Combining IP resources - ELF SSH attacker

:o Recent Reports: We have received reports of abusive activity from this IP address within the last week. It is potentially still actively engaged in abusive activities.

See: https://maltiverse.com/search;query=23.254.129.243;page=1;sort=query_score
Detection created 5 days ago: Brute force passwords using SSH on server S9 - Blocklist.net.ua SSH Attacker - Blocklist.de

For the flaws at Hostwinds LLC., Seattle, actually a long list of exploits: https://www.shodan.io/host/23.254.129.243
Also see: https://www.abuseipdb.com/check/23.254.129.243
Consider Netcraft risk rate 7 red out of 10: https://toolbar.netcraft.com/site_report?url=hwsrv-653920.hostwindsdns.com

Where it was being reported from: https://urlhaus.abuse.ch/url/274700/

The original VT detection: https://www.virustotal.com/gui/url/d609ae274f0b2fdf2d9251e4786f05b65038b6121ad3bca4c2fe678451a021b7/detection
See on IP relations: https://www.virustotal.com/gui/ip-address/23.254.129.243/relations

Avast detects this linux.Mirai.gen as “ELF:DDoS-S [Trj]” (we have protection against it): https://www.virustotal.com/gui/file/e76a2d73dcd726ed9727a58d06ea0017bcf3d3b58af6d2a640672a0a7f63bd42/detection

Combining IP resources in this way is known as “combing”, so-called “combing the Interwebz for malcode”.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

This could also mean something on a larger scale than a single IP address:

https://badpackets.net/ongoing-large-scale-sip-attack-campaign-coming-from-online-sas-as12876/

Stumbled upon such a report through AS12876’s network abuse.
But abuse could only be reported per single IP address.
Example: https://www.abuseipdb.com/check/195.154.243.131
and https://pastebin.com/w9U0LG30

polonus