DDoS Botnet C2 Detections

Example DDoS botnet command-and-control (C2) servers detected by Bad Packets® Cyber Threat Intelligence

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 46.166.151.200 (🇳🇱)
Hosting provider: NFOrce Internet Services (AS43350)

C2 ports:
122/tcp
1212/tcp

Payload:
http://46.166.151.200/arm7 (https://t.co/qFjT6o5rKR)

Target:
JAWS web server RCE#threatintel pic.twitter.com/u2mEwctSpF

— Bad Packets Report (@bad_packets) December 11, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 5.79.70.165 (🇳🇱)
Hosting provider: Leaseweb (AS60781)

C2 ports:
158/tcp
9999/tcp

Payload:
http://5.79.70.165/snype.mips (https://t.co/D3aTQ6jQKP)

Target:
Huawei routers (CVE-2017-17215)#threatintel pic.twitter.com/mNK0HoBy1S

— Bad Packets Report (@bad_packets) December 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 194.50.171.185 (🇷🇺)
Hosting provider: JustHost[.]ru (AS49392)

C2 ports:
87/tcp
444/tcp

Payload:
http://194.50.171.185/Venom.sh
Ouija_M.ips (https://t.co/0ew0KrPAh1)

Target:
D-Link routers#threatintel pic.twitter.com/DjVezSC1Ne

— Bad Packets Report (@bad_packets) December 4, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 23.254.224.153 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
45/tcp
34712/tcp

Target: CVE-2014-8361
Payload: Oblivion.mips
(https://t.co/TJCWvj5esf)
http://23.254.224.153/bins/ #opendir #threatintel pic.twitter.com/sye7r01QPH

— Bad Packets Report (@bad_packets) November 30, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 185.112.249.39 (🇬🇧)
Hosting provider: SharkServers (AS202939)

C2 ports:
1024/tcp
1982/tcp

Target: CVE-2014-8361
Payload: UnHAnaAW.mips (https://t.co/ced5WdJ5kJ)
ftp://185.112.249.39/ #opendir #threatintel pic.twitter.com/3DXJebEz66

— Bad Packets Report (@bad_packets) November 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 165.227.35.105 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)

C2 port: 55312/tcp

Target: Netgear routers
Payload: http://165.227.35.105/mips (https://t.co/PezcqTXqat)
ftp://165.227.35.105/ #opendir #threatintel pic.twitter.com/KHlDvLUU6P

— Bad Packets Report (@bad_packets) November 23, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 51.79.66.236 (🇨🇦)
Hosting provider: OVH (AS16276)

C2 ports:
87/tcp (logs)
444/tcp (panel)

Targets:
D-Link RCE
ThinkPHP RCE

Payload:
Venom[.]sh
Ouija_M.ips
Ouija_x.86https://t.co/wIx60659VK #threatintel pic.twitter.com/TUZx3LWC9g

— Bad Packets Report (@bad_packets) November 21, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 194.15.36.41 (🇩🇪)
Hosting provider: private-hosting[.]eu
Network provider: AS24961

C2 ports:
20/tcp (panel)
88/tcp (logs)

Target: CVE-2017-17215
Payload: orphic.mips (https://t.co/Qk8FiZCwec)#threatintel pic.twitter.com/2T2WS4HE1X

— Bad Packets Report (@bad_packets) November 21, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 2.56.8.188 (🇬🇧)
Hosting provider: SonicFast
Network provider: AS25369

C2 ports:
9874/tcp
55312/tcp

Payload: http://2.56.8.188/axisbins.sh
ftp://2.56.8.188/ #opendir https://t.co/F47BnPQboH #threatintel pic.twitter.com/MD83yan6bX

— Bad Packets Report (@bad_packets) November 17, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 167.71.175.87 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
420/tcp
666/tcp

Payload:
http://167.71.175.87/axisbins.sh

Vulnerability exploited:
Huawei RCE (CVE-2017-17215)#threatintel pic.twitter.com/7JJ2zia52n

— Bad Packets Report (@bad_packets) November 13, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 168.235.90.130 (🇺🇸)
Hosting provider: RamNode (AS3842)

C2 ports:
1738/tcp
6060/tcp

Target: JAWS web server RCE
Payload: http://168.235.90.130/love/trixbins.shhttps://t.co/GYGT7tTmyy #threatintel pic.twitter.com/rceBH1rsok

— Bad Packets Report (@bad_packets) November 5, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 2.56.8.157 (🇬🇧)
Hosting provider: SonicFast
Network provider: AS25369

C2 ports:
748/tcp
1742/tcp

Target: JAWS web server RCE (60001/tcp)
Payload: http://2.56.8.157/UwUshhttps://t.co/ROqx7MBgIu #threatintel pic.twitter.com/RcTUm5ZdpP

— Bad Packets Report (@bad_packets) November 1, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 89.35.39.74 (🇷🇴)
Hosting provider: https://t.co/8DO0DSXr82 (AS206898)

C2 ports:
1092/tcp
1920/tcp

Vulnerabilities exploited:
CVE-2017-18368 (ZyXEL RCE)
Payload: https://t.co/WKvGAwFTuk #threatintel pic.twitter.com/n9bwiY5Ov9

— Bad Packets Report (@bad_packets) November 1, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 185.172.110.243 (🇳🇱)
Hosting provider: BladeServers (AS206898)

C2 ports:
4554/tcp
56084/tcp

Vulnerabilities exploited:
CVE-2017-18368https://t.co/X236JYX65i
ftp://185.172.110.243/ #opendir #threatintel pic.twitter.com/097EjLemKb

— Bad Packets Report (@bad_packets) October 31, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 142.11.205.42 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
2848/tcp
46216/tcp

Payload: http://142.11.205.42/mipshttps://t.co/CBXuGq02L6
Target: CVE-2014-8361 (Realtek RCE)#threatintel pic.twitter.com/PFpibSnKLK

— Bad Packets Report (@bad_packets) October 30, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 35.236.44.15 (🇺🇸)
Hosting provider: Google Cloud (AS15169)

C2 ports:
1338/tcp
31337/tcp

Payload: http://35.236.44.15/zzz/mips.idopochttps://t.co/W5Ai2Owhjz
Target: Huawei RCE (CVE-2017-17215)#threatintel pic.twitter.com/mkgOxTl7eI

— Bad Packets Report (@bad_packets) October 30, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet (fbot) C2 server detected!

IP address: 5.206.227.65 (🇵🇹)
Hosting provider: BlazingFast (AS49349)

C2 ports:
6592/tcp
6593/tcp

Payload: http://5.206.227.65/w.shhttps://t.co/6YwBq22BTL
Target: JAWS web server RCE (60001/tcp)#threatintel pic.twitter.com/S8SaHVlNMW

— Bad Packets Report (@bad_packets) October 29, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 34.94.100.213 (🇺🇸)
Hosting provider: Google Cloud (AS15169)

C2 ports:
1338/tcp
31337/tcp

Payload: http://jarry[.]online/zzz/mips.idopochttps://t.co/1q4iMaF86w
Target: Huawei RCE (CVE-2017-17215)#threatintel pic.twitter.com/2zOSE9G3DK

— Bad Packets Report (@bad_packets) October 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 190.2.156.118 (🇳🇱)
Hosting provider: WorldStream (AS49981)

C2 ports:
19992/tcp
26663/tcp#threatintel https://t.co/OIlTenu7Vf pic.twitter.com/mQwK9RP2fQ

— Bad Packets Report (@bad_packets) October 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 142.11.227.208 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
81/tcp
21769/tcp

Payload: http://142.11.227.208/Realtek.shhttps://t.co/532YSMO70w
http://142.11.227.208/bins/ #opendir #threatintel pic.twitter.com/8GrOLhSZTi

— Bad Packets Report (@bad_packets) October 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 5.252.193.53 (🇷🇺)
Hosting provider: IpServer (AS44812)

C2 port:
4201/tcp

Vulnerabilities exploited:
CVE-2014-8361
JAWS web server RCEhttps://t.co/kiZjqGSmBc
http://5.252.193.53/bins/ #opendir #threatintel pic.twitter.com/1uAZDpjVyy

— Bad Packets Report (@bad_packets) October 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 193.19.119.165 (🇺🇦)
Hosting provider: IpServer (AS44812)

C2 port:
4201/tcp (panel)

Vulnerability exploited: CVE-2017-17215
Payload: https://t.co/OyNwTYIPQm
http://193.19.119.165/bins/ #opendir #threatintel pic.twitter.com/JWj10gOSdp

— Bad Packets Report (@bad_packets) October 23, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 145.239.212.59 (🇫🇷)
Hosting provider: BungeeCloud
ASN: AS16276 (OVH)

C2 ports:
8080/tcp (user panel)
43210/tcp

Payload: http://145.239.212.59/bwget.sh
http://185.236.229.23/kkkk/linux.* #opendir #threatintel pic.twitter.com/YNcZHNZV3Y

— Bad Packets Report (@bad_packets) October 22, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 85.204.116.49 (🇷🇴)
Domain: http://prismware[.]ml/ #opendir
Hosting provider: Hostmaze (AS48874)

C2 ports:
131/tcp
3143/tcp

Vulnerability exploited:
CVE-2014-8361

Payload:https://t.co/7MXFI8WQTi #threatintel pic.twitter.com/9msoHk06IH

— Bad Packets Report (@bad_packets) October 5, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 64.44.40.242 (🇺🇸)
Hosting provider: Nexeon Technologies (AS20278)

C2 ports:
1024/tcp
1982/tcp

Vulnerability exploited:
Netgear RCEhttps://t.co/jACB1BEEuE
http://64.44.40.242/bins/ #opendir #threatintel pic.twitter.com/gk3FOL8teM

— Bad Packets Report (@bad_packets) September 28, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 185.244.25.122 (🇳🇱)
Hosting provider: KV Solutions (AS60355)

C2 ports:
55667/tcp
62333/tcp

Vulnerability exploited:
CVE-2014-9727

Payload:
fuze[.]sh
203Xmi39S.*
ftp://185.244.25.122/ #opendir #threatintel pic.twitter.com/m5TcRo9jf8

— Bad Packets Report (@bad_packets) September 26, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 45.95.168.161 (🇭🇷)
Hosting provider: MAXKO Hosting
ASN: AS42864 (🇭🇺)

C2 ports:
26662/tcp
46664/tcp
56378/tcp

"fatrat/test" #malware https://t.co/EJGc6ZYnBr

http://45.95.168.161/fatrat/ #opendir #threatintel pic.twitter.com/VwzagZdpac

— Bad Packets Report (@bad_packets) September 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 142.11.210.231 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
1791/tcp
21769/tcp

Vulnerabilities exploited:
D-Link RCE
CVE-2017-17215 (Huawei)

http://142.11.210.231/bins/ #malware #opendir #threatintel pic.twitter.com/xM4j5NmYiT

— Bad Packets Report (@bad_packets) September 21, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 165.227.93.168 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
23/tcp
666/tcp (user panel)

Exploit target:
Netgear routers

ftp://165.227.93.168/ #malware #opendir https://t.co/lFXc6q9OjZ #threatintel pic.twitter.com/btKwE5iCrw

— Bad Packets Report (@bad_packets) September 15, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 104.168.199.188 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
42069/tcp (user panel)
46216/tcp (command logs)

Vulnerability exploited:
ZyXEL router RCE (CVE-2017-18368)#threatintel

— Bad Packets Report (@bad_packets) September 13, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 164.132.4.31 (🇫🇷)
Hosting provider: @infinityhostcom
ASN: AS16276 (OVH)

C2 ports:
36335/tcp
42689/tcp (user panel)

Payload: http://164.132.4.31/armv7l

Exploit source IP: 37.59.163.230 (🇫🇷)#threatintel

— Bad Packets Report (@bad_packets) September 11, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 50.115.162.6 (🇺🇸)
Hosting provider: @virpus
ASN: AS32875 (Wowrack)

C2 ports:
23/tcp (logs)
4352/tcp (panel)

Vulnerability exploited:
CVE-2017-17215 (Huawei RCE)

Payload: mips.light #malware #threatintel pic.twitter.com/13vdu9EFLU

— Bad Packets Report (@bad_packets) September 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 137.74.237.193 (🇫🇷)
Hosting provider: @infinityhostcom
ASN: AS16276 (OVH)

C2 ports:
151/tcp (logs)
666/tcp (panel)

Payload: TacoBellGodYo.*https://t.co/uINwaNMM4W

ftp://137.74.237.193/ #opendir #threatintel https://t.co/w5d70vS7lb pic.twitter.com/hrbLkFQQmm

— Bad Packets Report (@bad_packets) September 5, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 31.13.195.65 (🇧🇬)
DNS: switchnets[.]net
Hosting provider: @VPSBG_EU
ASN: AS34224

C2 port:
79/tcp (panel)

Vulnerability exploited:
JAWS web server RCE

http://31.13.195.65/b/ #malware #opendir #threatintel pic.twitter.com/ABzppENJv7

— Bad Packets Report (@bad_packets) September 5, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 31.13.195.116 (🇧🇬)
DNS: anunna[.]club
Hosting provider: @VPSBG_EU
ASN: AS34224

C2 ports:
34567/tcp
64756/tcp

Vulnerabilities exploited:
JAWS web server RCE

http://anunna[.]club/x #malware payload#threatintel pic.twitter.com/58nhynOd5w

— Bad Packets Report (@bad_packets) September 4, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 206.72.206.82 (🇺🇸)
Hosting provider: InterServer (AS19318)

C2 ports:
8372/tcp
36496/tcp

Vulnerabilities exploited:
D-Link RCE
Huawei RCE CVE-2017-17215
http://206.72.206.82/bins/ #malware #opendir #threatintel pic.twitter.com/9NOkV85t2x

— Bad Packets Report (@bad_packets) September 3, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet command-and-control (C2) server detected!

IP address: 185.244.25.122 (🇳🇱)
Hosting provider: KV Solutions (AS60355)

C2 ports:
6667/tcp
32957/tcp

Vulnerability exploited:
FRITZ!Box RCE (CVE-2014-9727)#threatintel pic.twitter.com/vwRhg0YI6A

— Bad Packets Report (@bad_packets) August 31, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 80.82.65.213 (🇳🇱)
DNS: cc.stresser[.]cc
Hosting provider: IP Volume (AS202425)

C2 ports:
123/tcp
9060/tcp
37420/tcp

VirusTotal detections: 3/53https://t.co/foOKJLNxb7
http://80.82.65.213/moo #malware #opendir pic.twitter.com/SDXmpivcjj

— Bad Packets Report (@bad_packets) August 30, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 199.19.225.2 (🇺🇸)
Hosting provider: FranTech (AS53667)

C2 ports:
1024/tcp
1982/tcp

Vulnerability exploited:
Netgear router RCEhttps://t.co/6PisHwc30Q #malware
http://199.19.225.2/bins/ #opendir #threatintel pic.twitter.com/URGl4G7GkK

— Bad Packets Report (@bad_packets) August 28, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 142.11.217.116 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 port:
5301/tcp

Vulnerabilities exploited:
CVE-2014-8361
CVE-2017-17215
CVE-2017-18368

http://142.11.217.116/bins/ #malware #opendir #threatintel pic.twitter.com/uzKNe4nsnQ

— Bad Packets Report (@bad_packets) August 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 147.135.124.113 (🇺🇸)
Hosting provider: OVH (AS16276)

C2 ports:
396/tcp
455/tcp
3465/tcp

Vulnerability exploited:
CVE-2019-15107 (Webmin RCE)

http://147.135.124.113/bins/ #opendir #threatintel pic.twitter.com/bDXxiXUbCO

— Bad Packets Report (@bad_packets) August 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.244.25.73 (🇳🇱)
Hosting provider: KV Solutions (AS60355)

C2 ports:
81/tcp
6996/tcp

Payload:
m-i.p-s.SNOOPYhttps://t.co/tOxqmfFlsS
ftp://185.244.25.73/ #opendir #threatintel pic.twitter.com/zvK4UVCPkO

— Bad Packets Report (@bad_packets) August 23, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 185.244.39.124 (🇳🇱)
Hosting provider: SKB Enterprise (AS64425)

C2 ports:
5555/tcp
10019/tcp

Vulnerabilities exploited:
CVE-2014-8361
CVE-2017-17215

http://185.244.39.124/gaybub/ #malware #opendir #threatintel pic.twitter.com/HVOsP49kT7

— Bad Packets Report (@bad_packets) August 23, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 199.195.253.85 (🇺🇸)
Hosting provider: FranTech (AS53667)

C2 ports:
2323/tcp
10444/tcp
64334/tcp

Vulnerability exploited:
HiSilicon DVR RCE https://t.co/qaFAEk7lkF #threatintel

— Bad Packets Report (@bad_packets) August 21, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 198.98.62.146 (🇺🇸)
Hosting provider: FranTech (AS53667)

C2 ports:
23/tcp
91/tcp

Vulnerability exploited: CVE-2014-9727

Malware payload script: https://t.co/Um0xNXbBuz #threatintel pic.twitter.com/N1n47hQh1z

— Bad Packets Report (@bad_packets) August 18, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 51.91.202.137 (🇫🇷)
Hosting provider: Infinity Hosting

C2 ports:
8811/tcp
12345/tcp

Payload:
arm6https://t.co/wg7Y65kbm5
ftp://51.91.202.137/ #malware #opendir #threatintel https://t.co/dI5w8SLDb6 pic.twitter.com/oc9h62GQWn

— Bad Packets Report (@bad_packets) August 17, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 185.172.110.224 (🇳🇱)
Hosting provider: BladeServers (AS206898)

C2 ports:
993/tcp
11751/tcp

Vulnerabilities exploited:
CVE-2014-8361
CVE-2017-18368

ftp://185.172.110.224/ #malware #opendir #threatintel pic.twitter.com/WN2RnLQ3S5

— Bad Packets Report (@bad_packets) August 16, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!

IP address: 45.95.147.26 (🇳🇱)
DNS: switchnets[.]net
Hosting provider: Alsycon
ASN: AS51942

C2 ports:
79/tcp
6968/tcp

Payload:
"unstable" https://t.co/pccK4P2Qra
http://45.95.147.26/b/ #opendir #malware #threatintel pic.twitter.com/6JiL8XNITr

— Bad Packets Report (@bad_packets) August 16, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 164.68.116.122 (🇩🇪)
Hosting provider: Contabo (AS51167)

C2 ports:
1337/tcp
65535/tcp

Exploit target:
Linksys routers

Malware payload:
"mipsel"https://t.co/69FzpKONBF #threatintel pic.twitter.com/IHbj1NJrOD

— Bad Packets Report (@bad_packets) August 16, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 213.139.205.242 (🇳🇱)
Hosting provider: @ShockHosting
ASN: AS136175 (Serverhosh)

C2 ports:
35668/tcp
455/tcp

Multiple "cloudbot" malware binaries:https://t.co/bPxvVRnDYa #threatintel https://t.co/Xm1lKNqdWi pic.twitter.com/Vd1bv1MhVA

— Bad Packets Report (@bad_packets) August 14, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 142.44.251.105 (🇨🇦)
Hosting provider: OVH (AS16276)

C2 ports:
11751/tcp
65535/tcp

Vulnerabilities exploited:
CVE-2017-18368
CVE-2014-8361
Linksys RCE

ftp://142.44.251.105/ #malware #opendir #threatintel pic.twitter.com/mgeZuxnmCW

— Bad Packets Report (@bad_packets) August 14, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet (DDoS) C2 server detected!

IP address: 31.13.195.49 (🇧🇬)
Hosting provider: VPS[.]bg
ASN: AS34224 (Neterra)

C2 ports:
79/tcp
6968/tcp

Vulnerabilities exploited:
JAWS web server RCE

Payload:
http://31.13.195.49/x #malware #threatintel pic.twitter.com/4XV9dyLjl2

— Bad Packets Report (@bad_packets) August 13, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 141.105.69.49 (🇷🇺)
Hosting provider: @Hostkey_Rus (AS49335)
C2 port: 8915/tcp

Exploit target: ZyXEL routers (CVE-2017-18368)
ftp://141.105.69.49/ #malware #opendir #threatintel pic.twitter.com/2pxycZoXiS

— Bad Packets Report (@bad_packets) August 12, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.82.202.24 (🇳🇱)
Hosting provider: HostSailor (🇦🇪)
ASN: AS60117

C2 ports:
11751/tcp
65535/tcp

Malware payload:
arm7https://t.co/INtpCkIRTg

ftp://185.82.202.24/ #opendir #threatintel pic.twitter.com/PXSVRuoCBB

— Bad Packets Report (@bad_packets) August 12, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 23.254.204.46 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
5301/tcp
9545/tcp

Vulnerabilities exploited:
CVE-2014-8361
CVE-2018-10561

Payload scripts:
/cool
/poo#threatintel https://t.co/Mfptg6GGXf pic.twitter.com/M99SC2ZAhN

— Bad Packets Report (@bad_packets) August 11, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 167.71.128.164 (🇬🇧)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
1337/tcp
3663/tcp

Payload: /rep/zyxel.sh

Exploit target: ZyXEL routers (CVE-2017-18368)

ftp://167.71.128.164/ #opendir #threatintel pic.twitter.com/qtcQACqEnp

— Bad Packets Report (@bad_packets) August 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 40.89.175.73 (🇫🇷)
Hosting provider: Microsoft Azure (AS8075)

C2 ports:
1280/tcp
44460/tcp

Payload: http://40.89.175.73/distortion.mips
Exploit target: Linksys routers#threatintel pic.twitter.com/DAQ9jTGf9X

— Bad Packets Report (@bad_packets) August 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 91.134.120.7 (🇫🇷)
Hosting provider: Infinity Hosting
Network provider: OVH (AS16276)

C2 ports:
666/tcp
850/tcp

Payload: https://t.co/kDIqJHkUS5
ftp://164.132.213.119 #malware #opendir #threatintel pic.twitter.com/43uiyQcxV1

— Bad Packets Report (@bad_packets) August 9, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 91.92.66.192 (🇧🇬)
Hosting provider: VPS[.]bg
ASN: AS60355 (Neterra)

C2 port:
63236/tcp

Vulnerabilities exploited:
JAWS RCE
Realtek RCE (CVE-2014-8361)

http://91.92.66.192/ #malware #opendir #threatintel pic.twitter.com/ODC4mv2IXw

— Bad Packets Report (@bad_packets) August 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.244.25.185 (🇳🇱)
Hosting provider: KV Solutions (AS60355)

C2 ports:
1312/tcp (panel)
3912/tcp
43195/tcp

Payload:
Jaws[.]sh
http://185.244.25.185/loot/ #malware #opendir #threatintel pic.twitter.com/FDxxFiHoRN

— Bad Packets Report (@bad_packets) August 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.35.138.156 (🇳🇱)
C2 port: 655/tcp
Hosting provider: Zyztm Research Division (AS62454)

Payload:
http://185.35.138.156/c
ftp://185.35.138.156/ #malware #opendir #threatintel pic.twitter.com/okhMp8kkvO

— Bad Packets Report (@bad_packets) August 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 164.132.213.119 (🇫🇷)
Hosting provider: Infinity Hosting
Network provider: OVH (AS16276)
C2 ports:
54268/tcp
1098/tcp

Malware payload:https://t.co/QThjOvn4KR
ftp://164.132.213.119 #opendir #threatintel pic.twitter.com/8JQS4Whv6j

— Bad Packets Report (@bad_packets) August 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.244.25.77 (🇳🇱)
Hosting provider: KV Solutions (AS60355)
C2 ports:
88/tcp (panel)
1/tcp (logs)

Payload:
m-i.p-s.SNOOPY Gafgyt-like #malware https://t.co/pKh9dvamuM #threatintel pic.twitter.com/DHTEMgxE8U

— Bad Packets Report (@bad_packets) August 7, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.244.25.75 (🇳🇱)
C2 ports:
7318/tcp (panel)
43594/tcp (logs)
Hosting provider: KV Solutions (AS60355)

Payload:
SinixV4.armv6l Gafgyt-like #malware https://t.co/crpjCEGtIF #threatintel pic.twitter.com/qIK5BQkbg6

— Bad Packets Report (@bad_packets) August 7, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 158.255.5.216 (🇷🇺)
C2 port: 8915/tcp
ftp://158.255.5.216/ #opendir
Hosting provider: @Hostkey_Rus (AS49335)

Exploit targets:
D-Link routers
ZyXEL routers (CVE-2017-18368)#threatintel pic.twitter.com/Pmn4dnIGnt

— Bad Packets Report (@bad_packets) August 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 45.129.3.130 (🇷🇺)
C2 port: 1994/tcp (h/t @0xrb)
Hosting provider: https://t.co/D690YPqKCi (AS51659)#threatintel https://t.co/D3b8J89ZH9 pic.twitter.com/pBybObfP7I

— Bad Packets Report (@bad_packets) August 4, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected!

IP address: 185.244.25.181 (🇳🇱)
C2 port: 9375/tcp
Hosting provider: KV Solutions (AS60355)#Malware payload:
z3hir.mips https://t.co/SSEbT7YV2d
http://185.244.25.77/zehir/ #opendir #threatintel pic.twitter.com/dlTKpfdI6W

— Bad Packets Report (@bad_packets) August 3, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Botnet C2 server still active!

IP address: 185.244.25.181 (🇳🇱)
Hosting provider: KV Solutions

New C2 ports:
Panel: 121/tcp
Logs: 8361/tcp

Malware payload: NENAVIST2https://t.co/jQ1h7wChIw

PDoS (bricker) functionality per @MasafumiNegishi.#threatintel https://t.co/svWPsvrqPR pic.twitter.com/Lq32WYt1Wg

— Bad Packets Report (@bad_packets) August 2, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!

IP address: 185.244.150.111 (🇳🇱)
C2 port: 38344/tcp
Hosting provider: Host Sailor (🇦🇪)
ASN: AS60117

http://185.244.150.111/b/ #opendir

Malware payload:https://t.co/3GIwISL5X1 #threatintel pic.twitter.com/jMbQtNEvT2

— Bad Packets Report (@bad_packets) August 2, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!

IP address: 147.135.116.64 (🇫🇷)
C2 port: 45/tcp

ftp://147.135.116.64/Hilix.* #opendir
Hosting provider: Infinity Hosting
Network provider: OVH (AS16276)

Malware payload:https://t.co/8UnnQ2yIRu #threatintel pic.twitter.com/qpLxabCATS

— Bad Packets Report (@bad_packets) August 2, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 185.244.25.181 (🇳🇱)
C2 port: 131/tcp
Hosting provider: KV Solutions (AS60355)

Payload:
NENAVIST2https://t.co/jQ1h7wChIw
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/1reyZPomYm

— Bad Packets Report (@bad_packets) August 1, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!

IP address: 103.1.186.118 (🇦🇺)
C2 port: 44/tcp (logs via 6949/tcp)
Hosting provider: Mammoth Cloud (AS133159)

Payload:
a.arm5https://t.co/qYcm2vlPLa
http://103.1.186.118/bins/ #opendir

Type: Mirai-like #malware #threatintel pic.twitter.com/O231zjZDTL

— Bad Packets Report (@bad_packets) July 31, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!

IP address: 185.172.110.216 (🇳🇱)
C2 port: 1024/tcp
Hosting provider: BladeServers
ASN: AS206898

Payload:
/Jaws.shhttps://t.co/e8yX6eDY0J
http://185.172.110.216/bins/ #opendir

Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/DQzgH2RKiF

— Bad Packets Report (@bad_packets) July 31, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 51.91.202.137 (🇫🇷)
C2 port: 9999/tcp

Payload:
a-r.m-4.SNOOPY
a-r.m-6.SNOOPY
a-r.m-7.SNOOPY
ftp://51.91.202.137/ #opendir

Type: Gafgyt (DDoS) #malware #threatintel https://t.co/UlJ4YEtsQo pic.twitter.com/q3nSbxHPz1

— Bad Packets Report (@bad_packets) July 28, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 165.22.209.154 (🇮🇳)
C2 port: 26663/tcp
Hosting provider: DigitalOcean (AS14061)

Payload:
r4z0r.mipshttps://t.co/nm5COeFb6C
Type: Mirai-like #malware
ftp://165.22.209.154/ #opendir #threatintel pic.twitter.com/zAxmo34R54

— Bad Packets Report (@bad_packets) July 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 142.11.238.236 (🇺🇸)
C2 port: 34/tcp
Hosting provider: Hostwinds
ASN: AS54290

Payload:
arm7 (https://t.co/6zvHH2WZsC)
ftp://142.11.238.236/ #opendir
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/4DM9PebG6v

— Bad Packets Report (@bad_packets) July 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!

IP address: 185.246.152.89 (🇳🇱)
C2 port: 37212/tcp
Hosting provider: Melbicom (🇱🇹)
ASN: AS56630

Payload:
http://185.246.152.89/bins/telnet.* #opendir https://t.co/Fd6dQCr7wz

Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/nOOETagFpk

— Bad Packets Report (@bad_packets) July 26, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!

IP address: 185.172.110.203 (🇳🇱)
C2 port: 1024/tcp
Hosting provider: BladeServers
ASN: AS206898

Payload:
http://185.172.110.203/Jaws.sh
http://185.172.110.203/bins/ #opendir

Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/rxDsuHJ5m4

— Bad Packets Report (@bad_packets) July 25, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 159.89.41.188 (🇺🇸)
C2 port: 5301/tcp
Hosting provider: DigitalOcean

Payload:
http://159.89.41.188/bin
http://159.89.41.188/bins/ #opendir

Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/5gapuwXiTM

— Bad Packets Report (@bad_packets) July 25, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 67.205.169.73 (🇺🇸)
C2 port: 1791/tcp
Hosting provider: DigitalOcean

Payload:
arm7.akiraghttps://t.co/ByGukMWvCR
ftp://67.205.169.73/ #opendir
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/OxrjKGe28r

— Bad Packets Report (@bad_packets) July 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 104.168.215.139 (🇺🇸)
C2 port: 5301/tcp
Hosting provider: Hostwinds
ASN: AS54290

Payload:
http://104.168.215.139/mips
http://104.168.215.139/arm7

Type:
Mirai-like (DDoS) #malware #threatintel pic.twitter.com/MKurB6rlax

— Bad Packets Report (@bad_packets) July 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 185.172.110.224 (🇳🇱)
C2 port: 70/tcp
Hosting provider: BladeServers
ASN: AS206898

Payload:
http://185.172.110.224/mipshttps://t.co/wLCAOB3OcZ
Type: Mirai-like (DDoS) #malware #threatintel https://t.co/WD2T3jtRJh pic.twitter.com/65mQIlAHFN

— Bad Packets Report (@bad_packets) July 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 87.120.37.148 (🇧🇬)
C2 port: 38/tcp

Payload:
http://87.120.37.148/bins/autism.* #opendir https://t.co/Kb5G9eHkJ9

Type: Mirai-like (DDoS) #malware #threatintel https://t.co/ceO9rfM4rG pic.twitter.com/h4vE976Evo

— Bad Packets Report (@bad_packets) July 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 80.211.90.245 (🇮🇹)
Hosting provider: Aruba Cloud (AS31034)
C2 port: 6666/tcp

Payload:
http://80.211.90.245/k1337.*
ftp://80.211.90.245/ #opendir

Type: Gafgyt (DDoS) #malware #threatintel pic.twitter.com/hBfPXJttCx

— Bad Packets Report (@bad_packets) July 22, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!

IP address: 185.244.25.134 (🇳🇱)
C2 port: 1791/tcp
Hosting provider: KV Solutions

Payload:
loligang.mipshttps://t.co/x2PnIj7GsQ

Target: Huawei routers
Vulnerability exploited: CVE-2017-17215#threatintel https://t.co/rTk8y1XOpG pic.twitter.com/tEmSjoOupT

— Bad Packets Report (@bad_packets) July 22, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected!

IP address: 80.211.9.40 (🇮🇹)
Hosting provider: Aruba Cloud (AS31034)
DNS: ch.silynigr[.]xyz
C2 port: 495/tcp

Payload:
http://ch.silynigr[.]xyz/bins/u.*
http://ch.silynigr[.]xyz/bins/adb.*

Type: Mirai-like #malware #threatintel pic.twitter.com/2DUVZ9ZUf4

— Bad Packets Report (@bad_packets) July 21, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected!
IP address: 195.231.6.216 (🇮🇹)
C2 port: 48/tcp
Hosting provider: Aruba Cloud
ASN: AS202242#threatintel https://t.co/rZ6Or7RVR6 pic.twitter.com/iXN5NQzQpS

— Bad Packets Report (@bad_packets) July 20, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 51.91.202.137 (🇫🇷)
C2 port: 5301/tcp
Hosting provider: OVH
ASN: AS16276#threatintel https://t.co/prnFtujy49 pic.twitter.com/HRpecl5OUC

— Bad Packets Report (@bad_packets) July 19, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected!

IP address: 46.246.38.178 (🇸🇪)
DNS: ardp.hldns[.]ru
C2 port: 1791/tcp

Payload:
loligang.mipshttps://t.co/9kHLgjBYs8
loligang.mpsl https://t.co/l3q9IMg0qk

Type: Mirai-like #malware

Target: Linksys and D-Link routers#threatintel https://t.co/Oj5jvo9IWu pic.twitter.com/ltWFIyncii

— Bad Packets Report (@bad_packets) July 19, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 89.248.174.198 (🇳🇱)
C2 port: 9999/tcp
Hosting provider: IP Volume Inc
ASN: AS202425

Ports mass scanned with ZMap:
34567/tcp
50000/tcp
60001/tcp (see below)#threatintel https://t.co/tHj0H3eaaY

— Bad Packets Report (@bad_packets) July 18, 2019

Active Mirai-like botnet C2 detected:
89.248.174.198 (IP Volume Inc 🇳🇱)

C2 port:
9999/tcp

Exploit attempts targeting:
60001/tcp (JAWS Web Server – MVPower DVR RCE)

Payload:
http://89.248.174.198/jaws.sh
arm (https://t.co/ww1yQQ8geg)
arm7 (https://t.co/CZAWpe7z3r)#threatintel pic.twitter.com/SekQpD6CnU

— Bad Packets Report (@bad_packets) July 18, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 192.236.162.197 (🇺🇸)
New C2 port: 1791/tcp
Hosting provider: Hostwinds
ASN: AS54290#threatintel https://t.co/MJToNHi8Sm pic.twitter.com/2kD0YncQ7s

— Bad Packets Report (@bad_packets) July 17, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected:
209.141.55.8 (🇺🇸)

C2 port:
6666/tcp

Payload:
puss.arm7 #malware https://t.co/FNrPn7DhlO
ftp://209.141.55.8/ #opendir

Exploit attempts targeting:
JAWS Web Server (MVPower DVR RCE)

Exploit source IPs:
37.49.230.21 (🇮🇸)#threatintel pic.twitter.com/CT54gbxi0V

— Bad Packets Report (@bad_packets) July 16, 2019

Exploit attempt (https://t.co/Jawhp0SAZg) source IPs:
101.108.14.144 🇹🇭
49.117.81.101 🇨🇳
109.116.203.139 🇮🇹
151.70.138.75 🇮🇹
2.45.252.16 🇮🇹
114.235.35.12 🇨🇳#threatintel

— Bad Packets Report (@bad_packets) July 16, 2019

Active Mirai-like botnet C2 detected:
192.236.162.197 (Hostwinds 🇺🇸)

C2 port:
4426/tcp

Exploit attempts targeting:
Linksys routers (https://t.co/Jawhp0SAZg)

Payload:
Amakano.mpslhttps://t.co/KXFXHInsy8 #malware
http://192.236.162.197/vb/ #opendir #threatintel pic.twitter.com/skgxeJ7YQj

— Bad Packets Report (@bad_packets) July 16, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected:
169.239.128.18 (🇿🇦)

C2 port: 5301/tcp
Payload:
http://169.239.128.18/mips
http://169.239.128.18/arm7

Type: Mirai-like #malware https://t.co/qejUbpYWmA https://t.co/mD25CFLHrM #threatintel pic.twitter.com/a3TEemvzSA

— Bad Packets Report (@bad_packets) July 14, 2019

Ongoing exploit attempts targeting:
Realtek UPnP SOAP RCE (CVE-2014-8361)
JAWS Web Server (MVPower DVR RCE)

Exploit attempt source IPs:
165.22.107.99 (DigitalOcean 🇸🇬)
165.22.206.167 (DigitalOcean 🇳🇱)
188.166.60.205 (DigitalOcean 🇳🇱)#threatintel pic.twitter.com/SNvE5CdoqS

— Bad Packets Report (@bad_packets) July 14, 2019

Active botnet C2 detected:
91.209.70.174 (🇷🇺)

C2 port: 40/tcp
Payload: http://91.209.70.174/Corona.mips
Type: Gafgyt #malware variant

Ongoing exploit attempts targeting:
Realtek UPnP SOAP RCE (CVE-2014-8361)

Exploit source IPs:
165.22.244.168 (DigitalOcean 🇸🇬)#threatintel pic.twitter.com/BddyZ59TTA

— Bad Packets Report (@bad_packets) July 14, 2019

Active Mirai-like botnet C2:
194.99.22.138 (🇩🇪)

Ongoing exploit attempts targeting:
JAWS Web Server (MVPower DVR RCE)
Realtek UPnP SOAP RCE (CVE-2014-8361)
GPON routers (CVE-2018-10561)

Exploit source IPs:
209.97.168.152 (🇸🇬)
165.22.107.99 (🇸🇬)
188.166.60.205 (🇳🇱)#threatintel https://t.co/NancSne6GJ pic.twitter.com/41FQaBCTjr

— Bad Packets Report (@bad_packets) July 14, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.172.110.224 (🇳🇱)
C2 port: 65533/tcp
Hosting provider: BladeServers
ASN: AS206898#threatintel https://t.co/hGvD2Kzyw5 pic.twitter.com/19fDRoC2eo

— Bad Packets Report (@bad_packets) July 13, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 194.99.22.138 (🇩🇪)
C2 port: 5301/tcp
Hosting provider: MVPS LTD
ASN: AS202448#threatintel https://t.co/B8xmWdP450 pic.twitter.com/84QuaVXCH9

— Bad Packets Report (@bad_packets) July 12, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: CenterHop
ASN: AS17831#threatintel https://t.co/S132qANef2 pic.twitter.com/hrWbOjnU7h

— Bad Packets Report (@bad_packets) July 12, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 209.141.56.142 (🇺🇸)
C2 port: 37215/tcp
Hosting provider: Frantech
ASN: AS53667#threatintel https://t.co/ts1NKiPkgD pic.twitter.com/SbLN6nPbB3

— Bad Packets Report (@bad_packets) July 11, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 89.190.159.178 (🇳🇱)
C2 port: 85/tcp
Hosting provider: Alsycon B.V.
Network provider: SpectraIP B.V. (AS62068)#threatintel https://t.co/HOm7FuDdU0 pic.twitter.com/8a6vM6PjPi

— Bad Packets Report (@bad_packets) July 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected
IP address: 176.31.78.54 (🇫🇷)
http://176.31.78.54/bins/5743.* #opendir
Hosting provider: Infinity Hosting
C2 port: 45587/tcp

Type: Mirai-like #malware https://t.co/3tWlbyM5Rh

Exploit source IP: 125.227.22.243 (🇹🇼)#threatintel pic.twitter.com/ZuHx43svoa

— Bad Packets Report (@bad_packets) July 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.172.110.224 (🇳🇱)
C2 port: 65532/tcp
Hosting provider: BladeServers
ASN: AS206898#threatintel https://t.co/Eq7GtzzsbH pic.twitter.com/tsZogpCLuJ

— Bad Packets Report (@bad_packets) July 10, 2019

Botnet C2 IP address: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: CenterHop
ASN: AS17831#threatintel pic.twitter.com/ffmf31uIZz

— Bad Packets Report (@bad_packets) July 9, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: CenterHop
ASN: AS17831#threatintel https://t.co/lTYo8EcZRE

— Bad Packets Report (@bad_packets) July 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Botnet C2 is still active.
Exploit attempts targeting Huawei routers are ongoing.#threatintel https://t.co/ex4Rv6xSfj pic.twitter.com/GzvSIhcxoQ

— Bad Packets Report (@bad_packets) July 7, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 198.98.59.176 (🇺🇸)
C2 port: 90/tcp
Hosting provider: Frantech#threatintel https://t.co/Wxm1v0qm47 pic.twitter.com/XgGWvzo2Sq

— Bad Packets Report (@bad_packets) July 6, 2019

Looks like someone logged out of the C2 after our tweet. pic.twitter.com/Axi7WiPGGl

— Bad Packets Report (@bad_packets) July 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 185.172.110.224 (🇳🇱)
C2 port: 65533/tcp
Hosting provider: BladeServers#threatintel https://t.co/hGvD2Kzyw5 pic.twitter.com/axADWUZU8T

— Bad Packets Report (@bad_packets) July 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 188.166.87.227 (🇳🇱)
C2 port: 5301/tcp
Hosting provider: DigitalOcean (AS14061)#threatintel https://t.co/QOen6TGFae

— Bad Packets Report (@bad_packets) July 6, 2019

New payload targeting #GPON routers detected:
http://188.166.87.227/bin (DigitalOcean 🇳🇱)
http://188.166.87.227/bins/ #opendir https://t.co/wIIYSZ5JQS
Type: Mirai-like #malware
C2 port: 5301/tcp
Exploit attempt source IP: 68.183.167.121 (DigitalOcean 🇺🇸)#threatintel pic.twitter.com/yHdidmVhFO

— Bad Packets Report (@bad_packets) July 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 128.199.235.119 (🇸🇬)
C2 port: 81/tcp
Hosting provider: @digitalocean (AS14061)#threatintel https://t.co/OSxregNnrJ pic.twitter.com/fA2WyNbz7G

— Bad Packets Report (@bad_packets) July 4, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 159.89.143.217 (🇺🇸)
C2 port: 2269/tcp
Hosting provider: @digitalocean (AS14061)#threatintel https://t.co/FgjKPxhrfi pic.twitter.com/yKktKmbDj8

— Bad Packets Report (@bad_packets) July 4, 2019

🚨 ALERT 🚨
Active botnet command-and-control (C2) server detected.
IP: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: @centerhopcom
ASN: AS17831#threatintel https://t.co/LgojxLVqdy

— Bad Packets Report (@bad_packets) July 4, 2019

New payload targeting #GPON routers detected:
http://103.83.157.46/gai (🇸🇬)
http://103.83.157.46/bins/ #opendir https://t.co/rYnZBBEwBY
Type: Mirai-like #malware
C2 port: 5301/tcp
Exploit attempt source IP: 165.22.206.167 (Digital Ocean 🇳🇱)#threatintel pic.twitter.com/LnN5sHo4UE

— Bad Packets Report (@bad_packets) July 4, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.172.110.226 (🇳🇱)
C2 port: 1791/tcp
Hosting provider: @BladeServers_eu (AS206898)#threatintel https://t.co/HswW0KDsdp

— Bad Packets Report (@bad_packets) July 3, 2019

Active payload targeting 60001/tcp (IP camera interface/JAWS) detected:
http://185.172.110.226/lmaoWTF/Jaws.sh (🇳🇱)
http://185.172.110.226/lmaoWTF/ #opendir https://t.co/LkS7JKqYLe
Type: Mirai-like #malware
C2 port: 1791/tcp
Exploit source IP: 185.244.25.84 (🇳🇱)#threatintel pic.twitter.com/NdBPdqglXY

— Bad Packets Report (@bad_packets) July 3, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 198.98.59.176 (🇺🇸)
C2 port: 3301/tcp#threatintel https://t.co/UqPTvSioFa pic.twitter.com/igVioXdTQ3

— Bad Packets Report (@bad_packets) July 2, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.244.25.241 (🇳🇱 KV Solutions AS60355)
C2 port: 38344/tcp#threatintel https://t.co/Y7cS169YYM pic.twitter.com/F7P5kwMuYq

— Bad Packets Report (@bad_packets) June 30, 2019

Active botnet C2: 103.83.157.41 (🇸🇬)#threatintel pic.twitter.com/wiblOelpCm

— Bad Packets Report (@bad_packets) June 30, 2019

🚨 ALERT 🚨
Active botnet command-and-control (C2) server detected. #threatintel https://t.co/ugaYD6M5BE

— Bad Packets Report (@bad_packets) June 27, 2019

New payload targeting #Huawei routers detected:
http://103.83.157.41/bins/mips (🇸🇬)
http://103.83.157.41/bins/#opendir
C2 port: 5301/tcp
Type: Mirai-like #malware https://t.co/CfJOoDZTBB
Vulnerability exploited: CVE-2017-17215
Source IP: 167.71.64.218 (🇺🇸)#threatintel pic.twitter.com/vVhiYmvwgA

— Bad Packets Report (@bad_packets) June 27, 2019

Active botnet C2 and payload:
http://185.244.25.241/b/mips (🇳🇱 KV Solutions AS60355)https://t.co/olalKAGfD9 #threatintel https://t.co/ClcDuCdAix

— Bad Packets Report (@bad_packets) June 26, 2019

Active payload targeting #Huawei routers detected:
http://104.248.93.159/bins/frosty.mips (🇳🇱)
http://104.248.93.159/bins/ #opendir
C2 port: 8372/tcp
Type: Mirai-like #malware https://t.co/ghvpHMmhF4
Exploit source IP: 68.183.151.62 (🇺🇸)
Vulnerability: CVE-2017-17215#threatintel pic.twitter.com/YIZumv5k9B

— Bad Packets Report (@bad_packets) June 23, 2019

⚠️ WARNING ⚠️
Mirai-like botnet C2 server detected: 91.134.120.5 (🇫🇷)
Hosting provider: Infinity Hosting Services (🇩🇪)
Network provider: OVH (AS16276 🇫🇷)#threatintel pic.twitter.com/sDwnBFhtPR

— Bad Packets Report (@bad_packets) June 20, 2019

🚨 ALERT 🚨
Active command-and-control (C2) server detected. https://t.co/unTTHRfMp8

— Bad Packets Report (@bad_packets) June 18, 2019

New payload targeting #Huawei routers detected:
http://178.62.27.133/bins/frosty.mips (🇬🇧)
http://178.62.27.133/bins/ #opendir
Type: Mirai-like #malware https://t.co/mr8u5HFPdL
C2 IP: 68.183.151.62 (DigitalOcean 🇺🇸)
C2 port: 8372/tcp
Vulnerability: CVE-2017-17215#threatintel pic.twitter.com/SYZYqZBjuf

— Bad Packets Report (@bad_packets) June 18, 2019

C2 server: 185.244.25.157
C2 port: 5034/tcp https://t.co/ViNKvvCPb2 pic.twitter.com/XOJBbAbsnI

— Bad Packets Report (@bad_packets) June 18, 2019

New payload targeting @SchneiderElec "U.motion LifeSpace Management Systems" detected:
http://31.13.195.251/EC (🇧🇬 @VPSBG_EU)
Vulnerability exploited: CVE-2018-7841
Exploit (C2) IP: 188.165.179.9 (🇫🇷 @infinityhostcom)
C2 ports: 666, 358/tcp
Recon scan: Mirai-like#threatintel

— Bad Packets Report (@bad_packets) June 17, 2019

C2 server: 68.183.55.5
C2 port: 9375/tcp (Telnet) pic.twitter.com/ppTmHCfQbw

— Bad Packets Report (@bad_packets) June 17, 2019

⚠️ WARNING ⚠️
Ongoing exploit attempts
Active C2 server#threatintel https://t.co/G8soHUAa8w pic.twitter.com/ssIdF9Ejmm

— Bad Packets Report (@bad_packets) June 16, 2019

New payload targeting #Linksys routers detected:
http://79.137.123.208/bins/mpsl (🇫🇷)https://t.co/vTYSzWkrhM
ftp://79.137.123.208/ #opendir
C2 port: 555/tcp (Telnet)
Type: Mirai-like #malware
Exploit source IP: 74.210.238.108 (🇨🇦)
Target Port: 8080/tcp pic.twitter.com/eVCifhPw9U

— Bad Packets Report (@bad_packets) June 15, 2019

ANDYPANDY botnet C2 detections last 7 days:
104.244.76.15 (🇱🇺)
209.141.55.73 (🇺🇸)
193.70.26.48 (🇫🇷)
181.197.5.215 (🇵🇦)

Mainly targets #Android Debug Bridge (ADB) endpoints (5555/tcp). Recon scan uses ZMap.

— Bad Packets Report (@bad_packets) June 13, 2019

⚠️ WARNING ⚠️
New payload targeting D-Link devices detected:
http://62.210.207.229/t (🇫🇷)
http://62.210.207.229/bins/owari.* #opendir
C2 port: 89/tcp (Telnet)

Type: Mirai-like #malware https://t.co/H80SNjpLuF

Exploit source IPs:
209.141.37.17 (🇺🇸)
27.121.223.185 (🇯🇵) pic.twitter.com/mvO7WSwMb6

— Bad Packets Report (@bad_packets) June 1, 2019

New payload targeting Linksys routers detected:
http://205.185.126.154/AB4g5/Extendo.mpsl (🇺🇸)https://t.co/t6qyUxKKnl
C2 port: 1024/tcp (Telnet)
Exploit source IP: 209.141.37.173 (🇺🇸)
Recon scan: ZMap
Target Ports: 8088, 8080/tcp
Mirai-like #malware #opendir pic.twitter.com/UtP1qKoA4F

— Bad Packets Report (@bad_packets) May 25, 2019

A week later, this C2 is still active. The service provider @Scaleway acknowledged our report, yet took no action.

Meanwhile, a new payload called "z3hir" was detected: https://t.co/SL9INIWvDx pic.twitter.com/govU3heKaS

— Bad Packets Report (@bad_packets) May 20, 2019

New #malware payload and C2 detected
Exploit target: Realtek devices (CVE-2014-8361)
Target port: 52869/tcp
Payload: http://62.210.207.229/ntpd (https://t.co/vmMWAs3EmU)#OpenDir: ftp://62.210.207.229/
C2 port: 89/tcp (telnet) pic.twitter.com/PiRA8lRnrq

— Bad Packets Report (@bad_packets) May 13, 2019

Mirai-like botnet C2: 88.218.94.20 (🇺🇸)
Status: Active
Realtek exploit CVE-2014-8361 payload: http://88.218.94.20/ntpd (https://t.co/dsp82tTR1V)
✅ Added to monitoring pic.twitter.com/rIlYd1IAro

— Bad Packets Report (@bad_packets) May 11, 2019