ET CNC Ransomware Tracker Reported CnC Server group 82

Description:

• List curated by:
• https://ransomwaretracker.abuse.ch/
• https://ransomwaretracker.abuse.ch/ip/217.70.184.38
• https://www.threatcrowd.org/ip.php?ip=217.70.184.38

False Positive:

• YES
• This IP has definitely been implicated in ransomware attacks and is associated with ransomware infrastructure. However, this is shared hosting:
• http://www.yougetsignal.com/tools/web-sites-on-web-server/
• Found 999 domains hosted on the same web server as 217.70.184.38. (999 is probably a limitation of the software).
• Going with 'not real' for this IP as it doesn't match the known compromised domains.
• It does a SYN on the port and gets rejected.
• See also:
• https://wiki.gandi.net/en/domains/management/domain-as-website/forwarding/faq
• The second event, similar issue (shared hosting by Shark Servers):
• root@ubuntu:~# dig soa 20.248.112.185.in-addr.arpa
• 248.112.185.in-addr.arpa. 60    IN      SOA     ns1.sharkservers.net. info.sharkservers.co.uk. 2016071701 28800 7200 604800 86400
• ns1.sharkservers.net.   913     IN      A       148.253.163.100
• Group 19 (third) hit:
• Reverse IP Check (i.e. is this shared hosting):
  • https://www.robtex.com/?dns=162.255.119.249&rev=1
  • https://www.threatcrowd.org/ip.php?ip=162.255.119.249
  • User is getting content from gamebench.net.
  • gamebench.net appears to have been moved to a new IP (possibly due to being blacklisted)

Action:

• None