Introduction

This report lists the IP addresses of all devices that connected to our sinkhole server without arriving via an HTTP Referer. Since the sinkhole server is reached only through domain names that were previously used for malicious purposes, only infected systems (or security researchers) should appear in this list. Note that an IP behind NAT or a proxy may stand for more than one infected host.

Fields

Field              Description
timestamp          Timestamp (UTC+0) at which the IP accessed the sinkhole system
ip                 IP that accessed the sinkhole
asn                ASN of the IP
geo                Country code of the IP
url                HTTP request line (method, path and protocol version)
type               Drone type, i.e. the malware family identified from the request (if known)
http_agent         HTTP User-Agent header
tor                Whether the client is a Tor exit node
src_port           TCP source port
p0f_genre          Operating-system genre from the p0f passive TCP fingerprint of the connection
p0f_detail         Detailed OS version guess from the same p0f fingerprint
hostname           Reverse DNS of the IP
dst_port           TCP destination port
http_host          Content of the HTTP Host: header; normally the fully qualified domain name of the C&C
http_referer       HTTP Referer header
http_referer_asn   ASN of the HTTP Referer host
http_referer_geo   Country code of the HTTP Referer host
dst_ip             Sinkhole IP the client connected to (if available)
dst_asn            ASN of that sinkhole IP (if available)
dst_geo            Country code of that sinkhole IP (if available)

Updates

  • Wednesday, 1 September 2010 - Added in the fields dst_ip, dst_asn, and dst_geo to the report

Sample

"timestamp","ip","asn","geo","url","type","http_agent","tor","src_port","p0f_genre","p0f_detail","hostname","dst_port","http_host","http_referer","http_referer_asn","http_referer_geo","dst_ip","dst_asn","dst_geo"
"2010-08-31 00:09:04","202.86.21.11",23456,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,8726,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:09:06","82.115.28.93",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,50499,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:14:50","180.94.94.3",55330,"AF","GET /?3c851a=7932468 HTTP/1.1","sality","KUKU v5.06exp =19026555919",,60564,"Windows","2000 SP2+, XP SP1+ (seldom 98)",,80,"www.kjwre9fqwieluoi.info",,,,,,
"2010-08-31 00:36:05","82.115.10.63",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,47947,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:36:05","82.115.10.39",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,47928,,,,,,,,,,,
"2010-08-31 00:53:15","82.115.25.117",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,4460,,,,80,"149.20.56.32",,,,,,
"2010-08-31 01:00:26","82.115.23.237",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6)",,2476,,,,,,,,,,,
"2010-08-31 01:02:39","82.115.23.172",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)",,1426,,,,,,,,,,,
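The following parser, added here as an example and not part of the report tooling itself, reads a file in the layout described in the Fields section and shown in the Sample above. It turns the CSV into typed records (empty cells become None, numeric columns become integers, the timestamp becomes an aware UTC datetime, the request line is split into method, path and version), groups the distinct infected IPs by drone type and by source ASN, and flags rows that contradict the report definition (a Referer present) or are hard to act on (no type, truncated request line). The embedded rows are constructed from the sample format; the encoding of the tor column is not stated on this page, so the set of strings treated as "yes" is an assumption of this example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the report header and three rows in the layout shown on
# this page, standing in for a downloaded report file.
SAMPLE_CSV = '''"timestamp","ip","asn","geo","url","type","http_agent","tor","src_port","p0f_genre","p0f_detail","hostname","dst_port","http_host","http_referer","http_referer_asn","http_referer_geo","dst_ip","dst_asn","dst_geo"
"2010-08-31 00:09:04","202.86.21.11",23456,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,8726,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:14:50","180.94.94.3",55330,"AF","GET /?3c851a=7932468 HTTP/1.1","sality","KUKU v5.06exp =19026555919",,60564,"Windows","2000 SP2+, XP SP1+ (seldom 98)",,80,"www.kjwre9fqwieluoi.info",,,,,,
"2010-08-31 01:02:39","82.115.23.172",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)",,1426,,,,,,,,,,,
'''

INT_FIELDS = ("asn", "src_port", "dst_port", "http_referer_asn", "dst_asn")
# The page does not state how "tor" is encoded; treating these spellings as
# "yes" (and anything else, including an empty cell, as "no") is an assumption.
TRUE_WORDS = {"1", "true", "t", "y", "yes"}


def parse_request_line(url):
    """Split the url field ("GET /path HTTP/1.0") into (method, path, version).
    Missing parts come back as None so a truncated request line still parses."""
    parts = (url or "").split(" ", 2)
    parts += [None] * (3 - len(parts))
    return tuple(parts)


def parse_report(text):
    """Parse report CSV text into typed records: empty cells -> None, integer
    columns -> int, timestamp -> aware UTC datetime, tor -> bool."""
    records = []
    for raw in csv.DictReader(io.StringIO(text)):
        rec = {k: (v if v not in ("", None) else None) for k, v in raw.items()}
        rec["timestamp"] = datetime.strptime(
            raw["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        for f in INT_FIELDS:
            if rec.get(f) is not None:
                rec[f] = int(rec[f])
        rec["tor"] = (raw.get("tor") or "").strip().lower() in TRUE_WORDS
        rec["method"], rec["path"], rec["version"] = parse_request_line(raw.get("url"))
        records.append(rec)
    return records


def drones_by_type(records):
    """Distinct infected IPs per drone type ('unknown' when type is empty)."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["type"] or "unknown"].add(rec["ip"])
    return {t: sorted(ips) for t, ips in seen.items()}


def notifications_by_asn(records):
    """Group hits by source ASN, the unit usually used when notifying the
    owning network. Each entry is (ISO 8601 timestamp, ip, type, http_host)."""
    out = defaultdict(list)
    for rec in records:
        out[rec["asn"]].append(
            (rec["timestamp"].isoformat(), rec["ip"], rec["type"], rec["http_host"]))
    return dict(out)


def sanity_issues(records):
    """Flag rows that contradict the report definition (a Referer is present
    although this report is defined as referer-less hits) or that need manual
    triage (no drone type, request line not a full 'METHOD path version')."""
    issues = []
    for rec in records:
        if rec["http_referer"] is not None:
            issues.append((rec["ip"], "has http_referer"))
        if rec["type"] is None:
            issues.append((rec["ip"], "drone type unknown"))
        if rec["version"] is None:
            issues.append((rec["ip"], "malformed request line"))
    return issues


if __name__ == "__main__":
    recs = parse_report(SAMPLE_CSV)
    for t, ips in drones_by_type(recs).items():
        print(f"{t}: {len(ips)} distinct IP(s)")
    for asn, hits in notifications_by_asn(recs).items():
        print(f"AS{asn}: {hits}")
    print("issues:", sanity_issues(recs))
```

To use it on a real download, replace SAMPLE_CSV with the file contents; rows that are missing trailing columns (as older reports predating the dst_* fields would be) still parse, because DictReader fills absent cells with None and the code treats None like an empty cell.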
