IoT Intrusion Payload Infrastructure Abuse Report for December 2020 (up to Christmas day)
This report is compiled from the data recorded in December 2020 (up to Christmas day).
The global heatmap of the recorded data can be viewed below, followed by the report’s details.
1. The most abused ASN/Hosters/Countries (45)
| No | Hoster name | ASN | Ctry | Amount of abuse |
|---|---|---|---|---|
| 1 | AS-COLOCROSSING | AS36352 | US | 9 |
| 2 | DIGITALOCEAN | AS14061 | US | 8 |
| 3 | SERVERION-AS | AS213035 | NL | 6 |
| 4 | GIGANET-HU | AS42864 | HU | 3 |
| 5 | OVH | AS16276 | FR | 2 |
| 6 | PONYNET/FRANTECH | AS53667 | US | 2 |
| 7 | HOSTWINDS | AS54290 | US | 2 |
| 8 | MICROSOFT | AS8075 | US | 1 |
| 9 | VMSNETWORKS | AS398468 | US | 1 |
| 10 | AS-CHOOPA | AS20473 | US | 1 |
| 11 | HVC-AS | AS29802 | US | 1 |
| 12 | PPTECHNOLOGY | AS48090 | UK | 1 |
| 13 | M247 | AS9009 | UK | 1 |
| 14 | SKB-ENTERPRISE | AS64425 | NL | 1 |
| 15 | BELCLOUD | AS44901 | BG | 1 |
| 16 | MYLOC-AS | AS24961 | DE | 1 |
| 17 | AS-HOSTINGER | AS47583 | CY | 1 |
| 18 | YURTEH-AS | AS30860 | UA | 1 |
| 19 | PIHL-AS | AS213058 | RU | 1 |
| 20 | BLADESERVERS | AS206898 | AU | 1 |
2. The most abused broadband by P2P payloads (404)
P2P infection sources in GeoIP map:
| No | Country | P2P-IP Total |
|---|---|---|
| 1 | Taiwan | 70 |
| 2 | USA | 63 |
| 3 | Korea | 43 |
| 4 | Brazil | 25 |
| 5 | Mexico | 21 |
| 6 | Israel | 20 |
| 7 | Spain | 18 |
| 8 | Vietnam | 16 |
| 9 | Italy | 13 |
| 10 | Turkey | 8 |
| 11 | Iran | 8 |
| 12 | Malaysia | 8 |
| 13 | India | 7 |
| 14 | China | 6 |
| 15 | Romania | 6 |
| 16 | Russia | 5 |
| 17 | Indonesia | 5 |
| 18 | Ukraine | 4 |
| 19 | UK | 4 |
| 20 | Australia | 3 |
3. The record of loader names per infection source IP (54)
| No | Payload IP | loader script name |
|---|---|---|
| 1 | 104.168.96.11 | bins.sh |
| 2 | 104.248.238.30 | yoyobins.sh |
| 3 | 107.173.125.167 | gtop.sh |
| 4 | 107.173.91.136 | bins.sh |
| 5 | 108.174.62.168 | gtop.sh |
| 6 | 134.209.195.231 | Snoopy.sh |
| 7 | 139.59.105.123 | bins.sh |
| 8 | 142.93.255.221 | yoyobins.sh |
| 9 | 144.202.65.86 | bins.sh |
| 10 | 167.172.42.154 | 8UsA.sh |
| 11 | 167.71.81.188 | 8UsA.sh |
| 12 | 185.132.53.218 | SnOoPy.sh |
| 13 | 185.132.53.218 | bins.sh |
| 14 | 185.172.110.213 | net.sh |
| 15 | 185.239.242.93 | bobbabins.sh |
| 16 | 185.239.242.93 | pXdN91.sh |
| 17 | 185.244.39.248 | angelbins.sh |
| 18 | 192.119.86.133 | EkSgbins.sh |
| 19 | 192.227.147.157 | pwnInfect.sh |
| 20 | 193.239.147.144 | 8UsA.sh |
| 21 | 193.239.147.144 | Fourloko.sh |
| 22 | 193.239.147.144 | Sakura.sh |
| 23 | 193.239.147.245 | bin.sh |
| 24 | 193.42.137.107 | pXdN91.sh |
| 25 | 198.23.157.36 | bins.sh |
| 26 | 198.98.55.83 | test.sh |
| 27 | 2.57.122.227 | EkSgbins.sh |
| 28 | 209.141.34.144 | virum.sh |
| 29 | 212.73.150.149 | EkSgbins.sh |
| 30 | 23.254.229.253 | update.sh |
| 31 | 23.94.4.168 | bins.sh |
| 32 | 23.94.4.170 | 8UsA.sh |
| 33 | 23.94.4.170 | pXdN91.sh |
| 34 | 23.95.246.244 | EkSgbins.sh |
| 35 | 23.95.246.244 | modzbins.sh |
| 36 | 37.46.150.158 | Yumeko.sh |
| 37 | 45.15.25.65 | lordhades.sh |
| 38 | 45.153.203.116 | 8UsA.sh |
| 39 | 45.153.203.152 | aodbins.sh |
| 40 | 45.95.168.113 | GhOul.sh |
| 41 | 45.95.168.113 | bins.sh |
| 42 | 45.95.169.200 | Sakura.sh |
| 43 | 45.95.169.218 | virum.sh |
| 44 | 46.21.147.68 | 8UsA.sh |
| 45 | 5.196.162.1 | GhOul.sh |
| 46 | 5.196.162.1 | bins.sh |
| 47 | 51.81.91.243 | bins.sh |
| 48 | 52.255.172.167 | ASUNA.sh |
| 49 | 62.182.86.37 | ISIS.sh |
| 50 | 68.183.28.103 | EkSgbins.sh |
| 51 | 68.183.97.186 | Snoopy.sh |
| 52 | 89.249.65.230 | EkSgbins.sh |
| 53 | 91.234.99.47 | Mercury.sh |
| 54 | 91.234.99.47 | Pemex.sh |

| No | Loader unique filename (27) |
|---|---|
| 1 | 8UsA.sh |
| 2 | ASUNA.sh |
| 3 | EkSgbins.sh |
| 4 | Fourloko.sh |
| 5 | GhOul.sh |
| 6 | ISIS.sh |
| 7 | Mercury.sh |
| 8 | Pemex.sh |
| 9 | Sakura.sh |
| 10 | SnOoPy.sh |
| 11 | Snoopy.sh |
| 12 | Yumeko.sh |
| 13 | angelbins.sh |
| 14 | aodbins.sh |
| 15 | bin.sh |
| 16 | bins.sh |
| 17 | bobbabins.sh |
| 18 | gtop.sh |
| 19 | lordhades.sh |
| 20 | modzbins.sh |
| 21 | net.sh |
| 22 | pXdN91.sh |
| 23 | pwnInfect.sh |
| 24 | test.sh |
| 25 | update.sh |
| 26 | virum.sh |
| 27 | yoyobins.sh |
4. The ISP networks where the attacks are coming from (abused ISP)
| No | Payload C2 IP | FQDN | ASN | Network prefix | ASN-ID | Country | ISP Name |
|---|---|---|---|---|---|---|---|
| 1 | 104.168.96.11 | 104-168-96-11-host.colocrossing.com. | 36352 | 104.168.96.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 2 | 104.248.238.30 | runner.gitlab. | 14061 | 104.248.224.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 3 | 107.173.125.167 | 107-173-125-167-host.colocrossing.com. | 36352 | 107.173.125.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 4 | 107.173.91.136 | 107-173-91-136-host.colocrossing.com. | 36352 | 107.173.88.0/22 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 5 | 108.174.62.168 | 108-174-62-168-host.colocrossing.com. | 36352 | 108.174.62.0/23 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 6 | 134.209.195.231 | | 14061 | 134.209.192.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 7 | 139.59.105.123 | | 14061 | 139.59.96.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 8 | 142.93.255.221 | | 14061 | 142.93.240.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 9 | 144.202.65.86 | 144.202.65.86. | 20473 | 144.202.64.0/20 | AS-CHOOPA | US | AS-CHOOPA |
| 10 | 167.172.42.154 | | 14061 | 167.172.32.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 11 | 167.71.81.188 | | 14061 | 167.71.80.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 12 | 185.132.53.218 | | 24961 | 185.132.53.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG |
| 13 | 185.172.110.213 | | 206898 | 185.172.110.0/23 | BLADESERVERS | AU | BLADESERVERS |
| 14 | 185.239.242.93 | | 213035 | 185.239.242.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 15 | 185.244.39.248 | | 64425 | 185.244.39.0/24 | SKB-ENTERPRISE | NL | SKB-ENTERPRISE |
| 16 | 192.119.86.133 | client-192-119-86-133.hostwindsdns.com. | 54290 | 192.119.64.0/18 | HOSTWINDS | US | HOSTWINDS |
| 17 | 192.227.147.157 | 192-227-147-157-host.colocrossing.com. | 36352 | 192.227.147.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 18 | 193.239.147.144 | | 213035 | 193.239.147.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 19 | 193.239.147.245 | | 213035 | 193.239.147.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 20 | 193.42.137.107 | | 398468 | 193.42.137.0/24 | VMSNETWORKS | US | VMSNETWORKS |
| 21 | 198.23.157.36 | 198-23-157-36-host.colocrossing.com. | 36352 | 198.23.156.0/22 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 22 | 198.98.55.83 | | 53667 | 198.98.48.0/20 | PONYNET | US | PONYNET |
| 23 | 2.57.122.227 | | 48090 | 2.57.122.0/24 | PPTECHNOLOGY | GB | PPTECHNOLOGY |
| 24 | 209.141.34.144 | | 53667 | 209.141.32.0/19 | PONYNET | US | PONYNET |
| 25 | 212.73.150.149 | | 44901 | 212.73.150.0/24 | BELCLOUD | BG | BELCLOUD |
| 26 | 23.254.229.253 | client-23-254-229-253.hostwindsdns.com. | 54290 | 23.254.224.0/21 | HOSTWINDS | US | HOSTWINDS |
| 27 | 23.94.4.168 | 23-94-4-168-host.colocrossing.com. | 36352 | 23.94.4.0/22 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 28 | 23.94.4.170 | 23-94-4-170-host.colocrossing.com. | 36352 | 23.94.4.0/22 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 29 | 23.95.246.244 | 23-95-246-244-host.colocrossing.com. | 36352 | 23.95.246.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 30 | 37.46.150.158 | | 213035 | 37.46.150.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 31 | 45.15.25.65 | | 47583 | 45.15.24.0/22 | AS-HOSTINGER | CY | AS-HOSTINGER |
| 32 | 45.153.203.116 | | 213035 | 45.153.203.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 33 | 45.153.203.152 | | 213035 | 45.153.203.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 34 | 45.95.168.113 | maxko-hosting.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 35 | 45.95.169.200 | maxko-hosting.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 36 | 45.95.169.218 | maxko-hosting.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 37 | 46.21.147.68 | 68.147.21.46.in-addr.arpa. | 29802 | 46.21.147.0/24 | HVC-AS | US | HVC-AS |
| 38 | 5.196.162.1 | ip1.ip-5-196-162.eu. | 16276 | 5.196.0.0/16 | OVH | FR | OVH |
| 39 | 51.81.91.243 | ip51-81-91-243.fantasy.ovh. | 16276 | 51.81.0.0/17 | OVH | FR | OVH |
| 40 | 52.255.172.167 | | 8075 | 52.224.0.0/11 | MICROSOFT-CORP-MSN-A | US | MICROSOFT-CORP-MSN-A |
| 41 | 62.182.86.37 | host-37.dedicated.vsys.host. | 30860 | 62.182.86.0/24 | YURTEH-AS | UA | YURTEH-AS |
| 42 | 68.183.28.103 | | 14061 | 68.183.16.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 43 | 68.183.97.186 | | 14061 | 68.183.96.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 44 | 89.249.65.230 | no-rdns.m247.com. | 9009 | 89.249.65.0/24 | M247 | GB | M247 |
| 45 | 91.234.99.47 | | 213058 | 91.234.99.0/24 | PIHL-AS | RU | PIHL-AS |
(Please re-check the network details above, since the GeoIP or network databases used may contain inaccuracies.)
Fri Dec 25 19:23:00 JST 2020 @unixfreaxjp
MalwareMustDie,NPO (malwaremustdie.org)