Malicious IP Address List

[Asphyxia]

Today around an hour ago from this post, I am noticing an influx of Layer 7 DDoS (Distributed Denial of Service) traffic from these origin IP addresses. The number prefixing signifies the request count within just an hour of log time.

539: 189.89.246.242
573: 69.65.65.178
646: 207.154.200.199
807: 66.7.113.39
838: 54.36.150.1
884: 173.213.208.232
919: 167.71.182.183
931: 167.71.182.175
932: 167.71.106.246
936: 167.71.250.73
938: 167.71.105.170
941: 167.71.186.103
945: 104.236.248.219
949: 167.71.97.146
980: 51.158.120.84
985: 51.158.111.229
989: 163.172.154.72
997: 167.71.105.166
1004: 51.158.68.133
1027: 51.158.98.121
1033: 163.172.148.62
1041: 51.158.68.26
1043: 163.172.190.160
2356: 198.20.123.168
2646: 198.37.105.132
2700: 62.87.151.135
7314: 46.8.28.17
9061: 212.172.74.14
9174: 65.36.119.212
9308: 191.102.90.238
9868: 51.68.176.9
9972: 198.98.58.178
10353: 186.47.82.6
10354: 206.189.60.238
11082: 95.168.185.183
13091: 95.141.36.112
13131: 186.154.93.139
14118: 208.108.122.233
14369: 164.68.108.140
14535: 167.71.243.93
14798: 148.217.94.54
14927: 167.71.97.196
15065: 167.71.186.105
15083: 187.62.45.130
15117: 167.71.103.168
15173: 167.71.254.86
15256: 167.71.182.13
15468: 198.98.54.241
15544: 159.203.87.130
16116: 51.158.106.54
16180: 51.158.123.35
16654: 104.244.75.26
16687: 51.158.111.242
16738: 163.172.162.215
16759: 51.158.108.135
16772: 163.172.189.32

These hosts should be known as associated with a botnet.

...

FILE=access.log; for ip in `cat $FILE |cut -d ' ' -f 1 |sort |uniq`; do { COUNT=`grep ^$ip $FILE |wc -l`; if [[ "$COUNT" -gt "500" ]]; then echo "$COUNT: $ip"; fi }; done

This is the method I used for extracting the IP addresses out with counts.

 

[danieljc]

Where are the servers hosted?

 

[Asphyxia]

Where are the servers hosted?

Source:

ipapi - Bulk IP Lookup Tool | Locate IP Address on a Map

Batch IP Geolocation GUI. View 1000 IPs on a map, download as CSV, PDF, Excel. Spreadsheet interface to search, sort & print city, country, currency & more.

app.ipapi.co

IP	Domain	Country	Region	City	ISP	ASN
189.89.246.242	18989246242.prontonet.com.br	Brazil	Para	Barcarena	Pronto Net Ltda.	28188
69.65.65.178	crlspr-69.65.65.178.myacc.net	United States	Florida	Pompano Beach	Blue Stream	30404
207.154.200.199	vpn.euroant.com	Germany	Hesse	Frankfurt am Main	DigitalOcean, LLC	14061
66.7.113.39		United States	Utah	Cedar City	Off Campus Telecommunications	29933
54.36.150.1	ip-54-36-150-1.a.ahrefs.com	France			OVH SAS	16276
173.213.208.232	altanyh232.nbcuni.com	United States	New York	New York	NBCUniversal	54040
167.71.182.183		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
167.71.182.175		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
167.71.106.246		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
167.71.250.73		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
167.71.105.170		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
167.71.186.103		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
104.236.248.219		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
167.71.97.146		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
51.158.120.84	84-120-158-51.rev.cloud.scaleway.com	France	Paris	Paris	Online S.a.s.	12876
51.158.111.229	229-111-158-51.rev.cloud.scaleway.com	France	Paris	Paris	Online S.a.s.	12876
163.172.154.72	72-154-172-163.rev.cloud.scaleway.com	France			Online S.a.s.	12876
167.71.105.166		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
51.158.68.133	133-68-158-51.rev.cloud.scaleway.com	France	Paris	Paris	Online S.a.s.	12876
51.158.98.121	121-98-158-51.rev.cloud.scaleway.com	France	Paris	Paris	Online S.a.s.	12876
163.172.148.62	62-148-172-163.rev.cloud.scaleway.com	France			Online S.a.s.	12876
51.158.68.26	26-68-158-51.rev.cloud.scaleway.com	France	Paris	Paris	Online S.a.s.	12876
163.172.190.160	160-190-172-163.rev.cloud.scaleway.com	France			Online S.a.s.	12876
198.20.123.168	.	Netherlands	North Holland	Amsterdam	SingleHop LLC	32475
198.37.105.132	105.37.198-132.dc74.net	United States	Florida	Indialantic	DC74 LLC	17216
62.87.151.135	CLIENT-tvkgaj-1-903.wroclaw.dialog.net.pl	Poland	Kujawsko-Pomorskie	Sepolno Krajenskie	Netia SA	12741
46.8.28.17		Ukraine	Transcarpathia	Uzhhorod	Wireless network and communications PE	204684
212.172.74.14		Germany			ecotel communication ag	12312
65.36.119.212	65-36-119-212.static.grandenetworks.net	United States	Texas	Austin	Grande Communications Networks, LLC	7459
191.102.90.238	azteca-comunicaciones.com	Colombia	Bogota D.C.	Bogotá	TV AZTECA SUCURSAL COLOMBIA	262186
51.68.176.9		France			OVH SAS	16276
198.98.58.178	sing2d.top	United States	New York	Buffalo	FranTech Solutions	53667
186.47.82.6	6.82.47.186.static.anycast.cnt-grms.ec	Ecuador	Provincia de Loja	Macara	CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP	28006
206.189.60.238		Germany	Hesse	Frankfurt am Main	DigitalOcean, LLC	14061
95.168.185.183		Algeria			Leaseweb Uk Limited	205544
95.141.36.112		Italy	Trentino-Alto Adige		Seflow S.N.C. Di Marco Brame' & C.	49367
186.154.93.139	static-186-154-93-139.static.etb.net.co	Colombia	Bogota D.C.	Bogotá	Colombia	19429
208.108.122.233		United States	Ohio	Defiance	Northwest Ohio Computer Association	62724
164.68.108.140	vmi284004.contaboserver.net	Germany			Contabo GmbH	51167
167.71.243.93		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
148.217.94.54	rimd.reduaz.mx	Mexico	Zacatecas	Zacatecas City	Uninet S.A. de C.V.	8151
167.71.97.196		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
167.71.186.105		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
187.62.45.130	r335-pf-jangada.ibys.com.br	Brazil	Parana	Londrina	Sercomtel Participações S.A.	22689
167.71.103.168		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
167.71.254.86		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
167.71.182.13		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
198.98.54.241	.	United States	New York	Buffalo	FranTech Solutions	53667
159.203.87.130		United States	New Jersey	Clifton	DigitalOcean, LLC	14061
51.158.106.54	54-106-158-51.rev.cloud.scaleway.com	France	Paris	Paris	Online S.a.s.	12876
51.158.123.35	35-123-158-51.rev.cloud.scaleway.com	France	Paris	Paris	Online S.a.s.	12876
104.244.75.26	.	United States	Arizona	Phoenix	FranTech Solutions	53667
51.158.111.242	242-111-158-51.rev.cloud.scaleway.com	France	Paris	Paris	Online S.a.s.	12876
163.172.162.215	215-162-172-163.rev.cloud.scaleway.com	France			Online S.a.s.	12876
51.158.108.135	135-108-158-51.rev.cloud.scaleway.com	France	Paris	Paris	Online S.a.s.	12876
163.172.189.32	32-189-172-163.rev.cloud.scaleway.com	France			Online S.a.s.	12876

Source:

Domain and IP bulk lookup tool

Domain and IP bulk lookup tool

www.infobyip.com

 

[Primo]

What do they want from us? Why are they attacking ...

 

[danieljc]

Well, when he realized the attack he made, did he block the IP addresses?
Should you block the IP as you did?

 

[mkll11one]

Bueno, cuando se dio cuenta del ataque que hizo, ¿bloqueó las direcciones IP?
En caso de bloquear la IP como lo hizo?

English only here! =)

 

[Asphyxia]

By the way, if anyone is curious as to how you would rip IP addresses out of your "lastb" command with counts - the method is rather similar. I will give you a one-liner*.
*Not a one-line but easy copy/paste to get a Termbin extract of your top 20 bad hosts

First let us take a second to showcase examples of utmpdump.
1. Similar to last is utmpdump /var/log/wtmp
2. Similar to lastb is utmpdump /var/log/btmp
3. Follow lastb for active changes utmpdump -f /var/log/btmp



Keep in mind some versions of utmpdump support -o or --output which allows you to write the dump out, in the case of CentOS we do not have this luxury Ferrari feature. I guess our Honda features will have to do, let's get dumping and counting IP addresses.

First I am going to simply play with dumping wtmp since this should be considerably smaller in size, good sample data.

utmpdump /var/log/wtmp > /root/logins.txt

Now if we cat this file we can look for a delimiter to explode the data into pizza slices to take only what we need.



I count the [ characters, since this will prefix our IP record we want to pull out.

Always add 1 to your cuts, because 1 is to the left if that makes sense:

[root@lipaydi log]# cat /root/logins.txt | cut -d '[' -f 8

Slight problem, we do not want ] in with our data so what character can we cut by to trim that space bullshit? Why, a space character should do!

cat /root/logins.txt | cut -d '[' -f 8 | cut -d " " -f 1

Now we have beautifully tamed IP addresses. This can conclude our testing after we get our IP address sorted and counted.

If we wanted, this could be all we do:

cat /root/logins.txt | cut -d '[' -f 8 | cut -d " " -f 1 |sort | uniq -c | sort -n

But I like to make things way beautiful and so I am going to make this go this way:

utmpdump /var/log/wtmp > /root/logins.txt
cat /root/logins.txt | cut -d '[' -f 8 | cut -d " " -f 1 |sort | uniq -c | sort -nr

So to conclude, getting our count of failed logins by IP address:

utmpdump /var/log/btmp > /root/badlogin.txt
cat /root/badlogin.txt | cut -d '[' -f 8 | cut -d " " -f 1 |sort | uniq -c | sort -nr > /root/evil.txt
cat /root/evil.txt | less

Using your pgdn key, you can sort through the hosts containing their respective number of failed SSH logins.

If we just want to get a list of the top 20 bad hosts:

utmpdump /var/log/btmp > /root/badlogin.txt
cat /root/badlogin.txt | cut -d '[' -f 8 | cut -d " " -f 1 |sort | uniq -c | sort -nr > /root/evil.txt
head -20 /root/evil.txt > /root/top20.txt

If you want to get your top 20 list and share, I'd go about that like this:

utmpdump /var/log/btmp > /root/badlogin.txt
cat /root/badlogin.txt | cut -d '[' -f 8 | cut -d " " -f 1 |sort | uniq -c | sort -nr > /root/evil.txt
head -20 /root/evil.txt > /root/top20.txt
cat /root/top20.txt | nc termbin.com 9999

I then receive something like
https://termbin.com/3h8a which is good to paste into a list in a code block to share threat intel.

  21676 49.88.112.113
    755 49.88.112.111
    435 222.186.180.8
    402 222.186.180.142]
    393 222.186.15.158
    327 222.186.30.218
    323 222.186.30.31
    318 222.186.31.127
    317 222.186.31.83
    314 222.186.175.163]
    314 222.186.175.154]
    290 154.85.38.58
    285 222.186.31.144
    273 222.186.175.23
    273 222.186.15.10
    270 222.186.42.155
    270 222.186.30.145
    266 222.186.30.59
    244 222.186.173.180]
    243 222.186.30.248

After a while, you may get tired of having the same old hosts at the top of your list. You can flush your logs out to get new top bad hosts.

Flush bad login logs:

cat /dev/null > /var/log/btmp

Within just seconds of me flushing this log I am already noticing:

[root@lipaydi ~]# utmpdump /var/log/btmp
Utmp dump of /var/log/btmp
[6] [09183] [    ] [root    ] [ssh:notty   ] [49.88.112.113       ] [49.88.112.113  ] [Mon Jan 13 16:42:36 2020 UTC]
[6] [09183] [    ] [root    ] [ssh:notty   ] [49.88.112.113       ] [49.88.112.113  ] [Mon Jan 13 16:42:38 2020 UTC]
[6] [09183] [    ] [root    ] [ssh:notty   ] [49.88.112.113       ] [49.88.112.113  ] [Mon Jan 13 16:42:40 2020 UTC]

China really does not love us, eh?

Also I have an old btmp file to scan through:

cd /var/log/ | ls -lah | grep "btmp"
-rw-------   1 root   utmp   1.2K Jan 13 16:42 btmp
-rw-------   1 root   utmp   125M Jan  1 03:33 btmp-20200101

SIMPLE!

utmpdump /var/log/btmp-20200101> /root/badlogin.txt
cat /root/badlogin.txt | cut -d '[' -f 8 | cut -d " " -f 1 |sort | uniq -c | sort -nr > /root/evil.txt
head -20 /root/evil.txt > /root/top20.txt
cat /root/top20.txt | nc termbin.com 9999

RESULTS:

  40852 49.88.112.113
   4693 166.62.33.2
   2976 220.88.40.41
    745 222.186.175.202]
    676 49.235.180.194
    666 222.186.173.183]
    627 222.186.175.148]
    615 222.186.42.4
    593 222.186.173.180]
    583 222.186.173.142]
    579 222.186.175.155]
    558 222.186.175.154]
    552 222.186.180.8
    534 222.186.173.238]
    533 222.186.175.147]
    532 222.186.180.147]
    532 219.65.66.129
    528 61.177.172.128
    487 222.186.173.154]
    486 222.186.175.220]

You may see a few stray ] characters, this is fine and can be corrected if highly bothersome. I do not care enough to fix that right now but feel free to throw in if you want!!

Using a tool like https://www.toolsvoid.com/extract-ip-addresses/ or your own Linux bash script, you can pull all IP addresses out and map them using a tool like https://www.infobyip.com/ipbulklookup.php



tl;dr China sucks, block China - always.

 

[Asphyxia]

I have another bad IP list from a different host:

   5834 222.186.52.78
    771 139.198.4.44
    749 187.141.122.148]
    585 75.142.74.23
    357 143.92.53.8
    217 222.186.15.18
    182 49.88.112.111
    163 222.186.15.33
    152 49.88.112.118
    147 118.70.216.153
    110 49.88.112.110
     93 222.186.31.204
     77 188.127.172.98
     75 27.78.12.22
     60 185.153.199.210]
     60 185.153.199.155]
     40 45.141.86.128
     38 195.9.74.38
     35 222.186.175.216]
     34 61.177.172.128

Is anyone interested in knowing how to block these?

 

[mkll11one]

Ya me. @Asphyxia