polonus
February 22, 2014, 7:15pm
1
There are an awful lot of queries being sent to urlquery dot net for 142.0.129.33 → http://urlquery.net/report.php?id=9588529
Not delivering many flags or much being alerted at the moment.
There has been a constant detection on that IP for HTML/ScrInject.B.Gen virus launched from that IP,
as we can establish from scumware dot org:
http://www.scumware.org/report/142.0.129.33.html
Here we find no block: http://greensnow.co/view/142.0.129.33
ThreatSTOP gives historical detections from 9 months ago for threats classified as China, Modified ITAR, being on DShield block list, etc.
Danger level 1 and 1 and 3.
Spamming from the site was also not seen very recently, re: http://www.stopforumspam.com/ipcheck/142.0.129.33
Who would like to scan all these 140.0.129.33 URIs on urlquery dot com, and for what reason?
Intriguing question, just my thought
polonus
polonus
February 22, 2014, 9:03pm
2
Hello my IP-scanning friends here on the forums,
The following is also a bad IP, banned it seems for 5 attempts against SSH.
See here: http://us.hive.sshhoneypot.com/iplog.php?ip=222.186.62.24
Interesting IDS alerts at urlquery dot net scan: http://urlquery.net/report.php?id=9593092
ET DROP Dshield Block Listed Source group 1 - meaning blocked here: http://feeds.dshield.org/block.txt
& ET COMPROMISED Known Compromised or Hostile Host Traffic group 31
Here these sort of attacker-IPs are also logged and reported,
see: http://bannedhackersips.blogspot.nl/
Here it comes listed in a Russian detection base: http://www.badips.com/info/222.186.62.24?key=ea49a83bab4875db136bfb2c399a52ec5a6cf0f8
and was reported there 88 times.
For ThreatSTOP detection see my attached image.
This is also an extensive report: http://www.blocklist.de/en/view.html?ip=222.186.62.24
Also flagged twice here: http://www.ipvoid.com/scan/222.186.62.24/
To what extent this IP is also a Tor IP that was compromised is not known to me;
according to these resources it is/was: htxp://blockreport.net/iplist.php *
Doing a little IP scanning before venturing out somewhere has not hurt anyone yet ;D
Know where you are going and know what destinations to avoid and block! 8)
polonus
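The posts above check one IP against several reputation sources by hand (DShield block.txt, honeypot logs, spam lists). As an added example, not part of polonus' post or any of the listed services, here is a small offline checker in the same spirit: it parses a constructed snippet in the tab-separated layout of DShield's block.txt (range start, range end, netmask bits, attack count, name, country, contact) plus a constructed one-IP-per-line list like stopforumspam or badips exports, and reports which source flags a given IP. The ranges, counts, names and the lists themselves are made up for this example; with the real feed you would fetch http://feeds.dshield.org/block.txt and pass its text to the same parser.

```python
import ipaddress

# Constructed sample in the layout of DShield's block.txt (tab-separated:
# start, end, netmask bits, attacks, name, country, abuse contact).
# Ranges, counts and names are invented for this example, not real feed data.
DSHIELD_BLOCK_SAMPLE = """\
# DShield.org Recommended Block List (constructed sample, not the real feed)
# Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail
222.186.62.0\t222.186.62.255\t24\t1234\tEXAMPLE-NET-A\tCN\tabuse@example.invalid
94.102.52.0\t94.102.52.255\t24\t456\tEXAMPLE-NET-B\tNL\tabuse@example.invalid
"""

# Constructed sample of a one-address-per-line list (stopforumspam/badips style).
PLAIN_LIST_SAMPLE = """\
# constructed sample, one IP per line
222.186.62.24
81.17.28.137
"""


def parse_dshield_block(text):
    """Return [(ip_network, attacks, name)] from DShield block.txt-style text."""
    nets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # skip comments and blank lines
        fields = line.split("\t")
        start, bits = fields[0], fields[2]
        attacks = int(fields[3]) if len(fields) > 3 and fields[3].isdigit() else 0
        name = fields[4] if len(fields) > 4 else ""
        # strict=False tolerates a start address that is not on the boundary
        nets.append((ipaddress.ip_network(f"{start}/{bits}", strict=False), attacks, name))
    return nets


def parse_plain_list(text):
    """Return a set of ip_address objects from a one-IP-per-line list."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            pass                          # ignore malformed lines rather than abort
    return ips


def lookup_ip(ip_str, dshield_nets, plain_ips):
    """Return {source: [hit descriptions]} for one IP across both sources.

    ip_address() also normalises zero-padded forms such as 094.102.052.076
    only if you strip the padding first, so we do that explicitly.
    """
    ip = ipaddress.ip_address(".".join(str(int(o)) for o in ip_str.split(".")))
    hits = {"dshield_block": [], "plain_list": []}
    for net, attacks, name in dshield_nets:
        if ip in net:
            hits["dshield_block"].append(f"{net} ({name}, {attacks} attacks)")
    if ip in plain_ips:
        hits["plain_list"].append(str(ip))
    return hits


def sources_flagging(hits):
    """Number of sources that returned at least one hit for the IP."""
    return sum(1 for v in hits.values() if v)


if __name__ == "__main__":
    nets = parse_dshield_block(DSHIELD_BLOCK_SAMPLE)
    plain = parse_plain_list(PLAIN_LIST_SAMPLE)
    for candidate in ("222.186.62.24", "094.102.052.076", "5.9.148.201"):
        result = lookup_ip(candidate, nets, plain)
        print(candidate, sources_flagging(result), result)
```

The point of the `sources_flagging` count is the same one the thread makes informally: one list hit is weak evidence, but an address that shows up in a block-range feed and a reported-address list at the same time is worth blocking or at least logging on.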
polonus
February 23, 2014, 3:15pm
3
This is an attacker IP that was reported at IPillion → http://www.abuseipdb.com/report-history/93.115.82.113
ThreatSTOP saw it 9 days ago as anonymous proxy. It was flagged in the past as spreading spam as Spamhaus and Alienvault-spam threat.
No IDS alerts here: http://urlquery.net/report.php?id=9612656 - because of unrecognized services.
Internet hub with bad webrep: http://www.webutations.net/go/review/voxility.com?req=chrome
https://www.mywot.com/en/scorecard/voxility.com?utm_source=addon&utm_content=popup-donuts
https://forums.malwarebytes.org/index.php?showtopic=114959 posted by GEOTOR
polonus
polonus
February 23, 2014, 5:12pm
4
An interesting Chinese IP scanner that delivers attributes and hashes: http://ip.haomad.com/ip/222.244.163.112.html
Result is coded - Chinese coded will produce same results.
Read on this please: http://www.script-home.com/completely-solve-the-results-do-not-match-the-asp-asp-net-md5-encryption-chinese-problem.html
Nothing here: http://urlquery.net/report.php?id=9613659
IP 222.244.163.112 last seen by ThreatSTOP 9 days ago threats: China, Modified ITAT, ITAR, China - danger level 1
Host appears down, but I get a disconnect there: [Errno 111] Connection refused - notified by Google.
Nothing here: http://www.ipvoid.com/scan/222.244.163.112/ - and here: http://us.hive.sshhoneypot.com/iplog.php?ip=222.244.163.112
polonus
polonus
February 24, 2014, 4:31pm
5
Attack IP and IDS alert. Blacklisted for spamming: http://www.magic-net.info/black-list-checker.dnslookup?black=94.102.52.76
IP seen 4 days ago at ThreatSTOP for threats like Russian Business Network, Alien Vault, AlienVaultScanSpam
See: http://urlquery.net/report.php?id=9630070
IDS alert: ET RBN Known Russian Business Network IP group 435
See: http://sitevet.com/db/asn/AS29073
polonus
polonus
February 27, 2014, 10:58pm
6
polonus
February 28, 2014, 7:39pm
7
A port scanning threat-IP see: http://www.abuseipdb.com/report-history/94.102.52.76
IDS alert for ET RBN Known Russian Business Network IP group 435 severity 3
It was still active just over 79 min ago, flagged as Russian Business Network, danger level 2; 19 hours ago at AlienVault (danger level 4) & AlienVaultSpam (danger level 2) → http://urlquery.net/report.php?id=9630070
Not being flagged here: http://www.ipvoid.com/scan/94.102.52.76/ & here: https://secure.dshield.org/ipinfo.html?ip=094.102.052.076
Listed at http://spamcannibal.org/cannibal.cgi
polonus
polonus
February 28, 2014, 10:15pm
8
polonus
February 28, 2014, 11:37pm
9
See IP 5.9.148.201 → ttps://www.virustotal.com/nl/url/569cef6e1d0f7fc5c72a9dad84f7cb10c0e46ab88025b01d61456fc24314e9f7/analysis/1393690395/
Nothing here: http://urlquery.net/report.php?id=9728679
Threats that came from this IP in the past: AlienvaultScanSpam threat, danger level 2; DShield Block List threat, danger level 3; Community & Advanced threat, danger level 3; years ago, bogons threat, danger level 1.
→ artforms dot ro, 5.9.148.201, ns1.oxiahosting dot com, Parked/expired
See: http://jsunpack.jeek.org/?report=1c9c54742a25728e46a9d2c75eb4e139e1e331d7
See: wXw.artforms.ro/js/fileuploader.js benign
[nothing detected] (script) wXw.artforms.ro/js/fileuploader.js
status: (referer=wXw.artforms.ro/)saved 39998 bytes 24d17f7e5ab79b5316af302eb083177095580888
info: [iframe] wXw.artforms.ro/js/javascript:false;
info: [decodingLevel=0] found JavaScript
suspicious:
polonus
Citadel type malware: http://urlquery.net/report.php?id=9766012 not detected
Twice flagged here: https://www.virustotal.com/nl/url/ac083e28a7e91f6b2b8ac67e14c1e144083fc05e742f8a2a44255bde0007a502/analysis/
spam IP: http://www.stopforumspam.com/ipcheck/81.17.28.137
I get: 11004 [11004] Valid name, no data record (check DNS setup)
ThreatSTOP had alerts from 3 years ago for Russia, Eastern Europe, Modified ITAR, Spamhaus DROP, all danger level 1, advanced, danger level 3.
polonus