From Russia with Love: Selectel hosting some busy, bad IP addresses

In the past week we saw a massive surge in hits on customer logs coming from the IP 45.146.165[.]11. Our security research team checked it out, and found that it has been the launch pad for abnormally large amounts of traffic trying to reach customer machines. On one customer network alone they got over 2 million hits.

IP Firewall Hits for IOC: 45.146.165[.]11 in last 7 days ====================================== | Customer | Hits ..................................... | Customer 1 | 2047378 | Customer 2 | 899092 | Customer 3 | 327551 | Customer 4 | 216128 | Customer 5 | 180210 | Customer 6 | 159771 | Customer 7 | 109563 | Customer 8 | 59206 | Customer 9 | 50229 | Customer 10 | 29400 .....................................

The IP address in question is hosted by the Russian hosting provider Selectel[.ru] (ASN: 49505). ThreatSTOP has been protecting customers from this IP, which was added to our systems thanks to the aggregation of the DShield blocklist, one of our 800+ threat intelligence sources. Selectel is no stranger to this kind of attention, getting flagged already as part of a "bulletproof" hosting system by Spamhaus back in 2019.

Looking into the IP's address space of 45.146.165[.]0/24, our team discovered that many of the IPs in this space are also deemed malicious by DShield, while some even show up on multiple threat intelligence blocklists. For example, the IP 45.146.165[.]157 shows up in our HoneyDB Bad Hosts, Botnets, AlienVault, Telecommunications Attacks, Anonymous Network, and DShield targets.

The following IPs are active in 3 or more of our targets: 45.146.165[.]24, 45.146.165[.]148, 45.146.165[.]149, 45.146.165[.]152, 45.146.165[.]153, 45.146.165[.]157.

We highly recommend blocking these IPs, and consider blocking all IPs in the address space that have been deemed malicious by high quality threat intelligence providers such as the ones we aggregate. To find out if an IP is in our threat targets, use our free checkIP tool .

ThreatSTOP's subscribers are automatically protected from attacks launched from these IPs and others as they appear. Contact us to know more, or see the links at the end of our post to get a demo or trial.

For your convenience, here is a list of all IP addresses in the 45.146.165[.]0/24 range that we have seen as malicious, including the specific targets each IP is in:

IP ThreatSTOP Target IP ThreatSTOP Target IP ThreatSTOP Target 45.146.165.0 DSBLEXP 45.146.165.85 DSBLEXP 45.146.165.159 DSBLEXP 45.146.165.1 DSBLEXP 45.146.165.87 DSBLEXP 45.146.165.163 DSBLEXP 45.146.165.2 DSBLEXP 45.146.165.88 DSBLEXP 45.146.165.164 DSBLEXP 45.146.165.4 DSBLEXP 45.146.165.89 DSBLEXP 45.146.165.166 DSBLEXP 45.146.165.6 DSBLEXP 45.146.165.90 DSBLEXP 45.146.165.168 DSBLEXP 45.146.165.7 DSBLEXP 45.146.165.91 DSBLEXP 45.146.165.169 DSBLEXP 45.146.165.9 DSBLEXP 45.146.165.92 DSBLEXP 45.146.165.170 DSBLEXP 45.146.165.10 CINSARMY DSBLEXP 45.146.165.93 DSBLEXP 45.146.165.174 DSBLEXP 45.146.165.11 DSBLEXP 45.146.165.95 DSBLEXP 45.146.165.178 DSBLEXP 45.146.165.12 DSBLEXP 45.146.165.96 DSBLEXP 45.146.165.179 DSBLEXP 45.146.165.15 DSBLEXP 45.146.165.97 DSBLEXP 45.146.165.180 DSBLEXP 45.146.165.19 DSBLEXP 45.146.165.99 DSBLEXP 45.146.165.181 DSBLEXP 45.146.165.20 DSBLEXP 45.146.165.100 DSBLEXP 45.146.165.182 DSBLEXP 45.146.165.21 DSBLEXP 45.146.165.101 DSBLEXP 45.146.165.184 DSBLEXP 45.146.165.23 DSBLEXP 45.146.165.103 DSBLEXP 45.146.165.187 DSBLEXP 45.146.165.24 CINSARMY TSTOPIPS DSBLEXP 45.146.165.104 DSBLEXP 45.146.165.188 DSBLEXP 45.146.165.26 DSBLEXP 45.146.165.105 DSBLEXP 45.146.165.190 DSBLEXP 45.146.165.28 DSBLEXP 45.146.165.106 DSBLEXP 45.146.165.191 DSBLEXP 45.146.165.29 DSBLEXP 45.146.165.107 CINSARMY DSBLEXP 45.146.165.194 DSBLEXP 45.146.165.31 DSBLEXP 45.146.165.108 DSBLEXP 45.146.165.197 DSBLEXP 45.146.165.32 DST4KEXP DSBLEXP 45.146.165.109 DSBLEXP 45.146.165.198 DSBLEXP 45.146.165.34 DSBLEXP 45.146.165.111 DSBLEXP 45.146.165.199 DSBLEXP 45.146.165.37 DSBLEXP 45.146.165.113 DSBLEXP 45.146.165.200 DSBLEXP 45.146.165.38 DSBLEXP 45.146.165.116 DSBLEXP 45.146.165.201 DSBLEXP 45.146.165.39 DSBLEXP 45.146.165.118 DSBLEXP 45.146.165.203 DSBLEXP 45.146.165.40 DSBLEXP 45.146.165.119 DSBLEXP 45.146.165.205 GRSNOWIP DSBLEXP 45.146.165.41 DSBLEXP 45.146.165.120 DSBLEXP 45.146.165.206 DSBLEXP 45.146.165.42 DSBLEXP 45.146.165.122 DSBLEXP 45.146.165.207 DSBLEXP 45.146.165.43 DSBLEXP 45.146.165.123 DSBLEXP 45.146.165.209 DSBLEXP 45.146.165.44 DSBLEXP 45.146.165.125 DSBLEXP 45.146.165.212 DSBLEXP 45.146.165.49 DSBLEXP 45.146.165.126 DSBLEXP 45.146.165.214 DSBLEXP 45.146.165.50 DSBLEXP 45.146.165.128 DSBLEXP 45.146.165.215 DSBLEXP 45.146.165.52 DSBLEXP 45.146.165.130 DSBLEXP 45.146.165.216 CINSARMY DSBLEXP 45.146.165.54 DSBLEXP 45.146.165.131 DSBLEXP 45.146.165.217 DSBLEXP 45.146.165.56 DSBLEXP 45.146.165.133 DSBLEXP 45.146.165.219 DSBLEXP 45.146.165.58 DSBLEXP 45.146.165.134 DSBLEXP 45.146.165.220 DSBLEXP 45.146.165.59 DSBLEXP 45.146.165.136 DSBLEXP 45.146.165.223 DSBLEXP 45.146.165.60 DSBLEXP 45.146.165.137 DSBLEXP 45.146.165.225 DSBLEXP 45.146.165.63 DSBLEXP 45.146.165.138 DSBLEXP 45.146.165.226 DSBLEXP 45.146.165.64 DSBLEXP 45.146.165.139 DSBLEXP 45.146.165.228 DSBLEXP 45.146.165.65 DSBLEXP 45.146.165.143 DSBLEXP 45.146.165.229 DSBLEXP 45.146.165.66 DSBLEXP 45.146.165.144 DSBLEXP 45.146.165.231 DSBLEXP 45.146.165.67 DSBLEXP 45.146.165.146 DSBLEXP 45.146.165.236 DSBLEXP 45.146.165.69 DSBLEXP 45.146.165.147 DSBLEXP 45.146.165.238 DSBLEXP 45.146.165.70 DSBLEXP 45.146.165.148 CINSARMY TSTOPIPS DSBLEXP 45.146.165.241 DSBLEXP 45.146.165.71 DSBLEXP 45.146.165.149 CINSARMY TSTOPIPS DSBLEXP 45.146.165.244 DSBLEXP 45.146.165.75 CINSARMY DSBLEXP 45.146.165.152 CINSARMY TSTOPIPS DSBLEXP 45.146.165.245 DSBLEXP 45.146.165.77 DSBLEXP 45.146.165.153 CINSARMY TSTOPIPS DSBLEXP 45.146.165.250 DSBLEXP 45.146.165.78 DSBLEXP 45.146.165.154 UDGERHA DSBLEXP 45.146.165.252 DSBLEXP 45.146.165.80 DSBLEXP 45.146.165.156 DSBLEXP 45.146.165.253 DSBLEXP 45.146.165.81 DSBLEXP 45.146.165.157 HONEYDB BOTNET2E AVEXP TELATACK AP-THREA DSBLEXP 45.146.165.254 DSBLEXP 45.146.165.83 DSBLEXP 45.146.165.158 DSBLEXP 45.146.165.255 DSBLEXP

Target descriptions:

DSBLEXP - DShield Block List, based on millions of intrusion detection log entries, collected every day from sensors covering over 500,000 IP addresses in over 50 countries by the Internet Storm Center. GRSNOWIP - Green Snow Block List, these IP addresses were detected as involved in Scan Port of FTP, POP3, mod_security, IMAP, SMTP, SSH, and also in cPanel attacks and brute force attempts. This data is provided thanks to Green Snow. CINSARMY - The CINS Army list contains IP addresses characterized as malicious across a broad customer-base who use Sentinel's intrusion prevention systems. Sentinel's CINS system gathers attack data from deployed IPS's and the larger security community to identify threat actors and the IP infrastructure they use. TSTOPIPS - A ThreatSTOP originated target, these are the most blocked IPs by ThreatSTOP customers. This list can contain all types of inbound threats. The list generated daily. UDGERHA - IPs observed engaging in various HTTP attacks. DST4KEXP - IP addresses from the DShield Top 4000 list. HONEYDB - IPs that have connected or attempted to connect to one of the honeypots that feed data to HoneyDB. In general, there is no legitimate reason for any host to connect to these honeypots. So those that do can be considered bad, and a potential threat. BOTNET2E - A ThreatSTOP curated target, these are IP addresses of known active C2 infrastructure for major botnets. Attempts to connect to these addresses may show an infected system in need of cleaning. AVEXP - AlienVault Malware Droppers and Botnet C2 infrastructure. TELATACK - IP addresses currently attacking Telecommunications infrastructure. AP-THREA - IP addresses of attackers seen on large anonymous networks.

Reference: https://www.spamhaus.org/news/article/793/spamhaus-botnet-threat-report-2019

Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?

Related Articles

Subscribe to the ThreatSTOP blog