[Top Page view in: Github Code or Github Page]
IoT Intrusion Payload Infrastructure Abuse Report for October 2020
This report is compiled from the data recorded in October 2020.
The global heatmap of the recorded data can be viewed below, following by the report’s detail.
(Memo: above map contains BGP collision between DE and RU, the RU result is incorrect)
1. The most abused ASN/Hosters/Countries (59)
| No | Hoster name | ASN | Country | Amount of abuse |
|---|---|---|---|---|
| 1 | SERVERION-AS | AS213035 | NL | 12 |
| 2 | MYLOC-AS | AS24961 | DE | 8 |
| 3 | AS-COLOCROSSING | AS36352 | US | 7 |
| 4 | GIGANET-HU | AS42864 | HU | 5 |
| 5 | DIGITALOCEAN | AS14061 | US | 4 |
| 6 | OVH | AS16276 | FR | 2 |
| 7 | AS-CHOOPA | AS20473 | US | 2 |
| 8 | COGENT-174 | AS174 | US | 2 |
| 9 | (others) |
2. The most abused broadband by P2P payloads (432)
P2P infection sources in GeoIP map:
| No | Country | P2P-IP Total |
|---|---|---|
| 1 | Taiwan | 79 |
| 2 | USA | 59 |
| 3 | Korea | 48 |
| 4 | Italy | 27 |
| 5 | Israel | 20 |
| 6 | Mexico | 20 |
| 7 | Brazil | 19 |
| 8 | Vietnam | 15 |
| 9 | China | 12 |
| 10 | Romania | 12 |
| 11 | Hungary | 7 |
| 12 | Spain | 7 |
| 13 | UK | 7 |
| 14 | Iran | 6 |
| 15 | Turkey | 5 |
| 16 | Georgia | 5 |
| 17 | Portugal | 5 |
| 18 | Canada | 4 |
| 19 | Australia | 4 |
| 20 | Russia | 4 |
3. The record of loader names per infection source IP
| No | Payload IP | loader script name |
|---|---|---|
| 1 | 104.131.125.249 | bins.sh |
| 2 | 104.168.46.115 | RiPli.sh |
| 3 | 107.173.140.154 | longbins.sh |
| 4 | 107.173.176.172 | bins.sh |
| 5 | 107.173.176.172 | roots.sh |
| 6 | 146.71.79.163 | Ripli.sh |
| 7 | 146.71.79.163 | bins.sh |
| 8 | 147.135.120.246 | Pemex.sh |
| 9 | 155.138.234.117 | SnOoPy.sh |
| 10 | 157.230.232.29 | 8UsA.sh |
| 11 | 157.245.75.134 | Sinfull.sh |
| 12 | 158.69.32.40 | GoOgle.sh |
| 13 | 162.221.204.211 | MPT.sh |
| 14 | 172.105.250.27 | SnOoPy.sh |
| 15 | 172.245.205.123 | Jailed.sh |
| 16 | 176.105.255.184 | tftp.sh |
| 17 | 176.123.7.234 | TEMPbins.sh |
| 18 | 185.10.68.175 | AydSbins.sh |
| 19 | 185.132.53.167 | EkSgbins.sh |
| 20 | 185.224.144.200 | 8UsA.sh |
| 21 | 185.224.144.200 | Pandora.sh |
| 22 | 185.249.198.41 | bins.sh |
| 23 | 185.30.233.163 | Pandora.sh |
| 24 | 185.30.233.178 | bins.sh |
| 25 | 192.210.239.115 | Vividbins.sh |
| 26 | 192.210.239.89 | Vividbins.sh |
| 27 | 192.241.136.217 | yoyobins.sh |
| 28 | 193.228.91.110 | mitac.sh |
| 29 | 193.239.147.44 | c1.sh |
| 30 | 193.239.147.44 | w1.sh |
| 31 | 194.15.36.137 | Pemex.sh |
| 32 | 194.62.6.90 | 8UsA.sh |
| 33 | 194.62.6.90 | Gbotbins.sh |
| 34 | 194.62.6.90 | Pandora.sh |
| 35 | 194.87.138.76 | GhOul.sh |
| 36 | 194.87.138.76 | aaabins.sh |
| 37 | 194.87.138.97 | Pemex.sh |
| 38 | 194.87.138.97 | Pemex1.sh |
| 39 | 195.58.39.105 | SnOoPy.sh |
| 40 | 195.58.39.117 | bin.sh |
| 41 | 195.58.39.183 | axisbins.sh |
| 42 | 2.57.122.214 | EkSgbins.sh |
| 43 | 23.95.116.135 | 8UsA.sh |
| 44 | 23.95.116.135 | EkSgbins.sh |
| 45 | 23.95.116.135 | RiPli.sh |
| 46 | 23.95.116.135 | Sakura.sh |
| 47 | 37.46.150.204 | Snoopy.sh |
| 48 | 37.46.150.37 | Mercury.sh |
| 49 | 37.46.150.37 | Pandora.sh |
| 50 | 37.46.150.54 | Nullsbins.sh |
| 51 | 37.46.150.64 | 8UsA.sh |
| 52 | 37.46.150.64 | Pandora.sh |
| 53 | 45.13.58.4 | MPT.sh |
| 54 | 45.148.10.186 | s.sh |
| 55 | 45.153.203.113 | skid.sh |
| 56 | 45.153.203.122 | Angelbins.sh |
| 57 | 45.153.203.158 | 8UsA.sh |
| 58 | 45.153.203.158 | Mercury.sh |
| 59 | 45.153.203.172 | 8UsA.sh |
| 60 | 45.153.203.175 | 8UsA.sh |
| 61 | 45.153.203.19 | Byebins.sh |
| 62 | 45.153.203.218 | 8UsA.sh |
| 63 | 45.153.203.218 | SnOoPy.sh |
| 64 | 45.80.184.213 | bins.sh |
| 65 | 45.84.196.241 | 8UsA.sh |
| 66 | 45.95.168.138 | Tempbins.sh |
| 67 | 45.95.168.138 | tempbins.sh |
| 68 | 45.95.168.173 | prod.sh |
| 69 | 45.95.168.227 | bins.sh |
| 70 | 45.95.168.238 | bins.sh |
| 71 | 45.95.168.87 | bins.sh |
| 72 | 66.42.127.129 | Sakura.sh |
| 73 | 83.97.20.90 | update.sh |
| 74 | 89.32.41.230 | EkSgbins.sh |
| 75 | 95.213.243.73 | c1.sh |
| 76 | 95.213.243.73 | w1.sh |
| No | Loader uniq filename |
|---|---|
| 1 | 8UsA.sh |
| 2 | Angelbins.sh |
| 3 | AydSbins.sh |
| 4 | Byebins.sh |
| 5 | EkSgbins.sh |
| 6 | Gbotbins.sh |
| 7 | GhOul.sh |
| 8 | GoOgle.sh |
| 9 | Jailed.sh |
| 10 | MPT.sh |
| 11 | Mercury.sh |
| 12 | Nullsbins.sh |
| 13 | Pandora.sh |
| 14 | Pemex.sh |
| 15 | Pemex1.sh |
| 16 | RiPli.sh |
| 17 | Ripli.sh |
| 18 | Sakura.sh |
| 19 | Sinfull.sh |
| 20 | SnOoPy.sh |
| 21 | Snoopy.sh |
| 22 | TEMPbins.sh |
| 23 | Tempbins.sh |
| 24 | Vividbins.sh |
| 25 | aaabins.sh |
| 26 | axisbins.sh |
| 27 | bin.sh |
| 28 | bins.sh |
| 29 | c1.sh |
| 30 | longbins.sh |
| 31 | mitac.sh |
| 32 | prod.sh |
| 33 | roots.sh |
| 34 | s.sh |
| 35 | skid.sh |
| 36 | tempbins.sh |
| 37 | tftp.sh |
| 38 | update.sh |
| 39 | w1.sh |
| 40 | yoyobins.sh |
4. The ISP networks were the attacks are coming from (abused ISP)
| No | Payload C2 IP | FQDN | ASN | Network prefix | ASN-ID | Country | ISP Name |
|---|---|---|---|---|---|---|---|
| 1 | 104.131.125.249 | 14061 | 104.131.64.0/18 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 2 | 104.168.46.115 | 104-168-46-115-host.colocrossing.com. | 36352 | 104.168.46.0/23 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 3 | 107.173.140.154 | 107-173-140-154-host.colocrossing.com. | 36352 | 107.173.140.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 4 | 107.173.176.172 | szcxkj.com. | 36352 | 107.173.176.0/22 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 5 | 146.71.79.163 | 18779 | 146.71.79.0/24 | EGIHOSTING | US | EGIHOSTING | |
| 6 | 147.135.120.246 | ip246.ip-147-135-120.us. | 16276 | 147.135.0.0/17 | OVH | FR | OVH |
| 7 | 155.138.234.117 | 155.138.234.117.vultr.com. | 20473 | 155.138.224.0/20 | AS-CHOOPA | US | AS-CHOOPA |
| 8 | 157.230.232.29 | 14061 | 157.230.224.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 9 | 157.245.75.134 | 14061 | 157.245.64.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 10 | 158.69.32.40 | 16276 | 158.69.0.0/16 | OVH | FR | OVH | |
| 11 | 162.221.204.211 | hml03.caixagong.info. | 11831 | 162.221.204.0/24 | ESECUREDATA | CA | ESECUREDATA |
| 12 | 172.105.250.27 | li2165-27.members.linode.com. | 63949 | 172.105.248.0/22 | LINODE-AP | US | Linode, LLC |
| 13 | 172.245.205.123 | 172-245-205-123-host.colocrossing.com. | 36352 | 172.245.205.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 14 | 176.105.255.184 | 62068 | 176.105.255.0/24 | SPECTRAIP | NL | SpectraIP B.V. | |
| 15 | 176.123.7.234 | ztzsgs.club. | 200019 | 176.123.0.0/21 | ALEXHOST | MD | ALEXHOST |
| 16 | 185.10.68.175 | 175.68.10.185.ro.ovo.sc. | 200651 | 185.10.68.0/24 | FLOKINET | SC | FLOKINET |
| 17 | 185.132.53.167 | mail.bestnewyearcoming.com. | 24961 | 185.132.53.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG |
| 18 | 185.224.144.200 | 212477 | 185.224.144.0/24 | ROYALE-AS | NL | ROYALE-AS | |
| 19 | 185.249.198.41 | 30823 | 185.249.198.0/24 | COMBAHTON | DE | combahton GmbH | |
| 20 | 185.30.233.163 | black.host-163.233.30.185.in-addr.arpa. | 174 | 185.30.233.0/24 | COGENT-174 | US | COGENT-174 |
| 21 | 185.30.233.178 | black.host-178.233.30.185.in-addr.arpa. | 174 | 185.30.233.0/24 | COGENT-174 | US | COGENT-174 |
| 22 | 192.210.239.115 | 192-210-239-115-host.colocrossing.com. | 36352 | 192.210.236.0/22 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 23 | 192.210.239.89 | 192-210-239-89-host.colocrossing.com. | 36352 | 192.210.236.0/22 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 24 | 192.241.136.217 | 14061 | 192.241.128.0/19 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 25 | 193.228.91.110 | REBECCA-HOST | US | Rebecca Host | |||
| 26 | 193.239.147.44 | 213035 | 193.239.147.0/24 | SERVERION-AS | NL | Serverion B.V. | |
| 27 | 194.15.36.137 | 24961 | 194.15.36.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | |
| 28 | 194.62.6.90 | 213251 | 194.62.6.0/24 | DE-SRV-2-MNT | DE | DE-SRV-2-MNT | |
| 29 | 194.87.138.76 | mail0.client-customerservice1.email. | 24961 | 194.87.138.0/23 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG |
| 30 | 194.87.138.97 | terret-variables.docstood.com. | 24961 | 194.87.138.0/23 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG |
| 31 | 195.58.39.105 | 24961 | 195.58.38.0/23 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | |
| 32 | 195.58.39.117 | 24961 | 195.58.38.0/23 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | |
| 33 | 195.58.39.183 | 24961 | 195.58.38.0/23 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | |
| 34 | 2.57.122.214 | 48090 | 2.57.122.0/24 | PPTECHNOLOGY | GB | PPTECHNOLOGY | |
| 35 | 23.95.116.135 | 23-95-116-135-host.colocrossing.com. | 36352 | 23.95.112.0/20 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 36 | 37.46.150.204 | slot0.grehuter.com. | 213035 | 37.46.150.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 37 | 37.46.150.37 | 213035 | 37.46.150.0/24 | SERVERION-AS | NL | Serverion B.V. | |
| 38 | 37.46.150.54 | 213035 | 37.46.150.0/24 | SERVERION-AS | NL | Serverion B.V. | |
| 39 | 37.46.150.64 | 213035 | 37.46.150.0/24 | SERVERION-AS | NL | Serverion B.V. | |
| 40 | 45.13.58.4 | 40676 | 45.13.58.0/24 | AS40676 | US | AS40676 | |
| 41 | 45.148.10.186 | 48090 | 45.148.10.0/24 | PPTECHNOLOGY | GB | PPTECHNOLOGY | |
| 42 | 45.153.203.113 | slot0.rablecht.com. | 213035 | 45.153.203.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 43 | 45.153.203.122 | 213035 | 45.153.203.0/24 | SERVERION-AS | NL | Serverion B.V. | |
| 44 | 45.153.203.158 | 213035 | 45.153.203.0/24 | SERVERION-AS | NL | Serverion B.V. | |
| 45 | 45.153.203.172 | 213035 | 45.153.203.0/24 | SERVERION-AS | NL | Serverion B.V. | |
| 46 | 45.153.203.175 | 213035 | 45.153.203.0/24 | SERVERION-AS | NL | Serverion B.V. | |
| 47 | 45.153.203.19 | 213035 | 45.153.203.0/24 | SERVERION-AS | NL | Serverion B.V. | |
| 48 | 45.153.203.218 | 213035 | 45.153.203.0/24 | SERVERION-AS | NL | Serverion B.V. | |
| 49 | 45.80.184.213 | nordns.vps.hosteons.com. | 35913 | 45.80.184.0/22 | DEDIPATH-LLC | US | DEDIPATH-LLC |
| 50 | 45.84.196.241 | 24961 | 45.84.196.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | |
| 51 | 45.95.168.138 | maxko-hosting.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 52 | 45.95.168.173 | sl.slingstack.live. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 53 | 45.95.168.227 | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co | |
| 54 | 45.95.168.238 | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co | |
| 55 | 45.95.168.87 | maxko-hosting.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 56 | 66.42.127.129 | 66.42.127.129.vultr.com. | 20473 | 66.42.112.0/20 | AS-CHOOPA | US | AS-CHOOPA |
| 57 | 83.97.20.90 | 90.20.97.83.ro.ovo.sc. | 9009 | 83.97.20.0/24 | M247 | GB | M247 |
| 58 | 89.32.41.230 | 48874 | 89.32.41.0/24 | HOSTMAZE | RO | HOSTMAZE | |
| 59 | 95.213.243.73 | cfo04.bcfq7chj.io. | 49505 | 95.213.243.0/24 | SELECTEL | RU | SELECTEL |
(please re-check the network details above due to a possible geodb or network database inaccuracy)
Mon Dec 21 22:13:32 JST 2020 @unixfreaxjp
MalwareMustDie,NPO (malwaremustdie.org)