[Top Page view in: Github Code or Github Page]
IoT Intrusion Payload Infrastructure Abuse Report for May 2020
This report is compiled from the data recorded in May 2020.
The global heatmap of the recorded data can be viewed below, following by the report’s detail.
1. The most abused ASN/Hosters
| ASN | Hoster name | Amount of abuse |
|---|---|---|
| AS14061 | DigitalOcean | 12 |
| AS16276 | OVH | 6 |
| AS42864 | MAXKO/GIGANET-HU | 4 |
| AS54290 | HOSTWINDS | 4 |
| AS208666 | ESTROWEB | 3 |
| AS50673 | SERVERIUS-AS | 2 |
| (Other ASN) | - | 22 |
2. The record of payload name per infection source IP
| Payload C2 IP | loader script name |
|---|---|
| 134.122.93.162 | Axisbins.sh |
| 134.209.229.144 | axisbins.sh |
| 134.209.94.132 | sora.sh |
| 142.44.151.27 | Joker.sh |
| 145.239.139.202 | yoyobins.sh |
| 147.135.173.224 | axisbins.sh |
| 157.245.235.243 | nasubins.sh |
| 159.65.108.249 | EkSgbins.sh |
| 159.65.218.241 | axisbins.sh |
| 161.35.115.99 | yoyobins.sh |
| 167.71.180.188 | shoxbins.sh |
| 172.245.52.231 | telnet.sh |
| 185.158.249.191 | axisbins.sh |
| 185.172.110.234 | 8UsA.sh |
| 185.172.110.234 | update.sh |
| 185.198.57.27 | Pemex.sh |
| 185.233.186.129 | bins.sh |
| 192.119.67.62 | Pemex.sh |
| 192.236.155.109 | EkSgbins.sh |
| 192.236.176.143 | g0away.sh |
| 193.142.146.30 | sensi.sh |
| 193.228.91.105 | 8UsA.sh |
| 193.228.91.105 | vsUerS.sh |
| 194.15.36.36 | axisbins.sh |
| 196.53.114.199 | update.sh |
| 217.61.22.186 | oofbins.sh |
| 217.61.22.186 | yebins.sh |
| 23.254.227.105 | EkSgbins.sh |
| 23.95.11.48 | yoyobins.sh |
| 34.239.205.245 | GGWP.sh |
| 37.49.226.130 | Pemex.sh |
| 37.49.230.171 | EkSgbins.sh |
| 37.49.230.190 | SnOoPy.sh |
| 45.136.244.44 | sensi.sh |
| 45.136.245.7 | 8UsA.sh |
| 45.14.151.249 | SnOoPy.sh |
| 45.14.224.106 | bins.sh |
| 45.14.224.106 | nig.sh |
| 45.148.10.64 | kyelbins.sh |
| 45.95.168.110 | sora.sh |
| 45.95.168.175 | g0away.sh |
| 45.95.168.207 | Irisbins.sh |
| 45.95.168.84 | EkSgbins.sh |
| 50.3.177.68 | Axisbins.sh |
| 51.195.51.31 | Axisbins.sh |
| 51.68.197.96 | Pemex.sh |
| 51.68.197.96 | sensi.sh |
| 51.89.119.154 | bins.sh |
| 64.225.103.213 | sensi.sh |
| 64.227.14.200 | Axisbins.sh |
| 64.227.14.200 | SnOoPy.sh |
| 64.227.57.139 | Pemex.sh |
| 68.183.57.185 | SnOoPy.sh |
| 77.73.69.50 | yoyobins.sh |
| 82.118.242.107 | 8UsA.sh |
| 88.218.17.42 | bins.sh |
| 92.119.159.40 | Faithful.sh |
| 94.102.63.52 | ARES.sh |
| 95.217.166.15 | bins.sh |
3. The ISP networks were the attacks are coming from (abused ISP)
| Payload C2 IP | FQDN | ASN | Network prefix | ASN-ID | Country | ISP Name |
|---|---|---|---|---|---|---|
| 134.122.93.162 | 14061 | 134.122.80.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 134.209.229.144 | iongue.com. | 14061 | 134.209.224.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 134.209.94.132 | 14061 | 134.209.80.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 142.44.151.27 | ip27.ip-142-44-151.net. | 16276 | 142.44.128.0/17 | OVH | FR | OVH |
| 145.239.139.202 | ip202.ip-145-239-139.eu. | 16276 | 145.239.0.0/16 | OVH | FR | OVH |
| 147.135.173.224 | ip224.ip-147-135-173.eu. | 16276 | 147.135.128.0/17 | OVH | FR | OVH |
| 157.245.235.243 | 14061 | 157.245.224.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 159.65.108.249 | 14061 | 159.65.96.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 159.65.218.241 | 14061 | 159.65.216.0/21 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 161.35.115.99 | 14061 | 161.35.112.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 167.71.180.188 | prod-nyc3.qencode-encoder-21e8b812a1ed11eaaf6776050b26adc7. | 14061 | 167.71.176.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 172.245.52.231 | 172-245-52-231-host.colocrossing.com. | 36352 | 172.245.52.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 185.158.249.191 | enews-body.riffduit.com. | 58329 | 185.158.249.0/24 | RACKPLACE | DE | RACKPLACE |
| 185.172.110.234 | 206898 | 185.172.110.0/23 | BLADESERVERS | NL | BLADESERVERS | |
| 185.198.57.27 | 60117 | 185.198.57.0/24 | HS | AE | HS | |
| 185.233.186.129 | 30860 | 185.233.186.0/24 | YURTEH-AS | UA | YURTEH-AS | |
| 192.119.67.62 | hwsrv-723912.hostwindsdns.com. | 54290 | 192.119.64.0/18 | HOSTWINDS | US | HOSTWINDS |
| 192.236.155.109 | hwsrv-726594.hostwindsdns.com. | 54290 | 192.236.154.0/23 | HOSTWINDS | US | HOSTWINDS |
| 192.236.176.143 | hwsrv-733973.hostwindsdns.com. | 54290 | 192.236.176.0/22 | HOSTWINDS | US | HOSTWINDS |
| 193.142.146.30 | freeresellerserver.com. | 208046 | 193.142.146.0/24 | HOSTSLICK-GERMANY | NL | HOSTSLICK-GERMANY |
| 193.228.91.105 | 44685 | 193.228.91.0/24 | REBECCAHOST | US | REBECCAHOST | |
| 194.15.36.36 | 24961 | 194.15.36.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | |
| 196.53.114.199 | 50673 | 196.53.114.0/24 | SERVERIUS-AS | NL | SERVERIUS-AS | |
| 217.61.22.186 | host186-22-61-217.static.arubacloud.com. | 199883 | 217.61.16.0/21 | ARUBACLOUDLTD-ASN | GB | ARUBACLOUDLTD-ASN |
| 23.254.227.105 | hwsrv-727285.hostwindsdns.com. | 54290 | 23.254.224.0/21 | HOSTWINDS | US | HOSTWINDS |
| 23.95.11.48 | 23-95-11-48-host.colocrossing.com. | 36352 | 23.95.8.0/21 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 34.239.205.245 | ec2-34-239-205-245.compute-1.amazonaws.com. | 14618 | 34.224.0.0/12 | AMAZON-AES | US | AMAZON-AES |
| 37.49.226.130 | 208666 | 37.49.226.0/24 | ESTROWEB | NL | ESTROWEB | |
| 37.49.230.171 | 208666 | 37.49.230.0/24 | ESTROWEB | NL | ESTROWEB | |
| 37.49.230.190 | 208666 | 37.49.230.0/24 | ESTROWEB | NL | ESTROWEB | |
| 45.136.244.44 | 51659 | 45.136.244.0/23 | ASBAXET | RU | ASBAXET | |
| 45.136.245.7 | 51659 | 45.136.244.0/23 | ASBAXET | RU | ASBAXET | |
| 45.14.151.249 | 44220 | 45.14.148.0/22 | PARFUMURI-FEMEI-AS | RO | PARFUMURI-FEMEI-AS | |
| 45.14.224.106 | vm1930.spectraip.eu. | 62068 | 45.14.224.0/24 | SPECTRAIP | NL | SpectraIP B.V. |
| 45.148.10.64 | 48090 | 45.148.10.0/24 | PPTECHNOLOGY | GB | PPTECHNOLOGY | |
| 45.95.168.110 | slot0.dadropbox.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 45.95.168.175 | slot0.ovasorty.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 45.95.168.207 | maxko-hosting.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 45.95.168.84 | maxko-hosting.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 50.3.177.68 | 62904 | 50.3.176.0/22 | EONIX-COMMUNICATIONS | US | EONIX-COMMUNICATIONS | |
| 51.195.51.31 | ip31.ip-51-195-51.eu. | 16276 | 51.195.0.0/16 | OVH | FR | OVH |
| 51.68.197.96 | vps-f28f81fb.vps.ovh.net. | 16276 | 51.68.0.0/16 | OVH | FR | OVH |
| 51.89.119.154 | 16276 | 51.89.0.0/16 | OVH | FR | OVH | |
| 64.225.103.213 | 14061 | 64.225.96.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 64.227.14.200 | 14061 | 64.227.0.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 64.227.57.139 | 14061 | 64.227.48.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 68.183.57.185 | 5naehvggf2rd-06.gz-s-1vcpu-1gb-nyc3-01. | 14061 | 68.183.48.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 77.73.69.50 | 43317 | 77.73.64.0/21 | FISHNET-AS | RU | FISHNET-AS | |
| 82.118.242.107 | 201133 | 82.118.242.0/24 | VERDINA | BZ | VERDINA | |
| 88.218.17.42 | 50673 | 88.218.17.0/24 | SERVERIUS-AS | NL | SERVERIUS-AS | |
| 92.119.159.40 | 44812 | 92.119.159.0/24 | IPSERVER-RU-NET | RU | Fiord | |
| 94.102.63.52 | 202425 | 94.102.63.0/24 | INT-NETWORK | SC | INT-NETWORK | |
| 95.217.166.15 | static.15.166.217.95.clients.your-server.de. | 24940 | 95.217.0.0/16 | HETZNER-AS | DE | HETZNER-AS |
(please re-check the network details above due to a possible geodb database difference)
Sun May 31 00:38:07 JST 2020 MalwareMustDie,NPO (malwaremustdie.org)