Botnet domains/IP #7
Comments
Hey @Sa-Ja-Di ! Sorry for taking so long. I thought that @mitchellkrogza handled this. Can you create a PR to the input_sources directory? I think that @mitchellkrogza would love to have your inputs right here. On my side, if you want your contribution to be part of @Ultimate-Hosts-Blacklist (directly) let me know! Stay safe and healthy.
What does the final redirection link do? (I accidentally almost opened it)
Have spotted a report of a botnet - with a listing of nodes and IPs. Perhaps that is worth an addition. I post the content I found - with brackets []!
Case 1=
These are nodes of a widespread link relaying/spam/phishing sending botnet which makes use of a generic start-bootstrap design (with a Laptop) - Example screenshot for node design done with the Urlscan tracing tool=
https://urlscan.io/screenshots/93ada930-f663-4574-874f-f929047ba6cc.png
Nodes are either used for spam link sharing or abuse sending. The link relaying function works over scripting (r.php + parameters). Nodes are also using Namecheap domains!
Example parameters - valid for a single access, so we add them just for explanatory reasons=
r.php?t=c&d=20107&l=264&c=39072
r.php?t=o&d=20102&l=264&c=65216
Example spam link forwarding screencapture on Urlscan with one of the nodes=
https://urlscan.io/result/1bfe3598-e26f-4101-a0ff-45a8639ef045/
Final redirect goal= https://specialoffer[.]cannablisslabs[.]com/unsubscribe/?s1=20&s2=31027&s3=748&s4=62043
Case 2=
Report for nodes of a widespread link relaying/spam/phishing sending botnet which makes use of a generic clone design - Example screenshot for node design=
https://urlscan.io/thumbs/727b47e9-245b-4878-b120-1f59d4849431.png
Nodes are either used for spam link sharing or abuse sending. The link relaying function works over scripting (s.php + parameters). Nodes are also using Namecheap domains!
Example parameters - added for explanatory reasons=
s.php?935291_0_30169_a1b2c3d4e5
s.php?929989_0_30298_a1b2c3d4e5
Spotted active nodes=
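As an added defender-side example (not part of this issue or of the blocklist project), here is a small Python checker that flags proxy-log URLs matching the two relay signatures described in the report above: r.php with the t/d/l/c query keys (case 1) and s.php with the underscore-separated token (case 2), defanging the host for reporting. The host names and the log line layout are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Relay signatures taken from the report: case 1 uses r.php?t=<c|o>&d=<n>&l=<n>&c=<n>,
# case 2 uses s.php?<digits>_<digits>_<digits>_<hex token>.
R_PHP_KEYS = {"t", "d", "l", "c"}
S_PHP_RE = re.compile(r"^\d+_\d+_\d+_[0-9a-f]+$")


def defang(host: str) -> str:
    """Bracket the dots so the indicator is not clickable in a report."""
    return host.replace(".", "[.]")


def classify_url(url: str):
    """Return (script, defanged host) when url matches a relay pattern, else None."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    if script == "r.php":
        qs = parse_qs(parts.query)
        if (R_PHP_KEYS <= set(qs) and qs["t"][0] in ("c", "o")
                and all(qs[k][0].isdigit() for k in ("d", "l", "c"))):
            return "r.php", defang(parts.hostname or "")
    elif script == "s.php" and S_PHP_RE.match(parts.query or ""):
        return "s.php", defang(parts.hostname or "")
    return None


def scan_log(lines):
    """Assumed log layout: '<timestamp> <client-ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of crashing
        match = classify_url(fields[3])
        if match:
            hits.append((fields[1], *match))
    return hits


# Constructed sample log: two relay hits and one benign r.php that must not match.
SAMPLE_LOG = [
    "2020-04-01T10:00:00Z 10.0.0.5 GET http://relay1.example/r.php?t=c&d=20107&l=264&c=39072 302",
    "2020-04-01T10:00:01Z 10.0.0.6 GET http://www.example.org/r.php?x=1 200",
    "2020-04-01T10:00:02Z 10.0.0.7 GET http://relay2.example/s.php?935291_0_30169_a1b2c3d4e5 302",
]

if __name__ == "__main__":
    for client, script, host in scan_log(SAMPLE_LOG):
        print(f"{client} hit {script} relay on {host}")
```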