DDoS Botnet C2 Detections

Example DDoS botnet command-and-control (C2) servers detected by Bad Packets® Cyber Threat Intelligence

Active DDoS malware command-and-control (C2) server detected.

IP address: 194.37.82.252 (🇬🇧)
Hosting provider: Clouvider (AS62240)

C2 ports:
281/tcp
1010/tcp

Payload:
http://194.37.82.252/bins.sh
http://194.37.82.252/ #opendir #threatintel pic.twitter.com/nRtCFNGmWR

— Bad Packets (@bad_packets) January 21, 2021

Active DDoS malware command-and-control (C2) server detected.

IP address: 46.249.33.97 (🇳🇱)
Hosting provider: Serverius (AS50673)

C2 ports:
999/tcp
55312/tcp

Payload:
http://46.249.33.97/cache
ftp://46.249.33.97/ #opendir

Exploit target:
CVE-2018-10561#threatintel pic.twitter.com/8MMSY0DKh8

— Bad Packets (@bad_packets) January 21, 2021

Active DDoS malware command-and-control (C2) server detected.

IP address: 75.127.6.23 (🇺🇸)
Hosting provider: VirMach (AS36352)

C2 ports:
666/tcp
775/tcp

Payload:https://t.co/zMshQQrRbX
http://75.127.6.23/SBIDIOT/ #opendir

Exploit target:
CVE-2017-17215#threatintel pic.twitter.com/yVyLacCYMx

— Bad Packets (@bad_packets) November 20, 2020

Active DDoS malware command-and-control (C2) server detected.

IP address: 5.253.84.197 (🇳🇱)
Hosting provider: HostSlick (AS208046)

C2 ports:
666/tcp
6660/tcp
9999/tcp

Target:
AVTECH IP camera / DVR RCE (multiple)

Payload:
http://5.253.84.197/bins/mirai.arm7 #threatintel pic.twitter.com/CCC0d18tg9

— Bad Packets (@bad_packets) October 24, 2020

Active DDoS malware command-and-control (C2) server detected.

IP address: 5.252.194.137 (🇷🇺)
Hosting provider: IpServer[.]su (AS44812)

C2 ports:
51847/tcp
56412/tcp

Payload:
http://5.252.194.137/usb.sh

Target: Tenda router RCE (CVE-2020–10987)#threatintel pic.twitter.com/YMuxZ0HVjY

— Bad Packets (@bad_packets) October 16, 2020

Active DDoS malware command-and-control (C2) server detected.

IP address: 5.252.194.29 (🇷🇺)

C2 ports:
4321/tcp
31847/tcp
56412/tcp

Payloads:
/netis
/usb.sh

Vulnerabilities targeted:
Netis router RCE (CVE-2019-19356)
Tenda router RCE (CVE-2020–10987)#threatintel pic.twitter.com/tQGsDkox0j

— Bad Packets (@bad_packets) October 5, 2020

Active DDoS malware command-and-control (C2) server detected.

IP address: 192.210.214.51 (🇺🇸)
Hosting provider: VirMach (AS36352)

C2 ports:
36457/tcp
55665/tcp

Payload: "Astra.mpsl" https://t.co/GGCFRaN4wJ

Target: Linksys router RCE vulnerability#threatintel

— Bad Packets (@bad_packets) October 2, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 78.142.18.20 (🇳🇱)
Hosting provider: HostSlick (AS208046)

C2 ports:
1312/tcp
3912/tcp

Payload:
http://78.142.18.20/fetch.sh

Target:
vBulletin RCE vulnerability CVE-2020-17496 #threatintel pic.twitter.com/FGEZmc8K0c

— Bad Packets (@bad_packets) September 1, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 5.206.227.136 (🇵🇹)
Hosting provider: BlazingFast (AS49349)

C2 ports:
45/tcp
34712/tcp

Payload:
http://5.206.227.136/zzz/wowe.*
http://5.206.227.136/zzz/ #opendir #threatintel pic.twitter.com/9PfCmwx9UC

— Bad Packets (@bad_packets) August 22, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 185.172.110.185 (🇳🇱)
Hosting provider: BladeServers (AS206898)

Vulnerabilities exploited:
D-Link router RCE
MVPower DVR (JAWS) RCE
Netlink GPON router RCE
ZyXEL router RCE CVE-2017-18368#threatintel pic.twitter.com/9fnhKyZyes

— Bad Packets (@bad_packets) August 17, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 185.172.111.181 (🇳🇱)
Hosting provider: BladeServers (AS206898)

C2 ports:
45/tcp
34712/tcp

Payload:
http://190.115.18.144/g
http://185.172.111.181/bins #opendir

Target: HiSilicon DVR RCE#threatintel pic.twitter.com/mfpWgce6Kr

— Bad Packets (@bad_packets) July 20, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 198.211.110.4 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
733/tcp
961/tcp

Target:
Realtek RCE CVE-2014-8361
DrayTek RCE CVE-2020-8515

Payload:
"mips"https://t.co/fIiXWHtm3M #threatintel pic.twitter.com/fM7Jqqw2kP

— Bad Packets (@bad_packets) July 19, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 185.172.110.243 (🇳🇱)
Hosting provider: BladeServers (AS206898)

C2 ports:
4554/tcp
56084/tcp

Payload:https://t.co/1WsjJS6Hzf

Target:
Huawei RCE vulnerability CVE-2017-17215#threatintel pic.twitter.com/CqsbzwcU2c

— Bad Packets (@bad_packets) July 13, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 194.15.36.47 (🇩🇪)
Hosting provider: private-hosting[.]eu (AS24961)

C2 ports:
5034/tcp
59314/tcp

Vulnerabilities targeted:
Huawei RCE (CVE-2017-17215)
Realtek RCE (CVE-2014-8361)
ZTE RCE #threatintel pic.twitter.com/gOAkTllq3u

— Bad Packets (@bad_packets) June 27, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 80.82.70.140 (🇳🇱)
Hosting provider: IP Volume (AS202425)

C2 ports:
49152/tcp
65535/tcp

Payload:
(see attached tweet)

Target:
MVPower DVR (JAWS web server) RCE#threatintel https://t.co/NqSn5V5QdQ

— Bad Packets (@bad_packets) June 24, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 192.236.146.153 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
12942/tcp
17244/tcp

Payload: https://t.co/SeFLOPZKhQ

Target:
MVPower DVR (JAWS Web Server) RCE vulnerability#threatintel pic.twitter.com/8ZBF8WhBOG

— Bad Packets Report (@bad_packets) June 14, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 37.49.224.183 (🇳🇱)
Hosting provider: AS199264

C2 ports:
50821/tcp
58666/tcp

Payload:https://t.co/vNJmrdazIX

Target:
ZyXEL router RCE vulnerability CVE-2017-1836#threatintel pic.twitter.com/2lXYhNBtC6

— Bad Packets Report (@bad_packets) June 11, 2020

Active DDoS malware command-and-control (C2) server detected.

IP address: 85.204.116.87 (🇷🇴)
Hosting provider: Hostmaze (AS48874)

C2 ports:
131/tcp
16850/tcp

Payload: https://t.co/GMAtorDuhL

Target:
Routers vulnerable to CVE-2014-8361 (Realtek RCE)#threatintel https://t.co/TrPTvYu89X

— Bad Packets Report (@bad_packets) June 10, 2020

Active DDoS malware command-and-control (C2) server detected.

IP address: 37.49.224.159 (🇳🇱)
Hosting provider: AS199264 https://t.co/M6eJ69nQyc

C2 ports:
420/tcp
666/tcp

Payload:
arm4https://t.co/ppotHh6xre
arm6https://t.co/GxNzuGsl1F

Target:
MVPower DVR RCE#threatintel pic.twitter.com/8KLFFVG5te

— Bad Packets Report (@bad_packets) June 4, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 23.254.164.76 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
89/tcp
1337/tcp

Payload:
"mmmmh.mips"https://t.co/HvL48Sv9c0

Target:
Netgear router RCE vulnerability#threatintel pic.twitter.com/NDQvD0Npmp

— Bad Packets Report (@bad_packets) May 30, 2020

Active DDoS malware command-and-control (C2) server detected.

IP address: 37.49.226.220 (🇳🇱)
Hosting provider: AS208666 (https://t.co/ZusFyn1YfH)

C2 ports:
666/tcp
1111/tcp

Payload: https://t.co/eohzQhqxY3

Target:
ZyXEL router RCE CVE-2017-18368
MVPower DVR RCE#threatintel pic.twitter.com/lN6kQqqzkg

— Bad Packets Report (@bad_packets) May 30, 2020

Active DDoS malware command-and-control (C2) server detected.

IP address: 172.245.52.231 (🇺🇸)
Hosting provider: VirMach
Network provider: AS36352

C2 ports:
5555/tcp
17012/tcp

Payload: "mpsl" https://t.co/0dh22U77OS

Target: Linksys router RCE vulnerability#threatintel pic.twitter.com/Ohz5DHSBt1

— Bad Packets Report (@bad_packets) May 29, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 94.102.63.52 (🇳🇱)
Hosting provider: IP Volume (AS202425)

C2 ports:
9102/tcp

Target:
Linksys router RCE
Eir D1000 router RCE
MVPower DVR (JAWS web server) RCE

ftp://94.102.63.52/ #opendir #threatintel pic.twitter.com/t69KTt7lu5

— Bad Packets Report (@bad_packets) May 28, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 134.209.86.250 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
420/tcp
999/tcp

Target:
AVTECH IP camera / NVR / DVR RCE (multiple)

Payload:
*.SNOOPYhttps://t.co/vc0LrVRMp0 #threatintel pic.twitter.com/wxHrxasTJt

— Bad Packets Report (@bad_packets) May 20, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 45.14.151.249 (🇷🇴)
Hosting provider: hostsolutions[.]ro (AS44220)

C2 ports:
1920/tcp
3099/tcp

Target: Linksys router remote code execution vulnerability

ftp://45.14.151.249/ #opendir #threatintel pic.twitter.com/tlnif0ZBls

— Bad Packets Report (@bad_packets) May 16, 2020

Active DDoS malware command-and-control (C2) server detected.

IP address: 139.99.237.109 (🇦🇺)
Hosting provider: OVH (AS16276)

C2 ports:
114/tcp
60010/tcp

Target:
CVE-2018-10561 (GPON router RCE)

Payload: https://t.co/vePp7NKj10
ftp://139.99.237.109/ #opendir #threatintel pic.twitter.com/mRIAAvCkir

— Bad Packets Report (@bad_packets) May 12, 2020

Active DDoS malware command-and-control (C2) server detected.

IP address: 193.228.91.105 (🇺🇸)
Hosting provider: RebeccaHost (AS44685)

C2 ports:
1024/tcp
1982/tcp

Target:
DrayTek RCE (CVE-2020-8515)
Grandstream RCE (CVE-2020-5722)

Payload: https://t.co/vQL15HbNXi #threatintel pic.twitter.com/YdI5oe0PtB

— Bad Packets Report (@bad_packets) May 10, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 45.95.169.249 (🇭🇷)
Hosting provider: MAXKO (AS42864)

C2 ports:
3074/tcp
65535/tcp

Target:
Routers vulnerable to CVE-2014-8361 (Realtek RCE)
ZTE router RCE

Payload: https://t.co/0dRGnIcUPZ #threatintel pic.twitter.com/hQ2Owjlutk

— Bad Packets Report (@bad_packets) May 5, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 159.203.2.6 (🇨🇦)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
34241/tcp
39284/tcp

Target:
AVTECH IP camera / NVR / DVR RCE
MVPower DVR (JAWS) RCE
Netgear router RCE#threatintel pic.twitter.com/A6jVCH3ZT8

— Bad Packets Report (@bad_packets) May 3, 2020

Active #DDoS malware command-and-control (C2) server detected.

IP address: 37.49.226.230 (🇳🇱)
Hosting provider: Estroweb/Vitox/Cloudstar/Xemu/other fake names AS208666 (🇳🇱)

C2 ports:
9993/tcp
55451/tcp

Target: Netgear router remote code execution vulnerability #threatintel pic.twitter.com/Xq4o4iRhor

— Bad Packets Report (@bad_packets) May 3, 2020

Active #DDoS malware command-and-control (C2) server detected. https://t.co/JK5C5ZBLEX

IP address: 194.36.188.170 (🇳🇱)
Hosting provider: HostSailor (AS60117) 🇦🇪

C2 ports:
3002/tcp
60552/tcp

Target: MVPower DVR (JAWS Web Server) RCE

ftp://194.36.188.170/ #opendir #threatintel pic.twitter.com/j9laVdYRlf

— Bad Packets Report (@bad_packets) May 1, 2020

Active DDoS malware command-and-control (C2) server detected.

IP address: 45.14.151.249 (🇷🇴)
Hosting provider: https://t.co/8DO0DSXr82 (AS44220)

C2 ports:
1920/tcp
9090/tcp

Vulnerability exploited: MVPower DVR (JAWS Web Server) RCE

ftp://45.14.151.249/ #opendir #threatintel pic.twitter.com/4geX0wni6E

— Bad Packets Report (@bad_packets) April 28, 2020

Active DDoS botnet command-and-control (C2) server detected.

IP address: 185.244.217.126 (🇳🇱)
Hosting provider: Zomro B.V. (AS204601)

C2 ports:
449/tcp
1253/tcp

Vulnerability exploited: AVTECH RCE (multiple)

Payload: arm7.samourahttps://t.co/oTIdJjkHPz #malware #threatintel pic.twitter.com/7KH1r2836z

— Bad Packets Report (@bad_packets) March 31, 2020

Active DDoS botnet command-and-control (C2) server detected.

IP address: 159.203.45.44 (🇨🇦)
Hosting provider: DigitalOcean (AS14061)

C2 ports: 23 & 1111/tcp

Exploit attempt source IP: 62.171.161.248 (🇩🇪)

Vulnerability exploited: MVPower DVR (JAWS Web Server) RCE#threatintel pic.twitter.com/qJvMVQdpoa

— Bad Packets Report (@bad_packets) March 19, 2020

Active DDoS botnet command-and-control (C2) server detected.

IP address: 144.91.79.5 (🇩🇪)
Hosting provider: Contabo (AS51167)

C2 ports:
733/tcp
1337/tcp

Vulnerability exploited: ZyXEL NAS Remote Command Injection (CVE-2020-9054) https://t.co/nitzqZ9YkR #threatintel https://t.co/GVn4zBJBaz

— Bad Packets Report (@bad_packets) March 15, 2020

Active DDoS botnet command-and-control (C2) server detected.

IP address: 172.245.6.129 (🇺🇸)
Hosting provider: VirMach
Network provider: AS36352

C2 ports:
52/tcp
8122/tcp

Payload: "nvitpj" https://t.co/3hh2YEtGpM

Target: MVPower DVR (JAWS web server) RCE#threatintel pic.twitter.com/ucrOvhSBXp

— Bad Packets Report (@bad_packets) March 13, 2020

Active DDoS botnet command-and-control (C2) server detected.

IP address: 45.84.196.178 (🇩🇪)
Hosting provider: private-hosting[.]eu (AS24961)

C2 ports:
666/tcp
747/tcp

Payload: "armv6l"https://t.co/lz8GpOel2N

Target: MVPower DVR (JAWS web server) RCE#threatintel #malware pic.twitter.com/d3w7YbPGZE

— Bad Packets Report (@bad_packets) March 12, 2020

Active DDoS botnet command-and-control (C2) server detected.

IP address: 104.248.231.220 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
282/tcp
922/tcp

Vulnerability exploited: AVTECH RCE

Payload: roots.arm7 (https://t.co/1vrvZ3gnYs) #malware #threatintel pic.twitter.com/mpNESF3PCh

— Bad Packets Report (@bad_packets) March 6, 2020

Active DDoS botnet command-and-control (C2) server detected.

IP address: 5.39.217.219 (🇳🇱)
Hosting provider: HOSTKEY (AS57043)

C2 ports:
7/tcp
936/tcp

Payload: "mips"(https://t.co/zFcN867cxf)

http://5.39.217.219/SBIDIOT/ #opendir

Target: ZTE router RCE#threatintel https://t.co/NcluvuJWgc

— Bad Packets Report (@bad_packets) March 4, 2020

Active DDoS botnet command-and-control (C2) server detected.

IP address: 45.148.10.194 (🇳🇱)
Hosting provider: dmzhost[.]co (AS48090)

C2 ports:
24136/tcp
38565/tcp

Payload: "mips"(https://t.co/uBvS42kGBG)

Target: D-Link router RCE vulnerability#threatintel pic.twitter.com/5EwRdQnDIX

— Bad Packets Report (@bad_packets) February 28, 2020

🚨 ALERT 🚨
Active DDoS botnet command-and-control (C2) server detected!

IP address: 172.245.6.129 (🇺🇸)
Hosting provider: VirMach
Network provider: AS36352

C2 ports:
42/tcp
45637/tcp

Payload: orbitclien.armv7l (https://t.co/9y7737LS9P)

Target: JAWS webserver RCE#threatintel pic.twitter.com/Ruv6SylHiJ

— Bad Packets Report (@bad_packets) February 27, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet command-and-control (C2) server detected!

IP address: 167.172.251.116 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
9506/tcp
9621/tcp

Target: AVTECH devices RCE

Payload: xd.arm7 (https://t.co/95hBVF3mvF) #malware #threatintel pic.twitter.com/SfqoznKQfa

— Bad Packets Report (@bad_packets) February 24, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet command-and-control (C2) server detected!

IP address: 104.155.220.235 (🇺🇸)
Hosting provider: Google Cloud (AS15169)

C2 ports:
18819/tcp
40666/tcp

Target: Netgear and Huawei router RCE

Payload: https://t.co/APhvKnZgUe #malware #threatintel https://t.co/zWa8XCNtR4

— Bad Packets Report (@bad_packets) February 24, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet command-and-control (C2) server detected!

IP address: 51.79.70.163 (🇨🇦)
Hosting provider: OVH (AS16276)

C2 ports:
3455/tcp
64537/tcp

Payload: Bread.*(https://t.co/1baGdxg2Em) #malware

http://breadsecurity[.]xyz/bins/ #opendir #threatintel https://t.co/buasN4VCsm pic.twitter.com/9p61j0ZR57

— Bad Packets Report (@bad_packets) February 15, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet command-and-control (C2) server detected!

IP address: 37.49.226.137 (🇳🇱)
Hosting provider: Cloud Star Hosting Services (AS208666)

C2 ports:
9375/tcp
39284/tcp

Payload: z3hir.mips (https://t.co/n2zSxxz4aX) #malware #threatintel pic.twitter.com/4vSAUWAfS5

— Bad Packets Report (@bad_packets) February 12, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet command-and-control (C2) server detected!

IP address: 164.132.92.139 (🇫🇷)
Hosting provider: DefineQuality
Network provider: OVH (AS16276)

C2 ports:
187/tcp
2525/tcp

Payload: vbrxmr.arm7 (https://t.co/SFfZ0lbfxe) #malware #threatintel pic.twitter.com/GXly2Rkl8S

— Bad Packets Report (@bad_packets) February 11, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 190.115.18.86 (🇧🇿)
Hosting provider: DDoS-GUARD (AS262254)

C2 ports:
6323/tcp
8744/tcp

Payload: arm7 (https://t.co/LFdCS73rj6) #malware
http://190.115.18.86/b/ #opendir #threatintel pic.twitter.com/rkVIE5Zm4t

— Bad Packets Report (@bad_packets) February 11, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 178.128.183.31 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
24136/tcp
38565/tcp

Payload: http://178.128.183.31/arm7 (https://t.co/Re6WxZZj0O)
Target: MVPower DVR (JAWS web server) RCE#threatintel pic.twitter.com/Vjl6LHp8Hz

— Bad Packets Report (@bad_packets) February 11, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 131.153.30.60 (🇺🇸)
Hosting provider: Host4Fun
Network provider: AS11572

C2 ports:
420/tcp
6969/tcp

Payload:
Depression.armv7l #malware https://t.co/6BE62q1mNe
ftp://131.153.30.60/ #opendir #threatintel pic.twitter.com/FvrreUUgjM

— Bad Packets Report (@bad_packets) February 10, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 192.210.239.102 (🇺🇸)
Hosting provider: VirMach
Network provider: AS36352

C2 ports:
3/tcp
1111/tcp

Payloads:
m-i.p-s.GHOULhttps://t.co/ntOiaH8vPo
a-r.m-7.GHOULhttps://t.co/N9DpG41V39 #malware #threatintel pic.twitter.com/ZtQ62Ov6ov

— Bad Packets Report (@bad_packets) February 10, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 205.134.182.116 (🇺🇸)
Hosting provider: AiNET (AS6405)

C2 ports:
120/tcp
1028/tcp

ftp://205.134.182.116/ #opendir
Payload: Heartless~Security.*(https://t.co/XfDVUJ5Pq6) #malware #threatintel pic.twitter.com/C28hXkrhZ2

— Bad Packets Report (@bad_packets) February 4, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 207.154.212.220 (🇩🇪)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
5301/tcp
9545/tcp

http://207.154.212.220/bins/ #opendir
Payload: Stanleyy.* (https://t.co/MuqjJLhdTg) #malware #threatintel pic.twitter.com/IwQhouLJ0H

— Bad Packets Report (@bad_packets) February 2, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 206.81.1.189 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
9375/tcp
39284/tcp

http://206.81.1.189/beastmode/ #opendir
Payload: b3astmode.* (https://t.co/v0KK1op7D8) #malware #threatintel https://t.co/6yADjxygDk pic.twitter.com/4kH9P1QBky

— Bad Packets Report (@bad_packets) January 27, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 89.34.27.57 (🇷🇴)
Hosting provider: ZetServers (AS25198)

C2 ports:
8348/tcp
34529/tcp

Payload:
http://89.34.27.57/sh
*.okuma (https://t.co/l0VdTfbQK2)
http://89.34.27.57/bins/ #opendir #threatintel

— Bad Packets Report (@bad_packets) January 23, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 68.183.219.115 (🇩🇪)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
28194/tcp
52921/tcp

http://68.183.219.115/QpasYU/ #opendir
Payload: IpvLye.* (https://t.co/l029qmvuRq)
Target: CVE-2017-18368#threatintel https://t.co/wYXtuh1E8S pic.twitter.com/7c9AB4DXhj

— Bad Packets Report (@bad_packets) January 10, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 45.148.10.160 (🇳🇱)
Hosting provider: DMZHOST (AS48090)

C2 ports:
45/tcp
34712/tcp

ftp://45.148.10.160/ #opendir
Payload: zyxel (https://t.co/amEQkkAGqR)
Target: CVE-2017-18368 (ZyXEL router RCE)#threatintel pic.twitter.com/CQYAYM6Riy

— Bad Packets Report (@bad_packets) January 8, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 199.217.116.22 (🇺🇸)
Hosting provider: GoDaddy (AS30083)

C2 ports:
420/tcp (panel)
65134/tcp (logs)

Payload: PQKill.arm7 (https://t.co/LPHUe6sv1U)
Target: JAWS web server (MVPower DVR) RCE#threatintel https://t.co/SuvEstLqo1

— Bad Packets Report (@bad_packets) January 3, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 158.69.236.40 (🇨🇦)
DNS: projectqishu[.]com
Hosting provider: OVH (AS16276)

C2 ports:
420/tcp
65134/tcp

http://projectqishu[.]com/bins/ #malware #opendir
Payload: PQv1.* (https://t.co/nxMYlOmtYQ)#threatintel https://t.co/2LfuuU8DgH pic.twitter.com/3CSDfsW4ZP

— Bad Packets Report (@bad_packets) January 2, 2020

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 176.123.4.234 (🇲🇩)
DNS: udptcp.packetsv4[.]tk
Hosting provider: AlexHost (AS200019)

C2 port: 56473/tcp (panel)

Payload: Packets.* (https://t.co/bFUfWNqeG2)
http://176.123.4.234/bins/ #opendir #threatintel https://t.co/w7O6oa3l7D pic.twitter.com/KQ9Mhwmm6a

— Bad Packets Report (@bad_packets) December 29, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 185.242.104.13 (🇷🇺)
Hosting provider: Veesp
Network provider: AS43317

C2 ports:
666/tcp
64064/tcp

Payload: yama.* (https://t.co/3vmQ0faHzW)
ftp://185.242.104.13/pub/ #opendir #threatintel https://t.co/hJGdrbVAA8

— Bad Packets Report (@bad_packets) December 28, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 185.172.110.204 (🇳🇱)
C2 port: 7498/tcp
Hosting provider: BladeServers (AS206898)

Payload: daddyscum.arm7 (https://t.co/WhKZ8wBmGV)
Target: JAWS web server RCE
http://185.172.110.204/nope/ #opendir #threatintel pic.twitter.com/85R0uzUPLh

— Bad Packets Report (@bad_packets) December 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 104.168.149.5 (🇺🇸)
C2 port: 2001/tcp
Hosting provider: Hostwinds (AS54290)

Payload: Packets.mips
(https://t.co/cM4CBjdVcN)
http://104.168.149.5/bins/ #opendir #threatintel pic.twitter.com/8eMEjN7Vti

— Bad Packets Report (@bad_packets) December 26, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 165.22.193.111 (🇳🇱)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
9375/tcp
39284/tcp

Target: CVE-2017-17215
Payload: z3hir.mips
(https://t.co/5Lz78CyNwT)
ftp://165.22.193.111/ #opendir #threatintel pic.twitter.com/UMJUv2LHAN

— Bad Packets Report (@bad_packets) December 26, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 198.211.59.149 (🇺🇸)
Hosting provider: Multacom (AS35916)

C2 port: 2001/tcp

Malware payload: mybotnettrash.mips (https://t.co/0UFiaLeTJy)
Exploit target: Routers vulnerable to CVE-2014-8361#threatintel pic.twitter.com/R3Yg0trf3P

— Bad Packets Report (@bad_packets) December 26, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 173.82.105.129 (🇺🇸)
Hosting provider: Multacom (AS35916)

C2 ports:
1052/tcp
7474/tcp

Malware payload: armv6l (https://t.co/WAGDW23zZP)
Target: JAWS web server RCE
ftp://173.82.105.129/ #opendir #threatintel pic.twitter.com/loboT5FjSk

— Bad Packets Report (@bad_packets) December 23, 2019

DDoS botnet C2 active again.
IP address: 185.172.110.243 (🇳🇱)
C2 port: 4554/tcp
Payload: http://185.172.110.243/mips (https://t.co/giRXALU2Gy)
ftp://185.172.110.243/ #opendir
Hosting provider: BladeServers (AS206898)

Exploit target: Huawei RCE (CVE-2017-17215)#threatintel https://t.co/j9YQv498Q3 pic.twitter.com/qlBi7kssQx

— Bad Packets Report (@bad_packets) December 23, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 50.115.166.137 (🇺🇸)
Hosting provider: Virpus (AS32875)

C2 ports:
2416/tcp
3456/tcp

Exploit source IP: 104.248.230.48 (🇺🇸)
Target: Netgear RCE
Payload: Legacy.mips
(https://t.co/zitpsgsXoM)#threatintel pic.twitter.com/2G1dyqV6DY

— Bad Packets Report (@bad_packets) December 18, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 46.166.151.200 (🇳🇱)
Hosting provider: NFOrce Internet Services (AS43350)

C2 ports:
122/tcp
1212/tcp

Payload:
http://46.166.151.200/arm7 (https://t.co/qFjT6o5rKR)

Target:
JAWS web server RCE#threatintel pic.twitter.com/u2mEwctSpF

— Bad Packets Report (@bad_packets) December 11, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 5.79.70.165 (🇳🇱)
Hosting provider: Leaseweb (AS60781)

C2 ports:
158/tcp
9999/tcp

Payload:
http://5.79.70.165/snype.mips (https://t.co/D3aTQ6jQKP)

Target:
Huawei routers (CVE-2017-17215)#threatintel pic.twitter.com/mNK0HoBy1S

— Bad Packets Report (@bad_packets) December 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 194.50.171.185 (🇷🇺)
Hosting provider: JustHost[.]ru (AS49392)

C2 ports:
87/tcp
444/tcp

Payload:
http://194.50.171.185/Venom.sh
Ouija_M.ips (https://t.co/0ew0KrPAh1)

Target:
D-Link routers#threatintel pic.twitter.com/DjVezSC1Ne

— Bad Packets Report (@bad_packets) December 4, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 23.254.224.153 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
45/tcp
34712/tcp

Target: CVE-2014-8361
Payload: Oblivion.mips
(https://t.co/TJCWvj5esf)
http://23.254.224.153/bins/ #opendir #threatintel pic.twitter.com/sye7r01QPH

— Bad Packets Report (@bad_packets) November 30, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 185.112.249.39 (🇬🇧)
Hosting provider: SharkServers (AS202939)

C2 ports:
1024/tcp
1982/tcp

Target: CVE-2014-8361
Payload: UnHAnaAW.mips (https://t.co/ced5WdJ5kJ)
ftp://185.112.249.39/ #opendir #threatintel pic.twitter.com/3DXJebEz66

— Bad Packets Report (@bad_packets) November 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 165.227.35.105 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)

C2 port: 55312/tcp

Target: Netgear routers
Payload: http://165.227.35.105/mips (https://t.co/PezcqTXqat)
ftp://165.227.35.105/ #opendir #threatintel pic.twitter.com/KHlDvLUU6P

— Bad Packets Report (@bad_packets) November 23, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 51.79.66.236 (🇨🇦)
Hosting provider: OVH (AS16276)

C2 ports:
87/tcp (logs)
444/tcp (panel)

Targets:
D-Link RCE
ThinkPHP RCE

Payload:
Venom[.]sh
Ouija_M.ips
Ouija_x.86https://t.co/wIx60659VK #threatintel pic.twitter.com/TUZx3LWC9g

— Bad Packets Report (@bad_packets) November 21, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 194.15.36.41 (🇩🇪)
Hosting provider: private-hosting[.]eu
Network provider: AS24961

C2 ports:
20/tcp (panel)
88/tcp (logs)

Target: CVE-2017-17215
Payload: orphic.mips (https://t.co/Qk8FiZCwec)#threatintel pic.twitter.com/2T2WS4HE1X

— Bad Packets Report (@bad_packets) November 21, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 2.56.8.188 (🇬🇧)
Hosting provider: SonicFast
Network provider: AS25369

C2 ports:
9874/tcp
55312/tcp

Payload: http://2.56.8.188/axisbins.sh
ftp://2.56.8.188/ #opendir https://t.co/F47BnPQboH #threatintel pic.twitter.com/MD83yan6bX

— Bad Packets Report (@bad_packets) November 17, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 167.71.175.87 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
420/tcp
666/tcp

Payload:
http://167.71.175.87/axisbins.sh

Vulnerability exploited:
Huawei RCE (CVE-2017-17215)#threatintel pic.twitter.com/7JJ2zia52n

— Bad Packets Report (@bad_packets) November 13, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 168.235.90.130 (🇺🇸)
Hosting provider: RamNode (AS3842)

C2 ports:
1738/tcp
6060/tcp

Target: JAWS web server RCE
Payload: http://168.235.90.130/love/trixbins.sh https://t.co/GYGT7tTmyy #threatintel pic.twitter.com/rceBH1rsok

— Bad Packets Report (@bad_packets) November 5, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 2.56.8.157 (🇬🇧)
Hosting provider: SonicFast
Network provider: AS25369

C2 ports:
748/tcp
1742/tcp

Target: JAWS web server RCE (60001/tcp)
Payload: http://2.56.8.157/UwUsh https://t.co/ROqx7MBgIu #threatintel pic.twitter.com/RcTUm5ZdpP

— Bad Packets Report (@bad_packets) November 1, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 89.35.39.74 (🇷🇴)
Hosting provider: https://t.co/8DO0DSXr82 (AS206898)

C2 ports:
1092/tcp
1920/tcp

Vulnerabilities exploited:
CVE-2017-18368 (ZyXEL RCE)
Payload: https://t.co/WKvGAwFTuk #threatintel pic.twitter.com/n9bwiY5Ov9

— Bad Packets Report (@bad_packets) November 1, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 185.172.110.243 (🇳🇱)
Hosting provider: BladeServers (AS206898)

C2 ports:
4554/tcp
56084/tcp

Vulnerabilities exploited:
CVE-2017-18368https://t.co/X236JYX65i
ftp://185.172.110.243/ #opendir #threatintel pic.twitter.com/097EjLemKb

— Bad Packets Report (@bad_packets) October 31, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 142.11.205.42 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
2848/tcp
46216/tcp

Payload: http://142.11.205.42/mips https://t.co/CBXuGq02L6
Target: CVE-2014-8361 (Realtek RCE)#threatintel pic.twitter.com/PFpibSnKLK

— Bad Packets Report (@bad_packets) October 30, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 35.236.44.15 (🇺🇸)
Hosting provider: Google Cloud (AS15169)

C2 ports:
1338/tcp
31337/tcp

Payload: http://35.236.44.15/zzz/mips.idopoc https://t.co/W5Ai2Owhjz
Target: Huawei RCE (CVE-2017-17215)#threatintel pic.twitter.com/mkgOxTl7eI

— Bad Packets Report (@bad_packets) October 30, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet (fbot) C2 server detected!

IP address: 5.206.227.65 (🇵🇹)
Hosting provider: BlazingFast (AS49349)

C2 ports:
6592/tcp
6593/tcp

Payload: http://5.206.227.65/w.sh https://t.co/6YwBq22BTL
Target: JAWS web server RCE (60001/tcp)#threatintel pic.twitter.com/S8SaHVlNMW

— Bad Packets Report (@bad_packets) October 29, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 34.94.100.213 (🇺🇸)
Hosting provider: Google Cloud (AS15169)

C2 ports:
1338/tcp
31337/tcp

Payload: http://jarry[.]online/zzz/mips.idopoc https://t.co/1q4iMaF86w
Target: Huawei RCE (CVE-2017-17215)#threatintel pic.twitter.com/2zOSE9G3DK

— Bad Packets Report (@bad_packets) October 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 190.2.156.118 (🇳🇱)
Hosting provider: WorldStream (AS49981)

C2 ports:
19992/tcp
26663/tcp#threatintel https://t.co/OIlTenu7Vf pic.twitter.com/mQwK9RP2fQ

— Bad Packets Report (@bad_packets) October 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 142.11.227.208 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
81/tcp
21769/tcp

Payload: http://142.11.227.208/Realtek.sh https://t.co/532YSMO70w
http://142.11.227.208/bins/ #opendir #threatintel pic.twitter.com/8GrOLhSZTi

— Bad Packets Report (@bad_packets) October 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 5.252.193.53 (🇷🇺)
Hosting provider: IpServer (AS44812)

C2 port:
4201/tcp

Vulnerabilities exploited:
CVE-2014-8361
JAWS web server RCEhttps://t.co/kiZjqGSmBc
http://5.252.193.53/bins/ #opendir #threatintel pic.twitter.com/1uAZDpjVyy

— Bad Packets Report (@bad_packets) October 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 193.19.119.165 (🇺🇦)
Hosting provider: IpServer (AS44812)

C2 port:
4201/tcp (panel)

Vulnerability exploited: CVE-2017-17215
Payload: https://t.co/OyNwTYIPQm
http://193.19.119.165/bins/ #opendir #threatintel pic.twitter.com/JWj10gOSdp

— Bad Packets Report (@bad_packets) October 23, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 145.239.212.59 (🇫🇷)
Hosting provider: BungeeCloud
ASN: AS16276 (OVH)

C2 ports:
8080/tcp (user panel)
43210/tcp

Payload: http://145.239.212.59/bwget.sh
http://185.236.229.23/kkkk/linux.* #opendir #threatintel pic.twitter.com/YNcZHNZV3Y

— Bad Packets Report (@bad_packets) October 22, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 85.204.116.49 (🇷🇴)
Domain: http://prismware[.]ml/ #opendir
Hosting provider: Hostmaze (AS48874)

C2 ports:
131/tcp
3143/tcp

Vulnerability exploited:
CVE-2014-8361

Payload:https://t.co/7MXFI8WQTi #threatintel pic.twitter.com/9msoHk06IH

— Bad Packets Report (@bad_packets) October 5, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 64.44.40.242 (🇺🇸)
Hosting provider: Nexeon Technologies (AS20278)

C2 ports:
1024/tcp
1982/tcp

Vulnerability exploited:
Netgear RCEhttps://t.co/jACB1BEEuE
http://64.44.40.242/bins/ #opendir #threatintel pic.twitter.com/gk3FOL8teM

— Bad Packets Report (@bad_packets) September 28, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 185.244.25.122 (🇳🇱)
Hosting provider: KV Solutions (AS60355)

C2 ports:
55667/tcp
62333/tcp

Vulnerability exploited:
CVE-2014-9727

Payload:
fuze[.]sh
203Xmi39S.*
ftp://185.244.25.122/ #opendir #threatintel pic.twitter.com/m5TcRo9jf8

— Bad Packets Report (@bad_packets) September 26, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 45.95.168.161 (🇭🇷)
Hosting provider: MAXKO Hosting
ASN: AS42864 (🇭🇺)

C2 ports:
26662/tcp
46664/tcp
56378/tcp

"fatrat/test" #malware https://t.co/EJGc6ZYnBr

http://45.95.168.161/fatrat/ #opendir #threatintel pic.twitter.com/VwzagZdpac

— Bad Packets Report (@bad_packets) September 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 142.11.210.231 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
1791/tcp
21769/tcp

Vulnerabilities exploited:
D-Link RCE
CVE-2017-17215 (Huawei)

http://142.11.210.231/bins/ #malware #opendir #threatintel pic.twitter.com/xM4j5NmYiT

— Bad Packets Report (@bad_packets) September 21, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 165.227.93.168 (🇺🇸)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
23/tcp
666/tcp (user panel)

Exploit target:
Netgear routers

ftp://165.227.93.168/ #malware #opendir https://t.co/lFXc6q9OjZ #threatintel pic.twitter.com/btKwE5iCrw

— Bad Packets Report (@bad_packets) September 15, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 104.168.199.188 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
42069/tcp (user panel)
46216/tcp (command logs)

Vulnerability exploited:
ZyXEL router RCE (CVE-2017-18368)#threatintel

— Bad Packets Report (@bad_packets) September 13, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 164.132.4.31 (🇫🇷)
Hosting provider: @infinityhostcom
ASN: AS16276 (OVH)

C2 ports:
36335/tcp
42689/tcp (user panel)

Payload: http://164.132.4.31/armv7l

Exploit source IP: 37.59.163.230 (🇫🇷)#threatintel

— Bad Packets Report (@bad_packets) September 11, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 50.115.162.6 (🇺🇸)
Hosting provider: @virpus
ASN: AS32875 (Wowrack)

C2 ports:
23/tcp (logs)
4352/tcp (panel)

Vulnerability exploited:
CVE-2017-17215 (Huawei RCE)

Payload: mips.light #malware #threatintel pic.twitter.com/13vdu9EFLU

— Bad Packets Report (@bad_packets) September 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 137.74.237.193 (🇫🇷)
Hosting provider: @infinityhostcom
ASN: AS16276 (OVH)

C2 ports:
151/tcp (logs)
666/tcp (panel)

Payload: TacoBellGodYo.*https://t.co/uINwaNMM4W

ftp://137.74.237.193/ #opendir #threatintel https://t.co/w5d70vS7lb pic.twitter.com/hrbLkFQQmm

— Bad Packets Report (@bad_packets) September 5, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 31.13.195.65 (🇧🇬)
DNS: switchnets[.]net
Hosting provider: @VPSBG_EU
ASN: AS34224

C2 port:
79/tcp (panel)

Vulnerability exploited:
JAWS web server RCE

http://31.13.195.65/b/ #malware #opendir #threatintel pic.twitter.com/ABzppENJv7

— Bad Packets Report (@bad_packets) September 5, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 31.13.195.116 (🇧🇬)
DNS: anunna[.]club
Hosting provider: @VPSBG_EU
ASN: AS34224

C2 ports:
34567/tcp
64756/tcp

Vulnerabilities exploited:
JAWS web server RCE

http://anunna[.]club/x #malware payload#threatintel pic.twitter.com/58nhynOd5w

— Bad Packets Report (@bad_packets) September 4, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 206.72.206.82 (🇺🇸)
Hosting provider: InterServer (AS19318)

C2 ports:
8372/tcp
36496/tcp

Vulnerabilities exploited:
D-Link RCE
Huawei RCE CVE-2017-17215
http://206.72.206.82/bins/ #malware #opendir #threatintel pic.twitter.com/9NOkV85t2x

— Bad Packets Report (@bad_packets) September 3, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet command-and-control (C2) server detected!

IP address: 185.244.25.122 (🇳🇱)
Hosting provider: KV Solutions (AS60355)

C2 ports:
6667/tcp
32957/tcp

Vulnerability exploited:
FRITZ!Box RCE (CVE-2014-9727)#threatintel pic.twitter.com/vwRhg0YI6A

— Bad Packets Report (@bad_packets) August 31, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 80.82.65.213 (🇳🇱)
DNS: cc.stresser[.]cc
Hosting provider: IP Volume (AS202425)

C2 ports:
123/tcp
9060/tcp
37420/tcp

VirusTotal detections: 3/53https://t.co/foOKJLNxb7
http://80.82.65.213/moo #malware #opendir pic.twitter.com/SDXmpivcjj

— Bad Packets Report (@bad_packets) August 30, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 199.19.225.2 (🇺🇸)
Hosting provider: FranTech (AS53667)

C2 ports:
1024/tcp
1982/tcp

Vulnerability exploited:
Netgear router RCEhttps://t.co/6PisHwc30Q #malware
http://199.19.225.2/bins/ #opendir #threatintel pic.twitter.com/URGl4G7GkK

— Bad Packets Report (@bad_packets) August 28, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 142.11.217.116 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 port:
5301/tcp

Vulnerabilities exploited:
CVE-2014-8361
CVE-2017-17215
CVE-2017-18368

http://142.11.217.116/bins/ #malware #opendir #threatintel pic.twitter.com/uzKNe4nsnQ

— Bad Packets Report (@bad_packets) August 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 147.135.124.113 (🇺🇸)
Hosting provider: OVH (AS16276)

C2 ports:
396/tcp
455/tcp
3465/tcp

Vulnerability exploited:
CVE-2019-15107 (Webmin RCE)

http://147.135.124.113/bins/ #opendir #threatintel pic.twitter.com/bDXxiXUbCO

— Bad Packets Report (@bad_packets) August 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.244.25.73 (🇳🇱)
Hosting provider: KV Solutions (AS60355)

C2 ports:
81/tcp
6996/tcp

Payload:
m-i.p-s.SNOOPYhttps://t.co/tOxqmfFlsS
ftp://185.244.25.73/ #opendir #threatintel pic.twitter.com/zvK4UVCPkO

— Bad Packets Report (@bad_packets) August 23, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active DDoS botnet C2 server detected!

IP address: 185.244.39.124 (🇳🇱)
Hosting provider: SKB Enterprise (AS64425)

C2 ports:
5555/tcp
10019/tcp

Vulnerabilities exploited:
CVE-2014-8361
CVE-2017-17215

http://185.244.39.124/gaybub/ #malware #opendir #threatintel pic.twitter.com/HVOsP49kT7

— Bad Packets Report (@bad_packets) August 23, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 199.195.253.85 (🇺🇸)
Hosting provider: FranTech (AS53667)

C2 ports:
2323/tcp
10444/tcp
64334/tcp

Vulnerability exploited:
HiSilicon DVR RCE https://t.co/qaFAEk7lkF #threatintel

— Bad Packets Report (@bad_packets) August 21, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 198.98.62.146 (🇺🇸)
Hosting provider: FranTech (AS53667)

C2 ports:
23/tcp
91/tcp

Vulnerability exploited: CVE-2014-9727

Malware payload script: https://t.co/Um0xNXbBuz #threatintel pic.twitter.com/N1n47hQh1z

— Bad Packets Report (@bad_packets) August 18, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 51.91.202.137 (🇫🇷)
Hosting provider: Infinity Hosting

C2 ports:
8811/tcp
12345/tcp

Payload:
arm6https://t.co/wg7Y65kbm5
ftp://51.91.202.137/ #malware #opendir #threatintel https://t.co/dI5w8SLDb6 pic.twitter.com/oc9h62GQWn

— Bad Packets Report (@bad_packets) August 17, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 185.172.110.224 (🇳🇱)
Hosting provider: BladeServers (AS206898)

C2 ports:
993/tcp
11751/tcp

Vulnerabilities exploited:
CVE-2014-8361
CVE-2017-18368

ftp://185.172.110.224/ #malware #opendir #threatintel pic.twitter.com/WN2RnLQ3S5

— Bad Packets Report (@bad_packets) August 16, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!

IP address: 45.95.147.26 (🇳🇱)
DNS: switchnets[.]net
Hosting provider: Alsycon
ASN: AS51942

C2 ports:
79/tcp
6968/tcp

Payload:
"unstable" https://t.co/pccK4P2Qra
http://45.95.147.26/b/ #opendir #malware #threatintel pic.twitter.com/6JiL8XNITr

— Bad Packets Report (@bad_packets) August 16, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 164.68.116.122 (🇩🇪)
Hosting provider: Contabo (AS51167)

C2 ports:
1337/tcp
65535/tcp

Exploit target:
Linksys routers

Malware payload:
"mipsel"https://t.co/69FzpKONBF #threatintel pic.twitter.com/IHbj1NJrOD

— Bad Packets Report (@bad_packets) August 16, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 213.139.205.242 (🇳🇱)
Hosting provider: @ShockHosting
ASN: AS136175 (Serverhosh)

C2 ports:
35668/tcp
455/tcp

Multiple "cloudbot" malware binaries:https://t.co/bPxvVRnDYa #threatintel https://t.co/Xm1lKNqdWi pic.twitter.com/Vd1bv1MhVA

— Bad Packets Report (@bad_packets) August 14, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 142.44.251.105 (🇨🇦)
Hosting provider: OVH (AS16276)

C2 ports:
11751/tcp
65535/tcp

Vulnerabilities exploited:
CVE-2017-18368
CVE-2014-8361
Linksys RCE

ftp://142.44.251.105/ #malware #opendir #threatintel pic.twitter.com/mgeZuxnmCW

— Bad Packets Report (@bad_packets) August 14, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet (DDoS) C2 server detected!

IP address: 31.13.195.49 (🇧🇬)
Hosting provider: VPS[.]bg
ASN: AS34224 (Neterra)

C2 ports:
79/tcp
6968/tcp

Vulnerabilities exploited:
JAWS web server RCE

Payload:
http://31.13.195.49/x #malware #threatintel pic.twitter.com/4XV9dyLjl2

— Bad Packets Report (@bad_packets) August 13, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 141.105.69.49 (🇷🇺)
Hosting provider: @Hostkey_Rus (AS49335)
C2 port: 8915/tcp

Exploit target: ZyXEL routers (CVE-2017-18368)
ftp://141.105.69.49/ #malware #opendir #threatintel pic.twitter.com/2pxycZoXiS

— Bad Packets Report (@bad_packets) August 12, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.82.202.24 (🇳🇱)
Hosting provider: HostSailor (🇦🇪)
ASN: AS60117

C2 ports:
11751/tcp
65535/tcp

Malware payload:
arm7https://t.co/INtpCkIRTg

ftp://185.82.202.24/ #opendir #threatintel pic.twitter.com/PXSVRuoCBB

— Bad Packets Report (@bad_packets) August 12, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 23.254.204.46 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
5301/tcp
9545/tcp

Vulnerabilities exploited:
CVE-2014-8361
CVE-2018-10561

Payload scripts:
/cool
/poo#threatintel https://t.co/Mfptg6GGXf pic.twitter.com/M99SC2ZAhN

— Bad Packets Report (@bad_packets) August 11, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 167.71.128.164 (🇬🇧)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
1337/tcp
3663/tcp

Payload: /rep/zyxel.sh

Exploit target: ZyXEL routers (CVE-2017-18368)

ftp://167.71.128.164/ #opendir #threatintel pic.twitter.com/qtcQACqEnp

— Bad Packets Report (@bad_packets) August 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 40.89.175.73 (🇫🇷)
Hosting provider: Microsoft Azure (AS8075)

C2 ports:
1280/tcp
44460/tcp

Payload: http://40.89.175.73/distortion.mips
Exploit target: Linksys routers#threatintel pic.twitter.com/DAQ9jTGf9X

— Bad Packets Report (@bad_packets) August 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 91.134.120.7 (🇫🇷)
Hosting provider: Infinity Hosting
Network provider: OVH (AS16276)

C2 ports:
666/tcp
850/tcp

Payload: https://t.co/kDIqJHkUS5
ftp://164.132.213.119 #malware #opendir #threatintel pic.twitter.com/43uiyQcxV1

— Bad Packets Report (@bad_packets) August 9, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 91.92.66.192 (🇧🇬)
Hosting provider: VPS[.]bg
ASN: AS60355 (Neterra)

C2 port:
63236/tcp

Vulnerabilities exploited:
JAWS RCE
Realtek RCE (CVE-2014-8361)

http://91.92.66.192/ #malware #opendir #threatintel pic.twitter.com/ODC4mv2IXw

— Bad Packets Report (@bad_packets) August 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.244.25.185 (🇳🇱)
Hosting provider: KV Solutions (AS60355)

C2 ports:
1312/tcp (panel)
3912/tcp
43195/tcp

Payload:
Jaws[.]sh
http://185.244.25.185/loot/ #malware #opendir #threatintel pic.twitter.com/FDxxFiHoRN

— Bad Packets Report (@bad_packets) August 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.35.138.156 (🇳🇱)
C2 port: 655/tcp
Hosting provider: Zyztm Research Division (AS62454)

Payload:
http://185.35.138.156/c
ftp://185.35.138.156/ #malware #opendir #threatintel pic.twitter.com/okhMp8kkvO

— Bad Packets Report (@bad_packets) August 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 164.132.213.119 (🇫🇷)
Hosting provider: Infinity Hosting
Network provider: OVH (AS16276)
C2 ports:
54268/tcp
1098/tcp

Malware payload:https://t.co/QThjOvn4KR
ftp://164.132.213.119 #opendir #threatintel pic.twitter.com/8JQS4Whv6j

— Bad Packets Report (@bad_packets) August 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.244.25.77 (🇳🇱)
Hosting provider: KV Solutions (AS60355)
C2 ports:
88/tcp (panel)
1/tcp (logs)

Payload:
m-i.p-s.SNOOPY Gafgyt-like #malware https://t.co/pKh9dvamuM #threatintel pic.twitter.com/DHTEMgxE8U

— Bad Packets Report (@bad_packets) August 7, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.244.25.75 (🇳🇱)
C2 ports:
7318/tcp (panel)
43594/tcp (logs)
Hosting provider: KV Solutions (AS60355)

Payload:
SinixV4.armv6l Gafgyt-like #malware https://t.co/crpjCEGtIF #threatintel pic.twitter.com/qIK5BQkbg6

— Bad Packets Report (@bad_packets) August 7, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 158.255.5.216 (🇷🇺)
C2 port: 8915/tcp
ftp://158.255.5.216/ #opendir
Hosting provider: @Hostkey_Rus (AS49335)

Exploit targets:
D-Link routers
ZyXEL routers (CVE-2017-18368)#threatintel pic.twitter.com/Pmn4dnIGnt

— Bad Packets Report (@bad_packets) August 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 45.129.3.130 (🇷🇺)
C2 port: 1994/tcp (h/t @0xrb)
Hosting provider: https://t.co/D690YPqKCi (AS51659)#threatintel https://t.co/D3b8J89ZH9 pic.twitter.com/pBybObfP7I

— Bad Packets Report (@bad_packets) August 4, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected!

IP address: 185.244.25.181 (🇳🇱)
C2 port: 9375/tcp
Hosting provider: KV Solutions (AS60355)#Malware payload:
z3hir.mips https://t.co/SSEbT7YV2d
http://185.244.25.77/zehir/ #opendir #threatintel pic.twitter.com/dlTKpfdI6W

— Bad Packets Report (@bad_packets) August 3, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Botnet C2 server still active!

IP address: 185.244.25.181 (🇳🇱)
Hosting provider: KV Solutions

New C2 ports:
Panel: 121/tcp
Logs: 8361/tcp

Malware payload: NENAVIST2https://t.co/jQ1h7wChIw

PDoS (bricker) functionality per @MasafumiNegishi.#threatintel https://t.co/svWPsvrqPR pic.twitter.com/Lq32WYt1Wg

— Bad Packets Report (@bad_packets) August 2, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!

IP address: 185.244.150.111 (🇳🇱)
C2 port: 38344/tcp
Hosting provider: Host Sailor (🇦🇪)
ASN: AS60117

http://185.244.150.111/b/ #opendir

Malware payload:https://t.co/3GIwISL5X1 #threatintel pic.twitter.com/jMbQtNEvT2

— Bad Packets Report (@bad_packets) August 2, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!

IP address: 147.135.116.64 (🇫🇷)
C2 port: 45/tcp

ftp://147.135.116.64/Hilix.* #opendir
Hosting provider: Infinity Hosting
Network provider: OVH (AS16276)

Malware payload:https://t.co/8UnnQ2yIRu #threatintel pic.twitter.com/qpLxabCATS

— Bad Packets Report (@bad_packets) August 2, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 185.244.25.181 (🇳🇱)
C2 port: 131/tcp
Hosting provider: KV Solutions (AS60355)

Payload:
NENAVIST2https://t.co/jQ1h7wChIw
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/1reyZPomYm

— Bad Packets Report (@bad_packets) August 1, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!

IP address: 103.1.186.118 (🇦🇺)
C2 port: 44/tcp (logs via 6949/tcp)
Hosting provider: Mammoth Cloud (AS133159)

Payload:
a.arm5https://t.co/qYcm2vlPLa
http://103.1.186.118/bins/ #opendir

Type: Mirai-like #malware #threatintel pic.twitter.com/O231zjZDTL

— Bad Packets Report (@bad_packets) July 31, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!

IP address: 185.172.110.216 (🇳🇱)
C2 port: 1024/tcp
Hosting provider: BladeServers
ASN: AS206898

Payload:
/Jaws.shhttps://t.co/e8yX6eDY0J
http://185.172.110.216/bins/ #opendir

Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/DQzgH2RKiF

— Bad Packets Report (@bad_packets) July 31, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 51.91.202.137 (🇫🇷)
C2 port: 9999/tcp

Payload:
a-r.m-4.SNOOPY
a-r.m-6.SNOOPY
a-r.m-7.SNOOPY
ftp://51.91.202.137/ #opendir

Type: Gafgyt (DDoS) #malware #threatintel https://t.co/UlJ4YEtsQo pic.twitter.com/q3nSbxHPz1

— Bad Packets Report (@bad_packets) July 28, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 165.22.209.154 (🇮🇳)
C2 port: 26663/tcp
Hosting provider: DigitalOcean (AS14061)

Payload:
r4z0r.mipshttps://t.co/nm5COeFb6C
Type: Mirai-like #malware
ftp://165.22.209.154/ #opendir #threatintel pic.twitter.com/zAxmo34R54

— Bad Packets Report (@bad_packets) July 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 142.11.238.236 (🇺🇸)
C2 port: 34/tcp
Hosting provider: Hostwinds
ASN: AS54290

Payload:
arm7 (https://t.co/6zvHH2WZsC)
ftp://142.11.238.236/ #opendir
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/4DM9PebG6v

— Bad Packets Report (@bad_packets) July 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!

IP address: 185.246.152.89 (🇳🇱)
C2 port: 37212/tcp
Hosting provider: Melbicom (🇱🇹)
ASN: AS56630

Payload:
http://185.246.152.89/bins/telnet.* #opendir https://t.co/Fd6dQCr7wz

Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/nOOETagFpk

— Bad Packets Report (@bad_packets) July 26, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!

IP address: 185.172.110.203 (🇳🇱)
C2 port: 1024/tcp
Hosting provider: BladeServers
ASN: AS206898

Payload:
http://185.172.110.203/Jaws.sh
http://185.172.110.203/bins/ #opendir

Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/rxDsuHJ5m4

— Bad Packets Report (@bad_packets) July 25, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 159.89.41.188 (🇺🇸)
C2 port: 5301/tcp
Hosting provider: DigitalOcean

Payload:
http://159.89.41.188/bin
http://159.89.41.188/bins/ #opendir

Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/5gapuwXiTM

— Bad Packets Report (@bad_packets) July 25, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 67.205.169.73 (🇺🇸)
C2 port: 1791/tcp
Hosting provider: DigitalOcean

Payload:
arm7.akiraghttps://t.co/ByGukMWvCR
ftp://67.205.169.73/ #opendir
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/OxrjKGe28r

— Bad Packets Report (@bad_packets) July 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 104.168.215.139 (🇺🇸)
C2 port: 5301/tcp
Hosting provider: Hostwinds
ASN: AS54290

Payload:
http://104.168.215.139/mips
http://104.168.215.139/arm7

Type:
Mirai-like (DDoS) #malware #threatintel pic.twitter.com/MKurB6rlax

— Bad Packets Report (@bad_packets) July 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 185.172.110.224 (🇳🇱)
C2 port: 70/tcp
Hosting provider: BladeServers
ASN: AS206898

Payload:
http://185.172.110.224/mips https://t.co/wLCAOB3OcZ
Type: Mirai-like (DDoS) #malware #threatintel https://t.co/WD2T3jtRJh pic.twitter.com/65mQIlAHFN

— Bad Packets Report (@bad_packets) July 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 87.120.37.148 (🇧🇬)
C2 port: 38/tcp

Payload:
http://87.120.37.148/bins/autism.* #opendir https://t.co/Kb5G9eHkJ9

Type: Mirai-like (DDoS) #malware #threatintel https://t.co/ceO9rfM4rG pic.twitter.com/h4vE976Evo

— Bad Packets Report (@bad_packets) July 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 80.211.90.245 (🇮🇹)
Hosting provider: Aruba Cloud (AS31034)
C2 port: 6666/tcp

Payload:
http://80.211.90.245/k1337.*
ftp://80.211.90.245/ #opendir

Type: Gafgyt (DDoS) #malware #threatintel pic.twitter.com/hBfPXJttCx

— Bad Packets Report (@bad_packets) July 22, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!

IP address: 185.244.25.134 (🇳🇱)
C2 port: 1791/tcp
Hosting provider: KV Solutions

Payload:
loligang.mipshttps://t.co/x2PnIj7GsQ

Target: Huawei routers
Vulnerability exploited: CVE-2017-17215#threatintel https://t.co/rTk8y1XOpG pic.twitter.com/tEmSjoOupT

— Bad Packets Report (@bad_packets) July 22, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected!

IP address: 80.211.9.40 (🇮🇹)
Hosting provider: Aruba Cloud (AS31034)
DNS: ch.silynigr[.]xyz
C2 port: 495/tcp

Payload:
http://ch.silynigr[.]xyz/bins/u.*
http://ch.silynigr[.]xyz/bins/adb.*

Type: Mirai-like #malware #threatintel pic.twitter.com/2DUVZ9ZUf4

— Bad Packets Report (@bad_packets) July 21, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected!
IP address: 195.231.6.216 (🇮🇹)
C2 port: 48/tcp
Hosting provider: Aruba Cloud
ASN: AS202242#threatintel https://t.co/rZ6Or7RVR6 pic.twitter.com/iXN5NQzQpS

— Bad Packets Report (@bad_packets) July 20, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 51.91.202.137 (🇫🇷)
C2 port: 5301/tcp
Hosting provider: OVH
ASN: AS16276#threatintel https://t.co/prnFtujy49 pic.twitter.com/HRpecl5OUC

— Bad Packets Report (@bad_packets) July 19, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected!

IP address: 46.246.38.178 (🇸🇪)
DNS: ardp.hldns[.]ru
C2 port: 1791/tcp

Payload:
loligang.mipshttps://t.co/9kHLgjBYs8
loligang.mpsl https://t.co/l3q9IMg0qk

Type: Mirai-like #malware

Target: Linksys and D-Link routers#threatintel https://t.co/Oj5jvo9IWu pic.twitter.com/ltWFIyncii

— Bad Packets Report (@bad_packets) July 19, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 89.248.174.198 (🇳🇱)
C2 port: 9999/tcp
Hosting provider: IP Volume Inc
ASN: AS202425

Ports mass scanned with ZMap:
34567/tcp
50000/tcp
60001/tcp (see below)#threatintel https://t.co/tHj0H3eaaY

— Bad Packets Report (@bad_packets) July 18, 2019

Active Mirai-like botnet C2 detected:
89.248.174.198 (IP Volume Inc 🇳🇱)

C2 port:
9999/tcp

Exploit attempts targeting:
60001/tcp (JAWS Web Server – MVPower DVR RCE)

Payload:
http://89.248.174.198/jaws.sh
arm (https://t.co/ww1yQQ8geg)
arm7 (https://t.co/CZAWpe7z3r)#threatintel pic.twitter.com/SekQpD6CnU

— Bad Packets Report (@bad_packets) July 18, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 192.236.162.197 (🇺🇸)
New C2 port: 1791/tcp
Hosting provider: Hostwinds
ASN: AS54290#threatintel https://t.co/MJToNHi8Sm pic.twitter.com/2kD0YncQ7s

— Bad Packets Report (@bad_packets) July 17, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected:
209.141.55.8 (🇺🇸)

C2 port:
6666/tcp

Payload:
puss.arm7 #malware https://t.co/FNrPn7DhlO
ftp://209.141.55.8/ #opendir

Exploit attempts targeting:
JAWS Web Server (MVPower DVR RCE)

Exploit source IPs:
37.49.230.21 (🇮🇸)#threatintel pic.twitter.com/CT54gbxi0V

— Bad Packets Report (@bad_packets) July 16, 2019

Exploit attempt (https://t.co/Jawhp0SAZg) source IPs:
101.108.14.144 🇹🇭
49.117.81.101 🇨🇳
109.116.203.139 🇮🇹
151.70.138.75 🇮🇹
2.45.252.16 🇮🇹
114.235.35.12 🇨🇳#threatintel

— Bad Packets Report (@bad_packets) July 16, 2019

Active Mirai-like botnet C2 detected:
192.236.162.197 (Hostwinds 🇺🇸)

C2 port:
4426/tcp

Exploit attempts targeting:
Linksys routers (https://t.co/Jawhp0SAZg)

Payload:
Amakano.mpslhttps://t.co/KXFXHInsy8 #malware
http://192.236.162.197/vb/ #opendir #threatintel pic.twitter.com/skgxeJ7YQj

— Bad Packets Report (@bad_packets) July 16, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected:
169.239.128.18 (🇿🇦)

C2 port: 5301/tcp
Payload:
http://169.239.128.18/mips
http://169.239.128.18/arm7

Type: Mirai-like #malware https://t.co/qejUbpYWmA https://t.co/mD25CFLHrM #threatintel pic.twitter.com/a3TEemvzSA

— Bad Packets Report (@bad_packets) July 14, 2019

Ongoing exploit attempts targeting:
Realtek UPnP SOAP RCE (CVE-2014-8361)
JAWS Web Server (MVPower DVR RCE)

Exploit attempt source IPs:
165.22.107.99 (DigitalOcean 🇸🇬)
165.22.206.167 (DigitalOcean 🇳🇱)
188.166.60.205 (DigitalOcean 🇳🇱)#threatintel pic.twitter.com/SNvE5CdoqS

— Bad Packets Report (@bad_packets) July 14, 2019

Active botnet C2 detected:
91.209.70.174 (🇷🇺)

C2 port: 40/tcp
Payload: http://91.209.70.174/Corona.mips
Type: Gafgyt #malware variant

Ongoing exploit attempts targeting:
Realtek UPnP SOAP RCE (CVE-2014-8361)

Exploit source IPs:
165.22.244.168 (DigitalOcean 🇸🇬)#threatintel pic.twitter.com/BddyZ59TTA

— Bad Packets Report (@bad_packets) July 14, 2019

Active Mirai-like botnet C2:
194.99.22.138 (🇩🇪)

Ongoing exploit attempts targeting:
JAWS Web Server (MVPower DVR RCE)
Realtek UPnP SOAP RCE (CVE-2014-8361)
GPON routers (CVE-2018-10561)

Exploit source IPs:
209.97.168.152 (🇸🇬)
165.22.107.99 (🇸🇬)
188.166.60.205 (🇳🇱)#threatintel https://t.co/NancSne6GJ pic.twitter.com/41FQaBCTjr

— Bad Packets Report (@bad_packets) July 14, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.172.110.224 (🇳🇱)
C2 port: 65533/tcp
Hosting provider: BladeServers
ASN: AS206898#threatintel https://t.co/hGvD2Kzyw5 pic.twitter.com/19fDRoC2eo

— Bad Packets Report (@bad_packets) July 13, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 194.99.22.138 (🇩🇪)
C2 port: 5301/tcp
Hosting provider: MVPS LTD
ASN: AS202448#threatintel https://t.co/B8xmWdP450 pic.twitter.com/84QuaVXCH9

— Bad Packets Report (@bad_packets) July 12, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: CenterHop
ASN: AS17831#threatintel https://t.co/S132qANef2 pic.twitter.com/hrWbOjnU7h

— Bad Packets Report (@bad_packets) July 12, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 209.141.56.142 (🇺🇸)
C2 port: 37215/tcp
Hosting provider: Frantech
ASN: AS53667#threatintel https://t.co/ts1NKiPkgD pic.twitter.com/SbLN6nPbB3

— Bad Packets Report (@bad_packets) July 11, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 89.190.159.178 (🇳🇱)
C2 port: 85/tcp
Hosting provider: Alsycon B.V.
Network provider: SpectraIP B.V. (AS62068)#threatintel https://t.co/HOm7FuDdU0 pic.twitter.com/8a6vM6PjPi

— Bad Packets Report (@bad_packets) July 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected
IP address: 176.31.78.54 (🇫🇷)
http://176.31.78.54/bins/5743.* #opendir
Hosting provider: Infinity Hosting
C2 port: 45587/tcp

Type: Mirai-like #malware https://t.co/3tWlbyM5Rh

Exploit source IP: 125.227.22.243 (🇹🇼)#threatintel pic.twitter.com/ZuHx43svoa

— Bad Packets Report (@bad_packets) July 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.172.110.224 (🇳🇱)
C2 port: 65532/tcp
Hosting provider: BladeServers
ASN: AS206898#threatintel https://t.co/Eq7GtzzsbH pic.twitter.com/tsZogpCLuJ

— Bad Packets Report (@bad_packets) July 10, 2019

Botnet C2 IP address: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: CenterHop
ASN: AS17831#threatintel pic.twitter.com/ffmf31uIZz

— Bad Packets Report (@bad_packets) July 9, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: CenterHop
ASN: AS17831#threatintel https://t.co/lTYo8EcZRE

— Bad Packets Report (@bad_packets) July 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Botnet C2 is still active.
Exploit attempts targeting Huawei routers are ongoing.#threatintel https://t.co/ex4Rv6xSfj pic.twitter.com/GzvSIhcxoQ

— Bad Packets Report (@bad_packets) July 7, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 198.98.59.176 (🇺🇸)
C2 port: 90/tcp
Hosting provider: Frantech#threatintel https://t.co/Wxm1v0qm47 pic.twitter.com/XgGWvzo2Sq

— Bad Packets Report (@bad_packets) July 6, 2019

Looks like someone logged out of the C2 after our tweet. pic.twitter.com/Axi7WiPGGl

— Bad Packets Report (@bad_packets) July 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 185.172.110.224 (🇳🇱)
C2 port: 65533/tcp
Hosting provider: BladeServers#threatintel https://t.co/hGvD2Kzyw5 pic.twitter.com/axADWUZU8T

— Bad Packets Report (@bad_packets) July 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 188.166.87.227 (🇳🇱)
C2 port: 5301/tcp
Hosting provider: DigitalOcean (AS14061)#threatintel https://t.co/QOen6TGFae

— Bad Packets Report (@bad_packets) July 6, 2019

New payload targeting #GPON routers detected:
http://188.166.87.227/bin (DigitalOcean 🇳🇱)
http://188.166.87.227/bins/ #opendir https://t.co/wIIYSZ5JQS
Type: Mirai-like #malware
C2 port: 5301/tcp
Exploit attempt source IP: 68.183.167.121 (DigitalOcean 🇺🇸)#threatintel pic.twitter.com/yHdidmVhFO

— Bad Packets Report (@bad_packets) July 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 128.199.235.119 (🇸🇬)
C2 port: 81/tcp
Hosting provider: @digitalocean (AS14061)#threatintel https://t.co/OSxregNnrJ pic.twitter.com/fA2WyNbz7G

— Bad Packets Report (@bad_packets) July 4, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 159.89.143.217 (🇺🇸)
C2 port: 2269/tcp
Hosting provider: @digitalocean (AS14061)#threatintel https://t.co/FgjKPxhrfi pic.twitter.com/yKktKmbDj8

— Bad Packets Report (@bad_packets) July 4, 2019

🚨 ALERT 🚨
Active botnet command-and-control (C2) server detected.
IP: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: @centerhopcom
ASN: AS17831#threatintel https://t.co/LgojxLVqdy

— Bad Packets Report (@bad_packets) July 4, 2019

New payload targeting #GPON routers detected:
http://103.83.157.46/gai (🇸🇬)
http://103.83.157.46/bins/ #opendir https://t.co/rYnZBBEwBY
Type: Mirai-like #malware
C2 port: 5301/tcp
Exploit attempt source IP: 165.22.206.167 (Digital Ocean 🇳🇱)#threatintel pic.twitter.com/LnN5sHo4UE

— Bad Packets Report (@bad_packets) July 4, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.172.110.226 (🇳🇱)
C2 port: 1791/tcp
Hosting provider: @BladeServers_eu (AS206898)#threatintel https://t.co/HswW0KDsdp

— Bad Packets Report (@bad_packets) July 3, 2019

Active payload targeting 60001/tcp (IP camera interface/JAWS) detected:
http://185.172.110.226/lmaoWTF/Jaws.sh (🇳🇱)
http://185.172.110.226/lmaoWTF/ #opendir https://t.co/LkS7JKqYLe
Type: Mirai-like #malware
C2 port: 1791/tcp
Exploit source IP: 185.244.25.84 (🇳🇱)#threatintel pic.twitter.com/NdBPdqglXY

— Bad Packets Report (@bad_packets) July 3, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 198.98.59.176 (🇺🇸)
C2 port: 3301/tcp#threatintel https://t.co/UqPTvSioFa pic.twitter.com/igVioXdTQ3

— Bad Packets Report (@bad_packets) July 2, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.244.25.241 (🇳🇱 KV Solutions AS60355)
C2 port: 38344/tcp#threatintel https://t.co/Y7cS169YYM pic.twitter.com/F7P5kwMuYq

— Bad Packets Report (@bad_packets) June 30, 2019

Active botnet C2: 103.83.157.41 (🇸🇬)#threatintel pic.twitter.com/wiblOelpCm

— Bad Packets Report (@bad_packets) June 30, 2019

🚨 ALERT 🚨
Active botnet command-and-control (C2) server detected. #threatintel https://t.co/ugaYD6M5BE

— Bad Packets Report (@bad_packets) June 27, 2019

New payload targeting #Huawei routers detected:
http://103.83.157.41/bins/mips (🇸🇬)
http://103.83.157.41/bins/#opendir
C2 port: 5301/tcp
Type: Mirai-like #malware https://t.co/CfJOoDZTBB
Vulnerability exploited: CVE-2017-17215
Source IP: 167.71.64.218 (🇺🇸)#threatintel pic.twitter.com/vVhiYmvwgA

— Bad Packets Report (@bad_packets) June 27, 2019

Active botnet C2 and payload:
http://185.244.25.241/b/mips (🇳🇱 KV Solutions AS60355)https://t.co/olalKAGfD9 #threatintel https://t.co/ClcDuCdAix

— Bad Packets Report (@bad_packets) June 26, 2019

Active payload targeting #Huawei routers detected:
http://104.248.93.159/bins/frosty.mips (🇳🇱)
http://104.248.93.159/bins/ #opendir
C2 port: 8372/tcp
Type: Mirai-like #malware https://t.co/ghvpHMmhF4
Exploit source IP: 68.183.151.62 (🇺🇸)
Vulnerability: CVE-2017-17215#threatintel pic.twitter.com/YIZumv5k9B

— Bad Packets Report (@bad_packets) June 23, 2019

⚠️ WARNING ⚠️
Mirai-like botnet C2 server detected: 91.134.120.5 (🇫🇷)
Hosting provider: Infinity Hosting Services (🇩🇪)
Network provider: OVH (AS16276 🇫🇷)#threatintel pic.twitter.com/sDwnBFhtPR

— Bad Packets Report (@bad_packets) June 20, 2019

🚨 ALERT 🚨
Active command-and-control (C2) server detected. https://t.co/unTTHRfMp8

— Bad Packets Report (@bad_packets) June 18, 2019

New payload targeting #Huawei routers detected:
http://178.62.27.133/bins/frosty.mips (🇬🇧)
http://178.62.27.133/bins/ #opendir
Type: Mirai-like #malware https://t.co/mr8u5HFPdL
C2 IP: 68.183.151.62 (DigitalOcean 🇺🇸)
C2 port: 8372/tcp
Vulnerability: CVE-2017-17215#threatintel pic.twitter.com/SYZYqZBjuf

— Bad Packets Report (@bad_packets) June 18, 2019

C2 server: 185.244.25.157
C2 port: 5034/tcp https://t.co/ViNKvvCPb2 pic.twitter.com/XOJBbAbsnI

— Bad Packets Report (@bad_packets) June 18, 2019

New payload targeting @SchneiderElec "U.motion LifeSpace Management Systems" detected:
http://31.13.195.251/EC (🇧🇬 @VPSBG_EU)
Vulnerability exploited: CVE-2018-7841
Exploit (C2) IP: 188.165.179.9 (🇫🇷 @infinityhostcom)
C2 ports: 666, 358/tcp
Recon scan: Mirai-like#threatintel

— Bad Packets Report (@bad_packets) June 17, 2019

C2 server: 68.183.55.5
C2 port: 9375/tcp (Telnet) pic.twitter.com/ppTmHCfQbw

— Bad Packets Report (@bad_packets) June 17, 2019

⚠️ WARNING ⚠️
Ongoing exploit attempts
Active C2 server#threatintel https://t.co/G8soHUAa8w pic.twitter.com/ssIdF9Ejmm

— Bad Packets Report (@bad_packets) June 16, 2019

New payload targeting #Linksys routers detected:
http://79.137.123.208/bins/mpsl (🇫🇷)https://t.co/vTYSzWkrhM
ftp://79.137.123.208/ #opendir
C2 port: 555/tcp (Telnet)
Type: Mirai-like #malware
Exploit source IP: 74.210.238.108 (🇨🇦)
Target Port: 8080/tcp pic.twitter.com/eVCifhPw9U

— Bad Packets Report (@bad_packets) June 15, 2019

ANDYPANDY botnet C2 detections last 7 days:
104.244.76.15 (🇱🇺)
209.141.55.73 (🇺🇸)
193.70.26.48 (🇫🇷)
181.197.5.215 (🇵🇦)

Mainly targets #Android Debug Bridge (ADB) endpoints (5555/tcp). Recon scan uses ZMap.

— Bad Packets Report (@bad_packets) June 13, 2019

⚠️ WARNING ⚠️
New payload targeting D-Link devices detected:
http://62.210.207.229/t (🇫🇷)
http://62.210.207.229/bins/owari.* #opendir
C2 port: 89/tcp (Telnet)

Type: Mirai-like #malware https://t.co/H80SNjpLuF

Exploit source IPs:
209.141.37.17 (🇺🇸)
27.121.223.185 (🇯🇵) pic.twitter.com/mvO7WSwMb6

— Bad Packets Report (@bad_packets) June 1, 2019

New payload targeting Linksys routers detected:
http://205.185.126.154/AB4g5/Extendo.mpsl (🇺🇸)https://t.co/t6qyUxKKnl
C2 port: 1024/tcp (Telnet)
Exploit source IP: 209.141.37.173 (🇺🇸)
Recon scan: ZMap
Target Ports: 8088, 8080/tcp
Mirai-like #malware #opendir pic.twitter.com/UtP1qKoA4F

— Bad Packets Report (@bad_packets) May 25, 2019

A week later, this C2 is still active. The service provider @Scaleway acknowledged our report, yet took no action.

Meanwhile, a new payload called "z3hir" was detected: https://t.co/SL9INIWvDx pic.twitter.com/govU3heKaS

— Bad Packets Report (@bad_packets) May 20, 2019

New #malware payload and C2 detected
Exploit target: Realtek devices (CVE-2014-8361)
Target port: 52869/tcp
Payload: http://62.210.207.229/ntpd (https://t.co/vmMWAs3EmU)#OpenDir: ftp://62.210.207.229/
C2 port: 89/tcp (telnet) pic.twitter.com/PiRA8lRnrq

— Bad Packets Report (@bad_packets) May 13, 2019

Mirai-like botnet C2: 88.218.94.20 (🇺🇸)
Status: Active
Realtek exploit CVE-2014-8361 payload: http://88.218.94.20/ntpd (https://t.co/dsp82tTR1V)
✅ Added to monitoring pic.twitter.com/rIlYd1IAro

— Bad Packets Report (@bad_packets) May 11, 2019