AniNIX/RSS | OSINT Feed
Feed image: https://foundation.aninix.net/assets/img/AniNIX.png
Feed updated: 2022-09-26T02:16:20Z
Feed author: AniNIX (https://aninix.net/)

Entry: 200.28.54.71 and 186.107.199.1
Published: 2024-06-27T17:25:00Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#200.28.54.71
Author: DarkFeather
Two Chilean IPs, 200.28.54.71 and 186.107.199.1, were observed using a wide spectrum of attacks, including network trojans, PHP file inclusion attempts, web shells, and Apache exploits, against our web front. Both showed a sophisticated and diverse exploit set, but neither was attempting to exploit toolchains used by our network. Both have been banned at the edge. Total event count is 264.

Entry: 84.239.54.49
Published: 2024-06-27T17:25:00Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#84.239.54.49
Author: DarkFeather
A Romanian IP, 84.239.54.49, was detected pushing a variety of web application attacks and network trojan attempts against our web front. These were primarily Suricata/Snort signature 1:2016982:5, "auto_prepend_file PHP config option in uri". We have no evidence that these attacks were successful. Total malicious attempts captured: 54.

Entry: 2024MAR11 ACEVILLE PTELTD, Singapore
Published: 2024-03-11T07:52:00Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#ACEVILLEPTELTD
Author: DarkFeather
Provider "ACEVILLE PTELTD", from blocks 43.156.0.0/16, 43.134.0.0/15, and 43.134.0.0/17, was detected trying to brute-force our network with a distributed attack network. We are blocking these networks for malicious attempts numbering in the hundreds.

Entry: 24.144.93.118/32
Published: 2023-11-17T03:30:00Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#24.144.93.118
Author: DarkFeather
24.144.93.118/32 was detected using a network scanner against our external address. Total volume was 55; this action repeated on 2023-11-18 at 08:40Z.

Entry: 46.101.38.229/32
Published: 2023-01-16T21:44:08Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#46.101.38.229
46.101.38.229/32 was detected using a variety of attacks against our 80/tcp/http listener for AniNIX/WebServer. Suricata detection rules classified the incoming threats as a variety of SSH attacks; total volume was 48.

Entry: 5.181.86.78/32
Published: 2023-01-16T21:44:07Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#5.181.86.78
5.181.86.78/32 was detected using a variety of attacks against our 80/tcp/http listener for AniNIX/WebServer. Suricata detection rules classified the incoming threats as a variety of SQL injection methods and cross-site scripting. Total attack volume was 184.

Entry: Attack Flood from CN, BR, KZ, and DigitalOcean
Published: 2022-12-23T18:19:59Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#attack-flood-2022-12-23

Starting 2022/12/18, the AniNIX saw a rapid increase of threat traffic from subnets attributed to CN, BR, and KZ country codes -- this coincided with a concerted campaign being run from hosting provider DigitalOcean. While APT-style campaigns from CN are more or less expected, the large amount of traffic from DigitalOcean suggests the advent of a new campaign from that vendor. Other AniNIX users have reported similar attacks originating from DigitalOcean, but blocking the entire provider cuts off access to some local resources.

We are blocking the following subnets in response to this threat data: 8.213.129.0/24, 36.92.107.0/24, 43.157.15.0/24, 45.162.216.0/22, 46.101.128.0/17, 46.101.80.0/20, 61.177.0.0/16, 62.87.132.0/22, 64.227.0.0/17, 82.180.132.0/23, 85.152.0.0/17, 92.46.64.0/18, 159.223.0.0/16, and 218.92.0.0/16. If you have legitimate resources living in these spaces, we recommend hardening those resources and contacting us via Discord or IRC to receive an exception.

Entry: 78.128.113.166/32
Published: 2022-12-15T01:59:59Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#78.128.113.166
78.128.113.166/32 was detected using a variety of attacks against our 80/tcp/http listener for AniNIX/WebServer. Suricata detection rules classified the incoming threats as a variety of SQL injection methods and cross-site scripting. Total attack volume was 363.

Entry: 141.98.9.24/32
Published: 2022-09-30T21:59:59Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#141.98.9.24
141.98.9.24/32 was detected using a variety of attacks against our 80/tcp/http listener for AniNIX/WebServer. Suricata detection rules classified the incoming threats as a variety of SQL queries by URI, including "Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI". Total attack volume was 184.

Entry: 31.184.195.114/32
Published: 2022-09-30T21:59:59Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#31.184.195.114
31.184.195.114/32 was detected using a variety of attacks against our 80/tcp/http listener for AniNIX/WebServer. Suricata detection rules classified the incoming threats as attempted administrator gain, lwp-download, and CVE-2014-6271 exploits. Total attack volume was 254.

Entry: 81.19.136.5/32
Published: 2022-09-30T21:59:59Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#81.19.136.5
81.19.136.5/32 was detected using web application attacks against our 80/tcp/http listener for AniNIX/WebServer. Suricata detection rules classified the incoming threats as a variety of SQL injection attacks. Total attack volume was 1079.

Entry: 194.165.16.68/32
Published: 2022-09-30T21:59:59Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#194.165.16.68
194.165.16.68/32 was detected using web application attacks against our 80/tcp/http listener for AniNIX/WebServer. Suricata detection rules classified the incoming threats as a variety of SQL injection attacks. Total attack volume was 184.

Entry: 91.191.209.54/32
Published: 2022-09-26T02:16:20Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#91.191.209.54
91.191.209.54/32 was detected using web application attacks against our 80/tcp/http listener for AniNIX/WebServer. Suricata detection rules classified the incoming threats as a variety of SQL injection attacks. Total attack volume was 1080.

Entry: 194.165.17.9/32
Published: 2022-09-26T02:16:20Z
Link: https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#194.165.17.9
194.165.17.9/32 was detected using web application attacks against our 80/tcp/http listener for AniNIX/WebServer. Suricata detection rules classified the incoming threats as a variety of SQL injection attacks. Total attack volume was 184.