| | IP Address | Port | Hostname |
|---|---|---|---|
| Source | (local) | 52107 | |
| Destination | 217.70.184.38 (France) | https (443) | webredir.vip.gandi.net |
Description:
- List curated by:
False Positive:
- YES
- This IP has definitely been implicated in ransomware attacks and is associated with ransomware infrastructure. However, it is shared hosting:
- Found 999 domains hosted on the same web server as 217.70.184.38 (999 is probably a cap imposed by the lookup tool, not the true count).
- Going with 'not real' for this IP as it doesn't match the known compromised domains.
- It does a SYN on the port and gets rejected.
- See also:
- The second event, similar issue (shared hosting by Shark Servers); reverse-zone SOA lookup for the IP:

```
root@ubuntu:~# dig soa 20.248.112.185.in-addr.arpa
248.112.185.in-addr.arpa. 60 IN SOA ns1.sharkservers.net. info.sharkservers.co.uk. 2016071701 28800 7200 604800 86400
ns1.sharkservers.net. 913 IN A 148.253.163.100
```
- Group 19 (third) hit:
- Reverse IP Check (i.e. is this shared hosting):
- https://www.robtex.com/?dns=162.255.119.249&rev=1
- https://www.threatcrowd.org/ip.php?ip=162.255.119.249
- The user is retrieving content from gamebench.net.
- gamebench.net appears to have been moved to a new IP (possibly because the old one was blacklisted).
Action:
- None
Comments: