飞道's Blog

2020.8.17 Red Team Threat Intelligence - Daily Update


Today's red team IP database; this article is updated daily.

Please leave threat intelligence in the comment section at https://www.secshi.com/41563.html; selected users will receive a custom mouse pad!

Link: https://pan.baidu.com/s/1H_quIAqVQyAtVFLblW995w Extraction code: u3uf

Information sync: pay close attention to the following malicious IPs; if they produce matching hits locally, block them promptly.
The malicious IPs are:
39.156.57.0/24
39.101.xx.xx – 39.107.xx.xx
81.68.167.xx
81.68.168.xx
81.68.169.xx
81.68.170.xx

81.68.167.75 produced a hit.

If blocking these IPs disrupts business, you bear the consequences yourself!!!

Red team IPs:


IPs to watch closely:
39.156.57.0/24
39.101 – 39.107

Attack IPs:


[Shared by a peer vendor] IPs to watch closely:
39.156.57.0/24
39.101 – 39.107
Confirmed as attack team addresses; arrange focused monitoring.

IPs already blocked by other units (confirmed red team)

Notification type: attack team IP address notification
Disposition requirement: focused monitoring
Notification content: the following address segments are confirmed attack team segments. Do not block them wholesale; arrange focused monitoring instead.
39.156.57.0/24
39.101.0.0/16
39.102.0.0/16
39.103.0.0/16
39.104.0.0/16
39.105.0.0/16
39.106.0.0/16
39.107.0.0/16

[Threat intelligence] Level-1 alert. On-site defenders take note: some versions of network connectivity test tools, clients and similar software may contain remote overflow vulnerabilities. Do not attempt to connect to an attacker's ports from a personal computer; if you need to test port connectivity, do it only inside a fully isolated test virtual machine. What you connect to may not be the other side's desktop but the attacker's honeypot.

[Consolidated intelligence: the honeypot system of an energy-sector central SOE discovered the following attacker IPs]
Attack methods: attacks against MySQL, Redis, WebLogic and VPN services.

223.104.3.24

VPS: 115.113.16.226


[Consolidated intelligence: a honeypot system discovered the following attacker IPs]

Intelligence sharing (confirmed red team): 114.247.103.116

These addresses were performing backdoor scanning.

Title: XX信x擎 EDR management server remote command execution (RCE) vulnerability
Threat level: Critical
Affected scope: hosts using the XX信天擎 EDR product
Vulnerability description: unknown for now
Note: after gaining intranet access through the XX服 SSL VPN, this class of vulnerability is used to take control of every machine with the EDR agent installed.

Attack IPs:
[Tracing analysis tips] After receiving attack IPs, first analyse the relevant logs to check whether IPs from the same group or the same segment have carried out similar attacks against the targets we protect. If so, their attack methods can be traced more precisely, for example by searching for these attacker IPs on the NTA, which may even let you recover some 0days.

There is a team operating from the 123.246.198 segment.

112.162.109.34: command injection

103.145.107.26: this IP belongs to the attack team

223.104.3.24 and 39.99.160.90 are probably the attack team's on-site 4G addresses.

Intelligence sharing: 1. Egress IPs of the first team
39.103.138.156
39.103.138.154
39.103.138.20
39.103.138.92
Jump host IPs:
39.156.57.19
39.156.57.17
2. Egress IPs of the second team
39.107.111.182
39.107.108.116
39.107.112.96
39.107.112.213
Jump host IPs:
39.156.57.120
39.156.57.93
3. IP of the hotel where the attack team is staying:
124.202.183.131
4. DNS server of the attack team's physical hosts:
202.106.46.151
5. 39.156.56.0/24 is currently suspected to be the first-hop egress segment for all attack teams.
6. Because today is a test, nearly all IPs are in the same segment; they will change later.

43.247.90.100: malicious IP, block directly

(Provided by a peer vendor, for reference)
All units, block the following:

Red team first-batch attack IP list:
All units please block according to your actual situation.

Red team IPs obtained by XX Group (high credibility):

Recently, a tool for the Behinder (冰蝎) webshell 3.0 was released online.
Handling recommendations:
[WAF]
Protect with a custom rule: (uri_path * rco .(jsp|jspx|php)$)&&(method * belong POST)&&(request_body * req ^[w+/]{1000,}=?=?$)
[IPS/IDS]
If the webshell is an aspx script, the existing detection rule can be used:
Rule ID: [41698] Behinder encrypted ASPX webshell file upload
If the webshell is an asp, jsp or php script, the detection rule package is expected to be released this afternoon.
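The three conditions of the WAF rule above, expressed as a Python check run over constructed sample requests; this is an added example, not a rule from the original post or from any WAF vendor. It assumes the printed `[w+/]` and `.(jsp|jspx|php)` lost their backslashes in extraction and were meant as `[\w+/]` and `\.(jsp|jspx|php)`, and that matching is case-sensitive.

```python
import re
from dataclasses import dataclass

# Regexes reconstructed from the quoted WAF rule. Assumption: the printed
# "[w+/]" and ".(jsp|jspx|php)" were "[\w+/]" and "\.(jsp|jspx|php)".
PATH_RE = re.compile(r"\.(jsp|jspx|php)$")
# Behinder 3.0 traffic: a POST body that is one long base64 blob (>= 1000
# characters of [A-Za-z0-9_+/]) with at most two '=' padding characters.
BODY_RE = re.compile(r"^[\w+/]{1000,}=?=?$")


@dataclass
class HttpRequest:
    method: str
    path: str   # URI path only, without the query string
    body: str


def matches_behinder_rule(req: HttpRequest) -> bool:
    """True only when all three AND-ed conditions of the WAF rule hold."""
    return (
        req.method == "POST"
        and PATH_RE.search(req.path) is not None
        and BODY_RE.fullmatch(req.body) is not None
    )


# Constructed sample traffic (not captured data): one request shaped like
# a Behinder 3.0 POST and four that fail exactly one condition each.
SAMPLES = {
    "suspect": HttpRequest("POST", "/upload/shell.jsp", "A" * 1200 + "=="),
    "short_body": HttpRequest("POST", "/upload/shell.jsp", "A" * 200),
    "get": HttpRequest("GET", "/index.php", "A" * 1200),
    "html_path": HttpRequest("POST", "/index.html", "A" * 1200),
    "json_body": HttpRequest("POST", "/api.php", '{"k":"' + "A" * 1200 + '"}'),
}


def flag_requests(samples=SAMPLES):
    """Map each sample name to whether the rule would fire on it."""
    return {name: matches_behinder_rule(r) for name, r in samples.items()}


if __name__ == "__main__":
    for name, hit in flag_requests().items():
        print(f"{name}: {'MATCH' if hit else 'pass'}")
```

Any large base64-encoded POST to a .jsp/.jspx/.php path satisfies the rule, so expect it to fire on legitimate base64 uploads as well; treat a match as a trigger for inspection rather than automatic blocking.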

42.81.56.6 – 北京奇虎科技有限公司 (Beijing Qihoo Technology Co., Ltd.)

Attack IPs synced from a blue team:

223.223.179.130

Attack source IP: 39.106.35.229
Vulnerability type: multiple vulnerabilities

Exploitation attack IPs:

39.107.221.136
39.106.144.55
39.106.21.92

154.86.3.74, 154.8.3.32, 154.86.3.59: Hong Kong cloud servers

Tea0:
218.253.251.30: vulnerability scanning

[Shared intelligence]
Friendly reminder: information provided by another central SOE.
Newly added attack team on-site 4G addresses:
223.104.3.24
39.99.160.90; blocking is recommended.

[Shared intelligence]
223.223.179.130
All units: this address is an attack address. The Ningxia company has already caught attacks from it, and Henan has seen it too.
All units, please check urgently whether you have been attacked from this address.

Block this domain: tj.2345ae.com


Reposted from: https://blog.csdn.net/anquanzushiye/article/details/108067963