Malware Domain List

Malware Related => Malicious Domains => Topic started by: BenENichols on March 27, 2016, 01:22:19 am

Title: Compromised Russian Webserver Bruting my RDP
Post by: BenENichols on March 27, 2016, 01:22:19 am
I get RDP brute-forced all the time; I just happened to notice my firewall blocking this one while working. Figured I would share it. I nmapped the IP; port 80 was open, so I found the domain name.

Server Type: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.6.14
Status: 200 OK
ContentType: text/html; charset=UTF-8

host - 188x134x1x20.static-business.iz.ertelecom.ru

http://bazamaria.ru/

http://188.134.1.20/

(http://www.squidblacklist.org/images/rdpbrute324.png)
Title: Re: Compromised Russian Webserver Bruting my RDP
Post by: dlipman on March 28, 2016, 10:52:09 pm
From the IP address, you get the network and their IP range: 188.134.0.0 - 188.134.63.255.
Block the address range in the computer's Firewall or on the enclave's perimeter Firewall.
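The range-blocking step dlipman describes above, as an added example for this thread (it is not code from the forum or from any poster): count failed RDP logons per source address from a constructed log excerpt, collapse the posted range 188.134.0.0 - 188.134.63.255 into CIDR form, and build the Windows Firewall block rule for it. The log line layout, the three-failure threshold and the rule name are assumptions made for the example; the netsh advfirewall syntax is the standard one on Windows.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of exported Windows Security log entries.
# Event 4625 = failed logon, LogonType 10 = RemoteInteractive (RDP).
# These lines are made up for this example; they are not data from the thread.
SAMPLE_LOG = """\
2016-03-26 23:58:01 EventID=4625 LogonType=10 Account=administrator SourceIP=188.134.1.20
2016-03-26 23:58:02 EventID=4625 LogonType=10 Account=admin SourceIP=188.134.1.20
2016-03-26 23:58:03 EventID=4625 LogonType=10 Account=Administrator SourceIP=188.134.1.20
2016-03-26 23:58:04 EventID=4625 LogonType=10 Account=test SourceIP=188.134.1.20
2016-03-26 23:59:10 EventID=4624 LogonType=10 Account=ben SourceIP=192.168.1.50
2016-03-26 23:59:30 EventID=4625 LogonType=10 Account=ben SourceIP=192.168.1.50
"""

# Assumed field layout for the constructed log lines above.
LINE_RE = re.compile(r"EventID=(\d+) LogonType=(\d+) Account=(\S+) SourceIP=(\S+)")


def failed_rdp_logons(log_text):
    """Count failed RDP logons (4625 with LogonType 10) per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        event_id, logon_type, _account, src = m.groups()
        if event_id == "4625" and logon_type == "10":
            counts[src] += 1
    return counts


def offenders(counts, threshold):
    """Source IPs at or above the failure threshold (threshold is an assumption)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def range_to_cidrs(first, last):
    """Collapse an inclusive IP range into the minimal list of CIDR blocks."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def in_block_range(ip, cidrs):
    """True if ip falls inside any of the CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def block_rule(cidrs, name="Block RDP brute-force range"):
    """Return the netsh command that adds an inbound block rule for the CIDRs.

    The command is only built as a string here; running it is left to the admin.
    """
    return ('netsh advfirewall firewall add rule name="%s" dir=in action=block remoteip=%s'
            % (name, ",".join(cidrs)))


if __name__ == "__main__":
    counts = failed_rdp_logons(SAMPLE_LOG)
    bad = offenders(counts, 3)
    cidrs = range_to_cidrs("188.134.0.0", "188.134.63.255")
    print("failed logons per source:", dict(counts))
    print("offenders:", bad)
    print("range as CIDR:", cidrs)
    for ip in bad:
        print(ip, "covered by block range:", in_block_range(ip, cidrs))
    print(block_rule(cidrs))
```

The same rule can be placed on a perimeter firewall instead of the host; the CIDR list is what both need, and checking each offender against it confirms the range actually covers the address seen in the log.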
Title: Re: Compromised Russian Webserver Bruting my RDP
Post by: BenENichols on March 29, 2016, 01:04:14 am
I actually forgot to set up this router; we're blocking ALL of Russian IP space actually.