The-Big-List-of-Hacked-Malware-Web-Sites
Botnet domains/IP
Have spotted a report of a botnet, with a listing of nodes and IPs. Perhaps that is worthy of an addition. I post the content I found, with brackets []!
Case 1=
These are nodes of a widespread link-relaying/spam/phishing-sending botnet which makes use of a generic start-bootstrap design (with a laptop). Example screenshot of the node design, done with the Urlscan tracing tool=
https://urlscan.io/screenshots/93ada930-f663-4574-874f-f929047ba6cc.png
Nodes are either used for spam link sharing or abuse sending. The link-relaying function works over scripting (r.php + parameters). Nodes are also using Namecheap domains!
Example parameters (valid for single access, so we add them just for explanatory reasons)= r.php?t=c&d=20107&l=264&c=39072 r.php?t=o&d=20102&l=264&c=65216
Example spam link forwarding screencapture on Urlscan with one of the nodes= https://urlscan.io/result/1bfe3598-e26f-4101-a0ff-45a8639ef045/
Final redirect goal= https://specialoffer[.]cannablisslabs[.]com/unsubscribe/?s1=20&s2=31027&s3=748&s4=62043
Case 2=
Report for nodes of a widespread link-relaying/spam/phishing-sending botnet which makes use of a generic clone design. Example screenshot of the node design=
https://urlscan.io/thumbs/727b47e9-245b-4878-b120-1f59d4849431.png
Nodes are either used for spam link sharing or abuse sending. The link-relaying function works over scripting (s.php + parameters). Nodes are also using Namecheap domains!
Example parameters (added for explanatory reasons)= s.php?935291_0_30169_a1b2c3d4e5 s.php?929989_0_30298_a1b2c3d4e5
Spotted active nodes=
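An added example (not part of the issue or the blocklist project's own code) showing how a defender could consume this report: it refangs the `[.]` notation of the node lines into a blocklist and flags proxy-log requests that either hit a listed node or match the two relay-script shapes described in Case 1 (`r.php?t=...&d=...&l=...&c=...`) and Case 2 (`s.php?N_N_N_hex`). The report lines, hosts and log lines are constructed placeholders, not values from the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed report lines in the defanged layout used above; documentation IPs, made-up names.
REPORT_LINES = [
    "192[.]0[.]2[.]10 node-one[.]example",
    "192[.]0[.]2[.]11",
    "198[.]51[.]100[.]7 - resolving domain= http://node-two[.]example https://lookup[.]example/query/ip/198[.]51[.]100[.]7",
]
LOG_LINES = [  # constructed proxy-log lines: "<timestamp> <client> <url>"
    "2020-05-01T10:00:00Z 10.0.0.5 http://node-one.example/r.php?t=c&d=20107&l=264&c=39072",
    "2020-05-01T10:00:01Z 10.0.0.6 http://other.example/s.php?935291_0_30169_a1b2c3d4e5",
    "2020-05-01T10:00:02Z 10.0.0.7 http://shop.example/r.php?id=5",
]
S_PHP_QUERY = re.compile(r"^\d+_\d+_\d+_[0-9a-f]+$")  # s.php?N_N_N_hex shape (case 2)

def refang(text):
    return text.replace("[.]", ".")  # undo the "[.]" defanging

def parse_report_line(line):
    # first token is the node IP; the domain is the first non-lookup token after it
    tokens = refang(line).replace("resolving domain=", "").split()
    for tok in tokens[1:]:
        if tok != "-" and "/query/ip/" not in tok:
            return tokens[0], urlsplit(tok if "://" in tok else "//" + tok).hostname
    return tokens[0], None

def build_blocklist(lines):
    return {v for line in lines for v in parse_report_line(line) if v}

def is_relay_request(url):
    # r.php?t=c|o&d=N&l=N&c=N (case 1) or s.php?N_N_N_hex (case 2)
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    if script == "r.php":
        q = parse_qs(parts.query)
        return (set(q) == {"t", "d", "l", "c"} and q["t"][0] in ("c", "o")
                and all(q[k][0].isdigit() for k in ("d", "l", "c")))
    return script == "s.php" and bool(S_PHP_QUERY.match(parts.query))

def flag_log(log_lines, blocklist):
    # returns (client, url, reason) for lines that hit a listed node or the relay pattern
    hits = []
    for line in log_lines:
        _ts, client, url = line.split()
        if urlsplit(url).hostname in blocklist:
            hits.append((client, url, "listed node"))
        elif is_relay_request(url):
            hits.append((client, url, "relay-script pattern"))
    return hits
```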
Hey @Sa-Ja-Di!
Sorry for taking so long. I thought that @mitchellkrogza handled this. Can you create a PR to the input_sources directory? I think that @mitchellkrogza would love to have your inputs right here.
On my side, if you want your contribution to be part of @Ultimate-Hosts-Blacklist (directly) let me know!
Stay safe and healthy. Nissar
What does the final redirection link do? (I accidentally almost opened it)