Update: down to the remaining IPs involved in the pgHammer botnet.
If anyone has any clout at any of the providers, you might want to pass
them along for takedowns/mitigation.
A sizeable number are on DigitalOcean droplets, but they are spread out everywhere.
1.238.11.86 x81 NXDOMAIN
1.250.62.223 x75 NXDOMAIN
101.96.116.82 x107 ci96.116-82.netnam.vn
103.1.238.229 x138 mx238229.superdata.vn
103.10.171.42 x146 vmw42.transtech.co.id
103.106.72.28 x132 NXDOMAIN
103.106.72.45 x131 NXDOMAIN
103.21.218.242 x132 ln-static-103-21-218-242.link.net.id
103.210.72.253 x146 NXDOMAIN
103.232.123.91 x142 NXDOMAIN
103.233.110.173 x137 NXDOMAIN
103.233.110.178 x138 NXDOMAIN
103.247.11.30 x129 iix65.rumahweb.com
103.252.163.249 x98
103.27.206.172 x69 NXDOMAIN
103.35.72.153 x145 NXDOMAIN
103.48.193.58 x137 NXDOMAIN
104.215.72.16 x153 NXDOMAIN
104.223.49.191 x154 104.223.49.191.static.quadranet.com
104.236.158.58 x151 NXDOMAIN
104.236.248.209 x153 NXDOMAIN
104.248.135.234 x9 NXDOMAIN
104.248.147.163 x130 NXDOMAIN
104.248.151.192 x146 NXDOMAIN
104.248.178.255 x154 NXDOMAIN
104.248.180.179 x146 NXDOMAIN
104.248.187.99 x150 NXDOMAIN
104.248.33.189 x158 NXDOMAIN
104.248.45.254 x140 NXDOMAIN
104.248.52.21 x161 NXDOMAIN
104.248.61.201 x152 NXDOMAIN
104.248.61.215 x141 NXDOMAIN
104.248.64.208 x143 NXDOMAIN
104.248.80.250 x148 NXDOMAIN
106.13.10.118 x102
106.13.7.9 x98
106.254.246.82 x91 NXDOMAIN
106.39.107.26 x8 NXDOMAIN
106.51.72.240 x137 broadband.actcorp.in
110.164.130.244 x133 mx-ll-110.164.130-244.static.3bb.co.th.130.164.110.in-addr.arpa
111.171.214.81 x78 NXDOMAIN
111.230.220.148 x72 NXDOMAIN
111.231.66.43 x68 NXDOMAIN
112.217.85.92 x85 NXDOMAIN
114.202.161.105 x80 NXDOMAIN
114.32.124.240 x151 114-32-124-240.hinet-ip.hinet.net
115.159.194.92 x75 NXDOMAIN
118.24.13.227 x139 NXDOMAIN
118.24.45.165 x134 NXDOMAIN
118.240.133.81 x98 fp76f08551.tkyc008.ap.nuro.jp
118.25.21.34 x135 NXDOMAIN
118.25.214.134 x139 NXDOMAIN
118.25.71.104 x130 NXDOMAIN
118.69.66.53 x121 NXDOMAIN
118.70.8.49 x125 NXDOMAIN
118.89.216.56 x69 NXDOMAIN
118.98.221.96 x131 221-96.cpt.kemdiknas.go.id
119.198.137.99 x66 NXDOMAIN
119.205.221.232 x68 NXDOMAIN
119.29.120.138 x74 NXDOMAIN
120.138.8.203 x135 static-103-231-211-203.ctrls.in
122.155.0.145 x135 NXDOMAIN
122.155.0.237 x142 cluster2.throughwave.co.th
122.155.0.239 x125 cluster1.throughwave.co.th
123.255.204.60 x135 ip-123-255-204-60.datautama.net.id
124.207.137.144 x64 NXDOMAIN
124.89.88.122 x131 NXDOMAIN
125.17.115.186 x123 aes-static-186.115.17.125.airtel.in
125.212.238.119 x78
128.1.134.25 x137 NXDOMAIN
129.150.112.231 x141 oc-129-150-112-231.compute.oraclecloud.com
129.150.98.168 x157 oc-129-150-98-168.compute.oraclecloud.com
131.255.4.177 x136 host177.131.255.4.h2dns.net
132.145.156.103 x152 NXDOMAIN
133.130.102.17 x88 v133-130-102-17.a02b.g.tyo1.static.cnode.io
133.18.30.236 x89 v9345.vir.kagoya.net
134.91.79.9 x147 cd079009.es.uni-due.de
136.233.8.100 x126 NXDOMAIN
138.197.35.188 x153 NXDOMAIN
138.68.8.165 x140 NXDOMAIN
139.217.198.80 x90 NXDOMAIN
139.219.191.125 x69 NXDOMAIN
139.219.234.171 x78 NXDOMAIN
139.59.243.28 x136 NXDOMAIN
139.59.255.187 x137 NXDOMAIN
139.59.78.49 x130 NXDOMAIN
14.141.205.154 x124 14.141.205.154.static-vsnl.net.in
14.225.2.93 x139 static.vnpt.vn
140.118.155.221 x141 mm10.csie.ntust.edu.tw
142.93.108.45 x148 NXDOMAIN
142.93.121.54 x143 NXDOMAIN
142.93.200.146 x147 NXDOMAIN
142.93.214.72 x140 NXDOMAIN
142.93.228.232 x150 NXDOMAIN
142.93.36.70 x146 NXDOMAIN
142.93.53.194 x154 NXDOMAIN
142.93.83.223 x156 NXDOMAIN
142.93.97.211 x152 NXDOMAIN
144.217.71.173 x147 ns538385.ip-144-217-71.net
144.22.101.25 x151 oc-144-22-101-25.compute.oraclecloud.com
144.22.97.159 x149 oc-144-22-97-159.compute.oraclecloud.com
145.239.7.148 x150 ns3083106.ip-145-239-7.eu
146.234.92.113 x10 NXDOMAIN
146.234.92.185 x144 NXDOMAIN
148.103.8.114 x145 adsl-8-114.tricom.net
148.72.210.154 x152 ip-148-72-210-154.ip.secureserver.net
149.129.214.140 x81 NXDOMAIN
150.95.27.23 x134 v150-95-27-23.a00e.g.bkk1.static.cnode.io
151.0.179.18 x137 151-0-179-18.ip282.fastwebnet.it
151.236.39.29 x135 bigmserver2n.bigm.es
153.150.32.64 x41
157.230.152.81 x149 NXDOMAIN
157.230.16.196 x142 blackboard.restdot.com
157.230.28.93 x150 NXDOMAIN
157.230.44.69 x147 NXDOMAIN
158.69.207.104 x150 104.ip-158-69-207.net
159.203.116.103 x151 NXDOMAIN
159.203.124.125 x146 NXDOMAIN
159.203.170.196 x149 NXDOMAIN
159.203.32.194 x154 NXDOMAIN
159.203.36.200 x145 NXDOMAIN
159.65.137.143 x139 NXDOMAIN
159.65.142.154 x140 NXDOMAIN
159.65.230.184 x148 NXDOMAIN
159.89.229.129 x145 NXDOMAIN
162.213.255.149 x148
162.243.7.211 x146 NXDOMAIN
163.44.158.66 x139 v163-44-158-66.a019.g.sin1.static.cnode.io
167.99.124.187 x142 NXDOMAIN
170.254.229.27 x145 17025422927.ip79.static.mediacommerce.com.co
173.212.202.56 x146 vmi228406.contaboserver.net
173.249.11.243 x144 glaxiom.eurldmma.com
174.138.63.237 x147 NXDOMAIN
175.207.12.142 x87 NXDOMAIN
176.107.130.72 x139 host72-130-107-176.static.arubacloud.pl
176.53.90.210 x145 server-176.53.90.210.as42926.net
177.107.47.218 x132 NXDOMAIN
177.190.137.110 x135 177-190-137-110.inovanet.net.br
177.193.177.80 x129 b1c1b150.virtua.com.br
177.69.248.104 x138 177-069-248-104.static.ctbctelecom.com.br
177.70.19.201 x144 e49mahqjay.underplatform.com
178.128.101.28 x142 erp-mm.bkpeneil.com-s-4vcpu-8gb-sgp1-01
178.128.102.19 x147 NXDOMAIN
178.128.68.103 x149 NXDOMAIN
178.128.75.233 x148 NXDOMAIN
178.128.78.9 x159 NXDOMAIN
178.128.85.19 x144 NXDOMAIN
178.128.97.155 x139 NXDOMAIN
178.128.98.128 x143 NXDOMAIN
178.159.249.195 x86 NXDOMAIN
178.62.66.223 x146 NXDOMAIN
179.104.132.84 x110 179-104-132-84.xd-dynamic.algarnetsuper.com.br
179.188.0.96 x151 cpro21889.publiccloud.com.br
180.151.73.194 x143 180.151.73.194.reverse.spectranet.in
180.167.216.198 x81 NXDOMAIN
180.168.181.102 x67 NXDOMAIN
180.250.18.136 x127 NXDOMAIN
182.18.208.46 x64 NXDOMAIN
182.208.211.117 x75 NXDOMAIN
182.23.210.15 x141 NXDOMAIN
182.23.27.152 x129 NXDOMAIN
182.253.112.2 x133 NXDOMAIN
182.90.244.15 x139 NXDOMAIN
183.82.63.212 x140 broadband.actcorp.in
185.190.152.122 x129 185-190-152-122.static.isp.telekom.rs
185.193.24.226 x95 NXDOMAIN
185.41.250.46 x141 185-41-250-46.net.gigatrans.ua
186.208.126.46 x146 186-208-126-46.gotelecom.com.br
186.208.19.154 x137 186.208.19.154.camaquanet.com.br
186.233.231.44 x132 empresarial-186-233-231-044.solucaonetwork.com
186.42.186.149 x28 149.186.42.186.static.anycast.cnt-grms.ec
186.42.226.218 x145 218.226.42.186.static.anycast.cnt-grms.ec
187.2.8.195 x144 bb0208c3.virtua.com.br
187.65.1.33 x2 bb410121.virtua.com.br
187.72.86.34 x143 187-072-086-034.static.ctbctelecom.com.br
188.122.22.130 x138 sunrise.ies.com.pl
188.131.162.27 x131 NXDOMAIN
188.166.39.232 x144 NXDOMAIN
188.166.72.93 x144 NXDOMAIN
188.214.210.96 x133 NXDOMAIN
189.108.44.122 x92 mx.buschinelli.com.br
190.149.177.56 x149 56.177.149.190.dynamic.intelnet.net.gt
190.15.114.83 x146 190.15.122.83.alootelecom.com.br
190.156.226.4 x143 static-ip-cr1901562264.cable.net.co
190.249.138.220 x121 cable190-249-138-220.epm.net.co
190.60.236.6 x146 cabifybogota.com
190.95.204.74 x126 NXDOMAIN
191.101.5.128 x140 NXDOMAIN
191.252.109.167 x143 vps12186.publiccloud.com.br
191.252.109.168 x146 vps5343.publiccloud.com.br
191.252.195.74 x137 vps8070.publiccloud.com.br
191.252.66.114 x135 cpro41743.publiccloud.com.br
192.162.248.5 x90 NXDOMAIN
192.95.56.86 x147 esperanza.host.managerapp.net
193.112.109.183 x136 NXDOMAIN
193.112.109.40 x133 NXDOMAIN
193.36.184.175 x137 NXDOMAIN
193.70.115.178 x142 178.ip-193-70-115.eu
194.87.144.81 x139 ptr.ruvds.com
195.226.195.11 x144 NXDOMAIN
198.199.82.217 x139 NXDOMAIN
200.108.135.98 x139 NXDOMAIN
200.133.39.41 x134 200-133-39.41.compute.rnp.br
200.150.82.138 x139 138.82.150.200.static.copel.net
200.178.251.248 x13
200.9.102.86 x133 NXDOMAIN
201.191.205.41 x139 NXDOMAIN
201.48.109.26 x130 201-048-109-026.static.ctbc.com.br
201.62.64.4 x137 201-62-64-4.turbolife.com.br
202.6.235.26 x137 citra-langgeng-235-26.padi.net.id
203.150.51.45 x133 203-150-51-45.inter.net.th
206.189.142.169 x136 NXDOMAIN
206.189.151.241 x141 NXDOMAIN
208.115.208.167 x154 167-208-115-208.static.reverse.lstn.net
209.97.142.78 x141 NXDOMAIN
209.97.172.209 x131 NXDOMAIN
210.140.228.145 x72 210x140x228x145.rev.barem.jp
210.205.92.24 x70 NXDOMAIN
210.4.125.252 x139 NXDOMAIN
211.140.116.108 x73
211.149.201.215 x73 NXDOMAIN
211.171.200.232 x127 NXDOMAIN
211.178.134.168 x81 NXDOMAIN
211.67.112.41 x79 NXDOMAIN
212.129.139.37 x131 NXDOMAIN
212.237.32.158 x143 host158-32-237-212.serverdedicati.aruba.it
212.237.6.57 x149 host57-6-237-212.serverdedicati.aruba.it
212.42.113.140 x132 212-42-113-140.elcat.kg
212.64.44.208 x137 NXDOMAIN
217.79.179.118 x146 n118.navy.myloc.de
219.91.197.233 x141 233-197-91-219.static.youbroadband.in
220.123.184.123 x89 NXDOMAIN
220.130.190.13 x136 220-130-190-13.hinet-ip.hinet.net
222.107.127.253 x72 NXDOMAIN
34.73.183.37 x155 37.183.73.34.bc.googleusercontent.com
35.190.165.252 x157 252.165.190.35.bc.googleusercontent.com
35.221.157.112 x148 112.157.221.35.bc.googleusercontent.com
35.226.195.195 x139 195.195.226.35.bc.googleusercontent.com
35.231.48.87 x149 87.48.231.35.bc.googleusercontent.com
35.236.93.240 x138 240.93.236.35.bc.googleusercontent.com
35.241.251.180 x146 180.251.241.35.bc.googleusercontent.com
36.67.210.132 x123
36.89.232.100 x130
36.91.162.42 x121
38.140.192.165 x145 NXDOMAIN
38.89.140.11 x148 ip1.deliverybox4.mail4all.in
41.228.165.225 x144 NXDOMAIN
41.79.79.221 x136 NXDOMAIN
41.95.192.22 x138 NXDOMAIN
43.230.128.210 x136 NXDOMAIN
43.240.98.182 x143 vm-43-240-98-182.intersect.org.au
45.119.81.126 x137 NXDOMAIN
45.122.220.36 x145 mail.naturerepublicstore.vn
45.40.203.41 x133 NXDOMAIN
45.55.54.70 x146 NXDOMAIN
45.6.24.15 x141 NXDOMAIN
46.101.105.115 x141 NXDOMAIN
46.19.230.42 x144 NXDOMAIN
46.99.178.133 x1 NXDOMAIN
47.75.106.104 x73 NXDOMAIN
5.196.3.158 x141 158.ip-5-196-3.eu
50.224.110.50 x147 50-224-110-50-static.hfc.comcastbusiness.net
51.15.249.244 x87 244-249-15-51.rev.cloud.scaleway.com
51.15.249.253 x138 253-249-15-51.rev.cloud.scaleway.com
51.254.114.105 x155 105.ip-51-254-114.eu
54.36.0.37 x129 ip37.ip-54-36-0.eu
54.39.50.217 x152 ns559736.ip-54-39-50.net
54.39.84.216 x150 ip216.ip-54-39-84.net
58.119.6.147 x9
59.27.82.18 x33 NXDOMAIN
66.97.35.64 x138 vps-1552835-x.dattaweb.com
67.205.167.124 x147 NXDOMAIN
68.183.104.14 x148 NXDOMAIN
68.183.106.185 x117 NXDOMAIN
68.183.12.252 x150 NXDOMAIN
68.183.216.175 x149 NXDOMAIN
68.183.223.36 x156 NXDOMAIN
68.183.236.5 x146 NXDOMAIN
68.183.78.175 x150 NXDOMAIN
68.183.86.207 x139 NXDOMAIN
69.61.226.123 x151 envison-cinemas.static.fuse.net
72.52.132.127 x151 searchaitest.cloudmachines.io
73.162.63.242 x150 c-73-162-63-242.hsd1.ca.comcast.net
77.46.239.59 x92 77-46-239-59.static.isp.telekom.rs
77.81.237.43 x141 host43-237-81-77.serverdedicati.aruba.it
78.155.206.138 x114 hochu-skidku.ru
79.137.78.70 x137 70.ip-79-137-78.eu
79.175.151.208 x66 NXDOMAIN
80.211.184.9 x141 host9-184-211-80.serverdedicati.aruba.it
80.211.65.87 x144 host87-65-211-80.serverdedicati.aruba.it
81.169.142.116 x51 h2530146.stratoserver.net
82.223.37.95 x137 NXDOMAIN
83.137.50.106 x141 83.137.50.106.svnet.ru
84.52.93.227 x142 gate.podvorye.ru
85.14.154.66 x147 mail.clrhotels.fr
85.33.222.67 x115 host67-222-static.33-85-b.business.telecomitalia.it
88.198.202.77 x90 static.88-198-202-77.clients.your-server.de
91.134.240.114 x142 114.ip-91-134-240.eu
91.230.23.196 x147 NXDOMAIN
92.60.235.14 x137 milnik-14.exe-net.net
93.186.251.226 x153 host226-251-186-93.serverdedicati.aruba.it
93.188.164.219 x140 NXDOMAIN
94.23.20.25 x145 ns3329841.ip-94-23-20.eu
95.110.226.228 x141 host228-226-110-95.serverdedicati.aruba.it
95.85.59.22 x165 NXDOMAIN
On 2019-04-02 3:18 a.m., Frido Otten via mailop wrote:
We're seeing the same here. Its intensity is not that big, however. They
try to authenticate with addresses of domains we host. Checking these
accounts on haveibeenpwned, they all seem to have leaked from the
Verifications.io breach. Also, postgres together with ssh seem to be the
common open ports on those IPs.
https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/
Regards,
Frido
On 02-04-19 at 03:41, Michael Peddemors wrote:
Someone thinks it's funny to do it on April Fools..
Attacks port 587, uses an EHLO of server.com, looks to be router
compromises, but instead of the typical distributed low volume this
one is hitting hard.. But see some other types of Linux servers as well..
Most rate limiter type tools are probably going to trigger on this one
a lot..
Sample Clipped Log Entry:
Apr 1 18:04:09 fe1 msd[14084]: Linux Magic SMTPD started: connection from 176.53.90.210 REQUIREAUTH (192.168.0.204:587) Linux 3.11 and ne
Apr 1 18:04:09 fe1 msd[14084]: GeoIP country code[176.53.90.210] = "TR"
Apr 1 18:04:09 fe1 msd[14084]: EHLO command received, args: server.com
Apr 1 18:04:10 fe1 msd[14084]: auth failed:
Apr 1 18:04:15 fe1 msd[14084]: smtp_read_command() internal error [-1]: Connection reset by peer
Apr 1 18:04:15 fe1 msd[14084]: Exiting (bytes in: 77 out: 212)
Nmap scan report for server-176.53.90.210.as42926.net (176.53.90.210)
Host is up (0.20s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5432/tcp open postgresql
9000/tcp open cslistener
9001/tcp open tor-orport
9002/tcp open dynamid
9003/tcp open unknown
9099/tcp open unknown
Nmap scan report for host72-130-107-176.static.arubacloud.pl (176.107.130.72)
Host is up (0.17s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
179/tcp filtered bgp
5432/tcp open postgresql
8080/tcp open http-proxy
What's in common? postgresql..
Page loads to 'My First OSM'
Haven't had a chance to see if this overlays other previous bots..
_______________________________________________
mailop mailing list
[email protected]
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
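Triage for the IP list at the top of the thread, as an added example that is not from the original posters: it parses the "IP xCOUNT PTR" lines, derives a registrable domain from each PTR so the entries can be batched per hosting provider for abuse reports, and keeps the NXDOMAIN and missing-PTR entries in a separate bucket for ASN/WHOIS lookup. The sample is a subset of the thread's own list; the short suffix table standing in for the Public Suffix List and the bucket label are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a subset of the IP/count/PTR lines from the thread's list.
SAMPLE_LIST = """\
129.150.112.231 x141 oc-129-150-112-231.compute.oraclecloud.com
129.150.98.168 x157 oc-129-150-98-168.compute.oraclecloud.com
144.22.101.25 x151 oc-144-22-101-25.compute.oraclecloud.com
34.73.183.37 x155 37.183.73.34.bc.googleusercontent.com
35.190.165.252 x157 252.165.190.35.bc.googleusercontent.com
212.237.32.158 x143 host158-32-237-212.serverdedicati.aruba.it
80.211.184.9 x141 host9-184-211-80.serverdedicati.aruba.it
191.252.109.167 x143 vps12186.publiccloud.com.br
179.188.0.96 x151 cpro21889.publiccloud.com.br
104.248.135.234 x9 NXDOMAIN
142.93.36.70 x146 NXDOMAIN
103.252.163.249 x98
110.164.130.244 x133 mx-ll-110.164.130-244.static.3bb.co.th.130.164.110.in-addr.arpa
"""

# Assumption: a hand-picked table of two-label public suffixes seen in the
# thread's PTRs. A production run should use the Public Suffix List instead.
SECOND_LEVEL_SUFFIXES = {
    "com.br", "net.br", "co.id", "net.id", "go.id", "co.th", "com.co",
    "net.co", "net.in", "edu.tw", "org.au", "com.pl", "co.uk",
}
NO_PTR = "(no PTR: resolve via ASN/WHOIS)"  # assumed label for the NXDOMAIN bucket

ENTRY_RE = re.compile(r"^(?P<ip>\d+(?:\.\d+){3}) x(?P<count>\d+)(?: (?P<ptr>\S+))?$")


def parse_entries(text: str) -> List[dict]:
    """Parse 'IP xCOUNT [PTR]' lines; NXDOMAIN and a missing PTR both become None."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        ptr = m.group("ptr")
        entries.append({"ip": m.group("ip"), "count": int(m.group("count")),
                        "ptr": None if ptr in (None, "NXDOMAIN") else ptr})
    return entries


def registrable_domain(ptr: str) -> str:
    """Last two labels, or three when the last two are a known public suffix.
    A broken PTR that ends in in-addr.arpa lands in its own bucket, which is
    what you want: it is not attributable to a provider by name."""
    labels = ptr.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def group_by_provider(entries: List[dict]) -> Dict[str, dict]:
    """Bucket entries by provider domain; each bucket carries IPs and total attempts."""
    groups: Dict[str, dict] = defaultdict(lambda: {"ips": [], "attempts": 0})
    for e in entries:
        key = registrable_domain(e["ptr"]) if e["ptr"] else NO_PTR
        groups[key]["ips"].append(e["ip"])
        groups[key]["attempts"] += e["count"]
    return dict(groups)


def ranked(groups: Dict[str, dict]) -> List[tuple]:
    """Providers ordered by host count, then attempt volume: who to contact first."""
    return sorted(groups.items(),
                  key=lambda kv: (-len(kv[1]["ips"]), -kv[1]["attempts"], kv[0]))


if __name__ == "__main__":
    for provider, g in ranked(group_by_provider(parse_entries(SAMPLE_LIST))):
        print(f"{provider:34} hosts={len(g['ips']):2} attempts={g['attempts']:4}  {' '.join(g['ips'])}")
```

The no-PTR bucket is deliberately kept rather than dropped: on the full list it holds most of the DigitalOcean droplets the update mentions, which have no reverse record and can only be attributed through the announcing ASN.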