DhiaLite

NuclearPack EK domains - Feb 12, 2014
Wed, Feb 12 2014
#DhiaLite - NuclearPack EK subdomains popped today on 31.41.221.140 and 31.41.221.142

For the past days Nuclear has been riding on the range 31.41.221.131 to 31.41.221.139.
Below are the IPs with the First Seen and Last Seen dates of the subdomains on them; note the hop to a new address roughly every day, with each IP abandoned after one or two days:
IP First Seen Last Seen
31.41.221.139 2014-02-12 2014-02-12
31.41.221.138 2014-02-11 2014-02-12
31.41.221.137 2014-02-10 2014-02-11
31.41.221.136 2014-02-10 2014-02-11
31.41.221.135 2014-02-10 2014-02-10
31.41.221.134 2014-02-09 2014-02-10
31.41.221.132 2014-02-08 2014-02-09
31.41.221.131 2014-02-07 2014-02-08

Expect Nuclear to use the contiguous IPs 31.41.221.141, 31.41.221.142 and 31.41.221.143 next.

Yesterday these three IPs were not live. They were all brought up together today and show the same system fingerprint (as does 31.41.221.140, see the scans below). Notice the nginx web server 0.7.67: together with the OpenSSH 5.5p1 Debian 6+squeeze4 banner this is a stock Debian 6 (squeeze) install, identical across all four hosts.

22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp open http nginx web server 0.7.67
111/tcp open rpcbind

The OS guesses in the full runs below are noise (nmap itself flags "test conditions non-ideal" at 17 hops); the service banners are the usable fingerprint. There is a high probability the bad actors have the next IPs also reserved and will shift to 31.41.221.144 and beyond by bringing them live in the next few days.
#Full nmap run
$ nmap -sV -O 31.41.221.140

Starting Nmap 5.00 ( http://nmap.org ) at 2014-02-12 22:15 UTC
Interesting ports on 31.41.221.140:
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp open http nginx web server 0.7.67
111/tcp open rpcbind
Device type: WAP|general purpose|broadband router|storage-misc|switch
Running (JUST GUESSING) : Linux 2.4.X|2.6.X (89%), Actiontec embedded (88%), Netgear embedded (86%), Linksys embedded (86%), Buffalo embedded (86%), Actiontec Linux 2.4.X (86%), HP embedded (86%), AVM embedded (86%)
Aggressive OS guesses: DD-WRT v23 (Linux 2.4.34) (89%), Linux 2.6.15 (Ubuntu) (89%), Linux 2.6.15 - 2.6.26 (89%), Linux 2.6.20 (Ubuntu 7.04 server, x86) (89%), Linux 2.6.23 (89%), Linux 2.6.18 (OSSIM) (89%), Actiontec GT701 DSL modem (88%), Linux 2.6.18 (CentOS 5.1, x86) (87%), Linux 2.6.18 - 2.6.26 (86%), Netgear DG834PN RangeMax wireless broadband router (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 17 hops
Service Info: OS: Linux

$ nmap -sV -O 31.41.221.141

Starting Nmap 5.00 ( http://nmap.org ) at 2014-02-12 22:17 UTC
Interesting ports on 31.41.221.141:
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp open http nginx web server 0.7.67
111/tcp open rpcbind
Device type: WAP|general purpose|broadband router|storage-misc|switch
Running (JUST GUESSING) : Linux 2.4.X|2.6.X (89%), Actiontec embedded (88%), Netgear embedded (86%), Linksys embedded (86%), Buffalo embedded (86%), Actiontec Linux 2.4.X (86%), HP embedded (86%), AVM embedded (86%)
Aggressive OS guesses: DD-WRT v23 (Linux 2.4.34) (89%), Linux 2.6.15 (Ubuntu) (89%), Linux 2.6.15 - 2.6.26 (89%), Linux 2.6.20 (Ubuntu 7.04 server, x86) (89%), Linux 2.6.23 (89%), Linux 2.6.18 (OSSIM) (89%), Actiontec GT701 DSL modem (88%), Linux 2.6.18 - 2.6.26 (86%), Netgear DG834PN RangeMax wireless broadband router (86%), Linksys WAP54G WAP (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 17 hops
Service Info: OS: Linux

$ nmap -sV -O 31.41.221.142

Starting Nmap 5.00 ( http://nmap.org ) at 2014-02-12 22:19 UTC
Interesting ports on 31.41.221.142:
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp open http nginx web server 0.7.67
111/tcp open rpcbind
Device type: WAP|general purpose|broadband router|storage-misc|switch
Running (JUST GUESSING) : Linux 2.4.X|2.6.X (89%), Actiontec embedded (88%), Netgear embedded (86%), Linksys embedded (86%), Buffalo embedded (86%), Actiontec Linux 2.4.X (86%), HP embedded (86%), AVM embedded (86%)
Aggressive OS guesses: DD-WRT v23 (Linux 2.4.34) (89%), Linux 2.6.15 (Ubuntu) (89%), Linux 2.6.15 - 2.6.26 (89%), Linux 2.6.20 (Ubuntu 7.04 server, x86) (89%), Linux 2.6.23 (89%), Linux 2.6.18 (OSSIM) (89%), Actiontec GT701 DSL modem (88%), Linux 2.6.18 (CentOS 5.1, x86) (87%), Linux 2.6.18 - 2.6.26 (86%), Netgear DG834PN RangeMax wireless broadband router (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 17 hops
Service Info: OS: Linux

$ nmap -sV -O 31.41.221.143

Starting Nmap 5.00 ( http://nmap.org ) at 2014-02-12 22:20 UTC
Interesting ports on 31.41.221.143:
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp open http nginx web server 0.7.67
111/tcp open rpcbind
Device type: WAP|general purpose|broadband router|storage-misc|switch
Running (JUST GUESSING) : Linux 2.4.X|2.6.X (89%), Actiontec embedded (88%), Netgear embedded (86%), Linksys embedded (86%), Buffalo embedded (86%), Actiontec Linux 2.4.X (86%), HP embedded (86%), AVM embedded (86%)
Aggressive OS guesses: DD-WRT v23 (Linux 2.4.34) (89%), Linux 2.6.15 (Ubuntu) (89%), Linux 2.6.15 - 2.6.26 (89%), Linux 2.6.20 (Ubuntu 7.04 server, x86) (89%), Linux 2.6.23 (89%), Linux 2.6.18 (OSSIM) (89%), Actiontec GT701 DSL modem (88%), Linux 2.6.18 (CentOS 5.1, x86) (87%), Linux 2.6.18 - 2.6.26 (86%), Netgear DG834PN RangeMax wireless broadband router (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 17 hops
Service Info: OS: Linux


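The four runs above are the same fingerprint four times, and spotting that by eye does not scale once the operators keep walking through the block. The script below is an added example, not part of DhiaLite's paste: it parses nmap -sV output (the Nmap 5 "Interesting ports on" and the newer "Nmap scan report for" host headers), reduces each host to its open-port/banner rows, clusters hosts with identical rows and checks whether a cluster occupies an unbroken run of addresses. The embedded scan text is a constructed, trimmed copy of the runs above plus one hypothetical host, 31.41.221.150 running Apache, added purely so the clustering has something to separate.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the port tables from the four nmap -sV -O runs in this paste,
# trimmed to the lines the fingerprint needs, plus one hypothetical host
# (31.41.221.150, Apache) that is NOT in the paste and exists only as a contrast.
NMAP_RUNS = """\
$ nmap -sV -O 31.41.221.140
Interesting ports on 31.41.221.140:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp open http nginx web server 0.7.67
111/tcp open rpcbind

$ nmap -sV -O 31.41.221.141
Interesting ports on 31.41.221.141:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp open http nginx web server 0.7.67
111/tcp open rpcbind

$ nmap -sV -O 31.41.221.142
Interesting ports on 31.41.221.142:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp open http nginx web server 0.7.67
111/tcp open rpcbind

$ nmap -sV -O 31.41.221.143
Interesting ports on 31.41.221.143:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp open http nginx web server 0.7.67
111/tcp open rpcbind

$ nmap -sV -O 31.41.221.150
Interesting ports on 31.41.221.150:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp open http Apache httpd 2.2.16 ((Debian))
"""

# Host header as printed by Nmap 5 ("Interesting ports on") and Nmap 6+ ("Nmap scan report for").
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (\d{1,3}(?:\.\d{1,3}){3})")
# One port-table row: PORT/PROTO STATE SERVICE [VERSION...]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Map each scanned IP to a sorted tuple of (port/proto, service, version) rows."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current:
            port, proto, _state, service, version = m.groups()
            hosts[current].append((f"{port}/{proto}", service, version.strip()))
    return {ip: tuple(sorted(rows)) for ip, rows in hosts.items()}


def cluster_by_fingerprint(hosts):
    """Group hosts whose open ports and service banners are identical."""
    clusters = defaultdict(list)
    for ip, fingerprint in hosts.items():
        clusters[fingerprint].append(ip)
    return {fp: sorted(ips, key=ipaddress.ip_address) for fp, ips in clusters.items()}


def is_contiguous(ips):
    """True when the addresses form one unbroken run, as the kit's hosts do here."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    return all(int(b) - int(a) == 1 for a, b in zip(addrs, addrs[1:]))


def report(text):
    """Print one line per fingerprint cluster with its member IPs and banners."""
    for fp, ips in cluster_by_fingerprint(parse_nmap(text)).items():
        banners = "; ".join(f"{p} {s} {v}".strip() for p, s, v in fp)
        print(f"{len(ips)} host(s), contiguous={is_contiguous(ips)}: {', '.join(ips)}")
        print(f"    {banners}")


if __name__ == "__main__":
    report(NMAP_RUNS)
```

Feed it the raw `-oN` output of a scan over the whole /24 and the kit's hosts fall out as one cluster of identical Debian 6 banners on consecutive addresses, while the hypothetical Apache host lands in its own cluster. The OS-guess lines are deliberately ignored: at 17 hops nmap's own output says they are unreliable.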
#Current subdomains on 31.41.221.140 and 31.41.221.142 are under the following 2LDs

blanketfield.pw
flurriescrew.pw
hypothermiahuddle.pw
polarquarterback.pw
winterbatter.pw

Block and hunt at the 2LD level: the leftmost label is a throwaway that rotates per visitor, while the five 2LDs and the IPs are the stable indicators.

#Current subdomains on 31.41.221.140 and 31.41.221.142 (hostname, A record, TTL in seconds)

a1zabu.flurriescrew.pw 31.41.221.140 3600
a2y3po.winterbatter.pw 31.41.221.142 3600
a3po1i.blanketfield.pw 31.41.221.142 3600
a8guike.flurriescrew.pw 31.41.221.142 3600
aqjmcxd.polarquarterback.pw 31.41.221.142 3600
bnn51j.polarquarterback.pw 31.41.221.142 3600
bqeku.blanketfield.pw 31.41.221.142 3600
bx0e0.polarquarterback.pw 31.41.221.142 3600
bzw42vf.polarquarterback.pw 31.41.221.142 3600
c31728.blanketfield.pw 31.41.221.142 3600
c3i29oa.blanketfield.pw 31.41.221.142 3600
c70lr6bk.polarquarterback.pw 31.41.221.142 3600
ciex92eu.polarquarterback.pw 31.41.221.142 3600
cjm7me.polarquarterback.pw 31.41.221.142 3600
cm6w9sm.blanketfield.pw 31.41.221.142 3600
cynaslx.winterbatter.pw 31.41.221.142 3600
dfxj1f9d.polarquarterback.pw 31.41.221.142 3600
dlut4ov8.polarquarterback.pw 31.41.221.142 3600
e3ej1i.winterbatter.pw 31.41.221.142 3600
e3icm.polarquarterback.pw 31.41.221.142 3600
e8szp9k7.polarquarterback.pw 31.41.221.142 3600
eerm1kb.polarquarterback.pw 31.41.221.142 3600
f0qaq24.polarquarterback.pw 31.41.221.142 3600
fsk219bn.blanketfield.pw 31.41.221.142 3600
ftw4fy5.polarquarterback.pw 31.41.221.142 3600
g0blm.polarquarterback.pw 31.41.221.142 3600
g3iuhc.flurriescrew.pw 31.41.221.140 3600
gcrkqjy.polarquarterback.pw 31.41.221.142 3600
gdqoj4u0.polarquarterback.pw 31.41.221.142 3600
gi2sg3gw.polarquarterback.pw 31.41.221.142 3600
h0blp1.polarquarterback.pw 31.41.221.142 3600
he6et0mz.winterbatter.pw 31.41.221.142 3600
hgfk6g.polarquarterback.pw 31.41.221.142 3600
hke4y7.polarquarterback.pw 31.41.221.142 3600
hvj1d48z.winterbatter.pw 31.41.221.142 3600
ic9sd.polarquarterback.pw 31.41.221.142 3600
icqi0yq.polarquarterback.pw 31.41.221.142 3600
idzsfd.winterbatter.pw 31.41.221.142 3600
ii16fr8.blanketfield.pw 31.41.221.142 3600
ijmnxjq.flurriescrew.pw 31.41.221.140 3600
iqh0dgum.polarquarterback.pw 31.41.221.142 3600
iryef.polarquarterback.pw 31.41.221.142 3600
izdr7t.polarquarterback.pw 31.41.221.142 3600
j2mph1.polarquarterback.pw 31.41.221.142 3600
j5ajcwx.polarquarterback.pw 31.41.221.142 3600
j5uhkv.blanketfield.pw 31.41.221.142 3600
jc18o.polarquarterback.pw 31.41.221.142 3600
jmsp6.polarquarterback.pw 31.41.221.142 3600
jsp3vu.polarquarterback.pw 31.41.221.142 3600
k356e3j.polarquarterback.pw 31.41.221.142 3600
k44609qv.blanketfield.pw 31.41.221.142 3600
k5y3ty.polarquarterback.pw 31.41.221.142 3600
k6gsw.polarquarterback.pw 31.41.221.142 3600
k8udauzz.polarquarterback.pw 31.41.221.142 3600
kc9jj2.blanketfield.pw 31.41.221.142 3600
klupi.blanketfield.pw 31.41.221.142 3600
l1opzxa.hypothermiahuddle.pw 31.41.221.142 3600
l4j2ye5d.winterbatter.pw 31.41.221.142 3600
l6vax.polarquarterback.pw 31.41.221.142 3600
lbt5h2j.polarquarterback.pw 31.41.221.142 3600
ltyai.winterbatter.pw 31.41.221.142 3600
lzfrl6dy.winterbatter.pw 31.41.221.142 3600
mas51o.polarquarterback.pw 31.41.221.142 3600
mctfh.winterbatter.pw 31.41.221.142 3600
mdd4l7p.polarquarterback.pw 31.41.221.142 3600
mhe1wyf.polarquarterback.pw 31.41.221.142 3600
mluoj68.winterbatter.pw 31.41.221.142 3600
mn16i.polarquarterback.pw 31.41.221.142 3600
mq5yi6r.polarquarterback.pw 31.41.221.142 3600
mv374b.polarquarterback.pw 31.41.221.142 3600
n29qss.polarquarterback.pw 31.41.221.142 3600
n584u.polarquarterback.pw 31.41.221.142 3600
nd2i5.polarquarterback.pw 31.41.221.142 3600
nfvpz6j.polarquarterback.pw 31.41.221.142 3600
nkibr.flurriescrew.pw 31.41.221.142 3600
npl00ll.polarquarterback.pw 31.41.221.142 3600
nrm46e.winterbatter.pw 31.41.221.142 3600
ntcz0cx.polarquarterback.pw 31.41.221.142 3600
nufohtg.polarquarterback.pw 31.41.221.142 3600
nvygt827.polarquarterback.pw 31.41.221.142 3600
nwmk883c.winterbatter.pw 31.41.221.142 3600
o8ekx15i.polarquarterback.pw 31.41.221.142 3600
oig2u.blanketfield.pw 31.41.221.142 3600
oiyr5m.blanketfield.pw 31.41.221.142 3600
om7sy7.polarquarterback.pw 31.41.221.142 3600
otnq855s.polarquarterback.pw 31.41.221.142 3600
pa655kdo.polarquarterback.pw 31.41.221.142 3600
ph1z73j.polarquarterback.pw 31.41.221.142 3600
ppnjzma.winterbatter.pw 31.41.221.142 3600
px716.polarquarterback.pw 31.41.221.142 3600
q97nwhrv.polarquarterback.pw 31.41.221.142 3600
qga277r2.polarquarterback.pw 31.41.221.142 3600
r69ipy3.polarquarterback.pw 31.41.221.142 3600
rhoc8.polarquarterback.pw 31.41.221.142 3600
rii2258.polarquarterback.pw 31.41.221.142 3600
rkgnw.polarquarterback.pw 31.41.221.142 3600
rrfjf8.winterbatter.pw 31.41.221.142 3600
rxwdsdl.blanketfield.pw 31.41.221.142 3600
s1ts5.winterbatter.pw 31.41.221.142 3600
s2vs5a.blanketfield.pw 31.41.221.142 3600
sjd273a.flurriescrew.pw 31.41.221.140 3600
sm4b4.blanketfield.pw 31.41.221.142 3600
tlxdm.winterbatter.pw 31.41.221.142 3600
tp97x44y.winterbatter.pw 31.41.221.142 3600
u14zr7.blanketfield.pw 31.41.221.142 3600
u2lds9.polarquarterback.pw 31.41.221.142 3600
uhhvb.flurriescrew.pw 31.41.221.140 3600
ume5971f.winterbatter.pw 31.41.221.142 3600
uo371wd.winterbatter.pw 31.41.221.142 3600
up730zj.polarquarterback.pw 31.41.221.142 3600
ut95y2.winterbatter.pw 31.41.221.142 3600
v2m4c.polarquarterback.pw 31.41.221.142 3600
vcl09fqz.blanketfield.pw 31.41.221.142 3600
vk4zlydt.winterbatter.pw 31.41.221.142 3600
vve63.polarquarterback.pw 31.41.221.142 3600
w262459.winterbatter.pw 31.41.221.142 3600
w4yxhfhe.polarquarterback.pw 31.41.221.142 3600
wskr5.polarquarterback.pw 31.41.221.142 3600
wyhbc3it.winterbatter.pw 31.41.221.142 3600
x0cfw0j.polarquarterback.pw 31.41.221.142 3600
x2bm4.polarquarterback.pw 31.41.221.142 3600
xf1sm2y8.polarquarterback.pw 31.41.221.142 3600
xidofb4.polarquarterback.pw 31.41.221.142 3600
xiegxb.winterbatter.pw 31.41.221.142 3600
xil90ds.blanketfield.pw 31.41.221.142 3600
xqfem.blanketfield.pw 31.41.221.142 3600
xs0xtga8.winterbatter.pw 31.41.221.142 3600
xt7csm.polarquarterback.pw 31.41.221.142 3600
y69rqqi.blanketfield.pw 31.41.221.142 3600
ycpatvz8.blanketfield.pw 31.41.221.142 3600
ydlqk6.polarquarterback.pw 31.41.221.142 3600
ye1ohgk.polarquarterback.pw 31.41.221.142 3600
yfmkvqs.polarquarterback.pw 31.41.221.142 3600
yitw2gf.blanketfield.pw 31.41.221.142 3600
yme4iz0.polarquarterback.pw 31.41.221.142 3600
z17a8.winterbatter.pw 31.41.221.142 3600
z27j7d7.winterbatter.pw 31.41.221.142 3600
z6v56.blanketfield.pw 31.41.221.142 3600
zlr7zup.polarquarterback.pw 31.41.221.142 3600
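The list above is raw passive-DNS output; to use it you need the stable indicators pulled out (the 2LDs and the IPs), a way to match resolver logs against them, and something to push to the resolver. The script below is an added example, not part of DhiaLite's paste. It loads records in the "hostname IP TTL" shape shown above (a constructed subset is embedded), derives the registered 2LDs with a simple last-two-labels rule (fine for .pw, not for multi-label public suffixes like .co.uk), matches constructed resolver log lines in a hypothetical "time client qname answer" format against the known subdomains, known 2LDs, known IPs and a forecast range of addresses, and emits an RPZ zone fragment that NXDOMAINs each 2LD and everything under it. The forecast range follows the paste's own prediction that the operators walk through contiguous addresses: it runs from the lowest seen IP to `lookahead` addresses past the highest, with `lookahead` an assumption you tune.

```python
import ipaddress
from collections import Counter

# Constructed subset of the "subdomain IP TTL" records listed in this paste.
RECORDS = """\
a1zabu.flurriescrew.pw 31.41.221.140 3600
a2y3po.winterbatter.pw 31.41.221.142 3600
a3po1i.blanketfield.pw 31.41.221.142 3600
bnn51j.polarquarterback.pw 31.41.221.142 3600
l1opzxa.hypothermiahuddle.pw 31.41.221.142 3600
e3icm.polarquarterback.pw 31.41.221.142 3600
"""

# Constructed resolver log lines in a hypothetical "time client qname answer" format.
# Lines 1, 3 and 4 are meant to fire; 2 and 5 are benign filler.
DNS_LOG = """\
2014-02-12T22:30:01Z 10.0.0.5 e3icm.polarquarterback.pw 31.41.221.142
2014-02-12T22:30:07Z 10.0.0.9 www.example.com 93.184.216.34
2014-02-12T22:31:15Z 10.0.0.5 zz9new.polarquarterback.pw 31.41.221.144
2014-02-12T22:32:00Z 10.0.0.7 cdn.unrelated-host.net 31.41.221.143
2014-02-12T22:33:40Z 10.0.0.9 mail.example.org 198.51.100.7
"""


def registered_domain(fqdn):
    """Last two labels. Adequate for .pw; a public-suffix list is needed for .co.uk etc."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def load_iocs(text, lookahead=2):
    """Build the indicator sets from "hostname IP TTL" records."""
    fqdns, twolds, ips = set(), set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        name, ip, _ttl = line.split()
        fqdns.add(name.lower())
        twolds.add(registered_domain(name))
        ips.add(ipaddress.ip_address(ip))
    # Forecast range (assumption): every address from the lowest seen IP up to
    # `lookahead` past the highest, following the paste's contiguous-IP prediction.
    lo, hi = min(ips), max(ips)
    watch = {lo + i for i in range(int(hi) - int(lo) + 1 + lookahead)}
    return {"fqdns": fqdns, "2lds": twolds, "ips": ips, "watch": watch}


def match_dns_log(log, iocs):
    """Return (time, client, qname, answer, reasons) for every log line that hits."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        qname, ans = qname.lower(), ipaddress.ip_address(answer)
        reasons = []
        if qname in iocs["fqdns"]:
            reasons.append("known EK subdomain")
        elif registered_domain(qname) in iocs["2lds"]:
            reasons.append("new subdomain under known EK 2LD")
        if ans in iocs["ips"]:
            reasons.append("answer is known EK IP")
        elif ans in iocs["watch"]:
            reasons.append("answer in forecast EK range")
        if reasons:
            hits.append((ts, client, qname, str(ans), reasons))
    return hits


def rpz_zone(iocs):
    """BIND/Unbound RPZ fragment: NXDOMAIN each 2LD and everything beneath it."""
    lines = []
    for domain in sorted(iocs["2lds"]):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return "\n".join(lines)


def counts(text):
    """Subdomains per 2LD and per IP, the numbers worth putting in a report."""
    per_2ld, per_ip = Counter(), Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        name, ip, _ttl = line.split()
        per_2ld[registered_domain(name)] += 1
        per_ip[ip] += 1
    return per_2ld, per_ip


if __name__ == "__main__":
    iocs = load_iocs(RECORDS)
    for hit in match_dns_log(DNS_LOG, iocs):
        print(hit)
    print(rpz_zone(iocs))
```

The 2LD match is what catches the third log line: a subdomain that was never in the list but sits under a known 2LD, resolving to an address one past the highest seen. Matching only the exact hostnames would miss it, which is why the paste groups the records by 2LD in the first place. The RPZ fragment carries the same lesson into the resolver: the wildcard entry sinkholes every future label without a zone update.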

#end