Example DDoS botnet command-and-control (C2) servers detected by Bad Packets® Cyber Threat Intelligence

Active DDoS malware command-and-control (C2) server detected.
IP address: 194.37.82.252 (🇬🇧)
Hosting provider: Clouvider (AS62240)
C2 ports:
281/tcp
1010/tcp
Payload:
http://194.37.82.252/bins.sh
http://194.37.82.252/ #opendir
#threatintel
— Bad Packets (@bad_packets) January 21, 2021

Active DDoS malware command-and-control (C2) server detected.
IP address: 46.249.33.97 (🇳🇱)
Hosting provider: Serverius (AS50673)
C2 ports:
999/tcp
55312/tcp
Payload:
http://46.249.33.97/cache
ftp://46.249.33.97/ #opendir
Exploit target:
CVE-2018-10561
#threatintel
— Bad Packets (@bad_packets) January 21, 2021

Active DDoS malware command-and-control (C2) server detected.
IP address: 75.127.6.23 (🇺🇸)
Hosting provider: VirMach (AS36352)
C2 ports:
666/tcp
775/tcp
Payload: https://t.co/zMshQQrRbX
http://75.127.6.23/SBIDIOT/ #opendir
Exploit target:
CVE-2017-17215
#threatintel
— Bad Packets (@bad_packets) November 20, 2020

Active DDoS malware command-and-control (C2) server detected.
IP address: 5.253.84.197 (🇳🇱)
Hosting provider: HostSlick (AS208046)
C2 ports:
666/tcp
6660/tcp
9999/tcp
Target:
AVTECH IP camera / DVR RCE (multiple)
Payload:
http://5.253.84.197/bins/mirai.arm7
#threatintel
— Bad Packets (@bad_packets) October 24, 2020

Active DDoS malware command-and-control (C2) server detected.
IP address: 5.252.194.137 (🇷🇺)
Hosting provider: IpServer[.]su (AS44812)
C2 ports:
51847/tcp
56412/tcp
Payload:
http://5.252.194.137/usb.sh
Target: Tenda router RCE (CVE-2020-10987)
#threatintel
— Bad Packets (@bad_packets) October 16, 2020

Active DDoS malware command-and-control (C2) server detected.
IP address: 5.252.194.29 (🇷🇺)
C2 ports:
4321/tcp
31847/tcp
56412/tcp
Payloads:
/netis
/usb.sh
Vulnerabilities targeted:
Netis router RCE (CVE-2019-19356)
Tenda router RCE (CVE-2020-10987)
#threatintel
— Bad Packets (@bad_packets) October 5, 2020

Active DDoS malware command-and-control (C2) server detected.
IP address: 192.210.214.51 (🇺🇸)
Hosting provider: VirMach (AS36352)
C2 ports:
36457/tcp
55665/tcp
Payload: "Astra.mpsl" https://t.co/GGCFRaN4wJ
Target: Linksys router RCE vulnerability
#threatintel
— Bad Packets (@bad_packets) October 2, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 78.142.18.20 (🇳🇱)
Hosting provider: HostSlick (AS208046)
C2 ports:
1312/tcp
3912/tcp
Payload:
http://78.142.18.20/fetch.sh
Target:
vBulletin RCE vulnerability CVE-2020-17496
#threatintel
— Bad Packets (@bad_packets) September 1, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 5.206.227.136 (🇵🇹)
Hosting provider: BlazingFast (AS49349)
C2 ports:
45/tcp
34712/tcp
Payload:
http://5.206.227.136/zzz/wowe.*
http://5.206.227.136/zzz/ #opendir
#threatintel
— Bad Packets (@bad_packets) August 22, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 185.172.110.185 (🇳🇱)
Hosting provider: BladeServers (AS206898)
Vulnerabilities exploited:
D-Link router RCE
MVPower DVR (JAWS) RCE
Netlink GPON router RCE
ZyXEL router RCE CVE-2017-18368
#threatintel
— Bad Packets (@bad_packets) August 17, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 185.172.111.181 (🇳🇱)
Hosting provider: BladeServers (AS206898)
C2 ports:
45/tcp
34712/tcp
Payload:
http://190.115.18.144/g
http://185.172.111.181/bins #opendir
Target: HiSilicon DVR RCE
#threatintel
— Bad Packets (@bad_packets) July 20, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 198.211.110.4 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)
C2 ports:
733/tcp
961/tcp
Target:
Realtek RCE CVE-2014-8361
DrayTek RCE CVE-2020-8515
Payload:
"mips" https://t.co/fIiXWHtm3M
#threatintel
— Bad Packets (@bad_packets) July 19, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 185.172.110.243 (🇳🇱)
Hosting provider: BladeServers (AS206898)
C2 ports:
4554/tcp
56084/tcp
Payload: https://t.co/1WsjJS6Hzf
Target:
Huawei RCE vulnerability CVE-2017-17215
#threatintel
— Bad Packets (@bad_packets) July 13, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 194.15.36.47 (🇩🇪)
Hosting provider: private-hosting[.]eu (AS24961)
C2 ports:
5034/tcp
59314/tcp
Vulnerabilities targeted:
Huawei RCE (CVE-2017-17215)
Realtek RCE (CVE-2014-8361)
ZTE RCE
#threatintel
— Bad Packets (@bad_packets) June 27, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 80.82.70.140 (🇳🇱)
Hosting provider: IP Volume (AS202425)
C2 ports:
49152/tcp
65535/tcp
Payload:
(see attached tweet)
Target:
MVPower DVR (JAWS web server) RCE
#threatintel https://t.co/NqSn5V5QdQ
— Bad Packets (@bad_packets) June 24, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 192.236.146.153 (🇺🇸)
Hosting provider: Hostwinds (AS54290)
C2 ports:
12942/tcp
17244/tcp
Payload: https://t.co/SeFLOPZKhQ
Target:
MVPower DVR (JAWS Web Server) RCE vulnerability
#threatintel
— Bad Packets Report (@bad_packets) June 14, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 37.49.224.183 (🇳🇱)
Hosting provider: AS199264
C2 ports:
50821/tcp
58666/tcp
Payload: https://t.co/vNJmrdazIX
Target:
ZyXEL router RCE vulnerability CVE-2017-1836
#threatintel
— Bad Packets Report (@bad_packets) June 11, 2020

Active DDoS malware command-and-control (C2) server detected.
IP address: 85.204.116.87 (🇷🇴)
Hosting provider: Hostmaze (AS48874)
C2 ports:
131/tcp
16850/tcp
Payload: https://t.co/GMAtorDuhL
Target:
Routers vulnerable to CVE-2014-8361 (Realtek RCE)
#threatintel https://t.co/TrPTvYu89X
— Bad Packets Report (@bad_packets) June 10, 2020

Active DDoS malware command-and-control (C2) server detected.
IP address: 37.49.224.159 (🇳🇱)
Hosting provider: AS199264 https://t.co/M6eJ69nQyc
C2 ports:
420/tcp
666/tcp
Payload:
arm4 https://t.co/ppotHh6xre
arm6 https://t.co/GxNzuGsl1F
Target:
MVPower DVR RCE
#threatintel
— Bad Packets Report (@bad_packets) June 4, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 23.254.164.76 (🇺🇸)
Hosting provider: Hostwinds (AS54290)
C2 ports:
89/tcp
1337/tcp
Payload:
"mmmmh.mips" https://t.co/HvL48Sv9c0
Target:
Netgear router RCE vulnerability
#threatintel
— Bad Packets Report (@bad_packets) May 30, 2020

Active DDoS malware command-and-control (C2) server detected.
IP address: 37.49.226.220 (🇳🇱)
Hosting provider: AS208666 (https://t.co/ZusFyn1YfH)
C2 ports:
666/tcp
1111/tcp
Payload: https://t.co/eohzQhqxY3
Target:
ZyXEL router RCE CVE-2017-18368
MVPower DVR RCE
#threatintel
— Bad Packets Report (@bad_packets) May 30, 2020

Active DDoS malware command-and-control (C2) server detected.
IP address: 172.245.52.231 (🇺🇸)
Hosting provider: VirMach
Network provider: AS36352
C2 ports:
5555/tcp
17012/tcp
Payload: "mpsl" https://t.co/0dh22U77OS
Target: Linksys router RCE vulnerability
#threatintel
— Bad Packets Report (@bad_packets) May 29, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 94.102.63.52 (🇳🇱)
Hosting provider: IP Volume (AS202425)
C2 ports:
9102/tcp
Target:
Linksys router RCE
Eir D1000 router RCE
MVPower DVR (JAWS web server) RCE
ftp://94.102.63.52/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) May 28, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 134.209.86.250 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)
C2 ports:
420/tcp
999/tcp
Target:
AVTECH IP camera / NVR / DVR RCE (multiple)
Payload:
*.SNOOPY https://t.co/vc0LrVRMp0
#threatintel
— Bad Packets Report (@bad_packets) May 20, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 45.14.151.249 (🇷🇴)
Hosting provider: hostsolutions[.]ro (AS44220)
C2 ports:
1920/tcp
3099/tcp
Target: Linksys router remote code execution vulnerability
ftp://45.14.151.249/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) May 16, 2020

Active DDoS malware command-and-control (C2) server detected.
IP address: 139.99.237.109 (🇦🇺)
Hosting provider: OVH (AS16276)
C2 ports:
114/tcp
60010/tcp
Target:
CVE-2018-10561 (GPON router RCE)
Payload: https://t.co/vePp7NKj10
ftp://139.99.237.109/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) May 12, 2020

Active DDoS malware command-and-control (C2) server detected.
IP address: 193.228.91.105 (🇺🇸)
Hosting provider: RebeccaHost (AS44685)
C2 ports:
1024/tcp
1982/tcp
Target:
DrayTek RCE (CVE-2020-8515)
Grandstream RCE (CVE-2020-5722)
Payload: https://t.co/vQL15HbNXi
#threatintel
— Bad Packets Report (@bad_packets) May 10, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 45.95.169.249 (🇭🇷)
Hosting provider: MAXKO (AS42864)
C2 ports:
3074/tcp
65535/tcp
Target:
Routers vulnerable to CVE-2014-8361 (Realtek RCE)
ZTE router RCE
Payload: https://t.co/0dRGnIcUPZ
#threatintel
— Bad Packets Report (@bad_packets) May 5, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 159.203.2.6 (🇨🇦)
Hosting provider: DigitalOcean (AS14061)
C2 ports:
34241/tcp
39284/tcp
Target:
AVTECH IP camera / NVR / DVR RCE
MVPower DVR (JAWS) RCE
Netgear router RCE
#threatintel
— Bad Packets Report (@bad_packets) May 3, 2020

Active #DDoS malware command-and-control (C2) server detected.
IP address: 37.49.226.230 (🇳🇱)
Hosting provider: Estroweb/Vitox/Cloudstar/Xemu/other fake names AS208666 (🇳🇱)
C2 ports:
9993/tcp
55451/tcp
Target: Netgear router remote code execution vulnerability
#threatintel
— Bad Packets Report (@bad_packets) May 3, 2020

Active #DDoS malware command-and-control (C2) server detected. https://t.co/JK5C5ZBLEX
IP address: 194.36.188.170 (🇳🇱)
Hosting provider: HostSailor (AS60117) 🇦🇪
C2 ports:
3002/tcp
60552/tcp
Target: MVPower DVR (JAWS Web Server) RCE
ftp://194.36.188.170/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) May 1, 2020

Active DDoS malware command-and-control (C2) server detected.
IP address: 45.14.151.249 (🇷🇴)
Hosting provider: https://t.co/8DO0DSXr82 (AS44220)
C2 ports:
1920/tcp
9090/tcp
Vulnerability exploited: MVPower DVR (JAWS Web Server) RCE
ftp://45.14.151.249/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) April 28, 2020

Active DDoS botnet command-and-control (C2) server detected.
IP address: 185.244.217.126 (🇳🇱)
Hosting provider: Zomro B.V. (AS204601)
C2 ports:
449/tcp
1253/tcp
Vulnerability exploited: AVTECH RCE (multiple)
Payload: arm7.samoura https://t.co/oTIdJjkHPz
#malware #threatintel
— Bad Packets Report (@bad_packets) March 31, 2020

Active DDoS botnet command-and-control (C2) server detected.
IP address: 159.203.45.44 (🇨🇦)
Hosting provider: DigitalOcean (AS14061)
C2 ports: 23 & 1111/tcp
Exploit attempt source IP: 62.171.161.248 (🇩🇪)
Vulnerability exploited: MVPower DVR (JAWS Web Server) RCE
#threatintel
— Bad Packets Report (@bad_packets) March 19, 2020

Active DDoS botnet command-and-control (C2) server detected.
IP address: 144.91.79.5 (🇩🇪)
Hosting provider: Contabo (AS51167)
C2 ports:
733/tcp
1337/tcp
Vulnerability exploited: ZyXEL NAS Remote Command Injection (CVE-2020-9054) https://t.co/nitzqZ9YkR
#threatintel https://t.co/GVn4zBJBaz
— Bad Packets Report (@bad_packets) March 15, 2020

Active DDoS botnet command-and-control (C2) server detected.
IP address: 172.245.6.129 (🇺🇸)
Hosting provider: VirMach
Network provider: AS36352
C2 ports:
52/tcp
8122/tcp
Payload: "nvitpj" https://t.co/3hh2YEtGpM
Target: MVPower DVR (JAWS web server) RCE
#threatintel
— Bad Packets Report (@bad_packets) March 13, 2020

Active DDoS botnet command-and-control (C2) server detected.
IP address: 45.84.196.178 (🇩🇪)
Hosting provider: private-hosting[.]eu (AS24961)
C2 ports:
666/tcp
747/tcp
Payload: "armv6l" https://t.co/lz8GpOel2N
Target: MVPower DVR (JAWS web server) RCE
#threatintel #malware
— Bad Packets Report (@bad_packets) March 12, 2020

Active DDoS botnet command-and-control (C2) server detected.
IP address: 104.248.231.220 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)
C2 ports:
282/tcp
922/tcp
Vulnerability exploited: AVTECH RCE
Payload: roots.arm7 (https://t.co/1vrvZ3gnYs)
#malware #threatintel
— Bad Packets Report (@bad_packets) March 6, 2020

Active DDoS botnet command-and-control (C2) server detected.
IP address: 5.39.217.219 (🇳🇱)
Hosting provider: HOSTKEY (AS57043)
C2 ports:
7/tcp
936/tcp
Payload: "mips" (https://t.co/zFcN867cxf)
http://5.39.217.219/SBIDIOT/ #opendir
Target: ZTE router RCE
#threatintel https://t.co/NcluvuJWgc
— Bad Packets Report (@bad_packets) March 4, 2020

Active DDoS botnet command-and-control (C2) server detected.
IP address: 45.148.10.194 (🇳🇱)
Hosting provider: dmzhost[.]co (AS48090)
C2 ports:
24136/tcp
38565/tcp
Payload: "mips" (https://t.co/uBvS42kGBG)
Target: D-Link router RCE vulnerability
#threatintel
— Bad Packets Report (@bad_packets) February 28, 2020

🚨 ALERT 🚨
Active DDoS botnet command-and-control (C2) server detected!
IP address: 172.245.6.129 (🇺🇸)
Hosting provider: VirMach
Network provider: AS36352
C2 ports:
42/tcp
45637/tcp
Payload: orbitclien.armv7l (https://t.co/9y7737LS9P)
Target: JAWS webserver RCE
#threatintel
— Bad Packets Report (@bad_packets) February 27, 2020

🚨 ALERT 🚨
Active DDoS botnet command-and-control (C2) server detected!
IP address: 167.172.251.116 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)
C2 ports:
9506/tcp
9621/tcp
Target: AVTECH devices RCE
Payload: xd.arm7 (https://t.co/95hBVF3mvF)
#malware #threatintel
— Bad Packets Report (@bad_packets) February 24, 2020

🚨 ALERT 🚨
Active DDoS botnet command-and-control (C2) server detected!
IP address: 104.155.220.235 (🇺🇸)
Hosting provider: Google Cloud (AS15169)
C2 ports:
18819/tcp
40666/tcp
Target: Netgear and Huawei router RCE
Payload: https://t.co/APhvKnZgUe
#malware #threatintel https://t.co/zWa8XCNtR4
— Bad Packets Report (@bad_packets) February 24, 2020

🚨 ALERT 🚨
Active DDoS botnet command-and-control (C2) server detected!
IP address: 51.79.70.163 (🇨🇦)
Hosting provider: OVH (AS16276)
C2 ports:
3455/tcp
64537/tcp
Payload: Bread.* (https://t.co/1baGdxg2Em) #malware
http://breadsecurity[.]xyz/bins/ #opendir
#threatintel https://t.co/buasN4VCsm
— Bad Packets Report (@bad_packets) February 15, 2020

🚨 ALERT 🚨
Active DDoS botnet command-and-control (C2) server detected!
IP address: 37.49.226.137 (🇳🇱)
Hosting provider: Cloud Star Hosting Services (AS208666)
C2 ports:
9375/tcp
39284/tcp
Payload: z3hir.mips (https://t.co/n2zSxxz4aX) #malware
#threatintel
— Bad Packets Report (@bad_packets) February 12, 2020

🚨 ALERT 🚨
Active DDoS botnet command-and-control (C2) server detected!
IP address: 164.132.92.139 (🇫🇷)
Hosting provider: DefineQuality
Network provider: OVH (AS16276)
C2 ports:
187/tcp
2525/tcp
Payload: vbrxmr.arm7 (https://t.co/SFfZ0lbfxe)
#malware #threatintel
— Bad Packets Report (@bad_packets) February 11, 2020

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 190.115.18.86 (🇧🇿)
Hosting provider: DDoS-GUARD (AS262254)
C2 ports:
6323/tcp
8744/tcp
Payload: arm7 (https://t.co/LFdCS73rj6) #malware
http://190.115.18.86/b/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) February 11, 2020

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 178.128.183.31 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)
C2 ports:
24136/tcp
38565/tcp
Payload: http://178.128.183.31/arm7 (https://t.co/Re6WxZZj0O)
Target: MVPower DVR (JAWS web server) RCE
#threatintel
— Bad Packets Report (@bad_packets) February 11, 2020

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 131.153.30.60 (🇺🇸)
Hosting provider: Host4Fun
Network provider: AS11572
C2 ports:
420/tcp
6969/tcp
Payload:
Depression.armv7l #malware https://t.co/6BE62q1mNe
ftp://131.153.30.60/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) February 10, 2020

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 192.210.239.102 (🇺🇸)
Hosting provider: VirMach
Network provider: AS36352
C2 ports:
3/tcp
1111/tcp
Payloads:
m-i.p-s.GHOUL https://t.co/ntOiaH8vPo
a-r.m-7.GHOUL https://t.co/N9DpG41V39
#malware #threatintel
— Bad Packets Report (@bad_packets) February 10, 2020

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 205.134.182.116 (🇺🇸)
Hosting provider: AiNET (AS6405)
C2 ports:
120/tcp
1028/tcp
ftp://205.134.182.116/ #opendir
Payload: Heartless~Security.* (https://t.co/XfDVUJ5Pq6)
#malware #threatintel
— Bad Packets Report (@bad_packets) February 4, 2020

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 207.154.212.220 (🇩🇪)
Hosting provider: DigitalOcean (AS14061)
C2 ports:
5301/tcp
9545/tcp
http://207.154.212.220/bins/ #opendir
Payload: Stanleyy.* (https://t.co/MuqjJLhdTg)
#malware #threatintel
— Bad Packets Report (@bad_packets) February 2, 2020

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 206.81.1.189 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)
C2 ports:
9375/tcp
39284/tcp
http://206.81.1.189/beastmode/ #opendir
Payload: b3astmode.* (https://t.co/v0KK1op7D8) #malware
#threatintel https://t.co/6yADjxygDk
— Bad Packets Report (@bad_packets) January 27, 2020

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 89.34.27.57 (🇷🇴)
Hosting provider: ZetServers (AS25198)
C2 ports:
8348/tcp
34529/tcp
Payload:
http://89.34.27.57/sh
*.okuma (https://t.co/l0VdTfbQK2)
http://89.34.27.57/bins/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) January 23, 2020

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 68.183.219.115 (🇩🇪)
Hosting provider: DigitalOcean (AS14061)
C2 ports:
28194/tcp
52921/tcp
http://68.183.219.115/QpasYU/ #opendir
Payload: IpvLye.* (https://t.co/l029qmvuRq)
Target: CVE-2017-18368
#threatintel https://t.co/wYXtuh1E8S
— Bad Packets Report (@bad_packets) January 10, 2020

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 45.148.10.160 (🇳🇱)
Hosting provider: DMZHOST (AS48090)
C2 ports:
45/tcp
34712/tcp
ftp://45.148.10.160/ #opendir
Payload: zyxel (https://t.co/amEQkkAGqR)
Target: CVE-2017-18368 (ZyXEL router RCE)
#threatintel
— Bad Packets Report (@bad_packets) January 8, 2020

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 199.217.116.22 (🇺🇸)
Hosting provider: GoDaddy (AS30083)
C2 ports:
420/tcp (panel)
65134/tcp (logs)
Payload: PQKill.arm7 (https://t.co/LPHUe6sv1U)
Target: JAWS web server (MVPower DVR) RCE
#threatintel https://t.co/SuvEstLqo1
— Bad Packets Report (@bad_packets) January 3, 2020

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 158.69.236.40 (🇨🇦)
DNS: projectqishu[.]com
Hosting provider: OVH (AS16276)
C2 ports:
420/tcp
65134/tcp
http://projectqishu[.]com/bins/ #malware #opendir
Payload: PQv1.* (https://t.co/nxMYlOmtYQ)
#threatintel https://t.co/2LfuuU8DgH
— Bad Packets Report (@bad_packets) January 2, 2020

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 176.123.4.234 (🇲🇩)
DNS: udptcp.packetsv4[.]tk
Hosting provider: AlexHost (AS200019)
C2 port: 56473/tcp (panel)
Payload: Packets.* (https://t.co/bFUfWNqeG2)
http://176.123.4.234/bins/ #opendir
#threatintel https://t.co/w7O6oa3l7D
— Bad Packets Report (@bad_packets) December 29, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 185.242.104.13 (🇷🇺)
Hosting provider: Veesp
Network provider: AS43317
C2 ports:
666/tcp
64064/tcp
Payload: yama.* (https://t.co/3vmQ0faHzW)
ftp://185.242.104.13/pub/ #opendir
#threatintel https://t.co/hJGdrbVAA8
— Bad Packets Report (@bad_packets) December 28, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 185.172.110.204 (🇳🇱)
C2 port: 7498/tcp
Hosting provider: BladeServers (AS206898)
Payload: daddyscum.arm7 (https://t.co/WhKZ8wBmGV)
Target: JAWS web server RCE
http://185.172.110.204/nope/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) December 27, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 104.168.149.5 (🇺🇸)
C2 port: 2001/tcp
Hosting provider: Hostwinds (AS54290)
Payload: Packets.mips (https://t.co/cM4CBjdVcN)
http://104.168.149.5/bins/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) December 26, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 165.22.193.111 (🇳🇱)
Hosting provider: DigitalOcean (AS14061)
C2 ports:
9375/tcp
39284/tcp
Target: CVE-2017-17215
Payload: z3hir.mips (https://t.co/5Lz78CyNwT)
ftp://165.22.193.111/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) December 26, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 198.211.59.149 (🇺🇸)
Hosting provider: Multacom (AS35916)
C2 port: 2001/tcp
Malware payload: mybotnettrash.mips (https://t.co/0UFiaLeTJy)
Exploit target: Routers vulnerable to CVE-2014-8361
#threatintel
— Bad Packets Report (@bad_packets) December 26, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 173.82.105.129 (🇺🇸)
Hosting provider: Multacom (AS35916)
C2 ports:
1052/tcp
7474/tcp
Malware payload: armv6l (https://t.co/WAGDW23zZP)
Target: JAWS web server RCE
ftp://173.82.105.129/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) December 23, 2019

DDoS botnet C2 active again.
IP address: 185.172.110.243 (🇳🇱)
C2 port: 4554/tcp
Payload: http://185.172.110.243/mips (https://t.co/giRXALU2Gy)
ftp://185.172.110.243/ #opendir
Hosting provider: BladeServers (AS206898)
Exploit target: Huawei RCE (CVE-2017-17215)
#threatintel https://t.co/j9YQv498Q3
— Bad Packets Report (@bad_packets) December 23, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 50.115.166.137 (🇺🇸)
Hosting provider: Virpus (AS32875)
C2 ports:
2416/tcp
3456/tcp
Exploit source IP: 104.248.230.48 (🇺🇸)
Target: Netgear RCE
Payload: Legacy.mips (https://t.co/zitpsgsXoM)
#threatintel
— Bad Packets Report (@bad_packets) December 18, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 46.166.151.200 (🇳🇱)
Hosting provider: NFOrce Internet Services (AS43350)
C2 ports:
122/tcp
1212/tcp
Payload:
http://46.166.151.200/arm7 (https://t.co/qFjT6o5rKR)
Target:
JAWS web server RCE
#threatintel
— Bad Packets Report (@bad_packets) December 11, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 5.79.70.165 (🇳🇱)
Hosting provider: Leaseweb (AS60781)
C2 ports:
158/tcp
9999/tcp
Payload:
http://5.79.70.165/snype.mips (https://t.co/D3aTQ6jQKP)
Target:
Huawei routers (CVE-2017-17215)
#threatintel
— Bad Packets Report (@bad_packets) December 10, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 194.50.171.185 (🇷🇺)
Hosting provider: JustHost[.]ru (AS49392)
C2 ports:
87/tcp
444/tcp
Payload:
http://194.50.171.185/Venom.sh
Ouija_M.ips (https://t.co/0ew0KrPAh1)
Target:
D-Link routers
#threatintel
— Bad Packets Report (@bad_packets) December 4, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 23.254.224.153 (🇺🇸)
Hosting provider: Hostwinds (AS54290)
C2 ports:
45/tcp
34712/tcp
Target: CVE-2014-8361
Payload: Oblivion.mips (https://t.co/TJCWvj5esf)
http://23.254.224.153/bins/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) November 30, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 185.112.249.39 (🇬🇧)
Hosting provider: SharkServers (AS202939)
C2 ports:
1024/tcp
1982/tcp
Target: CVE-2014-8361
Payload: UnHAnaAW.mips (https://t.co/ced5WdJ5kJ)
ftp://185.112.249.39/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) November 24, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 165.227.35.105 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)
C2 port: 55312/tcp
Target: Netgear routers
Payload: http://165.227.35.105/mips (https://t.co/PezcqTXqat)
ftp://165.227.35.105/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) November 23, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 51.79.66.236 (🇨🇦)
Hosting provider: OVH (AS16276)
C2 ports:
87/tcp (logs)
444/tcp (panel)
Targets:
D-Link RCE
ThinkPHP RCE
Payload:
Venom[.]sh
Ouija_M.ips
Ouija_x.86 https://t.co/wIx60659VK
#threatintel
— Bad Packets Report (@bad_packets) November 21, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 194.15.36.41 (🇩🇪)
Hosting provider: private-hosting[.]eu
Network provider: AS24961
C2 ports:
20/tcp (panel)
88/tcp (logs)
Target: CVE-2017-17215
Payload: orphic.mips (https://t.co/Qk8FiZCwec)
#threatintel
— Bad Packets Report (@bad_packets) November 21, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 2.56.8.188 (🇬🇧)
Hosting provider: SonicFast
Network provider: AS25369
C2 ports:
9874/tcp
55312/tcp
Payload: http://2.56.8.188/axisbins.sh
ftp://2.56.8.188/ #opendir https://t.co/F47BnPQboH
#threatintel
— Bad Packets Report (@bad_packets) November 17, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 167.71.175.87 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)
C2 ports:
420/tcp
666/tcp
Payload:
http://167.71.175.87/axisbins.sh
Vulnerability exploited:
Huawei RCE (CVE-2017-17215)
#threatintel
— Bad Packets Report (@bad_packets) November 13, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 168.235.90.130 (🇺🇸)
Hosting provider: RamNode (AS3842)
C2 ports:
1738/tcp
6060/tcp
Target: JAWS web server RCE
Payload: http://168.235.90.130/love/trixbins.sh https://t.co/GYGT7tTmyy
#threatintel
— Bad Packets Report (@bad_packets) November 5, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 2.56.8.157 (🇬🇧)
Hosting provider: SonicFast
Network provider: AS25369
C2 ports:
748/tcp
1742/tcp
Target: JAWS web server RCE (60001/tcp)
Payload: http://2.56.8.157/UwUsh https://t.co/ROqx7MBgIu
#threatintel
— Bad Packets Report (@bad_packets) November 1, 2019

🚨 ALERT 🚨
Active botnet (DDoS) C2 server detected!
IP address: 89.35.39.74 (🇷🇴)
Hosting provider: https://t.co/8DO0DSXr82 (AS206898)
C2 ports:
1092/tcp
1920/tcp
Vulnerabilities exploited:
CVE-2017-18368 (ZyXEL RCE)
Payload: https://t.co/WKvGAwFTuk
#threatintel
— Bad Packets Report (@bad_packets) November 1, 2019

🚨 ALERT 🚨
Active botnet (DDoS) C2 server detected!
IP address: 185.172.110.243 (🇳🇱)
Hosting provider: BladeServers (AS206898)
C2 ports:
4554/tcp
56084/tcp
Vulnerabilities exploited:
CVE-2017-18368 https://t.co/X236JYX65i
ftp://185.172.110.243/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) October 31, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 142.11.205.42 (🇺🇸)
Hosting provider: Hostwinds (AS54290)
C2 ports:
2848/tcp
46216/tcp
Payload: http://142.11.205.42/mips https://t.co/CBXuGq02L6
Target: CVE-2014-8361 (Realtek RCE)
#threatintel
— Bad Packets Report (@bad_packets) October 30, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 35.236.44.15 (🇺🇸)
Hosting provider: Google Cloud (AS15169)
C2 ports:
1338/tcp
31337/tcp
Payload: http://35.236.44.15/zzz/mips.idopoc https://t.co/W5Ai2Owhjz
Target: Huawei RCE (CVE-2017-17215)
#threatintel
— Bad Packets Report (@bad_packets) October 30, 2019

🚨 ALERT 🚨
Active DDoS botnet (fbot) C2 server detected!
IP address: 5.206.227.65 (🇵🇹)
Hosting provider: BlazingFast (AS49349)
C2 ports:
6592/tcp
6593/tcp
Payload: http://5.206.227.65/w.sh https://t.co/6YwBq22BTL
Target: JAWS web server RCE (60001/tcp)
#threatintel
— Bad Packets Report (@bad_packets) October 29, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 34.94.100.213 (🇺🇸)
Hosting provider: Google Cloud (AS15169)
C2 ports:
1338/tcp
31337/tcp
Payload: http://jarry[.]online/zzz/mips.idopoc https://t.co/1q4iMaF86w
Target: Huawei RCE (CVE-2017-17215)
#threatintel
— Bad Packets Report (@bad_packets) October 27, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 190.2.156.118 (🇳🇱)
Hosting provider: WorldStream (AS49981)
C2 ports:
19992/tcp
26663/tcp
#threatintel https://t.co/OIlTenu7Vf
— Bad Packets Report (@bad_packets) October 27, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 142.11.227.208 (🇺🇸)
Hosting provider: Hostwinds (AS54290)
C2 ports:
81/tcp
21769/tcp
Payload: http://142.11.227.208/Realtek.sh https://t.co/532YSMO70w
http://142.11.227.208/bins/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) October 27, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 5.252.193.53 (🇷🇺)
Hosting provider: IpServer (AS44812)
C2 port:
4201/tcp
Vulnerabilities exploited:
CVE-2014-8361
JAWS web server RCE https://t.co/kiZjqGSmBc
http://5.252.193.53/bins/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) October 24, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 193.19.119.165 (🇺🇦)
Hosting provider: IpServer (AS44812)
C2 port:
4201/tcp (panel)
Vulnerability exploited: CVE-2017-17215
Payload: https://t.co/OyNwTYIPQm
http://193.19.119.165/bins/ #opendir
#threatintel
— Bad Packets Report (@bad_packets) October 23, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 145.239.212.59 (🇫🇷)
Hosting provider: BungeeCloud
ASN: AS16276 (OVH)
C2 ports:
8080/tcp (user panel)
43210/tcp
Payload: http://145.239.212.59/bwget.sh
http://185.236.229.23/kkkk/linux.* #opendir
#threatintel
— Bad Packets Report (@bad_packets) October 22, 2019

🚨 ALERT 🚨
Active DDoS botnet C2 server detected!
IP address: 85.204.116.49 (🇷🇴)
Domain: http://prismware[.]ml/ #opendir
Hosting provider: Hostmaze (AS48874)
C2 ports:
131/tcp
3143/tcp
Vulnerability exploited:
CVE-2014-8361
Payload: https://t.co/7MXFI8WQTi
#threatintel
— Bad Packets Report (@bad_packets) October 5, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!IP address: 64.44.40.242 (🇺🇸)
Hosting provider: Nexeon Technologies (AS20278)C2 ports:
1024/tcp
1982/tcpVulnerability exploited:
Netgear RCEhttps://t.co/jACB1BEEuE
http://64.44.40.242/bins/ #opendir#threatintel pic.twitter.com/gk3FOL8teM— Bad Packets Report (@bad_packets) September 28, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!IP address: 185.244.25.122 (🇳🇱)
Hosting provider: KV Solutions (AS60355)C2 ports:
55667/tcp
62333/tcpVulnerability exploited:
CVE-2014-9727Payload:
fuze[.]sh
203Xmi39S.*
ftp://185.244.25.122/ #opendir#threatintel pic.twitter.com/m5TcRo9jf8— Bad Packets Report (@bad_packets) September 26, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 45.95.168.161 (🇭🇷)
Hosting provider: MAXKO Hosting
ASN: AS42864 (🇭🇺)
C2 ports:
26662/tcp
46664/tcp
56378/tcp
"fatrat/test" #malware https://t.co/EJGc6ZYnBr
http://45.95.168.161/fatrat/ #opendir #threatintel pic.twitter.com/VwzagZdpac
— Bad Packets Report (@bad_packets) September 24, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 142.11.210.231 (🇺🇸)
Hosting provider: Hostwinds (AS54290)
C2 ports:
1791/tcp
21769/tcp
Vulnerabilities exploited:
D-Link RCE
CVE-2017-17215 (Huawei)
http://142.11.210.231/bins/ #malware #opendir #threatintel pic.twitter.com/xM4j5NmYiT
— Bad Packets Report (@bad_packets) September 21, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 165.227.93.168 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)
C2 ports:
23/tcp
666/tcp (user panel)
Exploit target:
Netgear routers
ftp://165.227.93.168/ #malware #opendir https://t.co/lFXc6q9OjZ #threatintel pic.twitter.com/btKwE5iCrw
— Bad Packets Report (@bad_packets) September 15, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 104.168.199.188 (🇺🇸)
Hosting provider: Hostwinds (AS54290)
C2 ports:
42069/tcp (user panel)
46216/tcp (command logs)
Vulnerability exploited:
ZyXEL router RCE (CVE-2017-18368) #threatintel
— Bad Packets Report (@bad_packets) September 13, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 164.132.4.31 (🇫🇷)
Hosting provider: @infinityhostcom
ASN: AS16276 (OVH)
C2 ports:
36335/tcp
42689/tcp (user panel)
Payload: http://164.132.4.31/armv7l
Exploit source IP: 37.59.163.230 (🇫🇷) #threatintel
— Bad Packets Report (@bad_packets) September 11, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 50.115.162.6 (🇺🇸)
Hosting provider: @virpus
ASN: AS32875 (Wowrack)
C2 ports:
23/tcp (logs)
4352/tcp (panel)
Vulnerability exploited:
CVE-2017-17215 (Huawei RCE)
Payload: mips.light #malware #threatintel pic.twitter.com/13vdu9EFLU
— Bad Packets Report (@bad_packets) September 6, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 137.74.237.193 (🇫🇷)
Hosting provider: @infinityhostcom
ASN: AS16276 (OVH)
C2 ports:
151/tcp (logs)
666/tcp (panel)
Payload: TacoBellGodYo.* https://t.co/uINwaNMM4W
ftp://137.74.237.193/ #opendir #threatintel https://t.co/w5d70vS7lb pic.twitter.com/hrbLkFQQmm
— Bad Packets Report (@bad_packets) September 5, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 31.13.195.65 (🇧🇬)
DNS: switchnets[.]net
Hosting provider: @VPSBG_EU
ASN: AS34224
C2 port:
79/tcp (panel)
Vulnerability exploited:
JAWS web server RCE
http://31.13.195.65/b/ #malware #opendir #threatintel pic.twitter.com/ABzppENJv7
— Bad Packets Report (@bad_packets) September 5, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 31.13.195.116 (🇧🇬)
DNS: anunna[.]club
Hosting provider: @VPSBG_EU
ASN: AS34224
C2 ports:
34567/tcp
64756/tcp
Vulnerabilities exploited:
JAWS web server RCE
http://anunna[.]club/x #malware payload #threatintel pic.twitter.com/58nhynOd5w
— Bad Packets Report (@bad_packets) September 4, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 206.72.206.82 (🇺🇸)
Hosting provider: InterServer (AS19318)
C2 ports:
8372/tcp
36496/tcp
Vulnerabilities exploited:
D-Link RCE
Huawei RCE CVE-2017-17215
http://206.72.206.82/bins/ #malware #opendir #threatintel pic.twitter.com/9NOkV85t2x
— Bad Packets Report (@bad_packets) September 3, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet command-and-control (C2) server detected!
IP address: 185.244.25.122 (🇳🇱)
Hosting provider: KV Solutions (AS60355)
C2 ports:
6667/tcp
32957/tcp
Vulnerability exploited:
FRITZ!Box RCE (CVE-2014-9727) #threatintel pic.twitter.com/vwRhg0YI6A
— Bad Packets Report (@bad_packets) August 31, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 80.82.65.213 (🇳🇱)
DNS: cc.stresser[.]cc
Hosting provider: IP Volume (AS202425)
C2 ports:
123/tcp
9060/tcp
37420/tcp
VirusTotal detections: 3/53 https://t.co/foOKJLNxb7
http://80.82.65.213/moo #malware #opendir pic.twitter.com/SDXmpivcjj
— Bad Packets Report (@bad_packets) August 30, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 199.19.225.2 (🇺🇸)
Hosting provider: FranTech (AS53667)
C2 ports:
1024/tcp
1982/tcp
Vulnerability exploited:
Netgear router RCE https://t.co/6PisHwc30Q #malware
http://199.19.225.2/bins/ #opendir #threatintel pic.twitter.com/URGl4G7GkK
— Bad Packets Report (@bad_packets) August 28, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 142.11.217.116 (🇺🇸)
Hosting provider: Hostwinds (AS54290)
C2 port:
5301/tcp
Vulnerabilities exploited:
CVE-2014-8361
CVE-2017-17215
CVE-2017-18368
http://142.11.217.116/bins/ #malware #opendir #threatintel pic.twitter.com/uzKNe4nsnQ
— Bad Packets Report (@bad_packets) August 27, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 147.135.124.113 (🇺🇸)
Hosting provider: OVH (AS16276)
C2 ports:
396/tcp
455/tcp
3465/tcp
Vulnerability exploited:
CVE-2019-15107 (Webmin RCE)
http://147.135.124.113/bins/ #opendir #threatintel pic.twitter.com/bDXxiXUbCO
— Bad Packets Report (@bad_packets) August 24, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!
IP address: 185.244.25.73 (🇳🇱)
Hosting provider: KV Solutions (AS60355)
C2 ports:
81/tcp
6996/tcp
Payload:
m-i.p-s.SNOOPY https://t.co/tOxqmfFlsS
ftp://185.244.25.73/ #opendir #threatintel pic.twitter.com/zvK4UVCPkO
— Bad Packets Report (@bad_packets) August 23, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!
IP address: 185.244.39.124 (🇳🇱)
Hosting provider: SKB Enterprise (AS64425)
C2 ports:
5555/tcp
10019/tcp
Vulnerabilities exploited:
CVE-2014-8361
CVE-2017-17215
http://185.244.39.124/gaybub/ #malware #opendir #threatintel pic.twitter.com/HVOsP49kT7
— Bad Packets Report (@bad_packets) August 23, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 199.195.253.85 (🇺🇸)
Hosting provider: FranTech (AS53667)
C2 ports:
2323/tcp
10444/tcp
64334/tcp
Vulnerability exploited:
HiSilicon DVR RCE https://t.co/qaFAEk7lkF #threatintel
— Bad Packets Report (@bad_packets) August 21, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!
IP address: 198.98.62.146 (🇺🇸)
Hosting provider: FranTech (AS53667)
C2 ports:
23/tcp
91/tcp
Vulnerability exploited: CVE-2014-9727
Malware payload script: https://t.co/Um0xNXbBuz #threatintel pic.twitter.com/N1n47hQh1z
— Bad Packets Report (@bad_packets) August 18, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!
IP address: 51.91.202.137 (🇫🇷)
Hosting provider: Infinity Hosting
C2 ports:
8811/tcp
12345/tcp
Payload:
arm6 https://t.co/wg7Y65kbm5
ftp://51.91.202.137/ #malware #opendir #threatintel https://t.co/dI5w8SLDb6 pic.twitter.com/oc9h62GQWn
— Bad Packets Report (@bad_packets) August 17, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!
IP address: 185.172.110.224 (🇳🇱)
Hosting provider: BladeServers (AS206898)
C2 ports:
993/tcp
11751/tcp
Vulnerabilities exploited:
CVE-2014-8361
CVE-2017-18368
ftp://185.172.110.224/ #malware #opendir #threatintel pic.twitter.com/WN2RnLQ3S5
— Bad Packets Report (@bad_packets) August 16, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!
IP address: 45.95.147.26 (🇳🇱)
DNS: switchnets[.]net
Hosting provider: Alsycon
ASN: AS51942
C2 ports:
79/tcp
6968/tcp
Payload:
"unstable" https://t.co/pccK4P2Qra
http://45.95.147.26/b/ #opendir #malware #threatintel pic.twitter.com/6JiL8XNITr
— Bad Packets Report (@bad_packets) August 16, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!
IP address: 164.68.116.122 (🇩🇪)
Hosting provider: Contabo (AS51167)
C2 ports:
1337/tcp
65535/tcp
Exploit target:
Linksys routers
Malware payload:
"mipsel" https://t.co/69FzpKONBF #threatintel pic.twitter.com/IHbj1NJrOD
— Bad Packets Report (@bad_packets) August 16, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!
IP address: 213.139.205.242 (🇳🇱)
Hosting provider: @ShockHosting
ASN: AS136175 (Serverhosh)
C2 ports:
35668/tcp
455/tcp
Multiple "cloudbot" malware binaries: https://t.co/bPxvVRnDYa #threatintel https://t.co/Xm1lKNqdWi pic.twitter.com/Vd1bv1MhVA
— Bad Packets Report (@bad_packets) August 14, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!
IP address: 142.44.251.105 (🇨🇦)
Hosting provider: OVH (AS16276)
C2 ports:
11751/tcp
65535/tcp
Vulnerabilities exploited:
CVE-2017-18368
CVE-2014-8361
Linksys RCE
ftp://142.44.251.105/ #malware #opendir #threatintel pic.twitter.com/mgeZuxnmCW
— Bad Packets Report (@bad_packets) August 14, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet (DDoS) C2 server detected!
IP address: 31.13.195.49 (🇧🇬)
Hosting provider: VPS[.]bg
ASN: AS34224 (Neterra)
C2 ports:
79/tcp
6968/tcp
Vulnerabilities exploited:
JAWS web server RCE
Payload:
http://31.13.195.49/x #malware #threatintel pic.twitter.com/4XV9dyLjl2
— Bad Packets Report (@bad_packets) August 13, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!
IP address: 141.105.69.49 (🇷🇺)
Hosting provider: @Hostkey_Rus (AS49335)
C2 port: 8915/tcp
Exploit target: ZyXEL routers (CVE-2017-18368)
ftp://141.105.69.49/ #malware #opendir #threatintel pic.twitter.com/2pxycZoXiS
— Bad Packets Report (@bad_packets) August 12, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!
IP address: 185.82.202.24 (🇳🇱)
Hosting provider: HostSailor (🇦🇪)
ASN: AS60117
C2 ports:
11751/tcp
65535/tcp
Malware payload:
arm7 https://t.co/INtpCkIRTg
ftp://185.82.202.24/ #opendir #threatintel pic.twitter.com/PXSVRuoCBB
— Bad Packets Report (@bad_packets) August 12, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!
IP address: 23.254.204.46 (🇺🇸)
Hosting provider: Hostwinds (AS54290)
C2 ports:
5301/tcp
9545/tcp
Vulnerabilities exploited:
CVE-2014-8361
CVE-2018-10561
Payload scripts:
/cool
/poo
#threatintel https://t.co/Mfptg6GGXf pic.twitter.com/M99SC2ZAhN
— Bad Packets Report (@bad_packets) August 11, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!
IP address: 167.71.128.164 (🇬🇧)
Hosting provider: DigitalOcean (AS14061)
C2 ports:
1337/tcp
3663/tcp
Payload: /rep/zyxel.sh
Exploit target: ZyXEL routers (CVE-2017-18368)
ftp://167.71.128.164/ #opendir #threatintel pic.twitter.com/qtcQACqEnp
— Bad Packets Report (@bad_packets) August 10, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!
IP address: 40.89.175.73 (🇫🇷)
Hosting provider: Microsoft Azure (AS8075)
C2 ports:
1280/tcp
44460/tcp
Payload: http://40.89.175.73/distortion.mips
Exploit target: Linksys routers #threatintel pic.twitter.com/DAQ9jTGf9X
— Bad Packets Report (@bad_packets) August 10, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!
IP address: 91.134.120.7 (🇫🇷)
Hosting provider: Infinity Hosting
Network provider: OVH (AS16276)
C2 ports:
666/tcp
850/tcp
Payload: https://t.co/kDIqJHkUS5
ftp://164.132.213.119 #malware #opendir #threatintel pic.twitter.com/43uiyQcxV1
— Bad Packets Report (@bad_packets) August 9, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!
IP address: 91.92.66.192 (🇧🇬)
Hosting provider: VPS[.]bg
ASN: AS60355 (Neterra)
C2 port:
63236/tcp
Vulnerabilities exploited:
JAWS RCE
Realtek RCE (CVE-2014-8361)
http://91.92.66.192/ #malware #opendir #threatintel pic.twitter.com/ODC4mv2IXw
— Bad Packets Report (@bad_packets) August 8, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!
IP address: 185.244.25.185 (🇳🇱)
Hosting provider: KV Solutions (AS60355)
C2 ports:
1312/tcp (panel)
3912/tcp
43195/tcp
Payload:
Jaws[.]sh
http://185.244.25.185/loot/ #malware #opendir #threatintel pic.twitter.com/FDxxFiHoRN
— Bad Packets Report (@bad_packets) August 8, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet (DDoS) command-and-control (C2) server detected!
IP address: 185.35.138.156 (🇳🇱)
C2 port: 655/tcp
Hosting provider: Zyztm Research Division (AS62454)
Payload:
http://185.35.138.156/c
ftp://185.35.138.156/ #malware #opendir #threatintel pic.twitter.com/okhMp8kkvO
— Bad Packets Report (@bad_packets) August 8, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!
IP address: 164.132.213.119 (🇫🇷)
Hosting provider: Infinity Hosting
Network provider: OVH (AS16276)
C2 ports:
54268/tcp
1098/tcp
Malware payload: https://t.co/QThjOvn4KR
ftp://164.132.213.119 #opendir #threatintel pic.twitter.com/8JQS4Whv6j
— Bad Packets Report (@bad_packets) August 8, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!
IP address: 185.244.25.77 (🇳🇱)
Hosting provider: KV Solutions (AS60355)
C2 ports:
88/tcp (panel)
1/tcp (logs)
Payload:
m-i.p-s.SNOOPY Gafgyt-like #malware https://t.co/pKh9dvamuM #threatintel pic.twitter.com/DHTEMgxE8U
— Bad Packets Report (@bad_packets) August 7, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!
IP address: 185.244.25.75 (🇳🇱)
C2 ports:
7318/tcp (panel)
43594/tcp (logs)
Hosting provider: KV Solutions (AS60355)
Payload:
SinixV4.armv6l Gafgyt-like #malware https://t.co/crpjCEGtIF #threatintel pic.twitter.com/qIK5BQkbg6
— Bad Packets Report (@bad_packets) August 7, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!
IP address: 158.255.5.216 (🇷🇺)
C2 port: 8915/tcp
ftp://158.255.5.216/ #opendir
Hosting provider: @Hostkey_Rus (AS49335)
Exploit targets:
D-Link routers
ZyXEL routers (CVE-2017-18368) #threatintel pic.twitter.com/Pmn4dnIGnt
— Bad Packets Report (@bad_packets) August 6, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 45.129.3.130 (🇷🇺)
C2 port: 1994/tcp (h/t @0xrb)
Hosting provider: https://t.co/D690YPqKCi (AS51659) #threatintel https://t.co/D3b8J89ZH9 pic.twitter.com/pBybObfP7I
— Bad Packets Report (@bad_packets) August 4, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected!
IP address: 185.244.25.181 (🇳🇱)
C2 port: 9375/tcp
Hosting provider: KV Solutions (AS60355)
#Malware payload:
z3hir.mips https://t.co/SSEbT7YV2d
http://185.244.25.77/zehir/ #opendir #threatintel pic.twitter.com/dlTKpfdI6W
— Bad Packets Report (@bad_packets) August 3, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Botnet C2 server still active!
IP address: 185.244.25.181 (🇳🇱)
Hosting provider: KV Solutions
New C2 ports:
Panel: 121/tcp
Logs: 8361/tcp
Malware payload: NENAVIST2 https://t.co/jQ1h7wChIw
PDoS (bricker) functionality per @MasafumiNegishi. #threatintel https://t.co/svWPsvrqPR pic.twitter.com/Lq32WYt1Wg
— Bad Packets Report (@bad_packets) August 2, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!
IP address: 185.244.150.111 (🇳🇱)
C2 port: 38344/tcp
Hosting provider: Host Sailor (🇦🇪)
ASN: AS60117
http://185.244.150.111/b/ #opendir
Malware payload: https://t.co/3GIwISL5X1 #threatintel pic.twitter.com/jMbQtNEvT2
— Bad Packets Report (@bad_packets) August 2, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!
IP address: 147.135.116.64 (🇫🇷)
C2 port: 45/tcp
ftp://147.135.116.64/Hilix.* #opendir
Hosting provider: Infinity Hosting
Network provider: OVH (AS16276)
Malware payload: https://t.co/8UnnQ2yIRu #threatintel pic.twitter.com/qpLxabCATS
— Bad Packets Report (@bad_packets) August 2, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 185.244.25.181 (🇳🇱)
C2 port: 131/tcp
Hosting provider: KV Solutions (AS60355)
Payload:
NENAVIST2 https://t.co/jQ1h7wChIw
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/1reyZPomYm
— Bad Packets Report (@bad_packets) August 1, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!
IP address: 103.1.186.118 (🇦🇺)
C2 port: 44/tcp (logs via 6949/tcp)
Hosting provider: Mammoth Cloud (AS133159)
Payload:
a.arm5 https://t.co/qYcm2vlPLa
http://103.1.186.118/bins/ #opendir
Type: Mirai-like #malware #threatintel pic.twitter.com/O231zjZDTL
— Bad Packets Report (@bad_packets) July 31, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!
IP address: 185.172.110.216 (🇳🇱)
C2 port: 1024/tcp
Hosting provider: BladeServers
ASN: AS206898
Payload:
/Jaws.sh https://t.co/e8yX6eDY0J
http://185.172.110.216/bins/ #opendir
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/DQzgH2RKiF
— Bad Packets Report (@bad_packets) July 31, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 51.91.202.137 (🇫🇷)
C2 port: 9999/tcp
Payload:
a-r.m-4.SNOOPY
a-r.m-6.SNOOPY
a-r.m-7.SNOOPY
ftp://51.91.202.137/ #opendir
Type: Gafgyt (DDoS) #malware #threatintel https://t.co/UlJ4YEtsQo pic.twitter.com/q3nSbxHPz1
— Bad Packets Report (@bad_packets) July 28, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 165.22.209.154 (🇮🇳)
C2 port: 26663/tcp
Hosting provider: DigitalOcean (AS14061)
Payload:
r4z0r.mips https://t.co/nm5COeFb6C
Type: Mirai-like #malware
ftp://165.22.209.154/ #opendir #threatintel pic.twitter.com/zAxmo34R54
— Bad Packets Report (@bad_packets) July 27, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 142.11.238.236 (🇺🇸)
C2 port: 34/tcp
Hosting provider: Hostwinds
ASN: AS54290
Payload:
arm7 (https://t.co/6zvHH2WZsC)
ftp://142.11.238.236/ #opendir
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/4DM9PebG6v
— Bad Packets Report (@bad_packets) July 27, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!
IP address: 185.246.152.89 (🇳🇱)
C2 port: 37212/tcp
Hosting provider: Melbicom (🇱🇹)
ASN: AS56630
Payload:
http://185.246.152.89/bins/telnet.* #opendir https://t.co/Fd6dQCr7wz
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/nOOETagFpk
— Bad Packets Report (@bad_packets) July 26, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!
IP address: 185.172.110.203 (🇳🇱)
C2 port: 1024/tcp
Hosting provider: BladeServers
ASN: AS206898
Payload:
http://185.172.110.203/Jaws.sh
http://185.172.110.203/bins/ #opendir
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/rxDsuHJ5m4
— Bad Packets Report (@bad_packets) July 25, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 159.89.41.188 (🇺🇸)
C2 port: 5301/tcp
Hosting provider: DigitalOcean
Payload:
http://159.89.41.188/bin
http://159.89.41.188/bins/ #opendir
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/5gapuwXiTM
— Bad Packets Report (@bad_packets) July 25, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 67.205.169.73 (🇺🇸)
C2 port: 1791/tcp
Hosting provider: DigitalOcean
Payload:
arm7.akirag https://t.co/ByGukMWvCR
ftp://67.205.169.73/ #opendir
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/OxrjKGe28r
— Bad Packets Report (@bad_packets) July 24, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 104.168.215.139 (🇺🇸)
C2 port: 5301/tcp
Hosting provider: Hostwinds
ASN: AS54290
Payload:
http://104.168.215.139/mips
http://104.168.215.139/arm7
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/MKurB6rlax
— Bad Packets Report (@bad_packets) July 24, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 185.172.110.224 (🇳🇱)
C2 port: 70/tcp
Hosting provider: BladeServers
ASN: AS206898
Payload:
http://185.172.110.224/mips https://t.co/wLCAOB3OcZ
Type: Mirai-like (DDoS) #malware #threatintel https://t.co/WD2T3jtRJh pic.twitter.com/65mQIlAHFN
— Bad Packets Report (@bad_packets) July 24, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 87.120.37.148 (🇧🇬)
C2 port: 38/tcp
Payload:
http://87.120.37.148/bins/autism.* #opendir https://t.co/Kb5G9eHkJ9
Type: Mirai-like (DDoS) #malware #threatintel https://t.co/ceO9rfM4rG pic.twitter.com/h4vE976Evo
— Bad Packets Report (@bad_packets) July 24, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 80.211.90.245 (🇮🇹)
Hosting provider: Aruba Cloud (AS31034)
C2 port: 6666/tcp
Payload:
http://80.211.90.245/k1337.*
ftp://80.211.90.245/ #opendir
Type: Gafgyt (DDoS) #malware #threatintel pic.twitter.com/hBfPXJttCx
— Bad Packets Report (@bad_packets) July 22, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!
IP address: 185.244.25.134 (🇳🇱)
C2 port: 1791/tcp
Hosting provider: KV Solutions
Payload:
loligang.mips https://t.co/x2PnIj7GsQ
Target: Huawei routers
Vulnerability exploited: CVE-2017-17215 #threatintel https://t.co/rTk8y1XOpG pic.twitter.com/tEmSjoOupT
— Bad Packets Report (@bad_packets) July 22, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected!
IP address: 80.211.9.40 (🇮🇹)
Hosting provider: Aruba Cloud (AS31034)
DNS: ch.silynigr[.]xyz
C2 port: 495/tcp
Payload:
http://ch.silynigr[.]xyz/bins/u.*
http://ch.silynigr[.]xyz/bins/adb.*
Type: Mirai-like #malware #threatintel pic.twitter.com/2DUVZ9ZUf4
— Bad Packets Report (@bad_packets) July 21, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected!
IP address: 195.231.6.216 (🇮🇹)
C2 port: 48/tcp
Hosting provider: Aruba Cloud
ASN: AS202242 #threatintel https://t.co/rZ6Or7RVR6 pic.twitter.com/iXN5NQzQpS
— Bad Packets Report (@bad_packets) July 20, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 51.91.202.137 (🇫🇷)
C2 port: 5301/tcp
Hosting provider: OVH
ASN: AS16276 #threatintel https://t.co/prnFtujy49 pic.twitter.com/HRpecl5OUC
— Bad Packets Report (@bad_packets) July 19, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected!
IP address: 46.246.38.178 (🇸🇪)
DNS: ardp.hldns[.]ru
C2 port: 1791/tcp
Payload:
loligang.mips https://t.co/9kHLgjBYs8
loligang.mpsl https://t.co/l3q9IMg0qk
Type: Mirai-like #malware
Target: Linksys and D-Link routers #threatintel https://t.co/Oj5jvo9IWu pic.twitter.com/ltWFIyncii
— Bad Packets Report (@bad_packets) July 19, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 89.248.174.198 (🇳🇱)
C2 port: 9999/tcp
Hosting provider: IP Volume Inc
ASN: AS202425
Ports mass scanned with ZMap:
34567/tcp
50000/tcp
60001/tcp (see below) #threatintel https://t.co/tHj0H3eaaY
— Bad Packets Report (@bad_packets) July 18, 2019
Active Mirai-like botnet C2 detected:
89.248.174.198 (IP Volume Inc 🇳🇱)
C2 port:
9999/tcp
Exploit attempts targeting:
60001/tcp (JAWS Web Server – MVPower DVR RCE)
Payload:
http://89.248.174.198/jaws.sh
arm (https://t.co/ww1yQQ8geg)
arm7 (https://t.co/CZAWpe7z3r) #threatintel pic.twitter.com/SekQpD6CnU
— Bad Packets Report (@bad_packets) July 18, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 192.236.162.197 (🇺🇸)
New C2 port: 1791/tcp
Hosting provider: Hostwinds
ASN: AS54290 #threatintel https://t.co/MJToNHi8Sm pic.twitter.com/2kD0YncQ7s
— Bad Packets Report (@bad_packets) July 17, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected:
209.141.55.8 (🇺🇸)
C2 port:
6666/tcp
Payload:
puss.arm7 #malware https://t.co/FNrPn7DhlO
ftp://209.141.55.8/ #opendir
Exploit attempts targeting:
JAWS Web Server (MVPower DVR RCE)
Exploit source IPs:
37.49.230.21 (🇮🇸) #threatintel pic.twitter.com/CT54gbxi0V
— Bad Packets Report (@bad_packets) July 16, 2019
Exploit attempt (https://t.co/Jawhp0SAZg) source IPs:
101.108.14.144 🇹🇭
49.117.81.101 🇨🇳
109.116.203.139 🇮🇹
151.70.138.75 🇮🇹
2.45.252.16 🇮🇹
114.235.35.12 🇨🇳 #threatintel
— Bad Packets Report (@bad_packets) July 16, 2019
Active Mirai-like botnet C2 detected:
192.236.162.197 (Hostwinds 🇺🇸)
C2 port:
4426/tcp
Exploit attempts targeting:
Linksys routers (https://t.co/Jawhp0SAZg)
Payload:
Amakano.mpsl https://t.co/KXFXHInsy8 #malware
http://192.236.162.197/vb/ #opendir #threatintel pic.twitter.com/skgxeJ7YQj
— Bad Packets Report (@bad_packets) July 16, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected:
169.239.128.18 (🇿🇦)
C2 port: 5301/tcp
Payload:
http://169.239.128.18/mips
http://169.239.128.18/arm7
Type: Mirai-like #malware https://t.co/qejUbpYWmA https://t.co/mD25CFLHrM #threatintel pic.twitter.com/a3TEemvzSA
— Bad Packets Report (@bad_packets) July 14, 2019
Ongoing exploit attempts targeting:
Realtek UPnP SOAP RCE (CVE-2014-8361)
JAWS Web Server (MVPower DVR RCE)
Exploit attempt source IPs:
165.22.107.99 (DigitalOcean 🇸🇬)
165.22.206.167 (DigitalOcean 🇳🇱)
188.166.60.205 (DigitalOcean 🇳🇱) #threatintel pic.twitter.com/SNvE5CdoqS
— Bad Packets Report (@bad_packets) July 14, 2019
Active botnet C2 detected:
91.209.70.174 (🇷🇺)
C2 port: 40/tcp
Payload: http://91.209.70.174/Corona.mips
Type: Gafgyt #malware variant
Ongoing exploit attempts targeting:
Realtek UPnP SOAP RCE (CVE-2014-8361)
Exploit source IPs:
165.22.244.168 (DigitalOcean 🇸🇬) #threatintel pic.twitter.com/BddyZ59TTA
— Bad Packets Report (@bad_packets) July 14, 2019
Active Mirai-like botnet C2:
194.99.22.138 (🇩🇪)
Ongoing exploit attempts targeting:
JAWS Web Server (MVPower DVR RCE)
Realtek UPnP SOAP RCE (CVE-2014-8361)
GPON routers (CVE-2018-10561)
Exploit source IPs:
209.97.168.152 (🇸🇬)
165.22.107.99 (🇸🇬)
188.166.60.205 (🇳🇱) #threatintel https://t.co/NancSne6GJ pic.twitter.com/41FQaBCTjr
— Bad Packets Report (@bad_packets) July 14, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.172.110.224 (🇳🇱)
C2 port: 65533/tcp
Hosting provider: BladeServers
ASN: AS206898 #threatintel https://t.co/hGvD2Kzyw5 pic.twitter.com/19fDRoC2eo
— Bad Packets Report (@bad_packets) July 13, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 194.99.22.138 (🇩🇪)
C2 port: 5301/tcp
Hosting provider: MVPS LTD
ASN: AS202448 #threatintel https://t.co/B8xmWdP450 pic.twitter.com/84QuaVXCH9
— Bad Packets Report (@bad_packets) July 12, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: CenterHop
ASN: AS17831 #threatintel https://t.co/S132qANef2 pic.twitter.com/hrWbOjnU7h
— Bad Packets Report (@bad_packets) July 12, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 209.141.56.142 (🇺🇸)
C2 port: 37215/tcp
Hosting provider: Frantech
ASN: AS53667 #threatintel https://t.co/ts1NKiPkgD pic.twitter.com/SbLN6nPbB3
— Bad Packets Report (@bad_packets) July 11, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 89.190.159.178 (🇳🇱)
C2 port: 85/tcp
Hosting provider: Alsycon B.V.
Network provider: SpectraIP B.V. (AS62068) #threatintel https://t.co/HOm7FuDdU0 pic.twitter.com/8a6vM6PjPi
— Bad Packets Report (@bad_packets) July 10, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected
IP address: 176.31.78.54 (🇫🇷)
http://176.31.78.54/bins/5743.* #opendir
Hosting provider: Infinity Hosting
C2 port: 45587/tcp
Type: Mirai-like #malware https://t.co/3tWlbyM5Rh
Exploit source IP: 125.227.22.243 (🇹🇼) #threatintel pic.twitter.com/ZuHx43svoa
— Bad Packets Report (@bad_packets) July 10, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.172.110.224 (🇳🇱)
C2 port: 65532/tcp
Hosting provider: BladeServers
ASN: AS206898 #threatintel https://t.co/Eq7GtzzsbH pic.twitter.com/tsZogpCLuJ
— Bad Packets Report (@bad_packets) July 10, 2019
Botnet C2 IP address: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: CenterHop
ASN: AS17831 #threatintel pic.twitter.com/ffmf31uIZz
— Bad Packets Report (@bad_packets) July 9, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: CenterHop
ASN: AS17831 #threatintel https://t.co/lTYo8EcZRE
— Bad Packets Report (@bad_packets) July 8, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Botnet C2 is still active.
Exploit attempts targeting Huawei routers are ongoing. #threatintel https://t.co/ex4Rv6xSfj pic.twitter.com/GzvSIhcxoQ
— Bad Packets Report (@bad_packets) July 7, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 198.98.59.176 (🇺🇸)
C2 port: 90/tcp
Hosting provider: Frantech #threatintel https://t.co/Wxm1v0qm47 pic.twitter.com/XgGWvzo2Sq
— Bad Packets Report (@bad_packets) July 6, 2019
Looks like someone logged out of the C2 after our tweet. pic.twitter.com/Axi7WiPGGl
— Bad Packets Report (@bad_packets) July 6, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 185.172.110.224 (🇳🇱)
C2 port: 65533/tcp
Hosting provider: BladeServers #threatintel https://t.co/hGvD2Kzyw5 pic.twitter.com/axADWUZU8T
— Bad Packets Report (@bad_packets) July 6, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 188.166.87.227 (🇳🇱)
C2 port: 5301/tcp
Hosting provider: DigitalOcean (AS14061) #threatintel https://t.co/QOen6TGFae
— Bad Packets Report (@bad_packets) July 6, 2019
New payload targeting #GPON routers detected:
http://188.166.87.227/bin (DigitalOcean 🇳🇱)
http://188.166.87.227/bins/ #opendir https://t.co/wIIYSZ5JQS
Type: Mirai-like #malware
C2 port: 5301/tcp
Exploit attempt source IP: 68.183.167.121 (DigitalOcean 🇺🇸) #threatintel pic.twitter.com/yHdidmVhFO
— Bad Packets Report (@bad_packets) July 6, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 128.199.235.119 (🇸🇬)
C2 port: 81/tcp
Hosting provider: @digitalocean (AS14061) #threatintel https://t.co/OSxregNnrJ pic.twitter.com/fA2WyNbz7G
— Bad Packets Report (@bad_packets) July 4, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 159.89.143.217 (🇺🇸)
C2 port: 2269/tcp
Hosting provider: @digitalocean (AS14061) #threatintel https://t.co/FgjKPxhrfi pic.twitter.com/yKktKmbDj8
— Bad Packets Report (@bad_packets) July 4, 2019
🚨 ALERT 🚨
Active botnet command-and-control (C2) server detected.
IP: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: @centerhopcom
ASN: AS17831 #threatintel https://t.co/LgojxLVqdy
— Bad Packets Report (@bad_packets) July 4, 2019
New payload targeting #GPON routers detected:
http://103.83.157.46/gai (🇸🇬)
http://103.83.157.46/bins/ #opendir https://t.co/rYnZBBEwBY
Type: Mirai-like #malware
C2 port: 5301/tcp
Exploit attempt source IP: 165.22.206.167 (Digital Ocean 🇳🇱) #threatintel pic.twitter.com/LnN5sHo4UE
— Bad Packets Report (@bad_packets) July 4, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.172.110.226 (🇳🇱)
C2 port: 1791/tcp
Hosting provider: @BladeServers_eu (AS206898) #threatintel https://t.co/HswW0KDsdp
— Bad Packets Report (@bad_packets) July 3, 2019
Active payload targeting 60001/tcp (IP camera interface/JAWS) detected:
http://185.172.110.226/lmaoWTF/Jaws.sh (🇳🇱)
http://185.172.110.226/lmaoWTF/ #opendir https://t.co/LkS7JKqYLe
Type: Mirai-like #malware
C2 port: 1791/tcp
Exploit source IP: 185.244.25.84 (🇳🇱) #threatintel pic.twitter.com/NdBPdqglXY
— Bad Packets Report (@bad_packets) July 3, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 198.98.59.176 (🇺🇸)
C2 port: 3301/tcp #threatintel https://t.co/UqPTvSioFa pic.twitter.com/igVioXdTQ3
— Bad Packets Report (@bad_packets) July 2, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.244.25.241 (🇳🇱 KV Solutions AS60355)
C2 port: 38344/tcp #threatintel https://t.co/Y7cS169YYM pic.twitter.com/F7P5kwMuYq
— Bad Packets Report (@bad_packets) June 30, 2019
Active botnet C2: 103.83.157.41 (🇸🇬) #threatintel pic.twitter.com/wiblOelpCm
— Bad Packets Report (@bad_packets) June 30, 2019
🚨 ALERT 🚨
Active botnet command-and-control (C2) server detected. #threatintel https://t.co/ugaYD6M5BE
— Bad Packets Report (@bad_packets) June 27, 2019
New payload targeting #Huawei routers detected:
http://103.83.157.41/bins/mips (🇸🇬)
http://103.83.157.41/bins/ #opendir
C2 port: 5301/tcp
Type: Mirai-like #malware https://t.co/CfJOoDZTBB
Vulnerability exploited: CVE-2017-17215
Source IP: 167.71.64.218 (🇺🇸) #threatintel pic.twitter.com/vVhiYmvwgA
— Bad Packets Report (@bad_packets) June 27, 2019
Active botnet C2 and payload:
http://185.244.25.241/b/mips (🇳🇱 KV Solutions AS60355) https://t.co/olalKAGfD9 #threatintel https://t.co/ClcDuCdAix
— Bad Packets Report (@bad_packets) June 26, 2019
Active payload targeting #Huawei routers detected:
http://104.248.93.159/bins/frosty.mips (🇳🇱)
http://104.248.93.159/bins/ #opendir
C2 port: 8372/tcp
Type: Mirai-like #malwarehttps://t.co/ghvpHMmhF4
Exploit source IP: 68.183.151.62 (🇺🇸)
Vulnerability: CVE-2017-17215#threatintel pic.twitter.com/YIZumv5k9B— Bad Packets Report (@bad_packets) June 23, 2019
⚠️ WARNING ⚠️
Mirai-like botnet C2 server detected: 91.134.120.5 (🇫🇷)
Hosting provider: Infinity Hosting Services (🇩🇪)
Network provider: OVH (AS16276 🇫🇷)#threatintel pic.twitter.com/sDwnBFhtPR— Bad Packets Report (@bad_packets) June 20, 2019
🚨 ALERT 🚨
Active command-and-control (C2) server detected. https://t.co/unTTHRfMp8— Bad Packets Report (@bad_packets) June 18, 2019
New payload targeting #Huawei routers detected:
http://178.62.27.133/bins/frosty.mips (🇬🇧)
http://178.62.27.133/bins/ #opendir
Type: Mirai-like #malwarehttps://t.co/mr8u5HFPdL
C2 IP: 68.183.151.62 (DigitalOcean 🇺🇸)
C2 port: 8372/tcp
Vulnerability: CVE-2017-17215#threatintel pic.twitter.com/SYZYqZBjuf— Bad Packets Report (@bad_packets) June 18, 2019
C2 server: 185.244.25.157
C2 port: 5034/tcp https://t.co/ViNKvvCPb2 pic.twitter.com/XOJBbAbsnI— Bad Packets Report (@bad_packets) June 18, 2019
New payload targeting @SchneiderElec "U.motion LifeSpace Management Systems" detected:
http://31.13.195.251/EC (🇧🇬 @VPSBG_EU)
Vulnerability exploited: CVE-2018-7841
Exploit (C2) IP: 188.165.179.9 (🇫🇷 @infinityhostcom)
C2 ports: 666, 358/tcp
Recon scan: Mirai-like #threatintel
— Bad Packets Report (@bad_packets) June 17, 2019
C2 server: 68.183.55.5
C2 port: 9375/tcp (Telnet) pic.twitter.com/ppTmHCfQbw
— Bad Packets Report (@bad_packets) June 17, 2019
⚠️ WARNING ⚠️
Ongoing exploit attempts
Active C2 server #threatintel https://t.co/G8soHUAa8w pic.twitter.com/ssIdF9Ejmm
— Bad Packets Report (@bad_packets) June 16, 2019
New payload targeting #Linksys routers detected:
http://79.137.123.208/bins/mpsl (🇫🇷) https://t.co/vTYSzWkrhM
ftp://79.137.123.208/ #opendir
C2 port: 555/tcp (Telnet)
Type: Mirai-like #malware
Exploit source IP: 74.210.238.108 (🇨🇦)
Target Port: 8080/tcp pic.twitter.com/eVCifhPw9U
— Bad Packets Report (@bad_packets) June 15, 2019
ANDYPANDY botnet C2 detections last 7 days:
104.244.76.15 (🇱🇺)
209.141.55.73 (🇺🇸)
193.70.26.48 (🇫🇷)
181.197.5.215 (🇵🇦)
Mainly targets #Android Debug Bridge (ADB) endpoints (5555/tcp). Recon scan uses ZMap.
— Bad Packets Report (@bad_packets) June 13, 2019
⚠️ WARNING ⚠️
New payload targeting D-Link devices detected:
http://62.210.207.229/t (🇫🇷)
http://62.210.207.229/bins/owari.* #opendir
C2 port: 89/tcp (Telnet)
Type: Mirai-like #malware https://t.co/H80SNjpLuF
Exploit source IPs:
209.141.37.17 (🇺🇸)
27.121.223.185 (🇯🇵) pic.twitter.com/mvO7WSwMb6
— Bad Packets Report (@bad_packets) June 1, 2019
New payload targeting Linksys routers detected:
http://205.185.126.154/AB4g5/Extendo.mpsl (🇺🇸)https://t.co/t6qyUxKKnl
C2 port: 1024/tcp (Telnet)
Exploit source IP: 209.141.37.173 (🇺🇸)
Recon scan: ZMap
Target Ports: 8088, 8080/tcp
Mirai-like #malware #opendir pic.twitter.com/UtP1qKoA4F
— Bad Packets Report (@bad_packets) May 25, 2019
A week later, this C2 is still active. The service provider @Scaleway acknowledged our report, yet took no action.
Meanwhile, a new payload called "z3hir" was detected: https://t.co/SL9INIWvDx pic.twitter.com/govU3heKaS
— Bad Packets Report (@bad_packets) May 20, 2019
New #malware payload and C2 detected
Exploit target: Realtek devices (CVE-2014-8361)
Target port: 52869/tcp
Payload: http://62.210.207.229/ntpd (https://t.co/vmMWAs3EmU)
#OpenDir: ftp://62.210.207.229/
C2 port: 89/tcp (telnet) pic.twitter.com/PiRA8lRnrq
— Bad Packets Report (@bad_packets) May 13, 2019
Mirai-like botnet C2: 88.218.94.20 (🇺🇸)
Status: Active
Realtek exploit CVE-2014-8361 payload: http://88.218.94.20/ntpd (https://t.co/dsp82tTR1V)
✅ Added to monitoring pic.twitter.com/rIlYd1IAro
— Bad Packets Report (@bad_packets) May 11, 2019