IP to be blocked?

There are an awful lot of queries being sent to urlquery dot net for 142.0.129.33 → http://urlquery.net/report.php?id=9588529
Not delivering many flags, and not much being alerted on at the moment.
There has been constant detection on that IP of the HTML/ScrInject.B.Gen virus launched from that IP,
as we can establish from scumware dot org:
http://www.scumware.org/report/142.0.129.33.html
Here we find no block: http://greensnow.co/view/142.0.129.33
ThreatSTOP gives historical detections from 9 months ago for threats classified as China, Modified ITAR, being on the DShield block list, etc.
Danger levels 1, 1 and 3.
Spamming from the site was also not seen very recently, re: http://www.stopforumspam.com/ipcheck/142.0.129.33
Who would like to scan all these 142.0.129.33 URIs on urlquery dot net, and for what reason?
Intriguing question, just my thought :wink:

polonus

Hello my IP-scanning friends here on the forums,

The following is also a bad IP, banned, it seems, for 5 attempts against SSH.
See here: http://us.hive.sshhoneypot.com/iplog.php?ip=222.186.62.24
Interesting IDS alerts at urlquery dot net scan: http://urlquery.net/report.php?id=9593092
ET DROP Dshield Block Listed Source group 1 - meaning blocked here: http://feeds.dshield.org/block.txt
& ET COMPROMISED Known Compromised or Hostile Host Traffic group 31
Here these sorts of attacker IPs are also logged and reported,
see: http://bannedhackersips.blogspot.nl/

Here it is listed in a Russian detection base: http://www.badips.com/info/222.186.62.24?key=ea49a83bab4875db136bfb2c399a52ec5a6cf0f8
and was reported there 88 times.
For ThreatSTOP detection see my attached image.

This is also an extensive report: http://www.blocklist.de/en/view.html?ip=222.186.62.24
Also flagged twice here: http://www.ipvoid.com/scan/222.186.62.24/

To what extent this IP is also a Tor IP that was compromised is not known to me;
according to these resources it is/was: htxp://blockreport.net/iplist.php *

Doing a little IP scanning before venturing out somewhere has not hurt anyone yet ;D
Know where you are going and know what destinations to avoid and block! 8)

polonus
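Editor's added example (not part of polonus's post): the "ET DROP Dshield Block Listed Source" alert above fires on addresses in the DShield recommended block list at feeds.dshield.org/block.txt. The script below parses that tab-delimited format and answers "is this IP in a listed /24?" locally. The sample list is constructed from TEST-NET addresses; the column layout follows the feed's own header comment, and the fetch helper is the only part that touches the network.

```python
"""Parse the DShield recommended block list (feeds.dshield.org/block.txt)
and test whether an address falls inside a listed netblock.

Added example by the editor, not code from the forum post. The sample text is
constructed in the feed's documented column layout (TEST-NET addresses);
fetch_dshield_blocklist() pulls the live feed. DShield publishes a detached
PGP signature for the list (block.txt.asc); verify it before feeding the
list to a firewall, since a tampered list is a denial-of-service lever.
"""
import ipaddress
import urllib.request
from dataclasses import dataclass
from typing import Iterable, List, Optional

DSHIELD_BLOCK_URL = "https://feeds.dshield.org/block.txt"

# Constructed sample. Columns (tab-delimited): start of netblock, end of
# netblock, prefix length, number of targets scanned, network name,
# country, contact address. Comment lines start with '#'.
# The last row is deliberately malformed (start not on the /24 boundary).
SAMPLE_BLOCK_TXT = """\
# DShield.org Recommended Block List
# This list summarizes the top 20 attacking class C (/24) subnets
# over the last three days.
Start\tEnd\tNetblock\tAttacks\tName\tCountry\temail
203.0.113.0\t203.0.113.255\t24\t1234\tEXAMPLE-NET-1\tXX\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t987\tEXAMPLE-NET-2\tXX\tabuse@example.org
192.0.2.7\t192.0.2.255\t24\t5\tBROKEN-ROW\tXX\t
"""


@dataclass(frozen=True)
class BlockEntry:
    network: ipaddress.IPv4Network
    attacks: int
    name: str
    country: str
    contact: str


def parse_block_list(text: str) -> List[BlockEntry]:
    """Turn block.txt into BlockEntry records; comments, the header row and
    malformed rows are skipped rather than allowed to abort the whole load."""
    entries: List[BlockEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Start\t"):
            continue
        cols = line.split("\t")
        if len(cols) < 4:
            continue
        try:
            # strict=True rejects a start address that is not on the prefix boundary
            net = ipaddress.IPv4Network(f"{cols[0]}/{cols[2]}", strict=True)
            attacks = int(cols[3])
        except ValueError:
            continue
        name, country, contact = (cols + ["", "", ""])[4:7]
        entries.append(BlockEntry(net, attacks, name, country, contact))
    return entries


def lookup(ip: str, entries: Iterable[BlockEntry]) -> Optional[BlockEntry]:
    """The entry whose netblock contains ip, or None if it is not on the list."""
    addr = ipaddress.IPv4Address(ip)
    return next((e for e in entries if addr in e.network), None)


def fetch_dshield_blocklist(url: str = DSHIELD_BLOCK_URL, timeout: float = 10.0) -> List[BlockEntry]:
    """Download and parse the live feed (needs network access; not run in the demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_block_list(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    entries = parse_block_list(SAMPLE_BLOCK_TXT)
    for probe in ("203.0.113.77", "192.0.2.1"):
        hit = lookup(probe, entries)
        print(probe, "->", f"listed in {hit.network}, {hit.attacks} targets scanned" if hit else "not listed")
```

Note that the list only ever carries the top attacking /24s over the last three days, so an IP that was listed when a scanner flagged it can be absent a few days later; a "not listed" result says nothing about history, only about the current feed.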

This is an attacker IP that was reported at IPillion → http://www.abuseipdb.com/report-history/93.115.82.113
ThreatSTOP saw it 9 days ago as an anonymous proxy. It was flagged in the past as spreading spam, as a Spamhaus and AlienVault spam threat.
No IDS alerts here: http://urlquery.net/report.php?id=9612656 - because of unrecognized services.
Internet hub with bad webrep: http://www.webutations.net/go/review/voxility.com?req=chrome
https://www.mywot.com/en/scorecard/voxility.com?utm_source=addon&utm_content=popup-donuts
https://forums.malwarebytes.org/index.php?showtopic=114959 posted by GEOTOR

polonus

An interesting Chinese IP scanner that delivers attributes and hashes: http://ip.haomad.com/ip/222.244.163.112.html
The result is coded; Chinese-coded will produce the same results.
Read on this please: http://www.script-home.com/completely-solve-the-results-do-not-match-the-asp-asp-net-md5-encryption-chinese-problem.html
Nothing here: http://urlquery.net/report.php?id=9613659
IP 222.244.163.112 last seen by ThreatSTOP 9 days ago, threats: China, Modified ITAR, ITAR, China - danger level 1
The host appears down, but I get a disconnect there: [Errno 111] Connection refused - notified by Google
Nothing here: http://www.ipvoid.com/scan/222.244.163.112/ - and here: http://us.hive.sshhoneypot.com/iplog.php?ip=222.244.163.112

polonus

Attack IP and IDS alert. Blacklisted for spamming: http://www.magic-net.info/black-list-checker.dnslookup?black=94.102.52.76
IP seen 4 days ago at ThreatSTOP for threats like Russian Business Network, AlienVault, AlienVaultScanSpam
See: http://urlquery.net/report.php?id=9630070
IDS alert: ET RBN Known Russian Business Network IP group 435
See: http://sitevet.com/db/asn/AS29073

polonus
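Editor's added example (not part of polonus's post): the "black-list checker" page linked above, like Spamhaus, SpamCop and SpamCannibal, is a DNS-based blocklist (DNSBL) lookup. The script below builds the reversed-octet query name, decodes the 127.0.0.x answer codes Spamhaus ZEN documents, and applies the RFC 5782 liveness test (127.0.0.2 must be listed, 127.0.0.1 must not) before trusting a "not listed" answer. The resolver is injectable; the answer table is constructed so the demo runs offline, and the zone names are the real public zones.

```python
"""Query an IPv4 address against DNS-based blocklists (DNSBLs), which is what
the "black-list checker" pages linked in the thread do behind the scenes.

Added example by the editor, not the forum poster's code. Zone names are real
public DNSBLs and the Spamhaus ZEN return-code table follows Spamhaus's
published documentation; the answer table below is constructed so the demo
runs offline. Pass resolve=socket_resolver to query live DNS instead.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Spamhaus ZEN encodes the listing reason in the last octet of the A record.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (snowshoe/bulk spam source)",
    "127.0.0.4": "XBL (compromised host, CBL data)",
    "127.0.0.5": "XBL (compromised host)",
    "127.0.0.6": "XBL (compromised host)",
    "127.0.0.7": "XBL (compromised host)",
    "127.0.0.10": "PBL (ISP-maintained end-user address space)",
    "127.0.0.11": "PBL (Spamhaus-maintained end-user address space)",
}

Resolver = Callable[[str], Optional[List[str]]]  # name -> A records, or None for NXDOMAIN


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: octets reversed, then the zone.
    94.102.52.76 against zen.spamhaus.org -> 76.52.102.94.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)  # reject anything that is not an IPv4 literal first
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def socket_resolver(name: str) -> Optional[List[str]]:
    """Live lookup with the system resolver. NXDOMAIN means 'not listed'."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def describe(zone: str, answer: str) -> str:
    if zone.endswith("spamhaus.org"):
        return ZEN_CODES.get(answer, f"listed, unknown code {answer}")
    return f"listed ({answer})"


def check(ip: str, zones: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Return {zone: [verdicts]} for every zone that genuinely lists ip.

    Only answers in 127.0.0.0/24 count as listings. Spamhaus uses 127.255.255.x
    for errors (blocked public resolver, query limit exceeded), and a
    wildcarding or hijacked resolver can return an arbitrary address; neither
    is a blocklist verdict, so both are ignored here.
    """
    hits: Dict[str, List[str]] = {}
    for zone in zones:
        answers = resolve(dnsbl_name(ip, zone)) or []
        verdicts = [describe(zone, a) for a in answers if a.startswith("127.0.0.")]
        if verdicts:
            hits[zone] = verdicts
    return hits


def zone_is_alive(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 sanity check: 127.0.0.2 must be listed and 127.0.0.1 must not.
    A zone failing this is dead or wildcarded, so its 'not listed' answers mean nothing."""
    return bool(check("127.0.0.2", [zone], resolve)) and not check("127.0.0.1", [zone], resolve)


# Constructed answer table standing in for live DNS (203.0.113.0/24 is TEST-NET-3).
FAKE_ANSWERS: Dict[str, List[str]] = {
    "9.113.0.203.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],   # SBL + XBL
    "9.113.0.203.bl.spamcop.net": ["127.0.0.2"],
    "9.113.0.203.b.barracudacentral.org": ["198.18.0.1"],         # wildcard junk, not a listing
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],                  # RFC 5782 test entry
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "2.0.0.127.b.barracudacentral.org": ["198.18.0.1"],           # broken zone answers everything
    "1.0.0.127.b.barracudacentral.org": ["198.18.0.1"],
}


def fake_resolver(name: str) -> Optional[List[str]]:
    return FAKE_ANSWERS.get(name)


ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org"]

if __name__ == "__main__":
    for zone in ZONES:
        print(f"{zone}: {'ok' if zone_is_alive(zone, fake_resolver) else 'DEAD/WILDCARDED, ignore'}")
    for zone, verdicts in check("203.0.113.9", ZONES, fake_resolver).items():
        print(f"203.0.113.9 listed in {zone}: {', '.join(verdicts)}")
```

Two practical caveats the web checkers hide: Spamhaus refuses queries arriving via large public resolvers (you get an error code, not a listing), and a DNSBL that has shut down often leaves a wildcard behind, which a naive checker reads as "every IP is listed". The liveness test catches the second case.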

See this Citadel Cybercrime site: https://www.virustotal.com/nl/url/8856a381be8c772f050c16b1b01ca2c2adf77762c7b85f785b7664946d0d47b0/analysis/1393541226/
and
https://www.virustotal.com/nl/file/af47ec90f9b69ce21c23de705be61f809bdfb30c5d9b6675466fd21f4b07b48d/analysis/1379944202/
See: https://malwr.com/analysis/NDAxMDZmMDc4YjYxNDI2NjlkYjEwM2Q3OThlNDQ1YzI/
also listed here: http://vxvault.siri-urz.net/ViriList.php

polonus

A port-scanning threat IP, see: http://www.abuseipdb.com/report-history/94.102.52.76
IDS alert for ET RBN Known Russian Business Network IP group 435 severity 3
It was still active just over 79 min ago, flagged as Russian Business Network, danger level 2; 19 hours ago at AlienVault (danger level 4) & AlienVaultSpam (danger level 2) → http://urlquery.net/report.php?id=9630070
It is not being flagged here: http://www.ipvoid.com/scan/94.102.52.76/ & here: https://secure.dshield.org/ipinfo.html?ip=094.102.052.076
Listed at http://spamcannibal.org/cannibal.cgi

polonus

This IP should be blocked as with Zeus: getboating dot com dot au/libraries/zauan/shortcodes/mandan/zt/wp/bt/js/url/upload/cp.php?m=login
IP= http://sameid.net/ip/114.141.196.165/ see: http://www.abuseipdb.com/whois/114.141.196.165 Not found :o
and again never heard of it: https://www.mywot.com/en/scorecard/114.141.196.165
Cybercrime that goes on largely undetected then? Never been tested: http://safeweb.norton.com/report/show?url=114.141.196.165
another, not even an IDS alert: http://urlquery.net/report.php?id=9714482
Bingo, detected: https://zeustracker.abuse.ch/monitor.php?ipaddress=114.141.196.16
ThreatSTOP: Threat PhishTank danger level 1 last seen 5 months ago
At Cybertracker last seen 28-02-2014 → https://www.virustotal.com/nl/url/49051877dee432c7aee5f158a334c2bd0cbc5574641ab8da28c381fcacbf3b59/analysis/
https://www.virustotal.com/nl/file/92f22817daca6e7ed293fc8120508d71d0d8528d648ea94e641772c305d6cab3/analysis/1367506132/ phish but probably non-malicious?

pol

This one is listed here: http://www.projecthoneypot.org/ip_95.56.51.95
blacklisted on several occasions: http://whatismyipaddress.com/blacklist-check

pol

See IP 5.9.148.201 → https://www.virustotal.com/nl/url/569cef6e1d0f7fc5c72a9dad84f7cb10c0e46ab88025b01d61456fc24314e9f7/analysis/1393690395/
Nothing here: http://urlquery.net/report.php?id=9728679
Threats that came from this IP in the past: AlienVaultScanSpam threat, danger level 2; DShield Block List threat, danger level 3; Community & Advanced threat, danger level 3; years ago, bogons threat, danger level 1. → artforms dot ro, 5.9.148.201, ns1.oxiahosting dot com, Parked/expired,
See: http://jsunpack.jeek.org/?report=1c9c54742a25728e46a9d2c75eb4e139e1e331d7
See: wXw.artforms.ro/js/fileuploader.js benign
[nothing detected] (script) wXw.artforms.ro/js/fileuploader.js
status: (referer=wXw.artforms.ro/)saved 39998 bytes 24d17f7e5ab79b5316af302eb083177095580888
info: [iframe] wXw.artforms.ro/js/javascript:false;
info: [decodingLevel=0] found JavaScript
suspicious:

polonus

What about this one? http://urlquery.net/report.php?id=9744755
see: https://www.virustotal.com/nl/ip-address/66.147.242.153/information/
no historical threats,

pol

Citadel-type malware: http://urlquery.net/report.php?id=9766012 not detected
Twice flagged here: https://www.virustotal.com/nl/url/ac083e28a7e91f6b2b8ac67e14c1e144083fc05e742f8a2a44255bde0007a502/analysis/
spam IP: http://www.stopforumspam.com/ipcheck/81.17.28.137
I get: 11004 [11004] Valid name, no data record (check DNS setup)
ThreatSTOP had alerts from 3 years ago for Russia, Eastern Europe, Modified ITAR, Spamhaus DROP, all danger level 1; Advanced, danger level 3.

polonus

Threat IP not being blocked by avast! → https://www.virustotal.com/nl/ip-address/61.183.207.199/information/
Last seen 19 hrs ago as a threat: China, Modified ITAR, ITAR, danger level 10,
Spamhaus negatives: https://www.robtex.com/ip/61.183.207.199.html
Nothing here: http://urlquery.net/report.php?id=9766642
malware from that network: http://support.clean-mx.de/clean-mx/viruses.php?descr=Chinanet%20network%20in%20Wuhan%20city%20Hubei%20province&sort=first%20desc&response=alive
low detection rate, e.g.: https://www.virustotal.com/nl/file/ce0b9d849610f35109b03024db5be95a83984082ae8f5f3999a507958e102656/analysis/

pol

For attacks from this evil IP see: http://greensnow.co/view/222.186.62.73 (direct link to results could not be given)
Blacklisted and flagged by many: https://www.google.nl/search?q=222.186.62.73&oq=222.186.62.73&aqs=chrome..69i58j69i57j69i60j69i61j69i60.1207j0j7&sourceid=chrome&espv=210&es_sm=93&ie=UTF-8

For instance here: http://bannedhackersips.blogspot.nl/2014/02/fail2ban-ssh-banned-2221866273.html
and http://www.badips.com/info/222.186.62.73
and http://www.blocklist.de/en/view.html?ip=222.186.62.73
and here: http://www.ipvoid.com/scan/222.186.62.73/
found in database thrice: http://www.abuseipdb.com/check/222.186.62.73
No scan was available here, so I gave a hyperlink to the cache results: http://webcache.googleusercontent.com/search?q=cache:xs7dv1aXSPkJ:us.hive.sshhoneypot.com/iplog.php%3Fip%3D222.186.62.73+&cd=4&hl=nl&ct=clnk&gl=nl
For threats see attached,

pol
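Editor's added example (not part of polonus's posts): several of the IPs in this thread show up on fail2ban SSH ban lists and SSH honeypot logs. The script below is the detection logic behind such a ban, fail2ban-style: count "Failed password" lines per source IP in a sliding findtime window and ban at maxretry. The auth.log excerpt is constructed (TEST-NET addresses); syslog lines carry no year, so 2014 is assumed, and the regex matches the classic sshd "Failed password for ... from ... port ... ssh2" wording, which varies between OpenSSH versions.

```python
"""Fail2ban-style detection of SSH password guessing over sshd log lines:
the logic behind the "banned for N attempts against SSH" entries the thread
links to (fail2ban's maxretry / findtime / bantime).

Added example by the editor, not the forum poster's code. The log excerpt is
constructed (TEST-NET addresses); syslog lines carry no year, so one is
assumed (2014, when the thread was written). Real sshd wording varies by
version; the pattern below matches the classic "Failed password for" line.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample, ordered as syslog would write it. 203.0.113.5 hammers
# the box within seconds; 192.0.2.8 spaces its guesses seven minutes apart.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:00 bastion sshd[2099]: Failed password for root from 192.0.2.8 port 33001 ssh2
Mar  1 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:03 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:05 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  1 10:00:09 bastion sshd[2105]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  1 10:00:11 bastion sshd[2107]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar  1 10:00:14 bastion sshd[2109]: Failed password for invalid user oracle from 203.0.113.5 port 51260 ssh2
Mar  1 10:00:20 bastion sshd[2111]: Failed password for invalid user test from 203.0.113.5 port 51270 ssh2
Mar  1 10:07:00 bastion sshd[2150]: Failed password for root from 192.0.2.8 port 33002 ssh2
Mar  1 10:14:00 bastion sshd[2201]: Failed password for root from 192.0.2.8 port 33003 ssh2
Mar  1 10:21:00 bastion sshd[2252]: Failed password for root from 192.0.2.8 port 33004 ssh2
Mar  1 10:28:00 bastion sshd[2303]: Failed password for root from 192.0.2.8 port 33005 ssh2
"""

Failure = Tuple[datetime, str, str]   # (timestamp, source ip, user tried)
Ban = Tuple[datetime, str, int]        # (when, ip, failures inside findtime)


def parse_failure(line: str, year: int = 2014) -> Optional[Failure]:
    """Return (ts, ip, user) for a failed-password line, None for anything else."""
    m = FAILED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # strptime treats whitespace in the format as \s+, so 'Mar  1' parses fine
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def detect_bans(lines: Iterable[str], maxretry: int = 5, findtime: int = 600,
                bantime: int = 3600, year: int = 2014) -> List[Ban]:
    """Ban an IP once it has maxretry failures inside a sliding findtime window.

    Failures older than findtime fall out of the window, so a slow guesser
    that spaces attempts beyond the window is never banned (fail2ban's
    behaviour too; widen findtime if that matters). Lines from an IP whose
    ban is still in force are skipped, as the firewall would drop them.
    """
    window: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned_until: Dict[str, datetime] = {}
    bans: List[Ban] = []
    for line in lines:
        event = parse_failure(line, year)
        if event is None:
            continue
        ts, ip, _user = event
        if ip in banned_until and ts < banned_until[ip]:
            continue
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans.append((ts, ip, len(q)))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


def ban_command(ip: str) -> str:
    """The firewall rule fail2ban's iptables action inserts for a ban."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for when, ip, count in detect_bans(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{when:%b %d %H:%M:%S} ban {ip} after {count} failures: {ban_command(ip)}")
```

Run as-is it bans 203.0.113.5 at its fifth failure and never bans 192.0.2.8, whose guesses are seven minutes apart and so never accumulate five inside the 600-second window; rerun with findtime=3600 and the slow guesser is caught as well. That gap is exactly why the honeypot and blocklist aggregators linked in this thread are useful: they see the slow scanner across many hosts.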