# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Indicator list attributed to GhostDNS by the references below (a home-router
# DNS-hijacking campaign, going by the reference titles).
# One entry per line; "#" starts a comment. Entry forms that occur in this file:
#   http://<ip>            host recorded with an explicit http:// scheme
#   <domain>[/<path>]      domain name, optionally followed by a URL path
#   <ip>:53, [<ipv6>]:53   address recorded together with port 53 (presumably a
#                          rogue DNS resolver; confirm against the reference)
#   /<path>?<query>        host-independent URL fragment (see "Generic" at the end)
# NOTE(review): many of these addresses appear to sit in shared hosting/cloud
# ranges that get reassigned, and the references that carry a date in their URL
# are from 2020-2021; re-validate entries before using them as a blocklist.

# Reference: https://twitter.com/ninoseki/status/1168102281713045504
# Reference: https://otx.alienvault.com/pulse/5be215744ab6fe50c74e94e6
# Reference: https://blog.netlab.360.com/70-different-types-of-home-routers-all-together-100000-are-being-hijacked-by-ghostdns-en/

http://104.196.177.180
http://104.196.232.200
http://104.197.106.6
http://104.198.54.181
http://104.198.77.60
http://104.199.77.41
http://104.248.155.139
http://107.155.132.186
http://107.155.152.10
http://107.155.152.16
http://132.148.148.78
http://139.60.162.188
http://139.60.162.201
http://144.22.104.185
http://155.94.88.155
http://162.216.152.58
http://166.62.103.184
http://173.82.168.104
http://185.137.94.120
http://185.162.229.147
http://185.70.186.4
http://191.252.191.180
http://191.252.203.201
http://192.99.133.147
http://192.99.187.193
http://198.27.121.241
http://198.50.212.232
http://198.50.222.139
http://200.196.240.104
http://200.196.240.120
http://34.73.48.65
http://34.83.129.246
http://35.185.127.39
http://35.185.9.164
http://35.187.149.224
http://35.187.202.208
http://35.187.238.80
http://35.187.246.103
http://35.188.134.185
http://35.189.101.217
http://35.189.125.149
http://35.189.30.127
http://35.189.59.155
http://35.189.63.168
http://35.189.92.68
http://35.194.197.94
http://35.195.116.90
http://35.195.176.44
http://35.196.101.227
http://35.196.89.26
http://35.197.148.253
http://35.197.160.167
http://35.197.172.214
http://35.198.11.42
http://35.198.203.18
http://35.198.22.154
http://35.198.31.197
http://35.198.39.201
http://35.198.5.34
http://35.198.56.227
http://35.198.74.14
http://35.199.106.0
http://35.199.117.75
http://35.199.151.193
http://35.199.2.186
http://35.199.61.19
http://35.199.66.147
http://35.199.75.224
http://35.199.77.82
http://35.199.98.107
http://35.200.179.26
http://35.200.186.172
http://35.200.28.69
http://35.201.11.237
http://35.201.4.21
http://35.203.111.239
http://35.203.116.212
http://35.203.135.65
http://35.203.143.138
http://35.203.167.224
http://35.203.18.30
http://35.203.183.182
http://35.203.25.136
http://35.203.3.16
http://35.203.48.110
http://35.203.5.160
http://35.203.8.203
http://35.203.81.109
http://35.203.85.130
http://35.203.99.113
http://35.204.103.135
http://35.204.146.109
http://35.204.148.156
http://35.204.175.255
http://35.204.237.126
http://35.204.51.103
http://35.204.77.160
http://35.204.80.189
http://35.205.148.72
http://35.205.24.104
http://35.207.28.174
http://35.221.109.188
http://35.221.110.75
http://35.221.192.155
http://35.221.71.123
http://35.227.25.22
http://35.228.156.223
http://35.228.156.99
http://35.228.240.14
http://35.228.244.19
http://35.228.73.198
http://35.228.90.15
http://35.230.104.237
http://35.230.149.66
http://35.230.158.25
http://35.230.162.54
http://35.230.165.35
http://35.230.38.33
http://35.231.163.40
http://35.231.52.239
http://35.231.60.255
http://35.231.68.186
http://35.232.10.244
http://35.233.135.207
http://35.234.131.31
http://35.234.136.116
http://35.234.155.174
http://35.234.156.85
http://35.234.158.120
http://35.234.77.117
http://35.234.89.25
http://35.234.94.97
http://35.235.89.254
http://35.236.116.201
http://35.236.117.108
http://35.236.2.49
http://35.236.203.212
http://35.236.205.241
http://35.236.222.1
http://35.236.246.82
http://35.236.25.247
http://35.236.254.11
http://35.236.34.51
http://35.236.46.246
http://35.236.94.2
http://35.237.127.167
http://35.237.204.11
http://35.237.215.211
http://35.237.32.144
http://35.237.68.143
http://35.237.98.219
http://35.238.4.122
http://35.238.74.24
http://35.240.156.17
http://35.240.176.163
http://35.240.212.106
http://35.240.234.169
http://35.240.94.181
http://35.241.151.23
http://35.242.134.99
http://35.242.140.13
http://35.242.143.117
http://35.242.152.241
http://35.242.203.94
http://35.242.245.109
http://35.243.195.131
http://35.247.224.113
http://40.114.78.143
http://40.74.85.45
http://51.68.184.181
http://51.75.89.185
http://52.234.212.27
http://80.211.37.41
http://93.188.161.184

# Reference: https://decoded.avast.io/simonamusilova/ghostdns-exploit-kit-strikes-back/

http://138.197.149.162
avast.users.scale.virtualcloud.com.br
cvtonelli.com.br
novonovonovo.users.scale.virtualcloud.com.br

# Reference: https://www.platinbilisim.com.tr/TR/Medya/Duyurular/dikkat-ghost-dns-261 (Turkish)
# Reference: https://blog.netlab.360.com/70-different-types-of-home-routers-all-together-100000-are-being-hijacked-by-ghostdns-en/

139.60.162.188:53
139.60.162.201:53
144.22.104.185:53
173.82.168.104:53
18.223.2.98:53
192.99.187.193:53
198.27.121.241:53
200.196.240.104:53
200.196.240.120:53
35.185.9.164:53
80.211.37.41:53

# NOTE(review): the next two entries are sourced from files in a directory whose
# name says the exploits are not GhostDNS-specific; they may be sample resolver
# values from generic DNS-changer scripts, so confirm before attributing a hit
# on them to GhostDNS.

# Reference: https://github.com/reaperb0t/GhostDNS/blob/master/Remote_DNS_Changing_Exploits_not_GHOSTDNS_specific/37214.txt

133.71.33.7:53

# Reference: https://github.com/reaperb0t/GhostDNS/blob/master/Remote_DNS_Changing_Exploits_not_GHOSTDNS_specific/42197.sh

133.7.133.7:53

# Reference: https://twitter.com/ninoseki/status/1207634830927679488

# Also listed again further down, in the block that follows the
# bad_packets / team-cymru / cujo references.
107.155.152.15:53

# Reference: https://twitter.com/ninoseki/status/1250014776014454784

167.114.178.206:53

# Reference: https://twitter.com/bad_packets/status/1264290514406240257
# Reference: https://twitter.com/bad_packets/status/1295782392649535488
# Reference: https://otx.alienvault.com/pulse/5f57d49ace88612cf9f49b34
# Reference: https://team-cymru.com/2020/09/08/ghostdnsbusters/
# Reference: https://team-cymru.com/blog/2020/10/07/ghostdnsbusters-part-2/
# Reference: https://cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/

http://104.215.74.207
http://107.155.132.188
http://107.155.152.21
http://107.155.152.24
http://107.155.152.26
http://107.155.152.28
http://107.155.152.3
http://134.209.194.220
http://149.56.79.215
http://149.56.79.217
http://161.35.82.213
http://164.90.195.195
http://167.172.47.178
http://178.62.205.16
http://178.62.208.183
http://178.62.211.51
http://192.99.208.102
http://200.98.134.184
http://209.61.253.201
http://23.101.189.23
http://35.203.119.123
http://45.62.198.154
http://45.62.198.155
http://45.62.198.156
http://45.62.198.157
http://45.62.198.160
http://45.62.198.161
http://45.62.198.162
http://45.62.198.163
http://45.62.198.165
http://45.62.198.166
http://51.159.71.63
http://64.225.66.217
http://65.52.36.98
http://70.37.165.155
http://70.37.90.42
107.155.132.186:53
107.155.132.189:53
107.155.152.13:53
107.155.152.14:53
107.155.152.15:53
107.155.152.17:53
107.155.152.20:53
107.155.152.27:53
107.155.152.28:53
107.155.152.5:53
111.90.159.53:53
144.217.42.134:53
149.56.152.185:53
162.248.164.36:53
192.169.7.38:53
192.95.42.19:53
45.62.198.242:53
45.62.198.243:53
45.62.198.73:53
45.62.198.74:53
45.62.198.89:53
51.81.27.247:53
80.82.77.163:53
# The two bracketed entries are IPv4-mapped IPv6 addresses: 2d3e:c649 and
# 2d3e:c64a decode to 45.62.198.73 and 45.62.198.74, both listed just above.
[0:0:0:0:0:ffff:2d3e:c649]:53
[0:0:0:0:0:ffff:2d3e:c64a]:53

# Reference: https://twitter.com/albertzsigovits/status/1323211552380588032
# Reference: https://urlscan.io/result/5a9b6153-e218-4051-9ec0-b89caafbb4e0/

http://91.234.99.178

# Reference: https://twitter.com/ninoseki/status/1339464021389365249

3.131.142.96:53
http://3.25.124.206

# Reference: https://twitter.com/MrsYisWhy/status/1342380641539796993
# Reference: https://twitter.com/bad_packets/status/1330346587126632451

158.69.37.88:53
167.114.138.250:53
192.95.59.130:53

# Reference: https://twitter.com/siimi_m_/status/1349796184370634754

62.182.83.86:53

# Reference: https://twitter.com/teamcymru/status/1354059873953132547
# Reference: https://team-cymru.com/blog/2021/01/26/illuminating-ghostdns-infrastructure/

http://144.217.105.149
http://18.197.159.147
http://45.62.198.176
http://45.62.198.69
http://47.88.76.58
http://68.183.245.48
192.95.63.156:53
45.62.198.50:53
45.62.198.54:53
51.81.101.114:53
51.81.28.240:53

# Reference: https://twitter.com/ninoseki/status/1356455460778299392
# Reference: https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_101_josh-niseki_jp.pdf (slide 37)

185.125.216.173:53
206.166.251.163:53

# Reference: https://twitter.com/AvastThreatLabs/status/1536322428875440129

asamas.com.br/loja01
167.114.43.24:53
66.70.155.224:53

# Generic
# The entry below is a URL path-and-query fragment with no host part.
# NOTE(review): presumably matched against request URLs regardless of
# destination; confirm how the consuming sensor treats host-less entries.

/api.init.php?d=