[Top Page view in: Github Code or Github Page]
IoT Intrusion Payload Infrastructure Abuse Report for August 2020
This report is from the data recorded in August 2020.
The global map of the recorded data can be viewed below, following by the report’s detail.
(Memo: above map contains BGP collision between DE and RU, the RU result is incorrect)
1. The most abused ASN/Hosters/Countries (67)
| No | Hoster name | ASN | Country | Amount of abuse |
|---|---|---|---|---|
| 1 | DIGITALOCEAN | AS14061 | US | 10 |
| 2 | AS-COLOCROSSING | AS16628 | US | 2 |
| 2 | (same) | AS36352 | US | 5 |
| 3 | MYLOC-AS | AS24961 | DE | 6 |
| 4 | OVH | AS16276 | FR | 3 |
| 5 | SERVERIUS-AS | AS50673 | NL | 2 |
| 6 | SQUITTER-NETWORKS | AS213371 | NL | 2 |
| 7 | IPCONNECT | AS213373 | NL | 2 |
| 8 | COGENT-174 | ASN174 | US | 2 |
| 9 | MICROSOFT | AS8075 | US | 2 |
| 10 | VERDINA | AS201133 | BZ | 2 |
| 11 | (others) |
2. The most abused broadband by P2P payloads (645)
P2P infection sources in GeoIP map:
| No | Country | P2P-IP Total |
|---|---|---|
| 1 | Taiwan | 129 |
| 2 | United States | 84 |
| 3 | Korea | 69 |
| 4 | Brazil | 31 |
| 5 | China | 31 |
| 6 | Mexico | 28 |
| 7 | Israel | 24 |
| 8 | Vietnam | 21 |
| 9 | Italy | 19 |
| 10 | Turkey | 18 |
| 11 | Iran | 14 |
| 12 | Spain | 14 |
| 13 | Romania | 14 |
| 14 | Thailand | 9 |
| 15 | Russia | 8 |
| 16 | Georgia | 8 |
| 17 | India | 8 |
| 18 | United Kingdom | 8 |
| 19 | France | 7 |
| 20 | Canada | 6 |
3. The record of loader names per infection source IP
| No | Payload IP | loader script name |
|---|---|---|
| 1 | 1.240.99.253 | Pemex.sh |
| 2 | 104.131.33.43 | axisbins.sh |
| 3 | 104.237.255.248 | GhOul.sh |
| 4 | 104.244.78.107 | infectedn.sh |
| 5 | 107.172.197.101 | bot.sh |
| 6 | 107.172.197.101 | infectedn.sh |
| 7 | 13.85.152.27 | SnOoPy.sh |
| 8 | 134.122.97.93 | GhOul.sh |
| 9 | 142.93.114.32 | yoyobins.sh |
| 0 | 142.93.12.237 | EkSgbins.sh |
| 11 | 149.3.170.197 | vividbins.sh |
| 12 | 149.3.170.217 | t.sh |
| 13 | 157.245.210.104 | axisbins.sh |
| 14 | 158.69.32.40 | GoOgle.sh |
| 15 | 161.35.172.98 | yoyobins.sh |
| 16 | 165.22.102.42 | vidbins.sh |
| 17 | 167.99.64.250 | yoyobins.sh |
| 18 | 172.245.104.116 | t.sh |
| 19 | 178.128.208.58 | axisbins.sh |
| 20 | 185.10.68.175 | bins.sh |
| 21 | 185.101.105.189 | BabaBitch.sh |
| 22 | 185.101.105.189 | SnOoPy.sh |
| 23 | 185.172.111.189 | infn.sh |
| 24 | 185.206.93.87 | GhOul.sh |
| 25 | 185.30.233.145 | EkSgbins.sh |
| 26 | 192.236.193.29 | 8UsA.sh |
| 27 | 192.3.251.67 | sensi.sh |
| 28 | 192.87.139.108 | yoyobins.sh |
| 29 | 193.228.91.124 | pwnInfect.sh |
| 30 | 194.15.36.136 | yoyobins.sh |
| 31 | 194.15.36.242 | 8UsA.sh |
| 32 | 194.87.138.118 | Oryxbins.sh |
| 33 | 194.87.138.45 | axisbins.sh |
| 34 | 194.87.139.108 | GhOul.sh |
| 35 | 194.87.139.108 | SnOoPy.sh |
| 36 | 194.87.139.108 | bins.sh |
| 37 | 194.87.139.108 | yoyobins.sh |
| 38 | 195.144.21.208 | arksbins.sh |
| 39 | 198.46.209.159 | bins.sh |
| 40 | 2.57.122.186 | infn.sh |
| 41 | 206.126.81.113 | update.sh |
| 42 | 206.81.14.160 | EkSgbins.sh |
| 43 | 217.160.172.236 | axisbins.sh |
| 44 | 23.94.25.166 | yoyobins.sh |
| 45 | 31.7.62.110 | bins.sh |
| 46 | 37.49.224.229 | GhOul.sh |
| 47 | 37.49.224.229 | fuze.sh |
| 48 | 45.132.242.232 | SnOoPy.sh |
| 49 | 45.145.185.187 | update.sh |
| 50 | 45.156.185.218 | skid.sh |
| 51 | 45.43.18.171 | Ganis.sh |
| 52 | 45.43.18.171 | Nape.sh |
| 53 | 45.84.196.145 | update.sh |
| 54 | 45.95.168.112 | EkSgbins.sh |
| 55 | 45.95.168.185 | Vividbins.sh |
| 56 | 5.206.227.43 | apple.sh |
| 57 | 50.115.170.104 | bins.sh |
| 58 | 50.3.177.110 | AkSgbins.sh |
| 59 | 51.103.34.254 | negrobins.sh |
| 60 | 51.222.56.152 | ESbins.sh |
| 61 | 66.70.225.223 | bins.sh |
| 62 | 66.70.225.223 | skid.sh |
| 63 | 66.70.225.223 | yoyobins.sh |
| 64 | 78.142.18.20 | fetch.sh |
| 65 | 79.124.78.143 | infnx.sh |
| 66 | 79.124.78.43 | fuze.sh |
| 67 | 85.239.35.124 | SnOoPy.sh |
| 68 | 88.218.16.16 | GhOul.sh |
| 69 | 88.218.16.235 | GhOul.sh |
| 70 | 88.99.123.146 | BSBDbins.sh |
| 71 | 94.100.28.201 | GhOul.sh |
| No | Loader uniq filename |
|---|---|
| 1 | 8UsA.sh |
| 2 | AkSgbins.sh |
| 3 | BSBDbins.sh |
| 4 | BabaBitch.sh |
| 5 | ESbins.sh |
| 6 | EkSgbins.sh |
| 7 | Ganis.sh |
| 8 | GhOul.sh |
| 9 | GoOgle.sh |
| 10 | Nape.sh |
| 11 | Oryxbins.sh |
| 12 | Pemex.sh |
| 13 | SnOoPy.sh |
| 14 | Vividbins.sh |
| 15 | apple.sh |
| 16 | arksbins.sh |
| 17 | axisbins.sh |
| 18 | bins.sh |
| 19 | bot.sh |
| 20 | fetch.sh |
| 21 | fuze.sh |
| 22 | infectedn.sh |
| 23 | infn.sh |
| 24 | infnx.sh |
| 25 | negrobins.sh |
| 26 | pwnInfect.sh |
| 27 | sensi.sh |
| 28 | skid.sh |
| 29 | t.sh |
| 30 | update.sh |
| 31 | vidbins.sh |
| 32 | vividbins.sh |
| 33 | yoyobins.sh |
4. The ISP networks were the attacks are coming from (abused ISP)
| No | Payload C2 IP | FQDN | ASN | Network prefix | ASN-ID | Country | ISP Name | |
|---|---|---|---|---|---|---|---|---|
| 1 | 1.240.99.253 | 9318 | 1.240.0.0/13 | SKB-AS | KR | SK Broadband Co Ltd | ||
| 2 | 104.131.33.43 | 14061 | 104.131.0.0/18 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | ||
| 3 | 104.237.255.248 | 104-237-255-248-host.colocrossing.com. | 16628 | 104.237.255.0/24 | DEDICATED-FIBER-COMM | US | DEDICATED-FIBER | |
| 4 | 104.244.78.107 | by.jeejk.nl. | 53667 | 104.244.78.0/24 | PONYNET | US | PONYNET | |
| 5 | 107.172.197.101 | 107-172-197-101-host.colocrossing.com. | 36352 | 107.172.197.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING | |
| 6 | 13.85.152.27 | 8075 | 13.64.0.0/11 | MICROSOFT-CORP-MSN-A | US | MICROSOFT-CORP-MSN-A | ||
| 7 | 134.122.97.93 | falconstratfordhotel.wpmudev.host. | 14061 | 134.122.96.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 8 | 142.93.114.32 | anhlyvps-07.gz-s-1vcpu-1gb-nyc1-01. | 14061 | 142.93.112.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 9 | 142.93.12.237 | 14061 | 142.93.0.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | ||
| 10 | 149.3.170.197 | 213373 | 149.3.170.0/24 | IPCONNECT | NL | IPCONNECT | ||
| 11 | 149.3.170.217 | 213373 | 149.3.170.0/24 | IPCONNECT | NL | IPCONNECT | ||
| 12 | 157.245.210.104 | 14061 | 157.245.208.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | ||
| 13 | 158.69.32.40 | 16276 | 158.69.0.0/16 | OVH | FR | OVH | ||
| 14 | 161.35.172.98 | 14061 | 161.35.160.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | ||
| 15 | 165.22.102.42 | 14061 | 165.22.96.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | ||
| 16 | 167.99.64.250 | 14061 | 167.99.64.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | ||
| 17 | 172.245.104.116 | 172-245-104-116-host.thakimhost.com. | 36352 | 172.245.104.0/22 | AS-COLOCROSSING | US | AS-COLOCROSSING | |
| 18 | 178.128.208.58 | 14061 | 178.128.208.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | ||
| 19 | 185.10.68.175 | 175.68.10.185.ro.ovo.sc. | 200651 | 185.10.68.0/24 | FLOKINET | SC | FLOKINET | |
| 20 | 185.101.105.189 | 57673 | 185.101.105.0/24 | HOSTCLEAN-SRL | RO | HOSTCLEAN-SRL | ||
| 21 | 185.172.111.189 | 206898 | 185.172.110.0/23 | BLADESERVERS | AU | BLADESERVERS | ||
| 22 | 185.206.93.87 | 202468 | 185.206.92.0/22 | ABRARVAN-AS | IR | AbrArvan CDN and IaaS | ||
| 23 | 185.30.233.145 | black.host-145.233.30.185.in-addr.arpa. | 174 | 185.30.233.0/24 | COGENT-174 | US | COGENT-174 | |
| 24 | 190.141.196.80 | 18809 | 190.141.192.0/21 | PA | Cable Onda | |||
| 25 | 192.236.193.29 | box.adegbenga.com. | 54290 | 192.236.192.0/22 | HOSTWINDS | US | HOSTWINDS | |
| 26 | 192.3.251.67 | 192-3-251-67-host.colocrossing.com. | 36352 | 192.3.248.0/22 | AS-COLOCROSSING | US | AS-COLOCROSSING | |
| 27 | 192.87.139.108 | 1103 | 192.87.0.0/16 | SURFNET-NL | NL | SURFnet, The Netherlands | ||
| 28 | 193.228.91.124 | RebeccaHost | US | RebeccaHost | ||||
| 29 | 194.15.36.136 | sv3.koalahost.pt. | 24961 | 194.15.36.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | |
| 30 | 194.15.36.242 | malvantos.org.uk. | 24961 | 194.15.36.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | |
| 31 | 194.87.138.118 | 24961 | 194.87.138.0/23 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | ||
| 32 | 194.87.138.45 | prt0.greenpath-logistics.com. | 24961 | 194.87.138.0/23 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | |
| 33 | 194.87.139.108 | 24961 | 194.87.138.0/23 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | ||
| 34 | 195.144.21.208 | black.host-208.21.144.195.in-addr.arpa. | 174 | 195.144.21.0/24 | COGENT-174 | US | COGENT-174 | |
| 35 | 198.46.209.159 | 198-46-209-159-host.colocrossing.com. | 36352 | 198.46.209.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING | |
| 36 | 2.57.122.186 | 48090 | 2.57.122.0/24 | PPTECHNOLOGY | GB | PPTECHNOLOGY | ||
| 37 | 206.126.81.113 | potshoes.ru. | 36493 | 206.126.80.0/20 | 295CA-TOR-ASN | CA | 295CA-TOR-ASN | |
| 38 | 206.81.14.160 | 14061 | 206.81.0.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | ||
| 39 | 217.160.172.236 | 8560 | 217.160.0.0/16 | IONOS-AS | DE | Joint network IONOS, Fasthosts, Arsys, 1&1 Mail and Media and 1 | ||
| 40 | 23.94.25.166 | 23-94-25-166-host.colocrossing.com. | 36352 | 23.94.25.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING | |
| 41 | 31.7.62.110 | abx.publicvm.com. | 51852 | 31.7.56.0/21 | PLI-AS | PA | PLI-AS | |
| 42 | 37.49.224.229 | www.shinigami.shop. | 213371 | 37.49.224.0/24 | SQUITTER-NETWORKS | NL | SQUITTER-NETWORKS | |
| 43 | 37.49.224.231 | 213371 | 37.49.224.0/24 | SQUITTER-NETWORKS | NL | SQUITTER-NETWORKS | ||
| 44 | 45.132.242.232 | 47583 | 45.132.240.0/22 | AS-HOSTINGER | CY | AS-HOSTINGER | ||
| 45 | 45.145.185.187 | 213035 | 45.145.185.0/24 | SERVERION-AS | NL | Serverion B.V. | ||
| 46 | 45.156.185.218 | hosted-by.parsvds.com. | 208161 | 45.156.185.0/24 | PARSVDS | IR | PARSVDS | |
| 47 | 45.43.18.171 | 40676 | 45.43.18.0/24 | AS40676 | US | AS40676 | - | |
| 48 | 45.84.196.145 | slot0.merkez-trading.ga. | 24961 | 45.84.196.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | |
| 49 | 45.88.148.250 | 35913 | 45.88.148.0/24 | DEDIPATH-LLC | US | DEDIPATH-LL | ||
| 50 | 45.95.168.112 | ch.chaincircuit.live. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co | |
| 51 | 45.95.168.185 | fo.forcecube.live. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co | |
| 52 | 5.206.227.43 | srv1.governance.fun. | 47674 | 5.206.227.0/24 | NETSOLUTIONS | NL | NETSOLUTIONS | |
| 53 | 50.115.170.104 | 32875 | 50.115.160.0/20 | VIRP | US | VIRP | ||
| 54 | 50.3.177.110 | 62904 | 50.3.176.0/22 | EONIX-COMMUNICATIONS | US | EONIX-COMMUNICATIONS | ||
| 55 | 51.103.34.254 | 8075 | 51.103.0.0/16 | MICROSOFT-CORP-MSN-A | US | MICROSOFT-CORP-MSN-A | ||
| 56 | 51.222.56.152 | ip152.ip-51-222-56.net. | 16276 | 51.222.0.0/16 | OVH | FR | OVH | |
| 57 | 62.4.16.167 | 12876 | 62.4.0.0/19 | FR | Online SAS | |||
| 58 | 62.103.77.120 | okxoxw.static.otenet.gr. | 6799 | 62.103.0.0/16 | OTENET-GR | GR | Athens - Greece | |
| 59 | 66.70.225.223 | ip223.ip-66-70-225.net. | 16276 | 66.70.128.0/17 | OVH | FR | OVH | |
| 60 | 78.142.18.20 | 208046 | 78.142.18.0/24 | HOSTSLICK-GERMANY | DE | Dedicated Server Provider | ||
| 61 | 79.124.78.143 | 201133 | 79.124.78.0/24 | VERDINA | BZ | VERDINA | ||
| 62 | 79.124.78.43 | 201133 | 79.124.78.0/24 | VERDINA | BZ | VERDINA | ||
| 63 | 85.239.35.124 | 43624 | 85.239.35.0/24 | PQ-HOSTING-AS | MD | PQ-HOSTING-AS | ||
| 64 | 88.218.16.16 | 50673 | 88.218.16.0/24 | SERVERIUS-AS | NL | SERVERIUS-AS | ||
| 65 | 88.218.16.235 | 50673 | 88.218.16.0/24 | SERVERIUS-AS | NL | SERVERIUS-AS | ||
| 66 | 88.99.123.146 | static.146.123.99.88.clients.your-server.de. | 24940 | 88.99.0.0/16 | HETZNER-AS | DE | HETZNER-AS | |
| 67 | 94.100.28.201 | 94-100-28-201.static.hvvc.us. | 29802 | 94.100.28.0/24 | HVC-AS | US | HVC-AS |
(please re-check the network details above due to a possible geodb or network database inaccuracy)
Mon Dec 21 19:15:03 JST 2020 @unixfreaxjp
MalwareMustDie,NPO (malwaremustdie.org)