/d3cb5474eaa64748b066fc78a02227fad012292d5c9f7b77e898d3b7f1eb327e/detection 119.3.22.174:9090 # Reference: https://www.virustotal.com/gui/ip-address/119.3.22.174/relations http://119.3.22.174 # Reference: https://www.virustotal.com/gui/file/d7ee59c5d7406b95f5c8bc1bf55cca00e106df1014914b5ddd68e9d58ecc04ca/detection 109.234.37.219:7393 # Reference: https://tolisec.com/yarn-botnet/ http://104.244.74.248 /hehe.sh