bigstock-illustration-idea-for-cyber-at-309482599-990x556

In the past week we saw a massive surge in hits on customer logs coming from the IP 45.146.165[.]11. Our security research team checked it out, and found that it has been the launch pad for abnormally large amounts of traffic trying to reach customer machines. On one customer network alone they got over 2 million hits.

IP Firewall Hits for IOC: 45.146.165[.]11 in last 7 days
======================================
| Customer      | Hits
.....................................
| Customer 1   | 2047378 
| Customer 2   | 899092 
| Customer 3   | 327551 
| Customer 4   | 216128 
| Customer 5   | 180210 
| Customer 6   | 159771 
| Customer 7   | 109563 
| Customer 8   | 59206 
| Customer 9   | 50229 
| Customer 10 | 29400 
.....................................

 

The IP address in question is hosted by the Russian hosting provider Selectel[.ru] (ASN: 49505). ThreatSTOP has been protecting customers from this IP, which was added to our systems thanks to the aggregation of the DShield blocklist, one of our 800+ threat intelligence sources. Selectel is no stranger to this kind of attention, getting flagged already as part of a "bulletproof" hosting system by Spamhaus back in 2019. 

Looking into the IP's address space of 45.146.165[.]0/24, our team discovered that many of the IPs in this space are also deemed malicious by DShield, while some even show up on multiple threat intelligence blocklists. For example, the IP 45.146.165[.]157 shows up in our HoneyDB Bad Hosts, Botnets, AlienVault, Telecommunications Attacks, Anonymous Network, and DShield targets.

The following IPs are active in 3 or more of our targets: 45.146.165[.]24, 45.146.165[.]148, 45.146.165[.]149, 45.146.165[.]152, 45.146.165[.]153, 45.146.165[.]157.

We highly recommend blocking these IPs, and consider blocking all IPs in the address space that have been deemed malicious by high quality threat intelligence providers such as the ones we aggregate. To find out if an IP is in our threat targets, use our free checkIP tool.

ThreatSTOP's subscribers are automatically protected from attacks launched from these IPs and others as they appear. Contact us to know more, or see the links at the end of our post to get a demo or trial. 

For your convenience, here is a list of all IP addresses in the 45.146.165[.]0/24 range that we have seen as malicious, including the specific targets each IP is in:

 

IP ThreatSTOP Target IP ThreatSTOP Target IP ThreatSTOP Target
45.146.165.0 DSBLEXP  45.146.165.85 DSBLEXP  45.146.165.159 DSBLEXP 
45.146.165.1 DSBLEXP  45.146.165.87 DSBLEXP  45.146.165.163 DSBLEXP 
45.146.165.2 DSBLEXP  45.146.165.88 DSBLEXP  45.146.165.164 DSBLEXP 
45.146.165.4 DSBLEXP  45.146.165.89 DSBLEXP  45.146.165.166 DSBLEXP 
45.146.165.6 DSBLEXP  45.146.165.90 DSBLEXP  45.146.165.168 DSBLEXP 
45.146.165.7 DSBLEXP  45.146.165.91 DSBLEXP  45.146.165.169 DSBLEXP 
45.146.165.9 DSBLEXP  45.146.165.92 DSBLEXP  45.146.165.170 DSBLEXP 
45.146.165.10 CINSARMY
DSBLEXP
45.146.165.93 DSBLEXP  45.146.165.174 DSBLEXP 
45.146.165.11 DSBLEXP  45.146.165.95 DSBLEXP  45.146.165.178 DSBLEXP 
45.146.165.12 DSBLEXP  45.146.165.96 DSBLEXP  45.146.165.179 DSBLEXP 
45.146.165.15 DSBLEXP  45.146.165.97 DSBLEXP  45.146.165.180 DSBLEXP 
45.146.165.19 DSBLEXP  45.146.165.99 DSBLEXP  45.146.165.181 DSBLEXP 
45.146.165.20 DSBLEXP  45.146.165.100 DSBLEXP  45.146.165.182 DSBLEXP 
45.146.165.21 DSBLEXP  45.146.165.101 DSBLEXP  45.146.165.184 DSBLEXP 
45.146.165.23 DSBLEXP  45.146.165.103 DSBLEXP  45.146.165.187 DSBLEXP 
45.146.165.24 CINSARMY
TSTOPIPS
DSBLEXP
45.146.165.104 DSBLEXP  45.146.165.188 DSBLEXP 
45.146.165.26 DSBLEXP  45.146.165.105 DSBLEXP  45.146.165.190 DSBLEXP 
45.146.165.28 DSBLEXP  45.146.165.106 DSBLEXP  45.146.165.191 DSBLEXP 
45.146.165.29 DSBLEXP  45.146.165.107 CINSARMY
DSBLEXP
45.146.165.194 DSBLEXP 
45.146.165.31 DSBLEXP  45.146.165.108 DSBLEXP  45.146.165.197 DSBLEXP 
45.146.165.32 DST4KEXP
DSBLEXP
45.146.165.109 DSBLEXP  45.146.165.198 DSBLEXP 
45.146.165.34 DSBLEXP  45.146.165.111 DSBLEXP  45.146.165.199 DSBLEXP 
45.146.165.37 DSBLEXP  45.146.165.113 DSBLEXP  45.146.165.200 DSBLEXP 
45.146.165.38 DSBLEXP  45.146.165.116 DSBLEXP  45.146.165.201 DSBLEXP 
45.146.165.39 DSBLEXP  45.146.165.118 DSBLEXP  45.146.165.203 DSBLEXP 
45.146.165.40 DSBLEXP  45.146.165.119 DSBLEXP  45.146.165.205 GRSNOWIP
DSBLEXP
45.146.165.41 DSBLEXP  45.146.165.120 DSBLEXP  45.146.165.206 DSBLEXP 
45.146.165.42 DSBLEXP  45.146.165.122 DSBLEXP  45.146.165.207 DSBLEXP 
45.146.165.43 DSBLEXP  45.146.165.123 DSBLEXP  45.146.165.209 DSBLEXP 
45.146.165.44 DSBLEXP  45.146.165.125 DSBLEXP  45.146.165.212 DSBLEXP 
45.146.165.49 DSBLEXP  45.146.165.126 DSBLEXP  45.146.165.214 DSBLEXP 
45.146.165.50 DSBLEXP  45.146.165.128 DSBLEXP  45.146.165.215 DSBLEXP 
45.146.165.52 DSBLEXP  45.146.165.130 DSBLEXP  45.146.165.216 CINSARMY
DSBLEXP
45.146.165.54 DSBLEXP  45.146.165.131 DSBLEXP  45.146.165.217 DSBLEXP 
45.146.165.56 DSBLEXP  45.146.165.133 DSBLEXP  45.146.165.219 DSBLEXP 
45.146.165.58 DSBLEXP  45.146.165.134 DSBLEXP  45.146.165.220 DSBLEXP 
45.146.165.59 DSBLEXP  45.146.165.136 DSBLEXP  45.146.165.223 DSBLEXP 
45.146.165.60 DSBLEXP  45.146.165.137 DSBLEXP  45.146.165.225 DSBLEXP 
45.146.165.63 DSBLEXP  45.146.165.138 DSBLEXP  45.146.165.226 DSBLEXP 
45.146.165.64 DSBLEXP  45.146.165.139 DSBLEXP  45.146.165.228 DSBLEXP 
45.146.165.65 DSBLEXP  45.146.165.143 DSBLEXP  45.146.165.229 DSBLEXP 
45.146.165.66 DSBLEXP  45.146.165.144 DSBLEXP  45.146.165.231 DSBLEXP 
45.146.165.67 DSBLEXP  45.146.165.146 DSBLEXP  45.146.165.236 DSBLEXP 
45.146.165.69 DSBLEXP  45.146.165.147 DSBLEXP  45.146.165.238 DSBLEXP 
45.146.165.70 DSBLEXP  45.146.165.148 CINSARMY
TSTOPIPS
DSBLEXP
45.146.165.241 DSBLEXP 
45.146.165.71 DSBLEXP  45.146.165.149 CINSARMY
TSTOPIPS
DSBLEXP
45.146.165.244 DSBLEXP 
45.146.165.75 CINSARMY
DSBLEXP
45.146.165.152 CINSARMY
TSTOPIPS
DSBLEXP
45.146.165.245 DSBLEXP 
45.146.165.77 DSBLEXP  45.146.165.153 CINSARMY
TSTOPIPS
DSBLEXP
45.146.165.250 DSBLEXP 
45.146.165.78 DSBLEXP  45.146.165.154 UDGERHA
DSBLEXP
45.146.165.252 DSBLEXP 
45.146.165.80 DSBLEXP  45.146.165.156 DSBLEXP  45.146.165.253 DSBLEXP 
45.146.165.81 DSBLEXP  45.146.165.157 HONEYDB
BOTNET2E
AVEXP
TELATACK
AP-THREA
DSBLEXP
45.146.165.254 DSBLEXP 
45.146.165.83 DSBLEXP  45.146.165.158 DSBLEXP  45.146.165.255 DSBLEXP 

 

Target descriptions:

  • DSBLEXP - DShield Block List, based on millions of intrusion detection log entries, collected every day from sensors covering over 500,000 IP addresses in over 50 countries by the Internet Storm Center.
  • GRSNOWIP - Green Snow Block List, these IP addresses were detected as involved in Scan Port of FTP, POP3, mod_security, IMAP, SMTP, SSH, and also in cPanel attacks and brute force attempts. This data is provided thanks to Green Snow.
  • CINSARMY - The CINS Army list contains IP addresses characterized as malicious across a broad customer-base who use Sentinel's intrusion prevention systems. Sentinel's CINS system gathers attack data from deployed IPS's and the larger security community to identify threat actors and the IP infrastructure they use.
  • TSTOPIPS - A ThreatSTOP originated target, these are the most blocked IPs by ThreatSTOP customers. This list can contain all types of inbound threats. The list generated daily.
  • UDGERHA - IPs observed engaging in various HTTP attacks.
  • DST4KEXP - IP addresses from the DShield Top 4000 list.
  • HONEYDB - IPs that have connected or attempted to connect to one of the honeypots that feed data to HoneyDB. In general, there is no legitimate reason for any host to connect to these honeypots. So those that do can be considered bad, and a potential threat.
  • BOTNET2E - A ThreatSTOP curated target, these are IP addresses of known active C2 infrastructure for major botnets. Attempts to connect to these addresses may show an infected system in need of cleaning.
  • AVEXP - AlienVault Malware Droppers and Botnet C2 infrastructure.
  • TELATACK - IP addresses currently attacking Telecommunications infrastructure.
  • AP-THREA - IP addresses of attackers seen on large anonymous networks.

 

Reference: https://www.spamhaus.org/news/article/793/spamhaus-botnet-threat-report-2019 

Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?

Get a Demo      Start a Trial