CKA Forums
CKA Moderator (Posts: 33918)
PostPosted: Wed May 17, 2017 6:12 am

Jack_Styner wrote:
How did you find out about these IPs? What's your source?


There are many sources. I think Bart's is an email list.

There is also the Internet Storm Center list of bad actors:

https://isc.sans.edu/suspicious_domains.html

or websites like Krebs:

https://krebsonsecurity.com/

I get a list through email from an app we run here in our shop that security scans all our assets. I'd give it to you, but you can only get on the list if you pay $300k per year for the scanning tool.


CKA Uber (Posts: 23763)
PostPosted: Wed May 17, 2017 7:37 am

Krebs is so good.


Active Member (Posts: 226)
PostPosted: Thu May 18, 2017 1:23 am

I can't pay that much.


CKA Moderator (Posts: 63895)
PostPosted: Thu May 18, 2017 8:15 am

Jack_Styner wrote:
How did you find out about these IPs? What's your source?


FBI & Department of Homeland Security.


Active Member (Posts: 226)
PostPosted: Thu May 18, 2017 8:55 am

Where do they give out such a list? I looked but didn't find it.


CKA Moderator (Posts: 63895)
PostPosted: Thu May 18, 2017 9:39 am

Jack_Styner wrote:
Where do they give out such a list? I looked but didn't find it.


https://www.cisecurity.org/ms-isac/

Join up and they'll send you the alerts. Just be sure to respect the classification levels and don't share anything that isn't labeled as TLP White.



Active Member (Posts: 226)
PostPosted: Fri May 19, 2017 12:37 am

Thank you!


CKA Moderator (Posts: 63895)
PostPosted: Mon May 22, 2017 2:54 pm

Moar crap to block:



CKA Moderator (Posts: 63895)
PostPosted: Mon Jun 19, 2017 8:18 am

Here's today's list of malware IPs and domains:


And this is new: a list of IPs and domains that are now clean and can be allowed again.


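The block and allow lists in these posts share one plain-text format: one IPv4 address, one `start - end` range or one hostname per line. Added here as an example (not the thread's own code) is a small Python parser for that format which also applies the rule the allow-list post implies, namely that an allow-list entry overrides the block list; the sample feeds are constructed with a few values taken from the thread, and treating subdomains of a listed domain as listed is an assumed policy.

```python
# Added example (not the thread's code): parse the plain-text block/allow lists above.
import ipaddress

# Constructed sample feeds in the thread's format (a few values taken from it).
BLOCK_FEED = """
165.227.139.103
193.29.187.72
www.onesystemupdate.com
mst.my03.com
"""
ALLOW_FEED = """
65.87.64.0 - 65.87.127.255
8.8.8.8
193.29.187.72
"""

def parse_feed(text):
    """Return (list of ip_network objects, set of lower-cased domains)."""
    nets, domains = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if " - " in line:  # "start - end" range, as in the allow list above
            start, end = (ipaddress.ip_address(p.strip()) for p in line.split(" - ", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))  # single IP or CIDR
        except ValueError:
            domains.add(line.lower().rstrip("."))  # anything else is a hostname
    return nets, domains

def matches(indicator, nets, domains):
    # IPs match by network membership; hostnames match exactly or as a
    # subdomain of a listed domain (assumed policy, not stated in the thread).
    try:
        addr = ipaddress.ip_address(indicator)
        return any(addr in n for n in nets)
    except ValueError:
        host = indicator.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in domains)

def verdict(indicator, block_text=BLOCK_FEED, allow_text=ALLOW_FEED):
    """'allow' if allow-listed (takes precedence), 'block' if block-listed, else 'unknown'."""
    if matches(indicator, *parse_feed(allow_text)):
        return "allow"
    if matches(indicator, *parse_feed(block_text)):
        return "block"
    return "unknown"
```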

CKA Moderator (Posts: 63895)
PostPosted: Wed Jul 26, 2017 2:40 pm

This IP ran an all-day-long attempt at SQL injection on one of our web sites.

165.227.139.103

Posts on another site show multiple and varied attacks against government health care agencies in Canada, USA, UK, Australia, and New Zealand from this same IP.

Recommend blocking this one at the firewall.


CKA Uber (Posts: 23763)
PostPosted: Mon Jul 31, 2017 11:05 am

Unrelated to thread topic, but don't want to make a new thread for it. BTCware variants are spreading around. If your company uses RDP, lock it down with automatic lockouts after a certain number of password attempts and have good passwords; it seems to be brute-forcing through that. Aleta is a new one that cannot be decrypted like some of the earlier variants can be.
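
An added example, not part of the post above, of the detection side of the RDP advice: count failed RDP logons per source address in Windows Security log records (event 4625, logon type 10) within a sliding window, the same way an account lockout threshold counts them. The record format, threshold and window are assumptions and the log lines are constructed.

```python
# Added example (not the thread's code): flag RDP password guessing from Windows
# Security log records. A failed logon is event 4625 and logon type 10
# (RemoteInteractive) is RDP; threshold, window and record format are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # failures from one source ...
WINDOW = timedelta(minutes=10)  # ... within this window raise an alert

# Constructed sample records: "timestamp,event_id,logon_type,account,source_ip"
SAMPLE_LOG = """\
2017-07-31T10:00:01,4625,10,administrator,203.0.113.7
2017-07-31T10:00:04,4625,10,administrator,203.0.113.7
2017-07-31T10:00:09,4625,10,admin,203.0.113.7
2017-07-31T10:00:15,4625,10,backup,203.0.113.7
2017-07-31T10:00:20,4625,10,sqlsvc,203.0.113.7
2017-07-31T10:02:00,4625,10,jdoe,198.51.100.9
2017-07-31T10:03:00,4624,10,jdoe,198.51.100.9
2017-07-31T10:30:00,4625,3,jdoe,198.51.100.9
"""

def parse(lines):
    """Yield (time, event_id, logon_type, account, src) for each record."""
    for line in lines.splitlines():
        if line.strip():
            ts, eid, ltype, account, src = line.split(",")
            yield datetime.fromisoformat(ts), int(eid), int(ltype), account, src

def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: sorted accounts tried} for sources at or over the threshold.

    Only failed (4625) RDP (logon type 10) attempts count. A sliding window is
    kept per source so a slow trickle of failures does not accumulate forever.
    """
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    accounts = defaultdict(set)   # src -> accounts attempted (spray indicator)
    alerts = {}
    for ts, eid, ltype, account, src in parse(log_text):
        if eid != 4625 or ltype != 10:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        accounts[src].add(account)
        if len(q) >= threshold:
            alerts[src] = sorted(accounts[src])
    return alerts
```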


CKA Moderator (Posts: 63895)
PostPosted: Mon Jul 31, 2017 12:23 pm

Today's Shit List:



CKA Moderator (Posts: 33918)
PostPosted: Wed Aug 23, 2017 7:12 am

We've been getting a huge number of phishing attempts, with a zero-day payload. Do NOT open emails with subject lines:

“Pat due invoice notification”

“My O2 Business - Your O2 Bill is ready”

“#09932 Invoice secondary notice”

Our firewall blocked addresses associated with those payloads, but you probably don't have a sophisticated firewall like ours. As well, no AV products caught this.


CKA Moderator (Posts: 63895)
PostPosted: Mon Sep 18, 2017 9:35 am

Today's shit list:



CKA Uber (Posts: 23763)
PostPosted: Mon Sep 18, 2017 1:55 pm

DrCaleb wrote:
We've been getting a huge number of phishing attempts, with a zero-day payload. Do NOT open emails with subject lines:

“Pat due invoice notification”

“My O2 Business - Your O2 Bill is ready”

“#09932 Invoice secondary notice”

Our firewall blocked addresses associated with those payloads, but you probably don't have a sophisticated firewall like ours. As well, no AV products caught this.

I had a fun assignment last week about tracing emails back to people.

Found the guy's phone number in Africa who tried to get my information claiming to be from the IRS.

