Malicious IP Address List

Asphyxia

Owner
Administrator
Apr 25, 2015
1,844
2
2,197
327
Today, around an hour ago from this post, I am noticing an influx of Layer 7 DDoS (Distributed Denial of Service) traffic from these origin IP addresses. The number prefixed to each address is the request count within just an hour of log time.

539: 189.89.246.242
573: 69.65.65.178
646: 207.154.200.199
807: 66.7.113.39
838: 54.36.150.1
884: 173.213.208.232
919: 167.71.182.183
931: 167.71.182.175
932: 167.71.106.246
936: 167.71.250.73
938: 167.71.105.170
941: 167.71.186.103
945: 104.236.248.219
949: 167.71.97.146
980: 51.158.120.84
985: 51.158.111.229
989: 163.172.154.72
997: 167.71.105.166
1004: 51.158.68.133
1027: 51.158.98.121
1033: 163.172.148.62
1041: 51.158.68.26
1043: 163.172.190.160
2356: 198.20.123.168
2646: 198.37.105.132
2700: 62.87.151.135
7314: 46.8.28.17
9061: 212.172.74.14
9174: 65.36.119.212
9308: 191.102.90.238
9868: 51.68.176.9
9972: 198.98.58.178
10353: 186.47.82.6
10354: 206.189.60.238
11082: 95.168.185.183
13091: 95.141.36.112
13131: 186.154.93.139
14118: 208.108.122.233
14369: 164.68.108.140
14535: 167.71.243.93
14798: 148.217.94.54
14927: 167.71.97.196
15065: 167.71.186.105
15083: 187.62.45.130
15117: 167.71.103.168
15173: 167.71.254.86
15256: 167.71.182.13
15468: 198.98.54.241
15544: 159.203.87.130
16116: 51.158.106.54
16180: 51.158.123.35
16654: 104.244.75.26
16687: 51.158.111.242
16738: 163.172.162.215
16759: 51.158.108.135
16772: 163.172.189.32

These hosts should be known as associated with a botnet.

...

Code:
# One pass over the log; prints "COUNT: IP" for IPs with more than 500 hits, lowest first (the old grep ^$ip loop re-read the log per IP and also matched longer addresses sharing a prefix)
FILE=access.log; cut -d ' ' -f 1 "$FILE" | sort | uniq -c | awk '$1 > 500 { print $1 ": " $2 }' | sort -n

This is the method I used for extracting the IP addresses out with counts.
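As an added example (not the thread author's code), here is the same per-IP request count done in one awk pass over a constructed sample access log in the default Apache/nginx format, plus a per-minute peak that separates a short burst from steady traffic. The sample lines, the file path and the threshold are assumptions; the script relies only on the first field being the client IP and field 4 holding the bracketed timestamp.

```shell
#!/bin/sh
# Added example: per-IP request counts from an access log, done in one pass.
# Not the original post's one-liner. Assumes the first whitespace-separated
# field is the client IP and field 4 is "[DD/Mon/YYYY:HH:MM:SS".

# Constructed sample log (not real traffic). Note 203.0.113.70 shares a prefix
# with 203.0.113.7; a `grep ^203.0.113.7` loop would count it as the same host.
SAMPLE_LOG="${TMPDIR:-/tmp}/access_sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [25/Oct/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [25/Oct/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [25/Oct/2019:10:00:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.70 - - [25/Oct/2019:10:00:02 +0000] "GET /about HTTP/1.1" 200 1024
198.51.100.9 - - [25/Oct/2019:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048
198.51.100.9 - - [25/Oct/2019:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048
192.0.2.44 - - [25/Oct/2019:10:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 64
EOF

# heavy_hitters LOGFILE THRESHOLD
# Prints "COUNT: IP" for every IP with more than THRESHOLD requests, ascending,
# the same shape as the list at the top of the thread.
heavy_hitters() {
    log=$1; threshold=$2
    awk -v t="$threshold" '
        { count[$1]++ }                       # exact match on the whole field
        END { for (ip in count) if (count[ip] > t) printf "%d: %s\n", count[ip], ip }
    ' "$log" | sort -n
}

# peak_minute LOGFILE
# For each IP, its busiest minute and the request count in that minute.
# Characters 2..18 of field 4 are "DD/Mon/YYYY:HH:MM", the minute bucket.
peak_minute() {
    awk '
        { key = $1 " " substr($4, 2, 17); n[key]++ }
        END {
            for (k in n) {
                split(k, p, " ")
                if (n[k] > peak[p[1]]) { peak[p[1]] = n[k]; when[p[1]] = p[2] }
            }
            for (ip in peak) printf "%s %s %d\n", ip, when[ip], peak[ip]
        }
    ' "$1" | sort -k3,3n
}

heavy_hitters "$SAMPLE_LOG" 1
peak_minute "$SAMPLE_LOG"
```

On the sample, `heavy_hitters "$SAMPLE_LOG" 1` reports only 198.51.100.9 and 203.0.113.7; the prefix neighbour 203.0.113.70 is counted on its own. On a real server, swap `SAMPLE_LOG` for the access log path and raise the threshold to the author's 500.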
 

Asphyxia

Owner
Administrator
Apr 25, 2015
Where are the servers hosted?
1572265339088.png
Source:

IP | Domain | Country | Region | City | ISP | ASN
189.89.246.242 | 18989246242.prontonet.com.br | Brazil | Para | Barcarena | Pronto Net Ltda. | 28188
69.65.65.178 | crlspr-69.65.65.178.myacc.net | United States | Florida | Pompano Beach | Blue Stream | 30404
207.154.200.199 | vpn.euroant.com | Germany | Hesse | Frankfurt am Main | DigitalOcean, LLC | 14061
66.7.113.39 | | United States | Utah | Cedar City | Off Campus Telecommunications | 29933
54.36.150.1 | ip-54-36-150-1.a.ahrefs.com | France | | | OVH SAS | 16276
173.213.208.232 | altanyh232.nbcuni.com | United States | New York | New York | NBCUniversal | 54040
167.71.182.183 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
167.71.182.175 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
167.71.106.246 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
167.71.250.73 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
167.71.105.170 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
167.71.186.103 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
104.236.248.219 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
167.71.97.146 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
51.158.120.84 | 84-120-158-51.rev.cloud.scaleway.com | France | Paris | Paris | Online S.a.s. | 12876
51.158.111.229 | 229-111-158-51.rev.cloud.scaleway.com | France | Paris | Paris | Online S.a.s. | 12876
163.172.154.72 | 72-154-172-163.rev.cloud.scaleway.com | France | | | Online S.a.s. | 12876
167.71.105.166 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
51.158.68.133 | 133-68-158-51.rev.cloud.scaleway.com | France | Paris | Paris | Online S.a.s. | 12876
51.158.98.121 | 121-98-158-51.rev.cloud.scaleway.com | France | Paris | Paris | Online S.a.s. | 12876
163.172.148.62 | 62-148-172-163.rev.cloud.scaleway.com | France | | | Online S.a.s. | 12876
51.158.68.26 | 26-68-158-51.rev.cloud.scaleway.com | France | Paris | Paris | Online S.a.s. | 12876
163.172.190.160 | 160-190-172-163.rev.cloud.scaleway.com | France | | | Online S.a.s. | 12876
198.20.123.168 | . | Netherlands | North Holland | Amsterdam | SingleHop LLC | 32475
198.37.105.132 | 105.37.198-132.dc74.net | United States | Florida | Indialantic | DC74 LLC | 17216
62.87.151.135 | CLIENT-tvkgaj-1-903.wroclaw.dialog.net.pl | Poland | Kujawsko-Pomorskie | Sepolno Krajenskie | Netia SA | 12741
46.8.28.17 | | Ukraine | Transcarpathia | Uzhhorod | Wireless network and communications PE | 204684
212.172.74.14 | | Germany | | | ecotel communication ag | 12312
65.36.119.212 | 65-36-119-212.static.grandenetworks.net | United States | Texas | Austin | Grande Communications Networks, LLC | 7459
191.102.90.238 | azteca-comunicaciones.com | Colombia | Bogota D.C. | Bogotá | TV AZTECA SUCURSAL COLOMBIA | 262186
51.68.176.9 | | France | | | OVH SAS | 16276
198.98.58.178 | sing2d.top | United States | New York | Buffalo | FranTech Solutions | 53667
186.47.82.6 | 6.82.47.186.static.anycast.cnt-grms.ec | Ecuador | Provincia de Loja | Macara | CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP | 28006
206.189.60.238 | | Germany | Hesse | Frankfurt am Main | DigitalOcean, LLC | 14061
95.168.185.183 | | Algeria | | | Leaseweb Uk Limited | 205544
95.141.36.112 | | Italy | Trentino-Alto Adige | | Seflow S.N.C. Di Marco Brame' & C. | 49367
186.154.93.139 | static-186-154-93-139.static.etb.net.co | Colombia | Bogota D.C. | Bogotá | Colombia | 19429
208.108.122.233 | | United States | Ohio | Defiance | Northwest Ohio Computer Association | 62724
164.68.108.140 | vmi284004.contaboserver.net | Germany | | | Contabo GmbH | 51167
167.71.243.93 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
148.217.94.54 | rimd.reduaz.mx | Mexico | Zacatecas | Zacatecas City | Uninet S.A. de C.V. | 8151
167.71.97.196 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
167.71.186.105 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
187.62.45.130 | r335-pf-jangada.ibys.com.br | Brazil | Parana | Londrina | Sercomtel Participações S.A. | 22689
167.71.103.168 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
167.71.254.86 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
167.71.182.13 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
198.98.54.241 | . | United States | New York | Buffalo | FranTech Solutions | 53667
159.203.87.130 | | United States | New Jersey | Clifton | DigitalOcean, LLC | 14061
51.158.106.54 | 54-106-158-51.rev.cloud.scaleway.com | France | Paris | Paris | Online S.a.s. | 12876
51.158.123.35 | 35-123-158-51.rev.cloud.scaleway.com | France | Paris | Paris | Online S.a.s. | 12876
104.244.75.26 | . | United States | Arizona | Phoenix | FranTech Solutions | 53667
51.158.111.242 | 242-111-158-51.rev.cloud.scaleway.com | France | Paris | Paris | Online S.a.s. | 12876
163.172.162.215 | 215-162-172-163.rev.cloud.scaleway.com | France | | | Online S.a.s. | 12876
51.158.108.135 | 135-108-158-51.rev.cloud.scaleway.com | France | Paris | Paris | Online S.a.s. | 12876
163.172.189.32 | 32-189-172-163.rev.cloud.scaleway.com | France | | | Online S.a.s. | 12876
 

danieljc

New Member
May 29, 2019
25
15
19
Well, when he realized the attack he made, did he block the IP addresses?
Should you block the IP as you did?
 

Asphyxia

Owner
Administrator
Apr 25, 2015
By the way, if anyone is curious as to how you would rip IP addresses out of your "lastb" command with counts - the method is rather similar. I will give you a one-liner*.
*Not a one-liner, but easy to copy/paste to get a Termbin extract of your top 20 bad hosts

First let us take a second to showcase examples of utmpdump.
1. Similar to last is utmpdump /var/log/wtmp
2. Similar to lastb is utmpdump /var/log/btmp
3. Follow lastb for active changes utmpdump -f /var/log/btmp

1578930655692.png

Keep in mind some versions of utmpdump support -o or --output, which allows you to write the dump out; in the case of CentOS we do not have this luxury Ferrari feature. I guess our Honda features will have to do, let's get dumping and counting IP addresses.

First I am going to simply play with dumping wtmp since this should be considerably smaller in size, good sample data.

Code:
utmpdump /var/log/wtmp > /root/logins.txt

Now if we cat this file we can look for a delimiter to explode the data into pizza slices to take only what we need.

1578931210706.png

I count the [ characters, since this will prefix our IP record we want to pull out.

Always add 1 to your cuts, because 1 is to the left if that makes sense:
Code:
[root@lipaydi log]# cat /root/logins.txt | cut -d '[' -f 8

1578931355075.png

Slight problem, we do not want ] in with our data so what character can we cut by to trim that space bullshit? Why, a space character should do!

Code:
cat /root/logins.txt | cut -d '[' -f 8 | cut -d " " -f 1

Now we have beautifully tamed IP addresses. This can conclude our testing after we get our IP addresses sorted and counted.

If we wanted, this could be all we do:
Code:
cat /root/logins.txt | cut -d '[' -f 8 | cut -d " " -f 1 |sort | uniq -c | sort -n

But I like to make things way beautiful and so I am going to make this go this way:
Code:
utmpdump /var/log/wtmp > /root/logins.txt
cat /root/logins.txt | cut -d '[' -f 8 | cut -d " " -f 1 |sort | uniq -c | sort -nr

So to conclude, getting our count of failed logins by IP address:
Code:
utmpdump /var/log/btmp > /root/badlogin.txt
cat /root/badlogin.txt | cut -d '[' -f 8 | cut -d " " -f 1 |sort | uniq -c | sort -nr > /root/evil.txt
cat /root/evil.txt | less

Using your pgdn key, you can sort through the hosts containing their respective number of failed SSH logins.

If we just want to get a list of the top 20 bad hosts:
Code:
utmpdump /var/log/btmp > /root/badlogin.txt
cat /root/badlogin.txt | cut -d '[' -f 8 | cut -d " " -f 1 |sort | uniq -c | sort -nr > /root/evil.txt
head -20 /root/evil.txt > /root/top20.txt

If you want to get your top 20 list and share, I'd go about that like this:
Code:
utmpdump /var/log/btmp > /root/badlogin.txt
cat /root/badlogin.txt | cut -d '[' -f 8 | cut -d " " -f 1 |sort | uniq -c | sort -nr > /root/evil.txt
head -20 /root/evil.txt > /root/top20.txt
cat /root/top20.txt | nc termbin.com 9999

I then receive something like
https://termbin.com/3h8a which is good to paste into a list in a code block to share threat intel.
Code:
  21676 49.88.112.113
    755 49.88.112.111
    435 222.186.180.8
    402 222.186.180.142]
    393 222.186.15.158
    327 222.186.30.218
    323 222.186.30.31
    318 222.186.31.127
    317 222.186.31.83
    314 222.186.175.163]
    314 222.186.175.154]
    290 154.85.38.58
    285 222.186.31.144
    273 222.186.175.23
    273 222.186.15.10
    270 222.186.42.155
    270 222.186.30.145
    266 222.186.30.59
    244 222.186.173.180]
    243 222.186.30.248

After a while, you may get tired of having the same old hosts at the top of your list. You can flush your logs out to get new top bad hosts.

Flush bad login logs:
Code:
cat /dev/null > /var/log/btmp

Within just seconds of me flushing this log I am already noticing:
Code:
[root@lipaydi ~]# utmpdump /var/log/btmp
Utmp dump of /var/log/btmp
[6] [09183] [    ] [root    ] [ssh:notty   ] [49.88.112.113       ] [49.88.112.113  ] [Mon Jan 13 16:42:36 2020 UTC]
[6] [09183] [    ] [root    ] [ssh:notty   ] [49.88.112.113       ] [49.88.112.113  ] [Mon Jan 13 16:42:38 2020 UTC]
[6] [09183] [    ] [root    ] [ssh:notty   ] [49.88.112.113       ] [49.88.112.113  ] [Mon Jan 13 16:42:40 2020 UTC]

China really does not love us, eh?

Also I have an old btmp file to scan through:
Code:
ls -lah /var/log/ | grep "btmp"
-rw-------   1 root   utmp   1.2K Jan 13 16:42 btmp
-rw-------   1 root   utmp   125M Jan  1 03:33 btmp-20200101

SIMPLE!
Code:
utmpdump /var/log/btmp-20200101 > /root/badlogin.txt
cat /root/badlogin.txt | cut -d '[' -f 8 | cut -d " " -f 1 |sort | uniq -c | sort -nr > /root/evil.txt
head -20 /root/evil.txt > /root/top20.txt
cat /root/top20.txt | nc termbin.com 9999

RESULTS:
Code:
  40852 49.88.112.113
   4693 166.62.33.2
   2976 220.88.40.41
    745 222.186.175.202]
    676 49.235.180.194
    666 222.186.173.183]
    627 222.186.175.148]
    615 222.186.42.4
    593 222.186.173.180]
    583 222.186.173.142]
    579 222.186.175.155]
    558 222.186.175.154]
    552 222.186.180.8
    534 222.186.173.238]
    533 222.186.175.147]
    532 222.186.180.147]
    532 219.65.66.129
    528 61.177.172.128
    487 222.186.173.154]
    486 222.186.175.220]

You may see a few stray ] characters; this is fine and can be corrected if highly bothersome. I do not care enough to fix that right now but feel free to throw in if you want!!
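The stray ] appears whenever an address is exactly 15 characters wide (222.186.180.142, for example) and fills its field, so the space-based cut has nothing to cut on. Splitting on the bracket delimiters instead avoids it. The following is an added example, not the thread author's pipeline, covering the btmp counting steps above as well; it assumes the utmpdump record layout shown earlier in the thread (7th bracketed field = remote address) and uses a constructed sample dump in place of a real /var/log/btmp.

```shell
#!/bin/sh
# Added example: count failed logins per IP from utmpdump output by splitting
# on "[" and "]" rather than on spaces. Not the original post's code.
# Assumes the utmpdump layout seen in the thread, where the 7th bracketed
# field holds the remote address.

# Constructed sample in utmpdump's format (not a real btmp). The 222.* address
# is 15 characters and fills its field, leaving no space before "]".
SAMPLE_DUMP="${TMPDIR:-/tmp}/btmp_sample.txt"
cat > "$SAMPLE_DUMP" <<'EOF'
Utmp dump of /var/log/btmp
[6] [09183] [    ] [root    ] [ssh:notty   ] [49.88.112.113       ] [49.88.112.113  ] [Mon Jan 13 16:42:36 2020 UTC]
[6] [09183] [    ] [root    ] [ssh:notty   ] [49.88.112.113       ] [49.88.112.113  ] [Mon Jan 13 16:42:38 2020 UTC]
[6] [09201] [    ] [admin   ] [ssh:notty   ] [222.186.180.142     ] [222.186.180.142] [Mon Jan 13 16:43:01 2020 UTC]
[6] [09201] [    ] [admin   ] [ssh:notty   ] [222.186.180.142     ] [222.186.180.142] [Mon Jan 13 16:43:03 2020 UTC]
[6] [09201] [    ] [root    ] [ssh:notty   ] [222.186.180.142     ] [222.186.180.142] [Mon Jan 13 16:43:05 2020 UTC]
[6] [09240] [    ] [root    ] [tty1        ] [                    ] [0.0.0.0        ] [Mon Jan 13 16:44:00 2020 UTC]
EOF

# failed_logins_by_ip DUMPFILE [N]
# Prints "COUNT IP" for the N (default 20) addresses with the most records,
# highest first. Local console attempts (address 0.0.0.0) are left out.
failed_logins_by_ip() {
    awk -F'[][]' '
        /^\[/ {                      # skip the "Utmp dump of ..." header line
            ip = $14                 # 7th bracketed field: remote address
            gsub(/ /, "", ip)        # strip the padding; no "]" to worry about
            if (ip != "" && ip != "0.0.0.0") count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -rn | head -n "${2:-20}"
}

failed_logins_by_ip "$SAMPLE_DUMP"
```

For a live box, `utmpdump /var/log/btmp > /root/badlogin.txt` followed by `failed_logins_by_ip /root/badlogin.txt 20` gives the same top-20 list as the author's chain, with every address clean.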

Using a tool like https://www.toolsvoid.com/extract-ip-addresses/ or your own Linux bash script, you can pull all IP addresses out and map them using a tool like https://www.infobyip.com/ipbulklookup.php

1578934052175.png

tl;dr China sucks, block China - always.
 


Asphyxia

Owner
Administrator
Apr 25, 2015
I have another bad IP list from a different host:
Code:
   5834 222.186.52.78
    771 139.198.4.44
    749 187.141.122.148]
    585 75.142.74.23
    357 143.92.53.8
    217 222.186.15.18
    182 49.88.112.111
    163 222.186.15.33
    152 49.88.112.118
    147 118.70.216.153
    110 49.88.112.110
     93 222.186.31.204
     77 188.127.172.98
     75 27.78.12.22
     60 185.153.199.210]
     60 185.153.199.155]
     40 45.141.86.128
     38 195.9.74.38
     35 222.186.175.216]
     34 61.177.172.128

Is anyone interested in knowing how to block these?
 