In the past week we saw a massive surge in hits on customer logs coming from the IP 45.146.165[.]11. Our security research team checked it out, and found that it has been the launch pad for abnormally large amounts of traffic trying to reach customer machines. On one customer network alone they got over 2 million hits.
IP Firewall Hits for IOC: 45.146.165[.]11 in last 7 days
======================================
| Customer | Hits
.....................................
| Customer 1 | 2047378
| Customer 2 | 899092
| Customer 3 | 327551
| Customer 4 | 216128
| Customer 5 | 180210
| Customer 6 | 159771
| Customer 7 | 109563
| Customer 8 | 59206
| Customer 9 | 50229
| Customer 10 | 29400
.....................................
The IP address in question is hosted by the Russian hosting provider Selectel[.ru] (ASN: 49505). ThreatSTOP has been protecting customers from this IP, which was added to our systems thanks to the aggregation of the DShield blocklist, one of our 800+ threat intelligence sources. Selectel is no stranger to this kind of attention, getting flagged already as part of a "bulletproof" hosting system by Spamhaus back in 2019.
Looking into the IP's address space of 45.146.165[.]0/24, our team discovered that many of the IPs in this space are also deemed malicious by DShield, while some even show up on multiple threat intelligence blocklists. For example, the IP 45.146.165[.]157 shows up in our HoneyDB Bad Hosts, Botnets, AlienVault, Telecommunications Attacks, Anonymous Network, and DShield targets.
The following IPs are active in 3 or more of our targets: 45.146.165[.]24, 45.146.165[.]148, 45.146.165[.]149, 45.146.165[.]152, 45.146.165[.]153, 45.146.165[.]157.
We highly recommend blocking these IPs, and consider blocking all IPs in the address space that have been deemed malicious by high quality threat intelligence providers such as the ones we aggregate. To find out if an IP is in our threat targets, use our free checkIP tool.
ThreatSTOP's subscribers are automatically protected from attacks launched from these IPs and others as they appear. Contact us to know more, or see the links at the end of our post to get a demo or trial.
For your convenience, here is a list of all IP addresses in the 45.146.165[.]0/24 range that we have seen as malicious, including the specific targets each IP is in:
| IP | ThreatSTOP Target | IP | ThreatSTOP Target | IP | ThreatSTOP Target |
| 45.146.165.0 | DSBLEXP | 45.146.165.85 | DSBLEXP | 45.146.165.159 | DSBLEXP |
| 45.146.165.1 | DSBLEXP | 45.146.165.87 | DSBLEXP | 45.146.165.163 | DSBLEXP |
| 45.146.165.2 | DSBLEXP | 45.146.165.88 | DSBLEXP | 45.146.165.164 | DSBLEXP |
| 45.146.165.4 | DSBLEXP | 45.146.165.89 | DSBLEXP | 45.146.165.166 | DSBLEXP |
| 45.146.165.6 | DSBLEXP | 45.146.165.90 | DSBLEXP | 45.146.165.168 | DSBLEXP |
| 45.146.165.7 | DSBLEXP | 45.146.165.91 | DSBLEXP | 45.146.165.169 | DSBLEXP |
| 45.146.165.9 | DSBLEXP | 45.146.165.92 | DSBLEXP | 45.146.165.170 | DSBLEXP |
| 45.146.165.10 | CINSARMY DSBLEXP |
45.146.165.93 | DSBLEXP | 45.146.165.174 | DSBLEXP |
| 45.146.165.11 | DSBLEXP | 45.146.165.95 | DSBLEXP | 45.146.165.178 | DSBLEXP |
| 45.146.165.12 | DSBLEXP | 45.146.165.96 | DSBLEXP | 45.146.165.179 | DSBLEXP |
| 45.146.165.15 | DSBLEXP | 45.146.165.97 | DSBLEXP | 45.146.165.180 | DSBLEXP |
| 45.146.165.19 | DSBLEXP | 45.146.165.99 | DSBLEXP | 45.146.165.181 | DSBLEXP |
| 45.146.165.20 | DSBLEXP | 45.146.165.100 | DSBLEXP | 45.146.165.182 | DSBLEXP |
| 45.146.165.21 | DSBLEXP | 45.146.165.101 | DSBLEXP | 45.146.165.184 | DSBLEXP |
| 45.146.165.23 | DSBLEXP | 45.146.165.103 | DSBLEXP | 45.146.165.187 | DSBLEXP |
| 45.146.165.24 | CINSARMY TSTOPIPS DSBLEXP |
45.146.165.104 | DSBLEXP | 45.146.165.188 | DSBLEXP |
| 45.146.165.26 | DSBLEXP | 45.146.165.105 | DSBLEXP | 45.146.165.190 | DSBLEXP |
| 45.146.165.28 | DSBLEXP | 45.146.165.106 | DSBLEXP | 45.146.165.191 | DSBLEXP |
| 45.146.165.29 | DSBLEXP | 45.146.165.107 | CINSARMY DSBLEXP |
45.146.165.194 | DSBLEXP |
| 45.146.165.31 | DSBLEXP | 45.146.165.108 | DSBLEXP | 45.146.165.197 | DSBLEXP |
| 45.146.165.32 | DST4KEXP DSBLEXP |
45.146.165.109 | DSBLEXP | 45.146.165.198 | DSBLEXP |
| 45.146.165.34 | DSBLEXP | 45.146.165.111 | DSBLEXP | 45.146.165.199 | DSBLEXP |
| 45.146.165.37 | DSBLEXP | 45.146.165.113 | DSBLEXP | 45.146.165.200 | DSBLEXP |
| 45.146.165.38 | DSBLEXP | 45.146.165.116 | DSBLEXP | 45.146.165.201 | DSBLEXP |
| 45.146.165.39 | DSBLEXP | 45.146.165.118 | DSBLEXP | 45.146.165.203 | DSBLEXP |
| 45.146.165.40 | DSBLEXP | 45.146.165.119 | DSBLEXP | 45.146.165.205 | GRSNOWIP DSBLEXP |
| 45.146.165.41 | DSBLEXP | 45.146.165.120 | DSBLEXP | 45.146.165.206 | DSBLEXP |
| 45.146.165.42 | DSBLEXP | 45.146.165.122 | DSBLEXP | 45.146.165.207 | DSBLEXP |
| 45.146.165.43 | DSBLEXP | 45.146.165.123 | DSBLEXP | 45.146.165.209 | DSBLEXP |
| 45.146.165.44 | DSBLEXP | 45.146.165.125 | DSBLEXP | 45.146.165.212 | DSBLEXP |
| 45.146.165.49 | DSBLEXP | 45.146.165.126 | DSBLEXP | 45.146.165.214 | DSBLEXP |
| 45.146.165.50 | DSBLEXP | 45.146.165.128 | DSBLEXP | 45.146.165.215 | DSBLEXP |
| 45.146.165.52 | DSBLEXP | 45.146.165.130 | DSBLEXP | 45.146.165.216 | CINSARMY DSBLEXP |
| 45.146.165.54 | DSBLEXP | 45.146.165.131 | DSBLEXP | 45.146.165.217 | DSBLEXP |
| 45.146.165.56 | DSBLEXP | 45.146.165.133 | DSBLEXP | 45.146.165.219 | DSBLEXP |
| 45.146.165.58 | DSBLEXP | 45.146.165.134 | DSBLEXP | 45.146.165.220 | DSBLEXP |
| 45.146.165.59 | DSBLEXP | 45.146.165.136 | DSBLEXP | 45.146.165.223 | DSBLEXP |
| 45.146.165.60 | DSBLEXP | 45.146.165.137 | DSBLEXP | 45.146.165.225 | DSBLEXP |
| 45.146.165.63 | DSBLEXP | 45.146.165.138 | DSBLEXP | 45.146.165.226 | DSBLEXP |
| 45.146.165.64 | DSBLEXP | 45.146.165.139 | DSBLEXP | 45.146.165.228 | DSBLEXP |
| 45.146.165.65 | DSBLEXP | 45.146.165.143 | DSBLEXP | 45.146.165.229 | DSBLEXP |
| 45.146.165.66 | DSBLEXP | 45.146.165.144 | DSBLEXP | 45.146.165.231 | DSBLEXP |
| 45.146.165.67 | DSBLEXP | 45.146.165.146 | DSBLEXP | 45.146.165.236 | DSBLEXP |
| 45.146.165.69 | DSBLEXP | 45.146.165.147 | DSBLEXP | 45.146.165.238 | DSBLEXP |
| 45.146.165.70 | DSBLEXP | 45.146.165.148 | CINSARMY TSTOPIPS DSBLEXP |
45.146.165.241 | DSBLEXP |
| 45.146.165.71 | DSBLEXP | 45.146.165.149 | CINSARMY TSTOPIPS DSBLEXP |
45.146.165.244 | DSBLEXP |
| 45.146.165.75 | CINSARMY DSBLEXP |
45.146.165.152 | CINSARMY TSTOPIPS DSBLEXP |
45.146.165.245 | DSBLEXP |
| 45.146.165.77 | DSBLEXP | 45.146.165.153 | CINSARMY TSTOPIPS DSBLEXP |
45.146.165.250 | DSBLEXP |
| 45.146.165.78 | DSBLEXP | 45.146.165.154 | UDGERHA DSBLEXP |
45.146.165.252 | DSBLEXP |
| 45.146.165.80 | DSBLEXP | 45.146.165.156 | DSBLEXP | 45.146.165.253 | DSBLEXP |
| 45.146.165.81 | DSBLEXP | 45.146.165.157 | HONEYDB BOTNET2E AVEXP TELATACK AP-THREA DSBLEXP |
45.146.165.254 | DSBLEXP |
| 45.146.165.83 | DSBLEXP | 45.146.165.158 | DSBLEXP | 45.146.165.255 | DSBLEXP |
Target descriptions:
- DSBLEXP - DShield Block List, based on millions of intrusion detection log entries, collected every day from sensors covering over 500,000 IP addresses in over 50 countries by the Internet Storm Center.
- GRSNOWIP - Green Snow Block List, these IP addresses were detected as involved in Scan Port of FTP, POP3, mod_security, IMAP, SMTP, SSH, and also in cPanel attacks and brute force attempts. This data is provided thanks to Green Snow.
- CINSARMY - The CINS Army list contains IP addresses characterized as malicious across a broad customer-base who use Sentinel's intrusion prevention systems. Sentinel's CINS system gathers attack data from deployed IPS's and the larger security community to identify threat actors and the IP infrastructure they use.
- TSTOPIPS - A ThreatSTOP originated target, these are the most blocked IPs by ThreatSTOP customers. This list can contain all types of inbound threats. The list generated daily.
- UDGERHA - IPs observed engaging in various HTTP attacks.
- DST4KEXP - IP addresses from the DShield Top 4000 list.
- HONEYDB - IPs that have connected or attempted to connect to one of the honeypots that feed data to HoneyDB. In general, there is no legitimate reason for any host to connect to these honeypots. So those that do can be considered bad, and a potential threat.
- BOTNET2E - A ThreatSTOP curated target, these are IP addresses of known active C2 infrastructure for major botnets. Attempts to connect to these addresses may show an infected system in need of cleaning.
- AVEXP - AlienVault Malware Droppers and Botnet C2 infrastructure.
- TELATACK - IP addresses currently attacking Telecommunications infrastructure.
- AP-THREA - IP addresses of attackers seen on large anonymous networks.
Reference: https://www.spamhaus.org/news/article/793/spamhaus-botnet-threat-report-2019
Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?
