Sinkhole Events Report

This report contains events (connections) to non-http sinkholes. Sinkholing is a technique whereby a resource used by malicious actors to control malware is taken over and redirected to a benign listener that can (to a varying degree) understand connections coming from infected devices.

Only infected systems or security researchers should be seen in this list.

File names: event4_sinkhole

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • src_ip
    The IP of the device in question
  • src_port
    Source port of the IP connection
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • dst_ip
    Destination IP
  • dst_port
    Destination port of the IP connection
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id"
"2021-03-04 00:00:00","tcp","190.113.x.x",17409,12252,"PE","METROPOLITANA DE LIMA","LIMA",,,,,,,"178.162.x.x",4455,28753,"DE","HESSEN","FRANKFURT AM MAIN",,518210,"Communications, Service Provider, and Hosting Service","eset","victorygate.b",,,,,
"2021-03-04 00:00:00","tcp","217.173.x.x",28940,8220,"IE","DUBLIN","DUBLIN",,541611,"Communications, Service Provider, and Hosting Service",,,,"137.116.x.x",16464,8075,"SG","CENTRAL","SINGAPORE",,334111,"Information","MSDCU",,,"b68-zeroaccess-2-32bit",,,
"2021-03-04 00:00:00","tcp","37.212.x.x",36735,6697,"BY","VITEBSKAJA OBLAST'","VITEBSK",,,,,,,"168.63.x.x",16464,8075,"HK","HONG KONG","HONG KONG",,334111,"Information","MSDCU",,,"b68-zeroaccess-2-32bit",,,
"2021-03-04 00:00:00","tcp","86.130.x.x",50395,2856,"UK","MID ULSTER","DUNGANNON",,517311,"Communications, Service Provider, and Hosting Service",,,,"40.71.228.10",16471,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU",,,"b68-zeroaccess-1-32bit",,,
"2021-03-04 00:00:00","tcp","35.205.x.x",44696,15169,"BE","BRUXELLES-CAPITALE","BRUSSELS","x.x.205.35.bc.googleusercontent.com",519130,"Communications, Service Provider, and Hosting Service",,,,"148.81.x.x",80,1887,"PL","MAZOWIECKIE","WARSAW",,,,,"virut",,,,,
"2021-03-04 00:00:00","tcp","35.197.x.x",36968,15169,"US","OREGON","THE DALLES","x.x.197.35.bc.googleusercontent.com",519130,"Communications, Service Provider, and Hosting Service",,,,"148.81.111.x.x",80,1887,"PL","MAZOWIECKIE","WARSAW",,,,,"virut",,,,,
