- Wed, Feb 12 2014
- #DhiaLite - NuclearPack EK subdomains popped today on 31.41.221.140 and 31.41.221.142
- For the past few days Nuclear has been riding on the range 31.41.221.131 to 31.41.221.139.
- Below are the IPs with the first-seen and last-seen dates of the subdomains hosted on them:
- 31.41.221.139 2014-02-12 2014-02-12
- 31.41.221.138 2014-02-11 2014-02-12
- 31.41.221.137 2014-02-10 2014-02-11
- 31.41.221.136 2014-02-10 2014-02-11
- 31.41.221.135 2014-02-10 2014-02-10
- 31.41.221.134 2014-02-09 2014-02-10
- 31.41.221.132 2014-02-08 2014-02-09
- 31.41.221.131 2014-02-07 2014-02-08
- Expect Nuclear to use the contiguous IPs 31.41.221.141, 31.41.221.142 and 31.41.221.143 next.
- Yesterday these three IPs were not live; they were all brought up together today and show the same system fingerprint. Note the nginx web server 0.7.67:
- 22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
- 80/tcp open http nginx web server 0.7.67
- 111/tcp open rpcbind
- There is a high probability the actors have the next IPs reserved as well and will shift to 31.41.221.144 and onward by bringing them live in the next few days.
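The first-seen / last-seen table above is enough to make the "next IPs" call mechanical. The following is an added example, not part of the original paste: it parses the rows exactly as listed, checks that first-seen dates rise with the address (an upward walk through the /24), reports any address inside the observed span that never appeared (the table skips 31.41.221.133), estimates how long each IP stays live, and emits the next addresses to watch for in proxy or DNS logs. The row text is copied from the table; the function names are mine.

```python
import ipaddress
from datetime import date

# Rows copied from the first-seen / last-seen table above: IP, first seen, last seen.
OBSERVED = """
31.41.221.139 2014-02-12 2014-02-12
31.41.221.138 2014-02-11 2014-02-12
31.41.221.137 2014-02-10 2014-02-11
31.41.221.136 2014-02-10 2014-02-11
31.41.221.135 2014-02-10 2014-02-10
31.41.221.134 2014-02-09 2014-02-10
31.41.221.132 2014-02-08 2014-02-09
31.41.221.131 2014-02-07 2014-02-08
"""


def parse_rows(text):
    """Return (ip, first_seen, last_seen) tuples sorted by address."""
    rows = []
    for line in text.strip().splitlines():
        ip, first, last = line.split()
        rows.append((ipaddress.IPv4Address(ip),
                     date.fromisoformat(first),
                     date.fromisoformat(last)))
    return sorted(rows)


def walks_upward(rows):
    """True when first-seen never decreases as the address increases."""
    firsts = [first for _, first, _ in rows]
    return all(a <= b for a, b in zip(firsts, firsts[1:]))


def gaps(rows):
    """Addresses between the lowest and highest observed that never appeared."""
    seen = {int(ip) for ip, _, _ in rows}
    lo, hi = int(rows[0][0]), int(rows[-1][0])
    return [ipaddress.IPv4Address(n) for n in range(lo, hi + 1) if n not in seen]


def mean_dwell_days(rows):
    """Average number of days an IP stayed live, counting both end dates."""
    lifetimes = [(last - first).days + 1 for _, first, last in rows]
    return sum(lifetimes) / len(lifetimes)


def predict_next(rows, count=3):
    """Assume the walk continues: the next `count` addresses above the highest seen."""
    hi = rows[-1][0]
    return [hi + i for i in range(1, count + 1)]


def watchlist(rows, count=3):
    """Gaps plus predicted next hops, as strings ready for a log search."""
    return sorted({str(ip) for ip in gaps(rows) + predict_next(rows, count)},
                  key=ipaddress.IPv4Address)


if __name__ == "__main__":
    rows = parse_rows(OBSERVED)
    print("upward walk:", walks_upward(rows))
    print("never seen inside span:", [str(ip) for ip in gaps(rows)])
    print("mean dwell (days): %.2f" % mean_dwell_days(rows))
    print("watch next:", watchlist(rows))
```

The gap address is kept on the watchlist on purpose: an allocation the actor skipped once is still theirs to bring up later.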
- #Full nmap run
- $nmap -sV -O 31.41.221.140
- Starting Nmap 5.00 ( http://nmap.org ) at 2014-02-12 22:15 UTC
- Interesting ports on 31.41.221.140:
- Not shown: 997 closed ports
- PORT STATE SERVICE VERSION
- 22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
- 80/tcp open http nginx web server 0.7.67
- 111/tcp open rpcbind
- Device type: WAP|general purpose|broadband router|storage-misc|switch
- Running (JUST GUESSING) : Linux 2.4.X|2.6.X (89%), Actiontec embedded (88%), Netgear embedded (86%), Linksys embedded (86%), Buffalo embedded (86%), Actiontec Linux 2.4.X (86%), HP embedded (86%), AVM embedded (86%)
- Aggressive OS guesses: DD-WRT v23 (Linux 2.4.34) (89%), Linux 2.6.15 (Ubuntu) (89%), Linux 2.6.15 - 2.6.26 (89%), Linux 2.6.20 (Ubuntu 7.04 server, x86) (89%), Linux 2.6.23 (89%), Linux 2.6.18 (OSSIM) (89%), Actiontec GT701 DSL modem (88%), Linux 2.6.18 (CentOS 5.1, x86) (87%), Linux 2.6.18 - 2.6.26 (86%), Netgear DG834PN RangeMax wireless broadband router (86%)
- No exact OS matches for host (test conditions non-ideal).
- Network Distance: 17 hops
- Service Info: OS: Linux
- $nmap -sV -O 31.41.221.141
- Starting Nmap 5.00 ( http://nmap.org ) at 2014-02-12 22:17 UTC
- Interesting ports on 31.41.221.141:
- Not shown: 997 closed ports
- PORT STATE SERVICE VERSION
- 22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
- 80/tcp open http nginx web server 0.7.67
- 111/tcp open rpcbind
- Device type: WAP|general purpose|broadband router|storage-misc|switch
- Running (JUST GUESSING) : Linux 2.4.X|2.6.X (89%), Actiontec embedded (88%), Netgear embedded (86%), Linksys embedded (86%), Buffalo embedded (86%), Actiontec Linux 2.4.X (86%), HP embedded (86%), AVM embedded (86%)
- Aggressive OS guesses: DD-WRT v23 (Linux 2.4.34) (89%), Linux 2.6.15 (Ubuntu) (89%), Linux 2.6.15 - 2.6.26 (89%), Linux 2.6.20 (Ubuntu 7.04 server, x86) (89%), Linux 2.6.23 (89%), Linux 2.6.18 (OSSIM) (89%), Actiontec GT701 DSL modem (88%), Linux 2.6.18 - 2.6.26 (86%), Netgear DG834PN RangeMax wireless broadband router (86%), Linksys WAP54G WAP (86%)
- No exact OS matches for host (test conditions non-ideal).
- Network Distance: 17 hops
- Service Info: OS: Linux
- $nmap -sV -O 31.41.221.142
- Starting Nmap 5.00 ( http://nmap.org ) at 2014-02-12 22:19 UTC
- Interesting ports on 31.41.221.142:
- Not shown: 997 closed ports
- PORT STATE SERVICE VERSION
- 22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
- 80/tcp open http nginx web server 0.7.67
- 111/tcp open rpcbind
- Device type: WAP|general purpose|broadband router|storage-misc|switch
- Running (JUST GUESSING) : Linux 2.4.X|2.6.X (89%), Actiontec embedded (88%), Netgear embedded (86%), Linksys embedded (86%), Buffalo embedded (86%), Actiontec Linux 2.4.X (86%), HP embedded (86%), AVM embedded (86%)
- Aggressive OS guesses: DD-WRT v23 (Linux 2.4.34) (89%), Linux 2.6.15 (Ubuntu) (89%), Linux 2.6.15 - 2.6.26 (89%), Linux 2.6.20 (Ubuntu 7.04 server, x86) (89%), Linux 2.6.23 (89%), Linux 2.6.18 (OSSIM) (89%), Actiontec GT701 DSL modem (88%), Linux 2.6.18 (CentOS 5.1, x86) (87%), Linux 2.6.18 - 2.6.26 (86%), Netgear DG834PN RangeMax wireless broadband router (86%)
- No exact OS matches for host (test conditions non-ideal).
- Network Distance: 17 hops
- Service Info: OS: Linux
- $nmap -sV -O 31.41.221.143
- Starting Nmap 5.00 ( http://nmap.org ) at 2014-02-12 22:20 UTC
- Interesting ports on 31.41.221.143:
- Not shown: 997 closed ports
- PORT STATE SERVICE VERSION
- 22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
- 80/tcp open http nginx web server 0.7.67
- 111/tcp open rpcbind
- Device type: WAP|general purpose|broadband router|storage-misc|switch
- Running (JUST GUESSING) : Linux 2.4.X|2.6.X (89%), Actiontec embedded (88%), Netgear embedded (86%), Linksys embedded (86%), Buffalo embedded (86%), Actiontec Linux 2.4.X (86%), HP embedded (86%), AVM embedded (86%)
- Aggressive OS guesses: DD-WRT v23 (Linux 2.4.34) (89%), Linux 2.6.15 (Ubuntu) (89%), Linux 2.6.15 - 2.6.26 (89%), Linux 2.6.20 (Ubuntu 7.04 server, x86) (89%), Linux 2.6.23 (89%), Linux 2.6.18 (OSSIM) (89%), Actiontec GT701 DSL modem (88%), Linux 2.6.18 (CentOS 5.1, x86) (87%), Linux 2.6.18 - 2.6.26 (86%), Netgear DG834PN RangeMax wireless broadband router (86%)
- No exact OS matches for host (test conditions non-ideal).
- Network Distance: 17 hops
- Service Info: OS: Linux
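The four scans above agree on everything that matters (SSH banner, nginx version, open port set), which is what makes the fingerprint usable for spotting the next hosts before any subdomain points at them. Below is an added example, not code from the paste: it parses nmap normal output (both the Nmap 5 "Interesting ports on" header and the newer "Nmap scan report for" header), reduces each host to its open port/service/version tuple and groups hosts that share it. The input embeds the .140 and .141 scans from above plus one constructed control host on 192.0.2.10 (a documentation address, not from the paste) with different banners so the grouping has something to separate; the function names are mine.

```python
import re
from collections import defaultdict

# Nmap normal output. The two 31.41.221.x blocks are the scans above; the
# 192.0.2.10 block is a constructed control host and not from the paste.
SAMPLE = """
Interesting ports on 31.41.221.140:
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp  open  http    nginx web server 0.7.67
111/tcp open  rpcbind

Interesting ports on 31.41.221.141:
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp  open  http    nginx web server 0.7.67
111/tcp open  rpcbind

Nmap scan report for 192.0.2.10
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
80/tcp  open   http    Apache httpd 2.2.22 ((Debian))
111/tcp closed rpcbind
"""

HOST_RE = re.compile(
    r"^(?:Interesting ports on|Nmap scan report for)\b.*?(\d{1,3}(?:\.\d{1,3}){3})")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*?)\s*$")


def parse_nmap(text):
    """Map each scanned IP to its list of (port/proto, service, version) for open ports."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            if state == "open":
                hosts[current].append((f"{port}/{proto}", service, version))
    return hosts


def fingerprint(ports):
    """Order-independent fingerprint: open ports sorted numerically, with service and banner."""
    return tuple(sorted(ports, key=lambda p: int(p[0].split("/")[0])))


def cluster(hosts):
    """Group IPs by identical fingerprint."""
    groups = defaultdict(list)
    for ip, ports in hosts.items():
        groups[fingerprint(ports)].append(ip)
    return {fp: sorted(ips) for fp, ips in groups.items()}


def shared(hosts, minimum=2):
    """Host groups large enough to suggest one build template or one operator."""
    return sorted(ips for ips in cluster(hosts).values() if len(ips) >= minimum)


if __name__ == "__main__":
    hosts = parse_nmap(SAMPLE)
    for fp, ips in cluster(hosts).items():
        print(", ".join(ips))
        for port, service, version in fp:
            print(f"  {port:8} {service:8} {version}")
```

Feed it the full output of a scan over the predicted range and any new host that lands in the same group as .140 through .143 is worth treating as Nuclear infrastructure before DNS confirms it.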
- #Current subdomains on 31.41.221.140 and 31.41.221.142 are under the following 2LDs
- blanketfield.pw
- flurriescrew.pw
- hypothermiahuddle.pw
- polarquarterback.pw
- winterbatter.pw
- #Current subdomains (hostname, A record, TTL in seconds) on 31.41.221.140 and 31.41.221.142
- a1zabu.flurriescrew.pw 31.41.221.140 3600
- a2y3po.winterbatter.pw 31.41.221.142 3600
- a3po1i.blanketfield.pw 31.41.221.142 3600
- a8guike.flurriescrew.pw 31.41.221.142 3600
- aqjmcxd.polarquarterback.pw 31.41.221.142 3600
- bnn51j.polarquarterback.pw 31.41.221.142 3600
- bqeku.blanketfield.pw 31.41.221.142 3600
- bx0e0.polarquarterback.pw 31.41.221.142 3600
- bzw42vf.polarquarterback.pw 31.41.221.142 3600
- c31728.blanketfield.pw 31.41.221.142 3600
- c3i29oa.blanketfield.pw 31.41.221.142 3600
- c70lr6bk.polarquarterback.pw 31.41.221.142 3600
- ciex92eu.polarquarterback.pw 31.41.221.142 3600
- cjm7me.polarquarterback.pw 31.41.221.142 3600
- cm6w9sm.blanketfield.pw 31.41.221.142 3600
- cynaslx.winterbatter.pw 31.41.221.142 3600
- dfxj1f9d.polarquarterback.pw 31.41.221.142 3600
- dlut4ov8.polarquarterback.pw 31.41.221.142 3600
- e3ej1i.winterbatter.pw 31.41.221.142 3600
- e3icm.polarquarterback.pw 31.41.221.142 3600
- e8szp9k7.polarquarterback.pw 31.41.221.142 3600
- eerm1kb.polarquarterback.pw 31.41.221.142 3600
- f0qaq24.polarquarterback.pw 31.41.221.142 3600
- fsk219bn.blanketfield.pw 31.41.221.142 3600
- ftw4fy5.polarquarterback.pw 31.41.221.142 3600
- g0blm.polarquarterback.pw 31.41.221.142 3600
- g3iuhc.flurriescrew.pw 31.41.221.140 3600
- gcrkqjy.polarquarterback.pw 31.41.221.142 3600
- gdqoj4u0.polarquarterback.pw 31.41.221.142 3600
- gi2sg3gw.polarquarterback.pw 31.41.221.142 3600
- h0blp1.polarquarterback.pw 31.41.221.142 3600
- he6et0mz.winterbatter.pw 31.41.221.142 3600
- hgfk6g.polarquarterback.pw 31.41.221.142 3600
- hke4y7.polarquarterback.pw 31.41.221.142 3600
- hvj1d48z.winterbatter.pw 31.41.221.142 3600
- ic9sd.polarquarterback.pw 31.41.221.142 3600
- icqi0yq.polarquarterback.pw 31.41.221.142 3600
- idzsfd.winterbatter.pw 31.41.221.142 3600
- ii16fr8.blanketfield.pw 31.41.221.142 3600
- ijmnxjq.flurriescrew.pw 31.41.221.140 3600
- iqh0dgum.polarquarterback.pw 31.41.221.142 3600
- iryef.polarquarterback.pw 31.41.221.142 3600
- izdr7t.polarquarterback.pw 31.41.221.142 3600
- j2mph1.polarquarterback.pw 31.41.221.142 3600
- j5ajcwx.polarquarterback.pw 31.41.221.142 3600
- j5uhkv.blanketfield.pw 31.41.221.142 3600
- jc18o.polarquarterback.pw 31.41.221.142 3600
- jmsp6.polarquarterback.pw 31.41.221.142 3600
- jsp3vu.polarquarterback.pw 31.41.221.142 3600
- k356e3j.polarquarterback.pw 31.41.221.142 3600
- k44609qv.blanketfield.pw 31.41.221.142 3600
- k5y3ty.polarquarterback.pw 31.41.221.142 3600
- k6gsw.polarquarterback.pw 31.41.221.142 3600
- k8udauzz.polarquarterback.pw 31.41.221.142 3600
- kc9jj2.blanketfield.pw 31.41.221.142 3600
- klupi.blanketfield.pw 31.41.221.142 3600
- l1opzxa.hypothermiahuddle.pw 31.41.221.142 3600
- l4j2ye5d.winterbatter.pw 31.41.221.142 3600
- l6vax.polarquarterback.pw 31.41.221.142 3600
- lbt5h2j.polarquarterback.pw 31.41.221.142 3600
- ltyai.winterbatter.pw 31.41.221.142 3600
- lzfrl6dy.winterbatter.pw 31.41.221.142 3600
- mas51o.polarquarterback.pw 31.41.221.142 3600
- mctfh.winterbatter.pw 31.41.221.142 3600
- mdd4l7p.polarquarterback.pw 31.41.221.142 3600
- mhe1wyf.polarquarterback.pw 31.41.221.142 3600
- mluoj68.winterbatter.pw 31.41.221.142 3600
- mn16i.polarquarterback.pw 31.41.221.142 3600
- mq5yi6r.polarquarterback.pw 31.41.221.142 3600
- mv374b.polarquarterback.pw 31.41.221.142 3600
- n29qss.polarquarterback.pw 31.41.221.142 3600
- n584u.polarquarterback.pw 31.41.221.142 3600
- nd2i5.polarquarterback.pw 31.41.221.142 3600
- nfvpz6j.polarquarterback.pw 31.41.221.142 3600
- nkibr.flurriescrew.pw 31.41.221.142 3600
- npl00ll.polarquarterback.pw 31.41.221.142 3600
- nrm46e.winterbatter.pw 31.41.221.142 3600
- ntcz0cx.polarquarterback.pw 31.41.221.142 3600
- nufohtg.polarquarterback.pw 31.41.221.142 3600
- nvygt827.polarquarterback.pw 31.41.221.142 3600
- nwmk883c.winterbatter.pw 31.41.221.142 3600
- o8ekx15i.polarquarterback.pw 31.41.221.142 3600
- oig2u.blanketfield.pw 31.41.221.142 3600
- oiyr5m.blanketfield.pw 31.41.221.142 3600
- om7sy7.polarquarterback.pw 31.41.221.142 3600
- otnq855s.polarquarterback.pw 31.41.221.142 3600
- pa655kdo.polarquarterback.pw 31.41.221.142 3600
- ph1z73j.polarquarterback.pw 31.41.221.142 3600
- ppnjzma.winterbatter.pw 31.41.221.142 3600
- px716.polarquarterback.pw 31.41.221.142 3600
- q97nwhrv.polarquarterback.pw 31.41.221.142 3600
- qga277r2.polarquarterback.pw 31.41.221.142 3600
- r69ipy3.polarquarterback.pw 31.41.221.142 3600
- rhoc8.polarquarterback.pw 31.41.221.142 3600
- rii2258.polarquarterback.pw 31.41.221.142 3600
- rkgnw.polarquarterback.pw 31.41.221.142 3600
- rrfjf8.winterbatter.pw 31.41.221.142 3600
- rxwdsdl.blanketfield.pw 31.41.221.142 3600
- s1ts5.winterbatter.pw 31.41.221.142 3600
- s2vs5a.blanketfield.pw 31.41.221.142 3600
- sjd273a.flurriescrew.pw 31.41.221.140 3600
- sm4b4.blanketfield.pw 31.41.221.142 3600
- tlxdm.winterbatter.pw 31.41.221.142 3600
- tp97x44y.winterbatter.pw 31.41.221.142 3600
- u14zr7.blanketfield.pw 31.41.221.142 3600
- u2lds9.polarquarterback.pw 31.41.221.142 3600
- uhhvb.flurriescrew.pw 31.41.221.140 3600
- ume5971f.winterbatter.pw 31.41.221.142 3600
- uo371wd.winterbatter.pw 31.41.221.142 3600
- up730zj.polarquarterback.pw 31.41.221.142 3600
- ut95y2.winterbatter.pw 31.41.221.142 3600
- v2m4c.polarquarterback.pw 31.41.221.142 3600
- vcl09fqz.blanketfield.pw 31.41.221.142 3600
- vk4zlydt.winterbatter.pw 31.41.221.142 3600
- vve63.polarquarterback.pw 31.41.221.142 3600
- w262459.winterbatter.pw 31.41.221.142 3600
- w4yxhfhe.polarquarterback.pw 31.41.221.142 3600
- wskr5.polarquarterback.pw 31.41.221.142 3600
- wyhbc3it.winterbatter.pw 31.41.221.142 3600
- x0cfw0j.polarquarterback.pw 31.41.221.142 3600
- x2bm4.polarquarterback.pw 31.41.221.142 3600
- xf1sm2y8.polarquarterback.pw 31.41.221.142 3600
- xidofb4.polarquarterback.pw 31.41.221.142 3600
- xiegxb.winterbatter.pw 31.41.221.142 3600
- xil90ds.blanketfield.pw 31.41.221.142 3600
- xqfem.blanketfield.pw 31.41.221.142 3600
- xs0xtga8.winterbatter.pw 31.41.221.142 3600
- xt7csm.polarquarterback.pw 31.41.221.142 3600
- y69rqqi.blanketfield.pw 31.41.221.142 3600
- ycpatvz8.blanketfield.pw 31.41.221.142 3600
- ydlqk6.polarquarterback.pw 31.41.221.142 3600
- ye1ohgk.polarquarterback.pw 31.41.221.142 3600
- yfmkvqs.polarquarterback.pw 31.41.221.142 3600
- yitw2gf.blanketfield.pw 31.41.221.142 3600
- yme4iz0.polarquarterback.pw 31.41.221.142 3600
- z17a8.winterbatter.pw 31.41.221.142 3600
- z27j7d7.winterbatter.pw 31.41.221.142 3600
- z6v56.blanketfield.pw 31.41.221.142 3600
- zlr7zup.polarquarterback.pw 31.41.221.142 3600
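The subdomain table above carries more than a list of names to block. The worked example below is added here and is not from the paste: it parses hostname/IP/TTL rows, collapses each hostname to its registrable domain, counts rows per 2LD and per IP, records which IPs each 2LD has pointed at (flurriescrew.pw is the one seen on both .140 and .142), and measures how many leftmost labels fit the 5 to 8 character lowercase alphanumeric shape the listed names share. The rows embedded are a subset copied from the table; the label regex and the naive last-two-labels 2LD rule are my assumptions.

```python
import re
from collections import Counter, defaultdict

# A subset of rows from the table above: hostname, A record, TTL (seconds).
PDNS_ROWS = """
a1zabu.flurriescrew.pw 31.41.221.140 3600
a2y3po.winterbatter.pw 31.41.221.142 3600
a3po1i.blanketfield.pw 31.41.221.142 3600
bnn51j.polarquarterback.pw 31.41.221.142 3600
bqeku.blanketfield.pw 31.41.221.142 3600
g3iuhc.flurriescrew.pw 31.41.221.140 3600
l1opzxa.hypothermiahuddle.pw 31.41.221.142 3600
nkibr.flurriescrew.pw 31.41.221.142 3600
sjd273a.flurriescrew.pw 31.41.221.140 3600
xs0xtga8.winterbatter.pw 31.41.221.142 3600
"""

# Label shape seen in the table: 5 to 8 lowercase letters/digits. An assumption
# drawn from the listed names, not a documented property of the kit.
GENERATED_LABEL = re.compile(r"^[a-z0-9]{5,8}$")


def parse_pdns(text):
    """Return (hostname, ip, ttl) tuples from whitespace-separated rows."""
    rows = []
    for line in text.strip().splitlines():
        host, ip, ttl = line.split()
        rows.append((host.lower().rstrip("."), ip, int(ttl)))
    return rows


def registrable(host):
    """Naive 2LD: the last two labels. Adequate for .pw, not public-suffix aware."""
    return ".".join(host.split(".")[-2:])


def summarize(rows):
    """Counts per 2LD and per IP, and which IPs each 2LD has pointed at."""
    by_2ld, by_ip, ips_per_2ld = Counter(), Counter(), defaultdict(set)
    for host, ip, _ in rows:
        d = registrable(host)
        by_2ld[d] += 1
        by_ip[ip] += 1
        ips_per_2ld[d].add(ip)
    return {"by_2ld": by_2ld, "by_ip": by_ip,
            "ips_per_2ld": {d: sorted(v) for d, v in ips_per_2ld.items()}}


def unique_2lds(rows):
    """Sorted registrable domains: the level at which a block survives subdomain churn."""
    return sorted({registrable(host) for host, _, _ in rows})


def generated_ratio(rows):
    """Fraction of leftmost labels matching the throwaway-label shape."""
    hits = sum(1 for host, _, _ in rows if GENERATED_LABEL.match(host.split(".")[0]))
    return hits / len(rows)


if __name__ == "__main__":
    rows = parse_pdns(PDNS_ROWS)
    s = summarize(rows)
    print("2LDs to block:", unique_2lds(rows))
    print("rows per IP:", dict(s["by_ip"]))
    print("rows per 2LD:", dict(s["by_2ld"]))
    print("generated-looking labels: %.0f%%" % (100 * generated_ratio(rows)))
```

Blocking at the 2LD rather than the hostname is the point of `unique_2lds`: the leftmost labels are disposable and the 3600-second TTL means a new one can be live within the hour, while the five registered domains change far less often.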
- #end