```
├── Abuse.ch
│   ├── Feodo_Botnet.md
│   ├── Palevo_Worm.md
│   └── Zeus_Botnet.md
├── AlienVault
│   └── Malicious_Activities.md
├── AlienVaultOTX
│   └── Malicious_Activities.md
├── ArborNetworks
│   └── Distributed_SSH_Brute_Force_Attacks.md
├── Autoshun.org
│   └── Malicious_Activities.md
├── Bitsight
│   └── Malicious_Activities.md
├── Blocklist.de
│   ├── Attacks_on_the_service_Apache.md
│   ├── Attacks_on_the_service_FTP.md
│   ├── Attacks_on_the_service_IMAP_SASL_POP3.md
│   ├── Attacks_on_the_service_Mail_Postfix.md
│   ├── Attacks_on_the_service_SSH.md
│   ├── Brute-Force_SIP_VOIP_or_Asterisk-Server_Logins_Attacks.md
│   ├── Brute-Force_Website_Logins.md
│   ├── IRC_Botnet.md
│   ├── REG-Bots_IRC-Bots_or_BadBots_Spamming.md
│   └── Strong_IPs.md
├── Blueliv
│   └── Malicious_Activities.md
├── CINSscore
│   └── Blacklist.md
├── CleanMX.de
│   ├── Malware.md
│   └── Phishing.md
├── DGArchive
│   └── Malware.md
├── DShield
│   ├── AS_Report.md
│   ├── Suspicious_Domains.md
│   └── Top_20_attacking_class_C.md
├── Danger.rulez.sk
│   └── Brute_Force_Attack_Firewall.md
├── DragonResearchGroup
│   ├── SSH_Brute_Force_Attack.md
│   └── VNC_Brute_Force_Attack.md
├── LICENSE
├── Malc0de
│   └── malc0de.md
├── MalwareDomainList
│   └── Malware.md
├── MalwareDomains
│   └── Malware.md
├── MalwareGroup
│   ├── Proxy.md
│   └── Unknown.md
├── MalwarePatrol
│   └── Malware.md
├── OpenBL.org
│   └── Abuse_Reporting_and_Blacklisting.md
├── OpenPhish
│   └── Phishing.md
├── PhishTank
│   └── Phishing.md
├── README.md
├── SecurityResearch
│   └── Ponmocup_Botnet.md
├── Spamhaus
│   └── Dont_Route_Or_Peer_Lists.md
├── SpamhausCERTInsightPortal
│   └── Botnet.md
├── TaichungBlocklist
│   └── Malicious_Activities.md
├── TeamCymru
│   └── Bogons.md
├── TurrisGreylist
│   └── Scanning_Attack.md
├── URLVir
│   └── Malware.md
├── VXVault
│   └── Malware.md
├── hpHosts
│   └── Malicious_Activities.md
└── n6stomp
    └── CERT.md
```

/Abuse.ch/Feodo_Botnet.md:

## Abuse.ch

A Swiss guy fighting Cybercrime.

### Feodo Botnet

Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud
and steal sensitive information from the victim's computer,
such as credit card details or credentials.

At the moment, Feodo Tracker is tracking four versions of Feodo,
and they are labeled by Feodo Tracker as:

* Version A: Hosted on compromised webservers running an nginx proxy on port
  8080 TCP forwarding all botnet traffic to a tier 2 proxy node. Botnet traffic
  usually directly hits these hosts on port 8080 TCP without using a domain
  name.
* Version B: Hosted on servers rented and operated by cybercriminals for the
  exclusive purpose of hosting a Feodo botnet controller. Usually taking
  advantage of a domain name within ccTLD .ru. Botnet traffic usually hits these
  domain names using port 80 TCP.
* Version C: Successor of Feodo, completely different code. Hosted on the same
  botnet infrastructure as Version A (compromised webservers, nginx on port 8080
  TCP or port 7779 TCP, no domain names) but using a different URL structure.
  This version is also known as Geodo and Emotet.
* Version D: Successor of Cridex. This version is also known as Dridex.

#### Domain Name
>
* Website
  - `https://feodotracker.abuse.ch/`
* Source
  - `https://feodotracker.abuse.ch/blocklist/?download=domainblocklist`
* Data
  - Domain Name
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - No present data.

##### Sample Output of IntelMQ

```javascript
{
  null
}
```

#### IP Address
>
* Website
  - `https://feodotracker.abuse.ch/`
* Source
  - `https://feodotracker.abuse.ch/blocklist/?download=ipblocklist`
* Data
  - IP Address
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - No comment

##### Sample Output of IntelMQ

```javascript
{
  "malware": {
    "name": "cridex"
  },
  "classification": {
    "type": "c&c"
  },
  "time": {
    "source": "2016-07-07T07:58:29+00:00",
    "observation": "2016-07-07T07:58:29+00:00"
  },
  "raw": "MS4xNzguMTc5LjIxNw==",
  "feed": {
    "url": "https:\/\/feodotracker.abuse.ch\/blocklist\/?download=ipblocklist",
    "accuracy": 100,
    "name": "Abuse.ch"
  },
  "source": {
    "ip": "1.178.179.217"
  }
}
```

----

There's only Domain information in
https://feodotracker.abuse.ch/blocklist/?download=domainblocklist. It looks like:

```
##########################################################################
# Feodo Domain Blocklist                                                 #
# Generated on 2016-09-26 07:43:48 UTC                                   #
#                                                                        #
# For questions please refer to https://feodotracker.abuse.ch/blocklist/ #
##########################################################################
# START
# END (0 entries)
```

But the domain information is empty.

----

There's only IP information in
https://feodotracker.abuse.ch/blocklist/?download=ipblocklist.
It looks like:

```
##########################################################################
# Feodo IP Blocklist                                                     #
# Generated on 2016-08-05 02:39:17 UTC                                   #
#                                                                        #
# For questions please refer to https://feodotracker.abuse.ch/blocklist/ #
##########################################################################
# START
1.178.179.217
1.179.170.7
# END (683 entries)
```

But there's more information in https://feodotracker.abuse.ch/?sort=lastseen :

* Firstseen (UTC)
* Version of Feodo
* Feodo C&C (IP)
* Status
* SBL (Spamhaus Block List)
* ASN
* Country
* Lastseen (UTC)

/Abuse.ch/Palevo_Worm.md:

## Abuse.ch

A Swiss guy fighting Cybercrime.

### Palevo Worm

Palevo is a worm that spreads using instant messaging, P2P networks and
removable drives (like USB sticks). It is being sold in underground forums like
ZeuS. The worm (also known as Rimecud, Butterfly bot and Pilleuz) made big press
in 2010. For more information about Palevo you can take a look at the Palevo
readme [file][1].

[1]: https://palevotracker.abuse.ch/downloads/palevo_v130_readme.txt

#### Domain Name
>
* Website
  - `https://palevotracker.abuse.ch/`
* Source
  - `https://palevotracker.abuse.ch/blocklists.php?download=domainblocklist`
* Data
  - Domain Name
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - Palevo Tracker has been discontinued.

##### Sample Output of IntelMQ

```javascript
{
  "raw": "YXJ0YS5yb21haWwzYXJuZXN0LmluZm8=",
  "classification": {
    "type": "c&c"
  },
  "source": {
    "fqdn": "arta.romail3arnest.info"
  },
  "time": {
    "observation": "2016-07-07T08:09:47+00:00"
  },
  "feed": {
    "url": "https:\/\/palevotracker.abuse.ch\/blocklists.php?download=domainblocklist",
    "name": "Abuse.ch",
    "accuracy": 100
  },
  "malware": {
    "name": "palevo"
  }
}
```

#### IP Address
>
* Website
  - `https://palevotracker.abuse.ch/`
* Source
  - `https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist`
* Data
  - IP Address
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - Palevo Tracker has been discontinued.

##### Sample Output of IntelMQ

```javascript
{
  "malware": {
    "name": "palevo"
  },
  "source": {
    "ip": "103.51.144.193"
  },
  "time": {
    "observation": "2016-07-07T08:11:44+00:00"
  },
  "raw": "MTAzLjUxLjE0NC4xOTM=",
  "classification": {
    "type": "c&c"
  },
  "feed": {
    "accuracy": 100,
    "url": "https:\/\/palevotracker.abuse.ch\/blocklists.php?download=ipblocklist",
    "name": "Abuse.ch"
  }
}
```

----

This project has been discontinued. We plan to remove this intelligence feed in the
future.

/Abuse.ch/Zeus_Botnet.md:

## Abuse.ch

A Swiss guy fighting Cybercrime.

### Zeus Botnet

ZeuS (also known as Zbot / WSNPoem) is a crimeware kit, which steals credentials
from various online services like social networks, online banking accounts, FTP
accounts, email accounts and others (phishing). The web admin panel can be bought
for 700$ (source: RSA Security 4/21/2008) and the exe builder for 4'000$
(source: Prevx 3/15/2009).

The crimeware kit contains the following modules:
* A web interface to administrate and control the botnet (ZeuS Admin Panel)
* A tool to create the trojan binaries and encrypt the config file (called exe
  builder)

Normally, a ZeuS host consists of three components / URIs:
* a config file (mostly with file extension \*.bin)
* a binary file which contains the newest version of the ZeuS trojan
* a dropzone (mostly a php file)

Some features of ZeuS are:

* Capture credentials out of HTTP-, HTTPS-, FTP- and POP3-traffic or out of the
  bot's protected storage (PStore).
* Group the infected clients into different botnets
* Integrated SOCKS-Proxy
* Web form to search the captured credentials
* Encrypted config file
* Function to kill the Operating System

Currently there are two versions of the ZeuS config file out there:

**Version 1**

Config file is scrambled (not encrypted!). If you know the algorithm, you can
descramble ALL config files which are v1. There is already a public tool
available to descramble v1 config files.

**Version 2**

Config file is encrypted. Each ZeuS installation has its own key defined by the
botnet master to decrypt the config file. If you have the ZeuS binary, it is
possible to extract the key in order to decrypt associated v2 config files. No
public tool available.

#### Domain Name
>
* Website
  - `https://zeustracker.abuse.ch/`
* Source
  - `https://zeustracker.abuse.ch/blocklist.php?download=baddomains`
* Data
  - Domain Name
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - No comment

##### Sample Output of IntelMQ

```javascript
{
  "time": {
    "observation": "2016-07-07T08:13:55+00:00"
  },
  "classification": {
    "type": "c&c"
  },
  "feed": {
    "name": "Abuse.ch",
    "accuracy": 100,
    "url": "https:\/\/zeustracker.abuse.ch\/blocklist.php?download=baddomains"
  },
  "malware": {
    "name": "zeus"
  },
  "raw": "MHgueC5nZw==",
  "source": {
    "fqdn": "0x.x.gg"
  }
}
```

#### IP Address
>
* Website
  - `https://zeustracker.abuse.ch/`
* Source
  - `https://zeustracker.abuse.ch/blocklist.php?download=badips`
* Data
  - IP Address
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - No comment

##### Sample Output of IntelMQ

```javascript
{
  "malware": {
    "name": "zeus"
  },
  "raw": "MTAxLjAuODkuMw==",
  "source": {
    "ip": "101.0.89.3"
  },
  "classification": {
    "type": "c&c"
  },
  "time": {
    "observation": "2016-07-07T08:16:17+00:00"
  },
  "feed": {
    "name": "Abuse.ch",
    "accuracy": 100,
    "url": "https:\/\/zeustracker.abuse.ch\/blocklist.php?download=badips"
  }
}
```

----

There's only Domain information in https://zeustracker.abuse.ch/blocklist.php?download=baddomains.
It looks like:

```
############################################################################
# abuse.ch ZeuS domain blocklist "BadDomains" (excluding hijacked sites)   #
#                                                                          #
# For questions please refer to https://zeustracker.abuse.ch/blocklist.php #
############################################################################

1st.technology
arvision.com.co
atmape.ru
bestdove.in.ua
```

There's only IP information in https://zeustracker.abuse.ch/blocklist.php?download=badips.
It looks like:

```
#############################################################################################
# abuse.ch ZeuS IP blocklist "BadIPs" (excluding hijacked sites and free hosting providers) #
#                                                                                           #
# For questions please refer to https://zeustracker.abuse.ch/blocklist.php                  #
#############################################################################################

101.0.89.3
101.200.81.187
```

But there's more information in https://zeustracker.abuse.ch/blocklist.php:

* Compromised URL
* Snort rule
* Iptables rule
* Blocklist for Windows (Hostfile)
* Blocklist for Unix (Hosts.deny)

/AlienVault/Malicious_Activities.md:

## Alien Vault

AlienVault is a developer of commercial and open source solutions to manage
cyber attacks, including the Open Threat Exchange, the world's largest
crowd-sourced computer-security platform with more than 26,000 participants
in 140 countries that share more than one million potential threats daily.
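The abuse.ch blocklist files shown in the Feodo and ZeuS sections above share one text layout: `#` comment lines (some carrying `Generated on` and `# END (N entries)` metadata) and one indicator per line. The parser below is an added example written for this page, not IntelMQ's own abuse.ch parser bot; it turns such a file into events shaped like the IntelMQ samples (base64 `raw`, `source.ip` or `source.fqdn`), checks the parsed count against the `# END` trailer, and returns no events for an empty list like the Feodo domain blocklist. The sample inputs are constructed excerpts of the lists quoted above.

```python
"""Parse the abuse.ch blocklist text layout (Feodo, ZeuS and Palevo trackers)
into IntelMQ-style events.  Added example; not IntelMQ's own parser bot."""
import base64
import ipaddress
import re
from datetime import datetime, timezone

END_RE = re.compile(r"^#\s*END\s*\((\d+)\s+entries\)")
GENERATED_RE = re.compile(r"^#\s*Generated on (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")


def parse_blocklist(text):
    """Split a blocklist into (indicators, declared_count, generated_at).

    Lines starting with '#' are comments.  Two of them carry metadata:
    '# Generated on <UTC timestamp>' and the trailer '# END (N entries)'.
    Feeds without a trailer (the ZeuS lists) give declared_count None.
    """
    indicators, declared, generated = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = END_RE.match(line)
            if m:
                declared = int(m.group(1))
            m = GENERATED_RE.match(line)
            if m:
                generated = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
                generated = generated.replace(tzinfo=timezone.utc)
            continue
        indicators.append(line)
    return indicators, declared, generated


def to_event(indicator, feed_url, malware, observation, generated=None):
    """Build one event in the shape of the IntelMQ samples on this page."""
    event = {
        "feed": {"name": "Abuse.ch", "url": feed_url, "accuracy": 100},
        "malware": {"name": malware},
        "classification": {"type": "c&c"},
        "time": {"observation": observation.isoformat()},
        # 'raw' is the untouched feed line, base64-encoded, so the original
        # indicator can always be recovered from the event.
        "raw": base64.b64encode(indicator.encode()).decode(),
    }
    if generated is not None:
        event["time"]["source"] = generated.isoformat()
    try:
        ipaddress.ip_address(indicator)
        event["source"] = {"ip": indicator}
    except ValueError:
        event["source"] = {"fqdn": indicator}
    return event


def parse_feed(text, feed_url, malware, observation=None):
    """Return the list of events; an empty list for an empty blocklist.

    Raises ValueError when the '# END (N entries)' trailer disagrees with
    the number of indicators actually parsed (e.g. a truncated download).
    """
    indicators, declared, generated = parse_blocklist(text)
    if declared is not None and declared != len(indicators):
        raise ValueError(f"trailer declares {declared} entries, parsed {len(indicators)}")
    observation = observation or datetime.now(timezone.utc)
    return [to_event(i, feed_url, malware, observation, generated) for i in indicators]


# Constructed excerpt of the Feodo IP blocklist shown above; the entry count
# is set to 2 so that it matches the two lines kept here.
FEODO_IP_SAMPLE = """\
##########################################################################
# Feodo IP Blocklist                                                     #
# Generated on 2016-08-05 02:39:17 UTC                                   #
#                                                                        #
# For questions please refer to https://feodotracker.abuse.ch/blocklist/ #
##########################################################################
# START
1.178.179.217
1.179.170.7
# END (2 entries)
"""

# The Feodo domain blocklist as shown above: markers and no entries.
FEODO_DOMAIN_SAMPLE = "# START\n# END (0 entries)\n"

# Two lines of the ZeuS "BadDomains" list: no START/END markers at all.
ZEUS_DOMAIN_SAMPLE = "1st.technology\narvision.com.co\n"

if __name__ == "__main__":
    when = datetime(2016, 7, 7, 7, 58, 29, tzinfo=timezone.utc)
    url = "https://feodotracker.abuse.ch/blocklist/?download=ipblocklist"
    for ev in parse_feed(FEODO_IP_SAMPLE, url, "cridex", when):
        print(ev["source"], ev["raw"], ev["time"])
    print(parse_feed(FEODO_DOMAIN_SAMPLE, url, "cridex", when))  # []
```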

### Malicious Activities

Alienvault IP Reputation Database

#### IP Address
>
* Website
  - `https://www.alienvault.com/`
* Source
  - `https://reputation.alienvault.com/reputation.data`
* Data
  - IP Address
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - No comment

##### Sample Output of IntelMQ

```javascript
{
  null
}
```

----

There's not only IP information in https://reputation.alienvault.com/reputation.data.
It looks like:

```
46.4.123.15#4#2#Malicious Host#DE##51.0,9.0#3
222.136.71.19#3#2#Scanning Host#CN#Zhengzhou#34.6836013794,113.532501221#11
116.117.253.243#3#2#Scanning Host#CN#Baotou#40.6521987915,109.82219696#11
```

There's more information in https://reputation.alienvault.com:

* [reputation.generic][1]
* [reputation.snort][2]
* [reputation.iptables][3]
* [reputation.squid][4]
* [reputation.unix][5]

[1]: https://reputation.alienvault.com/reputation.generic
[2]: https://reputation.alienvault.com/reputation.snort
[3]: https://reputation.alienvault.com/reputation.iptables
[4]: https://reputation.alienvault.com/reputation.squid
[5]: https://reputation.alienvault.com/reputation.unix

/AlienVaultOTX/Malicious_Activities.md:

## Alien Vault OTX (Open Threat Exchange)

AlienVault OTX provides open access to a global community of threat researchers
and security professionals.

### Malicious Activities

At the heart of Open Threat Exchange is the pulse, an investigation of an online
threat. Pulses describe any type of online threat including malware, fraud
campaigns, and even state sponsored hacking.
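The `#`-delimited reputation.data lines quoted in the AlienVault section above carry more than the IP (a country, an optional city, coordinates and an activity label). The parser below is an added example written for this page, not IntelMQ's own AlienVault parser bot, and normalises those lines into the same event shape the other feeds produce. The column names (`reliability`, `risk`, `activity`, `coordinates`, `trailing`) and the activity-to-classification mapping are assumptions, since the page shows the lines but does not document the fields; the sample input is a constructed copy of the three lines above plus one malformed line.

```python
"""Parse AlienVault reputation.data lines into IntelMQ-style events.
Added example for this page; not IntelMQ's own AlienVault parser bot."""
import base64
from datetime import datetime, timezone

FEED_URL = "https://reputation.alienvault.com/reputation.data"

# Assumed column layout; the page shows the lines but does not name the
# fields, and the meaning of the trailing number is not documented there.
FIELDS = ("ip", "reliability", "risk", "activity", "country", "city",
          "coordinates", "trailing")

# Assumed mapping from the feed's activity label to an IntelMQ classification
# type; labels not listed here fall back to "unknown".
ACTIVITY_TO_TYPE = {
    "Malicious Host": "malware",
    "Scanning Host": "scanner",
    "Spamming": "spam",
    "C&C": "c&c",
}


def parse_line(line, observation):
    """Turn one '#'-delimited line into an event; ValueError on malformed input."""
    parts = line.split("#")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    geo = {"cc": rec["country"]}          # IntelMQ: source.geolocation.cc
    if rec["city"]:                        # empty in the first sample line
        geo["city"] = rec["city"]
    if rec["coordinates"]:
        lat, lon = (float(v) for v in rec["coordinates"].split(",", 1))
        geo["latitude"], geo["longitude"] = lat, lon
    return {
        "feed": {"name": "AlienVault", "url": FEED_URL, "accuracy": 100},
        "source": {"ip": rec["ip"], "geolocation": geo},
        "classification": {"type": ACTIVITY_TO_TYPE.get(rec["activity"], "unknown")},
        "event_description": {"text": rec["activity"]},
        # Kept as a dict here; IntelMQ serialises 'extra' as a JSON string.
        "extra": {"reliability": int(rec["reliability"]), "risk": int(rec["risk"])},
        "time": {"observation": observation.isoformat()},
        "raw": base64.b64encode(line.encode()).decode(),
    }


def parse_feed(text, observation=None):
    """Return (events, rejected_lines); malformed lines are kept aside rather
    than dropped silently, so a format change in the feed is noticed."""
    observation = observation or datetime.now(timezone.utc)
    events, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(parse_line(line, observation))
        except ValueError:
            rejected.append(line)
    return events, rejected


# Constructed input: the three lines quoted above plus one malformed line.
SAMPLE = """\
46.4.123.15#4#2#Malicious Host#DE##51.0,9.0#3
222.136.71.19#3#2#Scanning Host#CN#Zhengzhou#34.6836013794,113.532501221#11
116.117.253.243#3#2#Scanning Host#CN#Baotou#40.6521987915,109.82219696#11
this line is not in the expected format
"""

if __name__ == "__main__":
    events, rejected = parse_feed(SAMPLE)
    for ev in events:
        print(ev["source"]["ip"], ev["classification"]["type"], ev["source"]["geolocation"])
    print("rejected:", rejected)
```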

#### Security Events
>
* Website
  - `https://otx.alienvault.com/`
* Source
  - `None`
* Data
  - URL, Domain Name, IP Address, etc.
* Format
  - Not Available
* API/Token
  - `TBD`
* Status
  - Ok
* Comments
  - No API KEY

##### Sample Output of IntelMQ

```javascript
{
  "raw": "eyJfaWQiOiAiNTc3MzAwODY3NjFiODIwMTNhYjc4MjkzIiwgImNyZWF0ZWQiOiAiMjAxNi0wNi0yOFQyMjo1NjowNi4zNjUiLCAiZGVzY3JpcHRpb24iOiAiIiwgImluZGljYXRvciI6ICJib3g0MDg0Lm5ldCIsICJ0eXBlIjogImRvbWFpbiJ9",
  "time": {
    "source": "2016-06-28T22:56:06+00:00",
    "observation": "2016-07-07T08:27:18+00:00"
  },
  "feed": {
    "name": "AlienVault OTX",
    "accuracy": 100
  },
  "classification": {
    "type": "blacklist"
  },
  "extra": "{\"author\": \"AlienVault\", \"pulse\": \"Prince of Persia \\u2013 Game Over\"}",
  "comment": "Unit 42 published a blog at the beginning of May titled \u201cPrince of Persia,\u201d in which we described the discovery of a decade-long campaign using a formerly unknown malware family, Infy, that targeted government and industry interests worldwide.\nSubsequent to the publishing of this article, through cooperation with the parties responsible for the C2 domains, Unit 42 researchers successfully gained control of multiple C2 domains. This disabled the attacker\u2019s access to their victims in this campaign, provided further insight into the targets currently victimized in this operation, and enabled the notification of affected parties.",
  "source": {
    "fqdn": "box4084.net"
  }
}
```

/ArborNetworks/Distributed_SSH_Brute_Force_Attacks.md:

## Arbor Networks

Arbor Networks is a software company founded in 2000.
The company's products are
used to protect networks from denial-of-service attacks, botnets, computer
worms, and efforts to disable network routers.

### Distributed SSH Brute Force Attacks

Unknown

#### IP Address
>
* Website
  - `https://atlas.arbor.net/`
* Source
  - `http://atlas-public.ec2.arbor.net/public/ssh_attackers`
* Data
  - IP Address
* Format
  - XML
* API/Token
  - None
* Status
  - Error
* Comments
  - 403 Forbidden

##### Sample Output of IntelMQ

```javascript
{
  null
}
```

/Autoshun.org/Malicious_Activities.md:

## Autoshun.org

Autoshun is the ancestral Open Source Intel sharing service, having been an
email subscription from 1999-2004 and a web download since 2004.

### Malicious Activities

The Autoshun.org list is artificially capped from 600 IPs to no more than 2000
IPs to prevent users from accidentally crushing their firewall.

#### IP Address
>
* Website
  - `https://www.autoshun.org/`
* Source
  - `https://www.autoshun.org/download/?api_key=< API KEY >&format=csv`
* Data
  - IP Address
* Format
  - CSV
* API/Token
  - `TBD`
* Status
  - Error
* Comments
  - URL Changed

##### Sample Output of IntelMQ

```javascript
{
  null
}
```

/Bitsight/Malicious_Activities.md:

## Bitsight

Translate complex cybersecurity issues into actionable intelligence using the
BitSight platform.

### Malicious Activities

Unknown

#### Security Events
>
* Website
  - `https://www.bitsighttech.com/`
* Source
  - `http://alerts.bitsighttech.com:8080/stream?key=< api >`
* Data
  - Not Available
* Format
  - Not Available
* API/Token
  - `TBD`
* Status
  - Error
* Comments
  - No API Key

##### Sample Output of IntelMQ

```javascript
{
  null
}
```

/Blocklist.de/Attacks_on_the_service_Apache.md:

## Blocklist.de

www.blocklist.de is a free and voluntary service provided by a
Fraud/Abuse-specialist, whose servers are often attacked via SSH-, Mail-Login-,
FTP-, Webserver- and other services.
The mission is to report any and all attacks to the respective abuse departments
of the infected PCs/servers, to ensure that the responsible provider can inform
their customer about the infection and disable the attacker.

### Attacks on the service Apache

All IP addresses which have been reported within the last 48 hours as having run
attacks on the service Apache, Apache-DDOS, RFI-Attacks.

#### IP Address
>
* Website
  - `http://www.blocklist.de/`
* Source
  - `https://lists.blocklist.de/lists/apache.txt`
* Data
  - IP Address
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - No comment

##### Sample Output of IntelMQ

```javascript
{
  "source": {
    "ip": "1.34.139.38"
  },
  "time": {
    "observation": "2016-07-07T08:46:43+00:00"
  },
  "event_description": {
    "text": "IP reported as having run attacks on the service Apache, Apache-DDoS, RFI-Attacks"
  },
  "classification": {
    "type": "ids alert"
  },
  "raw": "MS4zNC4xMzkuMzg=",
  "feed": {
    "name": "BlockList.de",
    "accuracy": 100,
    "url": "https:\/\/lists.blocklist.de\/lists\/apache.txt"
  },
  "protocol": {
    "application": "http"
  }
}
```

----

There's only IP information in https://lists.blocklist.de/lists/apache.txt.
It looks like:

```
1.180.52.83
1.189.169.145
1.212.90.147
```

/Blocklist.de/Attacks_on_the_service_FTP.md:

## Blocklist.de

www.blocklist.de is a free and voluntary service provided by a
Fraud/Abuse-specialist, whose servers are often attacked via SSH-, Mail-Login-,
FTP-, Webserver- and other services.
The mission is to report any and all attacks to the respective abuse departments
of the infected PCs/servers, to ensure that the responsible provider can inform
their customer about the infection and disable the attacker.

### Attacks on the service FTP

All IP addresses which have been reported within the last 48 hours for attacks
on the service FTP.

#### IP Address
>
* Website
  - `http://www.blocklist.de/`
* Source
  - `https://lists.blocklist.de/lists/ftp.txt`
* Data
  - IP Address
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - No comment

##### Sample Output of IntelMQ

```javascript
{
  "protocol": {
    "application": "ftp"
  },
  "event_description": {
    "text": "IP reported as having run attacks on the service FTP"
  },
  "time": {
    "observation": "2016-07-07T09:02:44+00:00"
  },
  "raw": "MS4xODAuMjQzLjEzMQ==",
  "source": {
    "ip": "1.180.243.131"
  },
  "classification": {
    "type": "ids alert"
  },
  "feed": {
    "accuracy": 100,
    "name": "BlockList.de",
    "url": "https:\/\/lists.blocklist.de\/lists\/ftp.txt"
  }
}
```

----

There's only IP information in https://lists.blocklist.de/lists/ftp.txt.
It looks like:

```
101.200.204.27
101.200.208.208
101.200.87.177
```

/Blocklist.de/Attacks_on_the_service_IMAP_SASL_POP3.md:

## Blocklist.de

www.blocklist.de is a free and voluntary service provided by a
Fraud/Abuse-specialist, whose servers are often attacked via SSH-, Mail-Login-,
FTP-, Webserver- and other services.
The mission is to report any and all attacks to the respective abuse departments
of the infected PCs/servers, to ensure that the responsible provider can inform
their customer about the infection and disable the attacker.

### Attacks on the service IMAP, SASL, POP3

All IP addresses which have been reported within the last 48 hours for attacks
on the services IMAP, SASL and POP3.

#### IP Address
>
* Website
  - `http://www.blocklist.de/`
* Source
  - `https://lists.blocklist.de/lists/imap.txt`
* Data
  - IP Address
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - No comment

##### Sample Output of IntelMQ

```javascript
{
  "event_description": {
    "text": "IP reported as having run attacks on the service IMAP, SASL, POP3"
  },
  "raw": "MS4xMzIuOTYuMjI=",
  "feed": {
    "name": "BlockList.de",
    "url": "https:\/\/lists.blocklist.de\/lists\/imap.txt",
    "accuracy": 100
  },
  "protocol": {
    "application": "imap"
  },
  "classification": {
    "type": "ids alert"
  },
  "source": {
    "ip": "1.132.96.22"
  },
  "time": {
    "observation": "2016-07-07T09:19:12+00:00"
  }
}
```

----

There's only IP information in https://lists.blocklist.de/lists/imap.txt.
It looks like:

```
1.129.96.138
1.129.96.247
1.144.97.126
```

/Blocklist.de/Attacks_on_the_service_Mail_Postfix.md:

## Blocklist.de

www.blocklist.de is a free and voluntary service provided by a
Fraud/Abuse-specialist, whose servers are often attacked via SSH-, Mail-Login-,
FTP-, Webserver- and other services.
The mission is to report any and all attacks to the respective abuse departments
of the infected PCs/servers, to ensure that the responsible provider can inform
their customer about the infection and disable the attacker.

### Attacks on the service Mail, Postfix

All IP addresses which have been reported within the last 48 hours as having run
attacks on the service Mail, Postfix.

#### IP Address
>
* Website
  - `http://www.blocklist.de/`
* Source
  - `https://lists.blocklist.de/lists/mail.txt`
* Data
  - IP Address
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - No comment

##### Sample Output of IntelMQ

```javascript
{
  "classification": {
    "type": "ids alert"
  },
  "event_description": {
    "text": "IP reported as having run attacks on the service Mail, Postfix"
  },
  "time": {
    "observation": "2016-07-07T09:23:25+00:00"
  },
  "raw": "MS4xMzIuOTYuMjI=",
  "source": {
    "ip": "1.132.96.22"
  },
  "feed": {
    "name": "BlockList.de",
    "accuracy": 100,
    "url": "https:\/\/lists.blocklist.de\/lists\/mail.txt"
  },
  "protocol": {
    "application": "smtp"
  }
}
```

----

There's only IP information in https://lists.blocklist.de/lists/mail.txt.
It looks like:

```
1.126.40.9
1.129.28.145
1.129.28.246
```

/Blocklist.de/Attacks_on_the_service_SSH.md:

## Blocklist.de

www.blocklist.de is a free and voluntary service provided by a
Fraud/Abuse-specialist, whose servers are often attacked via SSH-, Mail-Login-,
FTP-, Webserver- and other services.
The mission is to report any and all attacks to the respective abuse departments
of the infected PCs/servers, to ensure that the responsible provider can inform
their customer about the infection and disable the attacker.

### Attacks on the service SSH

All IP addresses which have been reported within the last 48 hours as having run
attacks on the service SSH.

#### IP Blacklist
>
* Website
  - `http://www.blocklist.de/`
* Source
  - `https://lists.blocklist.de/lists/ssh.txt`
* Data
  - IP Address
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - No comment

##### Sample Output of IntelMQ

```javascript
{
  "source": {
    "ip": "1.235.197.132"
  },
  "feed": {
    "url": "https:\/\/lists.blocklist.de\/lists\/ssh.txt",
    "name": "BlockList.de",
    "accuracy": 100
  },
  "event_description": {
    "text": "IP reported as having run attacks on the service SSH"
  },
  "time": {
    "observation": "2016-07-07T09:32:19+00:00"
  },
  "raw": "MS4yMzUuMTk3LjEzMg==",
  "classification": {
    "type": "ids alert"
  },
  "protocol": {
    "application": "ssh"
  }
}
```

----

There's only IP information in https://lists.blocklist.de/lists/ssh.txt.
It looks like:

```
1.119.3.74
1.163.186.117
1.52.96.45
```

/Blocklist.de/Brute-Force_SIP_VOIP_or_Asterisk-Server_Logins_Attacks.md:

## Blocklist.de

www.blocklist.de is a free and voluntary service provided by a
Fraud/Abuse-specialist, whose servers are often attacked via SSH-, Mail-Login-,
FTP-, Webserver- and other services.
The mission is to report any and all attacks to the respective abuse departments
of the infected PCs/servers, to ensure that the responsible provider can inform
their customer about the infection and disable the attacker.

### Brute-Force SIP-, VOIP- or Asterisk-Server Logins Attacks

All IP addresses that tried to log in to a SIP-, VOIP- or Asterisk-Server and are
included in the IP list from http://www.infiltrated.net/ (Twitter).

#### IP Blacklist
>
* Website
  - `http://www.blocklist.de/`
* Source
  - `https://lists.blocklist.de/lists/sip.txt`
* Data
  - IP Address
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - No comment

##### Sample Output of IntelMQ

```javascript
{
  "time": {
    "observation": "2016-07-07T09:30:40+00:00"
  },
  "feed": {
    "url": "https:\/\/lists.blocklist.de\/lists\/sip.txt",
    "name": "BlockList.de",
    "accuracy": 100
  },
  "raw": "MTA5LjIzNC4zNy41OA==",
  "event_description": {
    "text": "IP reported as having run attacks on the service SIP, VOIP, Asterisk"
  },
  "source": {
    "ip": "109.234.37.58"
  },
  "protocol": {
    "application": "sip"
  },
  "classification": {
    "type": "ids alert"
  }
}
```

----

There's only IP information in https://lists.blocklist.de/lists/sip.txt.
It looks like:

```
103.59.129.142
104.245.100.99
109.228.102.144
```

/Blocklist.de/Brute-Force_Website_Logins.md:

## Blocklist.de

www.blocklist.de is a free and voluntary service provided by a
Fraud/Abuse-specialist, whose servers are often attacked via SSH-, Mail-Login-,
FTP-, Webserver- and other services.
The mission is to report any and all attacks to the respective abuse departments
of the infected PCs/servers, to ensure that the responsible provider can inform
their customer about the infection and disable the attacker.

### Brute-Force Website Logins

All IPs which attack Joomla, WordPress and other Web-Logins with Brute-Force
Logins.
#### IP Address
>
* Website
    - `http://www.blocklist.de/`
* Source
    - `https://lists.blocklist.de/lists/bruteforcelogin.txt`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
    "time": {
        "observation": "2016-07-07T09:00:34+00:00"
    },
    "classification": {
        "type": "brute-force"
    },
    "feed": {
        "url": "https:\/\/lists.blocklist.de\/lists\/bruteforcelogin.txt",
        "name": "BlockList.de",
        "accuracy": 100
    },
    "raw": "MS41NC4yMTIuMjM1",
    "event_description": {
        "text": "IP reported as having run attacks on Joomlas, Wordpress and other Web-Logins with Brute-Force Logins"
    },
    "source": {
        "ip": "1.54.212.235"
    }
}
```

----

There's only IP information in https://lists.blocklist.de/lists/bruteforcelogin.txt
It looks like:

    103.17.48.3
    103.18.4.235
    103.25.203.71

--------------------------------------------------------------------------------
/Blocklist.de/IRC_Botnet.md:
--------------------------------------------------------------------------------

## Blocklist.de

www.blocklist.de is a free and voluntary service provided by a
Fraud/Abuse specialist whose servers are often attacked via SSH, mail login,
FTP, web server and other services.
The mission is to report any and all attacks to the respective abuse departments
of the infected PCs/servers, to ensure that the responsible provider can inform
their customer about the infection and disable the attacker.
### IRC Botnet

IRC Botnet

#### IP Address
>
* Website
    - `http://www.blocklist.de/`
* Source
    - `https://lists.blocklist.de/lists/ircbot.txt`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No present data.

##### Sample Output of IntelMQ

```javascript
{
    null
}
```

--------------------------------------------------------------------------------
/Blocklist.de/REG-Bots_IRC-Bots_or_BadBots_Spamming.md:
--------------------------------------------------------------------------------

## Blocklist.de

www.blocklist.de is a free and voluntary service provided by a
Fraud/Abuse specialist whose servers are often attacked via SSH, mail login,
FTP, web server and other services.
The mission is to report any and all attacks to the respective abuse departments
of the infected PCs/servers, to ensure that the responsible provider can inform
their customer about the infection and disable the attacker.

### REG-Bots, IRC-Bots or BadBots (Spamming)

All IP addresses which have been reported within the last 48 hours as having run
RFI attacks, REG-Bots, IRC-Bots or BadBots (BadBots = has posted a spam comment
on an open forum or wiki).

#### IP Address
>
* Website
    - `http://www.blocklist.de/`
* Source
    - `https://lists.blocklist.de/lists/bots.txt`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
    "event_description": {
        "text": "IP reported as having spammed on IRC, open forums, wikis or registration forms."
    },
    "classification": {
        "type": "spam"
    },
    "source": {
        "ip": "1.161.142.231"
    },
    "raw": "MS4xNjEuMTQyLjIzMQ==",
    "feed": {
        "accuracy": 100,
        "name": "BlockList.de",
        "url": "https:\/\/lists.blocklist.de\/lists\/bots.txt"
    },
    "time": {
        "observation": "2016-07-07T08:58:19+00:00"
    }
}
```

----

There's only IP information in https://lists.blocklist.de/lists/bots.txt
It looks like:

    1.161.154.222
    1.179.183.27
    1.28.135.97

--------------------------------------------------------------------------------
/Blocklist.de/Strong_IPs.md:
--------------------------------------------------------------------------------

## Blocklist.de

www.blocklist.de is a free and voluntary service provided by a
Fraud/Abuse specialist whose servers are often attacked via SSH, mail login,
FTP, web server and other services.
The mission is to report any and all attacks to the respective abuse departments
of the infected PCs/servers, to ensure that the responsible provider can inform
their customer about the infection and disable the attacker.

### Strong IPs

All IPs which are older than 2 months and have more than 5.000 attacks.
#### IP Address
>
* Website
    - `http://www.blocklist.de/`
* Source
    - `https://lists.blocklist.de/lists/strongips.txt`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
    "time": {
        "observation": "2016-07-07T09:34:52+00:00"
    },
    "event_description": {
        "text": "IP reported as having run attacks in last 2 months"
    },
    "classification": {
        "type": "blacklist"
    },
    "source": {
        "ip": "188.143.232.24"
    },
    "raw": "MTg4LjE0My4yMzIuMjQ=",
    "feed": {
        "name": "BlockList.de",
        "accuracy": 100,
        "url": "https:\/\/lists.blocklist.de\/lists\/strongips.txt"
    }
}
```

----

There's only IP information in https://lists.blocklist.de/lists/strongips.txt
It looks like:

    112.85.218.11
    116.31.116.25
    116.31.116.34

--------------------------------------------------------------------------------
/Blueliv/Malicious_Activities.md:
--------------------------------------------------------------------------------

## Blueliv

Blueliv’s Threat Exchange Network is designed to protect your enterprise and the
community against today’s latest threats. By providing expert threat data,
Blueliv Community allows you and your peers to improve incident response and get
recognized.

### Malicious Activities

Blueliv Threat Exchange Network is designed to share IoCs such as IPs, URLs and
file hashes to protect the community against today’s latest threats.

#### Security Events
>
* Website
    - `https://community.blueliv.com/`
* Source
    - `None`
* Data
    - URL, Domain Name, IP Address, etc.
* Format
    - CSV
* API/Token
    - `TBD`
* Status
    - Error
* Comments
    - No Comment

##### Sample Output of IntelMQ

```javascript
{
    null
}
```

--------------------------------------------------------------------------------
/CINSscore/Blacklist.md:
--------------------------------------------------------------------------------

## The CINS Score

CINS is an IP reputation database that provides an accurate and timely score for
any IP address in the world.

### The CI Army List

CI Army is a way for our company to give back to the community by sharing
valuable threat intelligence harvested from our CINS system. The CI Army list is
a subset of the CINS Active Threat Intelligence ruleset, and consists of IP
addresses that meet two basic criteria: 1) The IP's recent Rogue Packet score
factor is very poor, and 2) The InfoSec community has not yet identified the IP
as malicious.
#### IP Address
>
* Website
    - `http://cinsscore.com/`
* Source
    - `http://cinsscore.com/list/ci-badguys.txt`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
    "source": {
        "ip": "1.63.153.99"
    },
    "time": {
        "observation": "2016-07-12T04:25:31+00:00"
    },
    "feed": {
        "accuracy": 100,
        "url": "http:\/\/cinsscore.com\/list\/ci-badguys.txt",
        "name": "CI Army"
    },
    "raw": "MS42My4xNTMuOTk=",
    "classification": {
        "type": "blacklist"
    }
}
```

----

There's only IP information in http://cinsscore.com/list/ci-badguys.txt
It looks like:

    1.52.183.130
    1.160.43.42
    1.162.168.77

--------------------------------------------------------------------------------
/CleanMX.de/Malware.md:
--------------------------------------------------------------------------------

## CleanMX.de

VirusWatch: watching address changes of malware URLs

### Malware

This database consists of virus URIs, collected and verified since Feb 2006.

#### URL
>
* Website
    - `http://support.clean-mx.de/clean-mx/viruses.php`
* Source
    - `http://support.clean-mx.de/clean-mx/xmlviruses?response=alive&format=csv&domain=`
* Data
    - URL, Domain Name, IP Address, ASN, Country Code, Contact Mail, etc.
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - Drop a mail to abuse@clean-mx.de to get the data

##### Sample Output of IntelMQ

```javascript
{
    "malware": {
        "name": "worm.win32.autoit"
    },
    "source": {
        "asn": 10103,
        "ip": "202.77.59.48",
        "abuse_contact": "abuse@hkbn.com.hk",
        "geolocation": {
            "cc": "HK"
        },
        "url": "http:\/\/202.77.59.48\/update1.dlied.qq.com\/lol\/autopatch\/3189\/LOL_V3189_0617123122_15D.exe?mkey=577e0af794dea683&f=6606&c=0&p=.exe"
    },
    "raw": "Zmlyc3R0aW1lLGlkLGxhc3R0aW1lLGRkZXNjcixuczUsbGluZSxpbmV0bnVtLHN1YixuZXRuYW1lLGlwLG5zNCx1cmwsbnMxLGNvdW50cnksc2Nhbm5lcix2aXJ1c25hbWUsbnMyLGVtYWlsLHJlY2VudCxzb3VyY2UsYXMsbnMzLHJlc3BvbnNlLGRvbWFpbixyZXZpZXc=",
    "classification": {
        "type": "malware"
    },
    "feed": {
        "url": "http:\/\/support.clean-mx.de\/clean-mx\/xmlviruses?response=alive&format=csv&domain=",
        "name": "CleanMX",
        "accuracy": 100
    },
    "time": {
        "observation": "2016-07-07T12:09:04+00:00",
        "source": "2016-07-07T14:43:37+00:00"
    }
}
```

--------------------------------------------------------------------------------
/CleanMX.de/Phishing.md:
--------------------------------------------------------------------------------

## CleanMX.de

PhishWatch: watching address changes of phishing URLs

### Phishing

This database consists of phishing URIs, collected and verified since Oct 2006.
Some of them may already be closed, but they are still recognized as fraud by
Firefox and Opera; offending domain names are also honored by SURBL.

#### URL
>
* Website
    - `http://support.clean-mx.de/clean-mx/phishing.php`
* Source
    - `http://support.clean-mx.de/clean-mx/xmlphishing?response=alive&format=csv&domain=`
* Data
    - URL, Domain Name, IP Address, ASN, Country Code, Contact Mail, etc.
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - Drop a mail to abuse@clean-mx.de to get the data

##### Sample Output of IntelMQ

```javascript
{
    "source": {
        "url": "http:\/\/1stbrowser.com\/landingdirect\/personalisation\/pt-BR?refid=2150&popup=1&aff_id=87&offer_id=805&intent=1&trafficsourceid=1&aff_sub=016282590036939875664&source=016282590",
        "abuse_contact": "abuse@cdnetworks.com",
        "geolocation": {
            "cc": "GB"
        },
        "ip": "151.249.94.68",
        "fqdn": "1stbrowser.com"
    },
    "time": {
        "source": "2016-07-07T10:13:37+00:00",
        "observation": "2016-07-07T10:49:10+00:00"
    },
    "classification": {
        "type": "phishing"
    },
    "raw": "bGFzdHRpbWUsbGluZSxuczIsdXJsLGlwLGlkLGRkZXNjcixzb3VyY2UsZmlyc3R0aW1lLGluZXRudW0sbnM1LHBoaXNodGFuayxyZWNlbnQsbnMzLGRvbWFpbixuczEsbnM0LHJldmlldyxuZXRuYW1lLGVtYWlsLHZpcnVzbmFtZSxyZXNwb25zZSxjb3VudHJ5",
    "feed": {
        "accuracy": 100,
        "url": "http:\/\/support.clean-mx.de\/clean-mx\/xmlphishing?response=alive&format=csv&domain=",
        "name": "CleanMX"
    }
}
```

--------------------------------------------------------------------------------
/DGArchive/Malware.md:
--------------------------------------------------------------------------------

## DGArchive

DGArchive is a free service offered by Fraunhofer FKIE. It is administered by
Daniel Plohmann. It allows resolving or calculating domain names that are
dynamically created by malware using Domain Generation Algorithms (DGAs).
### Malware

A database of malicious domain names generated by Domain Generation
Algorithms (DGAs).

#### Domain Name
>
* Website
    - `https://dgarchive.caad.fkie.fraunhofer.de/site/`
* Source
    - `None`
* Data
    - Domain Name
* Format
    - JSON
* API/Token
    - `TBD`
* Status
    - Ok
* Comments
    - To request access, write an email to ed.refohnuarf.eikf@nnamholp.leinad

##### Sample Output of IntelMQ

```javascript
{
    null
}
```

--------------------------------------------------------------------------------
/DShield/AS_Report.md:
--------------------------------------------------------------------------------

## DShield: Internet Storm Center

The ISC provides a free analysis and warning service to thousands of Internet
users and organizations, and is actively working with Internet Service Providers
to fight back against the most malicious attackers.

### AS Report

Number of source IPs within the AS that sent packets detected by our sensors.
#### IP Address
>
* Website
    - `https://www.dshield.org/as.html`
* Source
    - `https://www.dshield.org/asdetailsascii.html?as=4782`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
    "feed": {
        "name": "DShield",
        "accuracy": 100.0,
        "url": "https://dshield.org/asdetailsascii.html?as=4782"
    },
    "extra": "{\"last_seen\": \"2016-07-06\", \"reports\": 151, \"targets\": 75}",
    "source": {
        "ip": "117.56.109.226",
        "asn": 4782
    },
    "time": {
        "observation": "2016-07-07T11:57:20+00:00",
        "source": "2016-07-07T07:41:20+00:00"
    },
    "raw": "MTE3LjA1Ni4xMDkuMjI2CTE1MQk3NQkJMjAxNi0wNy0wNgkyMDE2LTA3LTA3IDA3OjQxOjIw",
    "classification": {
        "type": "brute-force"
    }
}
```

----

There is not only IP information in https://www.dshield.org/asdetailsascii.html?as=4782, but also more information, such as:

* First Seen
* Last Seen

It looks like:

    # asdetailsascii.html
    # created: Tue, 30 Aug 2016 06:22:09 +0000#
    # Source IP is 0 padded so each byte is three digits long
    # Reports: number of packets received
    # Targets: number of target IPs that reported packets from this source.
    # First Seen: First time we saw a packet from this source
    # Last Seen: Last time we saw a packet from this source
    # Updated: Last time the record was updated.
    #
    # IPs are removed if they have not been seen in 30 days.
    #
    # source IP        Reports   Targets   First Seen   Last Seen    Updated
    117.056.109.226    131       54        2016-08-29   2016-08-29 23:04:06
    061.067.077.098    64        46        2016-08-28   2016-08-28 23:40:42
    211.079.148.155    1         1         2016-08-11   2016-08-16 12:36:48
    # (c) SANS Inst. / DShield. some rights reserved.
    # Creative Commons ShareAlike License 2.5
    # http://creativecommons.org/licenses/by-nc-sa/2.5/

--------------------------------------------------------------------------------
/DShield/Suspicious_Domains.md:
--------------------------------------------------------------------------------

## DShield: Internet Storm Center

The ISC provides a free analysis and warning service to thousands of Internet
users and organizations, and is actively working with Internet Service Providers
to fight back against the most malicious attackers.

### Suspicious Domains

There are many suspicious domains on the internet. In an effort to identify
them, as well as false positives, we have assembled weighted lists based on
tracking and malware lists from different sources. ISC is collecting and
categorizing various lists associated with a certain level of sensitivity.

#### Domain Name
>
* Website
    - `https://www.dshield.org/suspicious_domains.html`
* Source
    - `https://www.dshield.org/feeds/suspiciousdomains_High.txt`
* Data
    - Domain Name
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
    "feed": {
        "name": "DShield",
        "url": "https://www.dshield.org/feeds/suspiciousdomains_High.txt",
        "accuracy": 100.0
    },
    "classification": {
        "type": "malware"
    },
    "source": {
        "fqdn": "000007.ru"
    },
    "raw": "MDAwMDA3LnJ1CQ==",
    "time": {
        "source": "2016-07-07T04:10:24+00:00",
        "observation": "2016-07-07T12:06:13+00:00"
    }
}
```

----

There's only domain information in https://www.dshield.org/feeds/suspiciousdomains_High.txt. It looks like:

    #
    # DShield.org Suspicious Domain List
    # (c) 2016 DShield.org
    # some rights reserved. Details http://creativecommons.org/licenses/by-nc-sa/2.5/
    # use on your own risk. No warranties implied.
    # primary URL: http://www.dshield.org/feeds/suspiciousdomains_High.txt
    #
    # comments: info@dshield.org
    # updated: Mon Aug 29 04:09:47 2016 UTC
    #
    # This list consists of High Level Sensitivity website URLs
    # Columns (tab delimited):
    #
    # (1) site
    #
    Site
    pmenboeqhyrpvomq.azwsxe.top
    rbwubtpsyokqn.info
    swfqg.in
    fnjyygovdjyemga.xyz
    #
    # STATISTICS
    #
    # Total In Database: 37981
    # Total In Report: 135
    # Percent of Total: 0.36 %
    #
    # END
    #
    # finished list generation: Mon Aug 29 04:09:47 2016 UTC

--------------------------------------------------------------------------------
/DShield/Top_20_attacking_class_C.md:
--------------------------------------------------------------------------------

## DShield: Internet Storm Center

The ISC provides a free analysis and warning service to thousands of Internet
users and organizations, and is actively working with Internet Service Providers
to fight back against the most malicious attackers.

### Top 20 attacking class C

This list summarizes the top 20 attacking class C (/24) subnets over the last
three days. The number of 'attacks' indicates the number of targets reporting
scans from this subnet.
#### IP Address
>
* Website
    - `https://www.dshield.org/`
* Source
    - `https://www.dshield.org/block.txt`
* Data
    - Net Block
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
    "feed": {
        "url": "https://www.dshield.org/block.txt",
        "accuracy": 100.0,
        "name": "DShield"
    },
    "extra": "{\"attacks\": 3049, \"network_name\": \"IUnet S.p.A.\"}",
    "time": {
        "source": "2016-07-07T12:38:15+00:00",
        "observation": "2016-07-07T12:04:18+00:00"
    },
    "source": {
        "abuse_contact": "l.cerbai@iunet.it",
        "geolocation": {
            "cc": "IT"
        },
        "network": "164.132.54.0/24"
    },
    "raw": "MTY0LjEzMi41NC4wCTE2NC4xMzIuNTQuMjU1CTI0CTMwNDkJSVVuZXQgUy5wLkEuCUlUCWwuY2VyYmFpQGl1bmV0Lml0",
    "classification": {
        "type": "blacklist"
    }
}
```

---

There is not only IP information in https://www.dshield.org/block.txt, but also more information, such as:

* Number of targets scanned
* Name of Network
* Country
* Contact email address

It looks like:

    # DShield.org Recommended Block List
    # (c) 2007 DShield.org
    # some rights reserved. Details http://creativecommons.org/licenses/by-nc-sa/2.5/
    # use on your own risk. No warranties implied.
    # primary URL: http://feeds.dshield.org/block.txt
    # PGP Sign.: http://feeds.dshield.org/block.txt.asc
    #
    # comments: info@dshield.org
    # updated: Tue Aug 30 07:11:21 2016 UTC
    #
    # This list summarizes the top 20 attacking class C (/24) subnets
    # over the last three days. The number of 'attacks' indicates the
    # number of targets reporting scans from this subnet.
    #
    #
    # Columns (tab delimited):
    #
    # (1) start of netblock
    # (2) end of netblock
    # (3) subnet (/24 for class C)
    # (4) number of targets scanned
    # (5) name of Network
    # (6) Country
    # (7) contact email address
    #
    # If a range is assigned to multiple users, the first one is listed.
    #
    Start   End   Netblock   Attacks   Name   Country   email
    124.232.156.0   124.232.156.255   24   6286   CHINANET-BACKBONE No.31,Jin-rong Street   CN   lzl@public.yc.nx.cn
    209.126.136.0   209.126.136.255   24   2769   California Regional Internet, Inc.   US   abuse@cari.net
    116.31.116.0   116.31.116.255   24   993   CHINANET-BACKBONE No.31,Jin-rong Street   CN   bad userid (abuse_gdnoc)bad userid (abuse_gdnoc)bad userid (abuse_gdnoc)IPMASTER is not for spam complaint,please send spam complaint to abuse_gdnoc@189.cn
    # END
    #
    # finished list generation: Tue Aug 30 07:11:22 2016 UTC

--------------------------------------------------------------------------------
/Danger.rulez.sk/Brute_Force_Attack_Firewall.md:
--------------------------------------------------------------------------------

## Danger.rulez.sk

Yet another FreeBSD committer's homepage

### Brute Force Attack (Firewall)

BruteForceBlocker for iptables

#### IP Address
>
* Website
    - `http://danger.rulez.sk/`
* Source
    - `http://danger.rulez.sk/projects/bruteforceblocker/blist.php`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
    "raw": "OTMuMTc0LjkzLjE4CQkjIDIwMTYtMDYtMjQgMDU6MTg6MDMJCTg4CTEwNDA3NjI=",
    "time": {
        "observation": "2016-07-07T12:09:49+00:00",
        "source": "2016-06-24T05:18:03+00:00"
    },
    "feed": {
        "accuracy": 100.0,
        "name": "Danger Rulez",
        "url":
            "http://danger.rulez.sk/projects/bruteforceblocker/blist.php"
    },
    "source": {
        "ip": "93.174.93.18"
    },
    "classification": {
        "type": "brute-force"
    }
}
```

----

There's only IP information in http://danger.rulez.sk/projects/bruteforceblocker/blist.php
It looks like:

    # IP               # Last Reported          Count   ID
    154.16.199.174     # 2016-08-17 14:15:10    98      1060564
    91.224.160.106     # 2016-08-29 20:58:57    71      1055410
    154.16.199.47      # 2016-08-19 17:13:39    67      1061671

--------------------------------------------------------------------------------
/DragonResearchGroup/SSH_Brute_Force_Attack.md:
--------------------------------------------------------------------------------

## Dragon Research Group

The Dragon Research Group (DRG) is a volunteer research organization dedicated
to further understanding of online criminality and to provide actionable
intelligence for the benefit of the entire Internet community.

### SSH Brute Force Attack

SSH Password Authentication Report

#### IP Address
>
* Website
    - `https://dragonresearchgroup.org/insight/`
* Source
    - `https://dragonresearchgroup.org/insight/sshpwauth.txt`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - Data is no longer updated; it stopped on 2016-05-18.
##### Sample Output of IntelMQ

```javascript
{
    "time": {
        "source": "2016-05-17T06:39:10+00:00",
        "observation": "2016-07-07T12:13:43+00:00"
    },
    "feed": {
        "accuracy": 100.0,
        "name": "Dragon Research Group",
        "url": "https://dragonresearchgroup.org/insight/sshpwauth.txt"
    },
    "source": {
        "ip": "185.130.5.56"
    },
    "classification": {
        "type": "brute-force"
    },
    "destination": {
        "port": 22
    },
    "raw": "TkEgICAgICAgICAgIHwgIE5BICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfCAgICAgMTg1LjEzMC41LjU2ICB8ICAyMDE2LTA1LTE3IDA2OjM5OjEwICB8ICBzc2hwd2F1dGg=",
    "protocol": {
        "application": "ssh",
        "transport": "tcp"
    }
}
```

--------------------------------------------------------------------------------
/DragonResearchGroup/VNC_Brute_Force_Attack.md:
--------------------------------------------------------------------------------

## Dragon Research Group

The Dragon Research Group (DRG) is a volunteer research organization dedicated
to further understanding of online criminality and to provide actionable
intelligence for the benefit of the entire Internet community.

### VNC Brute Force Attack

VNC Probe Report

#### IP Address
>
* Website
    - `https://dragonresearchgroup.org/insight/`
* Source
    - `https://dragonresearchgroup.org/insight/vncprobe.txt`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - Data is no longer updated; it stopped on 2016-05-18.
##### Sample Output of IntelMQ

```javascript
{
    "feed": {
        "url": "https://dragonresearchgroup.org/insight/vncprobe.txt",
        "accuracy": 100.0,
        "name": "Dragon Research Group"
    },
    "time": {
        "source": "2016-05-17T05:09:34+00:00",
        "observation": "2016-07-07T12:50:59+00:00"
    },
    "protocol": {
        "transport": "tcp",
        "application": "vnc"
    },
    "source": {
        "as_name": "HINET Data Communication Busin",
        "ip": "1.170.51.152",
        "asn": 3462
    },
    "raw": "MzQ2MiAgICAgICAgIHwgIEhJTkVUIERhdGEgQ29tbXVuaWNhdGlvbiBCdXNpbiAgfCAgICAgMS4xNzAuNTEuMTUyICB8ICAyMDE2LTA1LTE3IDA1OjA5OjM0ICB8ICB2bmNwcm9iZQ==",
    "classification": {
        "type": "brute-force"
    }
}
```

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------

The MIT License (MIT)

Copyright (c) 2016

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/Malc0de/malc0de.md:
--------------------------------------------------------------------------------

## Malc0de

Malc0de database is run by a security researcher.

### Malware

An updated database of domains hosting malicious executables.

#### Domain Name
>
* Website
    - `http://malc0de.com/bl/`
* Source
    - `http://malc0de.com/bl/BOOT`
* Data
    - Domain Name
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
    "time": {
        "observation": "2016-07-07T13:02:52+00:00"
    },
    "classification": {
        "type": "malware"
    },
    "source": {
        "fqdn": "2biking.com"
    },
    "raw": "UFJJTUFSWSAyYmlraW5nLmNvbSBibG9ja2VkZG9tYWluLmhvc3Rz",
    "feed": {
        "accuracy": 100.0,
        "url": "https://malc0de.com/bl/BOOT",
        "name": "Malc0de"
    }
}
```

#### IP Address
>
* Website
    - `http://malc0de.com/bl/`
* Source
    - `https://malc0de.com/bl/IP_Blacklist.txt`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
    "source": {
        "ip": "192.254.235.178"
    },
    "raw": "MTkyLjI1NC4yMzUuMTc4",
    "feed": {
        "accuracy": 100.0,
        "url": "https://malc0de.com/bl/IP_Blacklist.txt",
        "name": "Malc0de"
    },
    "classification": {
        "type": "malware"
    },
    "time": {
        "observation": "2016-07-07T13:11:35+00:00"
    }
}
```

----

There's only domain information in http://malc0de.com/bl/BOOT. It looks like:

    // This file will be automatically updated daily and populated with the last 30 days of malicious domains.
    // It will return 127.0.0.1 for all domains found to be distributing malware
    // Additional information to get this working can be found http://www.malwaredomains.com/wordpress/?page_id=6
    // Last updated 2016-08-28

    PRIMARY 2biking.com blockeddomain.hosts
    PRIMARY antalyanalburiye.com blockeddomain.hosts
    PRIMARY bellefonte.net blockeddomain.hosts
    PRIMARY fssblangenlois.ac.at blockeddomain.hosts
    PRIMARY gasparini.com.br blockeddomain.hosts

There's only IP information in http://malc0de.com/bl/IP_Blacklist.txt
It looks like:

    // This file will be automatically updated daily and populated with the last 30 days of malicious IP addresses.
    // Last updated 2016-08-29

    198.57.247.219
    94.73.147.76
    199.30.57.225

But there's more information in http://malc0de.com/database/:

* Domain
* IP
* CC
* ASN
* Autonomous System Name
* Click Md5 for VirusTotal Report

--------------------------------------------------------------------------------
/MalwareDomainList/Malware.md:
--------------------------------------------------------------------------------

## Malware Domain List

Malware Domain List is a non-commercial community project.

### Malware

All domains on this website should be considered dangerous.
#### Domain Name
>
* Website
    - `http://www.malwaredomainlist.com/`
* Source
    - `http://www.malwaredomainlist.com/updatescsv.php`
* Data
    - Domain Name
* Format
    - CSV
* API/Token
    - None
* Status
    - Ok
* Comments
    - Complete database in CSV format: http://www.malwaredomainlist.com/mdlcsv.php

##### Sample Output of IntelMQ

```javascript
{
    "time": {
        "source": "2016-07-04T12:06:00+00:00",
        "observation": "2016-07-07T07:52:57+00:00"
    },
    "event_description": {
        "text": "iframe on compromised site leads to EK"
    },
    "raw": "MjAxNi8wNy8wNF8xMjowNix3d3cuZWllbGVjdHJvbmljcy5jb20vLDQ2LjIyLjEzOC4yMSwxMzgtMjEuY29sby5zdGEuYmxhY2tuaWdodC5pZS4saWZyYW1lIG9uIGNvbXByb21pc2VkIHNpdGUgbGVhZHMgdG8gRUssUmVnaXN0cmFyIEFidXNlIENvbnRhY3QgYWJ1c2VAc29mdGxheWVyLmNvbSwzOTEyMg0K",
    "source": {
        "url": "http://www.eielectronics.com/",
        "ip": "46.22.138.21",
        "asn": 39122,
        "reverse_dns": "138-21.colo.sta.blacknight.ie"
    },
    "classification": {
        "type": "malware"
    },
    "feed": {
        "url": "http://www.malwaredomainlist.com/updatescsv.php",
        "accuracy": 100.0,
        "name": "Malware Domain List"
    }
}
```

----

But there's more information in http://www.malwaredomainlist.com/mdl.php:

* Domain
* IP
* Reverse Lookup
* Description
* Registrant
* ASN

--------------------------------------------------------------------------------
/MalwareDomains/Malware.md:
--------------------------------------------------------------------------------

## Malware Domains

The DNS-BH project creates and maintains a listing of domains that are known to
be used to propagate malware and spyware.
This project creates the Bind and
Windows zone files required to serve fake replies to localhost for any requests
to these, thus preventing many spyware installs and reporting.

### Malware

Malware and spyware blocklist.

#### Domain Name
>
* Website
    - `http://www.malwaredomains.com/`
* Source
    - `http://mirror2.malwaredomains.com/files/domains.txt`
* Data
    - Domain Name
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
  "classification": {
    "type": "malware"
  },
  "event_description": {
    "text": "phishing"
  },
  "source": {
    "fqdn": "amazon.co.uk.security-check.ga"
  },
  "time": {
    "source": "2016-05-27T00:00:00+00:00",
    "observation": "2016-07-07T13:30:14+00:00"
  },
  "raw": "CQlhbWF6b24uY28udWsuc2VjdXJpdHktY2hlY2suZ2EJcGhpc2hpbmcJb3BlbnBoaXNoLmNvbQkyMDE2MDUyNwkyMDE2MDEwOA==",
  "feed": {
    "url": "http://mirror2.malwaredomains.com/files/domains.txt",
    "accuracy": 100.0,
    "name": "MalwareDomains"
  }
}
```

----

There's only Domain information in http://mirror2.malwaredomains.com/files/domains.txt. It looks like:

```
## if you do not accept these terms, then do not use this information.
## for noncommercial use only. using this information indicates you agree to be bound by these terms.
## nextvalidation domain type original_reference-why_it_was_listed
## notice notice duplication is not permitted #=comment
amazon.co.uk.security-check.ga phishing openphish.com 20160527 20160108
autosegurancabrasil.com phishing openphish.com 20160527 20160108
christianmensfellowshipsoftball.org phishing openphish.com 20160527 20160108
dadossolicitado-antendimento.sad879.mobi phishing openphish.com 20160527 20160108
hitnrun.com.my phishing openphish.com 20160527 20160108
```

--------------------------------------------------------------------------------
/MalwareGroup/Proxy.md:
--------------------------------------------------------------------------------

### Proxy

#### IP Blacklist
>
* Website
    - `http://www.malwaregroup.com/`
* Source
    - `http://www.malwaregroup.com/proxies`
* Data
    - IP Address
* Format
    - Not Available
* API/Token
    - None
* Status
    - Error
* Comments
    - Not Available

##### Sample Output of IntelMQ

```javascript
{
  null
}
```

--------------------------------------------------------------------------------
/MalwareGroup/Unknown.md:
--------------------------------------------------------------------------------

## Malware Group

### Unknown

#### Domain Blacklist
>
* Website
    - `http://www.malwaregroup.com/`
* Source
    - `http://www.malwaregroup.com/domains`
* Data
    - Domain Name
* Format
    - Not Available
* API/Token
    - None
* Status
    - Error
* Comments
    - Not Available

##### Sample Output of IntelMQ

```javascript
{
  null
}
```

#### IP Blacklist
>
* Website
    - `http://www.malwaregroup.com/`
* Source
    - `http://www.malwaregroup.com/ipaddresses`
* Data
    - IP Address
* Format
    - Not Available
* API/Token
    - None
* Status
    - Error
* Comments
    - Not Available

##### Sample Output of IntelMQ

```javascript
{
  null
}
```

--------------------------------------------------------------------------------
/MalwarePatrol/Malware.md:
--------------------------------------------------------------------------------

## Malware Patrol

The Malware Patrol project began in 2005 as an open source community for sharing
malicious URLs. This community, more active than ever, continues to collect,
analyze, and monitor malware.

### Malicious Activities

DansGuardian block list

#### URL
>
* Website
    - `https://www.malwarepatrol.net/`
* Source
    - `https://lists.malwarepatrol.net/cgi/getfile?receipt=< API KEY >&product=8&list=dansguardian`
* Data
    - URL
* Format
    - Text
* API/Token
    - `TBD`
* Status
    - Error
* Comments
    - Parsing Error

##### Sample Output of IntelMQ

```javascript
{
  null
}
```

--------------------------------------------------------------------------------
/OpenBL.org/Abuse_Reporting_and_Blacklisting.md:
--------------------------------------------------------------------------------

## OpenBL.org

The OpenBL.org project (formerly known as the SSH blacklist) is about detecting,
logging and reporting various types of internet abuse.

### Abuse Reporting and Blacklisting

Currently our hosts monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP),
110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for
brute-force login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for
vulnerable installations of phpMyAdmin and other web applications.

#### IP Address
>
* Website
    - `https://www.openbl.org/`
* Source
    - `https://www.openbl.org/lists/date_all.txt`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
  "classification": {
    "type": "blacklist"
  },
  "source": {
    "ip": "121.18.238.29"
  },
  "raw": "MTIxLjE4LjIzOC4yOQkxNDY3OTAyMjI1",
  "feed": {
    "name": "OpenBL",
    "url": "https://www.openbl.org/lists/date_all.txt",
    "accuracy": 100.0
  },
  "time": {
    "observation": "2016-07-07T14:01:47+00:00",
    "source": "2016-07-07T14:37:05+00:00"
  }
}
```

----

There's only IP information in https://www.openbl.org/lists/date_all.txt
It looks like:

```
# openbl.org/lists/date_all.txt
# Tue Aug 30 07:52:27 2016 UTC
#
# source ip date
91.224.160.184 1472542163
77.243.183.61 1472542093
210.30.128.25 1472542086
```

--------------------------------------------------------------------------------
/OpenPhish/Phishing.md:
--------------------------------------------------------------------------------

## OpenPhish

OpenPhish launched in June 2014 as a result of a three-year research project on
phishing detection. The research yielded a set of autonomous algorithms for
detecting zero-day phishing sites. These algorithms form a self-contained kernel
that can tell whether a given URL is a phish or not. Essentially, OpenPhish is
the algorithmic kernel complemented with data extraction and analysis
functionalities for generating various feeds.

### Phishing

OpenPhish uses proprietary Artificial Intelligence algorithms to automatically
identify zero-day phishing sites and provide comprehensive, actionable,
real-time threat intelligence.

#### URL
>
* Website
    - `https://www.openphish.com/`
* Source
    - `https://www.openphish.com/feed.txt`
* Data
    - URL
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
  "time": {
    "observation": "2016-07-07T14:06:16+00:00"
  },
  "classification": {
    "type": "phishing"
  },
  "source": {
    "url": "http://2ztc3.sunucubilisim.net/cartasi/"
  },
  "raw": "aHR0cDovLzJ6dGMzLnN1bnVjdWJpbGlzaW0ubmV0L2NhcnRhc2kv",
  "feed": {
    "name": "OpenPhish",
    "accuracy": 100.0,
    "url": "https://www.openphish.com/feed.txt"
  }
}
```

----

There's only URL information in https://www.openphish.com/feed.txt.
It looks like:

```
http://www.boushehr-ems.ir/apple/clients/
http://www.boushehr-ems.ir/apple/clients/initiate.php
http://www.maxmunus.com/images/demo/slider/alibaba/
http://www.hermes-cargo.com/Docssecured/
http://www.japcolor.com.ar/login.jsp.htm
http://www.senaranews.com/libraries/simplepie/idn/done/auth/view/share/
http://www.pomaranczowapomoc.pl/xmlpr/db/box/
http://nlsmail.nottslawsoc.org/ap/servic/home/service/costumer/information/check/af09d63c1874c89d929de3a4b98123fe/index/web/a2d01ec0e86accddfd5277a9f87cc4bd/information.php
http://nlsmail.nottslawsoc.org/ap/servic/home/service/costumer/information/check/af09d63c1874c89d929de3a4b98123fe/index/web/a2d01ec0e86accddfd5277a9f87cc4bd/confirmed.php
```

But there's more information in https://www.openphish.com/:

* Targeted Brand

--------------------------------------------------------------------------------
/PhishTank/Phishing.md:
--------------------------------------------------------------------------------

## PhishTank

PhishTank is a free community site where anyone can submit, verify, track and
share phishing data.

### Phishing

Phishing is a fraudulent attempt, usually made through email, to steal your
personal information. The best way to protect yourself from phishing is to learn
how to recognize a phish.

#### URL
>
* Website
    - `https://www.phishtank.com`
* Source
    - `https://data.phishtank.com/data/< API KEY >/online-valid.csv`
* Data
    - URL
* Format
    - CSV
* API/Token
    - `TBD`
* Status
    - Ok
* Comments
    - No API Key

##### Sample Output of IntelMQ

```javascript
{
  "source": {
    "url": "http://ow.ly/YDN26"
  },
  "time": {
    "observation": "2016-07-07T14:15:22+00:00",
    "source": "2016-07-07T11:26:05+00:00"
  },
  "event_description": {
    "url": "http://www.phishtank.com/phish_detail.php?phish_id=4278837",
    "target": "DHL"
  },
  "feed": {
    "url": "https://data.phishtank.com/data/00625bb72461632c0e7d494baba9b3524e439c672c4deab6f09a617b2fa887f8/online-valid.csv",
    "name": "Phishtank",
    "accuracy": 100.0
  },
  "classification": {
    "type": "phishing"
  },
  "raw": "NDI3ODgzNyxodHRwOi8vb3cubHkvWUROMjYsaHR0cDovL3d3dy5waGlzaHRhbmsuY29tL3BoaXNoX2RldGFpbC5waHA/cGhpc2hfaWQ9NDI3ODgzNywyMDE2LTA3LTA3VDExOjI2OjA1KzAwOjAwLHllcywyMDE2LTA3LTA3VDEzOjMyOjU1KzAwOjAwLHllcyxESEw="
}
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

Cyber Threat Intelligence Feeds (CTIFeeds)
==========================================
@(Information Security)[resource, links, security]

----------

[TOC]

----------

## IP Address

### [Abuse.ch - Feodo Botnet][1] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Abuse.ch - Palevo Worm][2] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Abuse.ch - Zeus Botnet][3] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Alien Vault - Reputation][4] (O)
* IntelMQ - Parsing Error
* Open Source Intelligence

### [Arbor - Distributed SSH Brute Force Attacks][5] (O)
* IntelMQ - Collecting Error
    - 403 Forbidden
* Closed Source Intelligence

### [Blocklist.de - Attacks on the Service Apache][6] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Blocklist.de - REG-Bots, IRC-Bots or BadBots (Spamming)][7] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Blocklist.de - Brute-Force Website Logins][8] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Blocklist.de - Attacks on the Service FTP][9] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Blocklist.de - Attacks on the Service IMAP, SASL, POP3][10] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Blocklist.de - IRC Botnet][11] (O)
* IntelMQ - OK
    - No Present Data
* Open Source Intelligence

### [Blocklist.de - Attacks on the Service Mail, Postfix][12] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Blocklist.de - Brute-Force SIP, VOIP or Asterisk-Server Logins Attacks][13] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Blocklist.de - Attacks on the Service SSH][14] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Blocklist.de - Strong IPs][15] (O)
* IntelMQ - OK
* Open Source Intelligence

### [CINSscore.com - The CI Army List][16] (O)
* IntelMQ - Collecting Error
    - Cannot access the link via our IP.
* Open Source Intelligence

### [Team Cymru - Bogons IP List][19] (O)
* IntelMQ - OK
* Open Source Intelligence

### [DShield - AS Report][20] (O)
* IntelMQ - OK
* Open Source Intelligence

### [DShield - Top 20 Attacking Class C][21] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Danger.rulez.sk - Brute Force Attack (Firewall)][23] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Dragon Research Group - SSH Brute Force Attack][24] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Dragon Research Group - VNC Brute Force Attack][25] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Malc0de - Malware][28] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Malware Group - Unknown][31] (O)
* IntelMQ - Collecting Error
    - Resource Not Available
* Open Source Intelligence

### [Malware Group - Proxy][32] (O)
* IntelMQ - Collecting Error
    - Resource Not Available
* Open Source Intelligence

### [OpenBL.org - Abuse Reporting and Blacklisting][33] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Spamhaus - DROP (Don't Route Or Peer Lists)][35] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Taichung Blacklist - Malicious Activities][36] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Turris Greylist - Scanning Attack][37] (O)
* IntelMQ - OK
* Open Source Intelligence

### [URLVir - Malware][38] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Autoshun shunlist - Malicious Activities][41] (O)
* IntelMQ - Collecting Error
    - URL Changed
* Closed Source Intelligence

### [Spamhaus CERT Insight Portal - Botnet][48] (O)
* IntelMQ - Collecting Error
    - No API Key
* Community Source Intelligence

## Domain Name

### [Abuse.ch (Feodo Botnet)][1] (O)
* IntelMQ - OK
    - No Present Data
* Open Source Intelligence
* TBD
    - Add new collector, parser, etc.

### [Abuse.ch (Palevo Worm)][2] (O)
* IntelMQ - OK
* Open Source Intelligence
* TBD
    - Nothing to do

### [Abuse.ch (Zeus Botnet)][3] (O)
* IntelMQ - OK
* Open Source Intelligence
* TBD
    - Add new collector, parser, etc.

### [DShield - Suspicious Domains][22] (O)
* IntelMQ - OK
* Open Source Intelligence
* TBD
    - Nothing to do

### [Malwarebytes hpHosts - Malicious Activities][27] (O)
* IntelMQ - OK
* Open Source Intelligence
* TBD
    - Add new collector, parser, etc.

### [Malc0de - Malware][28] (O)
* IntelMQ - OK
* Open Source Intelligence
* TBD
    - Add new collector, parser, etc.

### [Malware Domains - Malware][30] (O)
* IntelMQ - OK
* Open Source Intelligence
* TBD
    - Add new collector, parser, etc.

### [Malware Group - Unknown][31] (O)
* IntelMQ - Collecting Error
    - Resource Not Available
* Open Source Intelligence
* TBD
    - Nothing to do

### [URLVir - Malware][38] (O)
* IntelMQ - OK
* Open Source Intelligence
* TBD
    - Add new collector, parser, etc.

### [DGArchive - Malware][44] (O)
* IntelMQ - OK
* Community Source Intelligence
* TBD
    - Fix the collector

### [n6stomp - Malicious Activities][47] (O)
* IntelMQ - Collecting Error
    - No API Key
* Community Source Intelligence
* TBD
    - Nothing to do

## URL

### [CleanMX.de - Malware][17] (O)
* IntelMQ - OK
* Open Source Intelligence

### [CleanMX.de - Phishing][18] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Security Research - Ponmocup Botnet][26] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Malware Domain List - Malware][29] (O)
* IntelMQ - OK
* Open Source Intelligence

### [OpenPhish - Phishing][34] (O)
* IntelMQ - OK
* Open Source Intelligence
* Missing 'Target' column

### [VXVault - Malware][39] (O)
* IntelMQ - OK
* Open Source Intelligence

### [Alien Vault OTX - Malicious Activities][40] (O)
* IntelMQ - OK
* Community Source Intelligence

### [Blueliv - Malicious Activities][42] (O)
* IntelMQ - Collecting Error
    - URL Changed
* Community Source Intelligence

### [Bitsight - Malicious Activities][43] (O)
* IntelMQ - Collecting Error
    - No API Key
* Closed Source Intelligence

### [Malware Patrol - Malware][45] (O)
* IntelMQ - Parsing Error
* Closed Source Intelligence

### [PhishTank - Phishing][46] (O)
* IntelMQ - OK
* Community Source Intelligence


[1]: ./Abuse.ch/Feodo_Botnet.md
[2]: ./Abuse.ch/Palevo_Worm.md
[3]: ./Abuse.ch/Zeus_Botnet.md
[4]: ./AlienVault/Malicious_Activities.md
[5]: ./ArborNetworks/Distributed_SSH_Brute_Force_Attacks.md
[6]: ./Blocklist.de/Attacks_on_the_service_Apache.md
[7]: ./Blocklist.de/REG-Bots_IRC-Bots_or_BadBots_Spamming.md
[8]: ./Blocklist.de/Brute-Force_Website_Logins.md
[9]: ./Blocklist.de/Attacks_on_the_service_FTP.md
[10]: ./Blocklist.de/Attacks_on_the_service_IMAP_SASL_POP3.md
[11]: ./Blocklist.de/IRC_Botnet.md
[12]: ./Blocklist.de/Attacks_on_the_service_Mail_Postfix.md
[13]: ./Blocklist.de/Brute-Force_SIP_VOIP_or_Asterisk-Server_Logins_Attacks.md
[14]: ./Blocklist.de/Attacks_on_the_service_SSH.md
[15]: ./Blocklist.de/Strong_IPs.md
[16]: ./CINSscore/Blacklist.md
[17]: ./CleanMX.de/Malware.md
[18]: ./CleanMX.de/Phishing.md
[19]: ./TeamCymru/Bogons.md
[20]: ./DShield/AS_Report.md
[21]: ./DShield/Top_20_attacking_class_C.md
[22]: ./DShield/Suspicious_Domains.md
[23]: ./Danger.rulez.sk/Brute_Force_Attack_Firewall.md
[24]: ./DragonResearchGroup/SSH_Brute_Force_Attack.md
[25]: ./DragonResearchGroup/VNC_Brute_Force_Attack.md
[26]: ./SecurityResearch/Ponmocup_Botnet.md
[27]: ./hpHosts/Malicious_Activities.md
[28]: ./Malc0de/malc0de.md
[29]: ./MalwareDomainList/Malware.md
[30]: ./MalwareDomains/Malware.md
[31]: ./MalwareGroup/Unknown.md
[32]: ./MalwareGroup/Proxy.md
[33]: ./OpenBL.org/Abuse_Reporting_and_Blacklisting.md
[34]: ./OpenPhish/Phishing.md
[35]: ./Spamhaus/Dont_Route_Or_Peer_Lists.md
[36]: ./TaichungBlocklist/Malicious_Activities.md
[37]: ./TurrisGreylist/Scanning_Attack.md
[38]: ./URLVir/Malware.md
[39]: ./VXVault/Malware.md
[40]: ./AlienVaultOTX/Malicious_Activities.md
[41]: ./Autoshun.org/Malicious_Activities.md
[42]: ./Blueliv/Malicious_Activities.md
[43]: ./Bitsight/Malicious_Activities.md
[44]: ./DGArchive/Malware.md
[45]: ./MalwarePatrol/Malware.md
[46]: ./PhishTank/Phishing.md
[47]: ./n6stomp/CERT.md
[48]: ./SpamhausCERTInsightPortal/Botnet.md

--------------------------------------------------------------------------------
/SecurityResearch/Ponmocup_Botnet.md:
--------------------------------------------------------------------------------

## Security Research

Security Research is run by a security researcher.

### Ponmocup Botnet

This list contains ponmocup malware redirection domains and infected
web-servers.

#### Domain Name
>
* Website
    - `http://security-research.dyndns.org/pub/malware-feeds/ponmocup-infected-domains-CIF-latest.txt`
* Source
    - `http://security-research.dyndns.org/pub/malware-feeds/ponmocup-infected-domains-CIF-latest.txt`
* Data
    - URL, Domain Name
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - Website not found.

##### Sample Output of IntelMQ

```javascript
{
  "time":{
    "observation":"2016-07-07T12:48:53+00:00"
  },
  "source":{
    "fqdn":"-sso.anbtr.com"
  },
  "raw":"MTI3LjAuMC4xCS1zc28uYW5idHIuY29t",
  "classification":{
    "type":"blacklist"
  },
  "feed":{
    "accuracy":100.0,
    "url":"http://hosts-file.net/download/hosts.txt",
    "name":"HpHosts"
  }
}
```

There's only URL information in http://security-research.dyndns.org/pub/malware-feeds/ponmocup-infected-domains-CIF-latest.txt.
It looks like:

```
#
# this list of ponmocup malware redirection domains and infected web-servers is maintained by
# email: toms.security.stuff -at- gmail.com
# twitter: @c_APT_ure
# blog: http://c-apt-ure.blogspot.com/
#
# full log file:
# http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-infected-domains-latest.txt
#
# format:
# ponmocup-malware-IP ponmocup-malware-domain ponmocup-malware-URI-path ponmocup-htaccess-infected-domain
#
# last updated: Mon Aug 29 00:43:24 PDT 2016
#
/ 41018.pballgames.com http://41018.pballgames.com/url www.hummel-print.biz
/ 52910.clickbanksite.org http://52910.clickbanksite.org/url infobunda.com
/ 53604.azdiscus.com http://53604.azdiscus.com/url www.rdm.hr
/ 59341.p-balls.com http://59341.p-balls.com/url meteomaastricht.nl
```

--------------------------------------------------------------------------------
/Spamhaus/Dont_Route_Or_Peer_Lists.md:
--------------------------------------------------------------------------------

## Spamhaus

The Spamhaus DROP (Don't Route Or Peer) lists are advisory "drop all traffic"
lists, consisting of netblocks that are "hijacked" or leased by professional
spam or cyber-crime operations (used for dissemination of malware, trojan
downloaders, botnet controllers).

### Don't Route Or Peer Lists

DROP will only include netblocks allocated directly by an established Regional
Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN, RIPE,
AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations.

#### IP Address
>
* Website
    - `https://www.spamhaus.org/drop/`
* Source
    - `https://www.spamhaus.org/drop/drop.txt`
* Data
    - Net Block
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
  "event_description":{
    "text":"has malicious code redirecting to malicious host"
  },
  "time":{
    "observation":"2016-07-07T12:18:38+00:00",
    "source":"2016-07-07T07:44:04+00:00"
  },
  "raw":"LyAyODU2MC5wb2xpdGNhbG5ld3MuY29tIGh0dHA6Ly8yODU2MC5wb2xpdGNhbG5ld3MuY29tL3VybCBtLmtmYy5mcg==",
  "feed":{
    "url":"http://security-research.dyndns.org/pub/malware-feeds/ponmocup-infected-domains-CIF-latest.txt",
    "accuracy":100.0,
    "name":"DynDNS ponmocup Domains"
  },
  "source":{
    "url":"http://28560.politcalnews.com/url",
    "fqdn":"28560.politcalnews.com"
  },
  "destination":{
    "fqdn":"m.kfc.fr"
  },
  "classification":{
    "type":"malware"
  }
}
```

There's only IP information in https://www.spamhaus.org/drop/drop.txt
It looks like:

```
; Spamhaus DROP List 2016/08/30 - (c) 2016 The Spamhaus Project
; https://www.spamhaus.org/drop/drop.txt
; Last-Modified: Tue, 30 Aug 2016 05:17:00 GMT
; Expires: Tue, 30 Aug 2016 09:03:35 GMT
1.4.0.0/17 ; SBL256893
1.10.16.0/20 ; SBL256894
1.32.128.0/18 ; SBL286275
```

--------------------------------------------------------------------------------
/SpamhausCERTInsightPortal/Botnet.md:
--------------------------------------------------------------------------------

## Spamhaus CERT Insight Portal

The aim of the Spamhaus CERT Insight Portal is to help Computer Emergency
Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs)
with a national or regional responsibility to protect their critical
infrastructure and IP address space from cyberthreats.

### Botnet

The CERT Insight Portal, which is available for free, provides information about
malware infected computers (bots) within a CERT/CSIRT area of responsibility —
the specific country or region that the CERT or CSIRT is responsible for.

#### IP Address
>
* Website
    - `https://www.spamhaus.org/`
* Source
    - `https://www.spamhaus.org/news/article/705/spamhaus-launches-cert-insight-portal`
* Data
    - IP Address
* Format
    - Not available
* API/Token
    - `TBD`
* Status
    - Error
* Comments
    - No API Key

##### Sample Output of IntelMQ

```javascript
{
  null
}
```

--------------------------------------------------------------------------------
/TaichungBlocklist/Malicious_Activities.md:
--------------------------------------------------------------------------------

## Taichung Blacklist

The Education Bureau of Taichung City Hall

### Malicious Activities

A public blocklist of IP addresses suspected in malicious activities on-line.

#### IP Address
>
* Website
    - `https://www.tc.edu.tw/net/netflow/lkout/recent/30`
* Source
    - `https://www.tc.edu.tw/net/netflow/lkout/recent/30`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
  "time":{
    "source":"2016-05-18T01:33:43+00:00",
    "observation":"2016-07-07T14:46:02+00:00"
  },
  "raw":"PHRkPjE8L3RkPjx0ZD48aW1nIHNyYz0iL2ltYWdlcy9mbGFncy9qcC5naWYiIGFsdD0iIj48c3BhbiBzdHlsZT0iY29sb3I6IGJsYWNrOyI+MTA2LjE4NC4yLjI5PC9zcGFuPjwvdGQ+PHRkPlNTSCBBdHRhY2s8L3RkPgogICAgICAgIDx0ZD7miYvli5XoqK3lrpo8L3RkPjx0ZD4yMDE2LTA1LTE4IDA5OjMzOjQzPC90ZD48dGQ+NTAuNTc8L3RkPgogICAgICAgIDx0ZCBzdHlsZT0iY29sb3I6cmVkOyI+5bCB6Y6WPC90ZD48L3RyPiAgICAgICAg",
  "event_description":{
    "text":"SSH Attack"
  },
  "classification":{
    "type":"unknown"
  },
  "source":{
    "ip":"106.184.2.29"
  },
  "feed":{
    "accuracy":100.0,
    "name":"Taichung",
    "url":"https://www.tc.edu.tw/net/netflow/lkout/recent/30"
  }
}
```

There's only IP information in https://www.tc.edu.tw/net/netflow/lkout/recent/30
It looks like:

```
序 限制IP 限制型態 流量 起限時間 距日 管理
1 106.184.2.29 SSH Attack 手動設定 2016-05-18 09:33:43 104.27 封鎖
2 91.201.236.155 SSH Attack 手動設定 2016-05-18 09:33:04 104.27 封鎖
3 91.201.236.158 SSH Attack 手動設定 2016-05-18 09:32:46 104.27 封鎖
```

--------------------------------------------------------------------------------
/TeamCymru/Bogons.md:
--------------------------------------------------------------------------------

## Team Cymru

Team Cymru Research NFP is an Illinois non-profit and a US Federal 501(c)3
organization.

### The Bogon Reference

A bogon prefix is a route that should never appear in the Internet routing
table.
A packet routed over the public Internet (not including over VPNs or
other tunnels) should never have a source address in a bogon range. These are
commonly found as the source addresses of DDoS attacks.

#### IP Address
>
* Website
    - `https://www.team-cymru.org/bogon-reference.html`
* Source
    - `https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
  "feed":{
    "accuracy":100.0,
    "url":"https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt",
    "name":"Cymru"
  },
  "classification":{
    "type":"blacklist"
  },
  "source":{
    "network":"0.0.0.0/8"
  },
  "time":{
    "observation":"2016-07-07T11:40:52+00:00",
    "source":"2016-07-07T08:50:01+00:00"
  },
  "raw":"MC4wLjAuMC84"
}
```

There's only IP information in https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
It looks like:

```
# last updated 1472532602 (Tue Aug 30 04:50:02 2016 GMT)
0.0.0.0/8
2.56.0.0/14
5.8.248.0/21
```

--------------------------------------------------------------------------------
/TurrisGreylist/Scanning_Attack.md:
--------------------------------------------------------------------------------

## Turris Greylist

Project Turris is a service helping to protect its users' home networks with the
help of a special router.

### Scanning Attack

A list of addresses that have tried to obtain information about services on the
Turris router or tried to gain access to them.

#### IP Address
>
* Website
    - `https://www.turris.cz/en/greylist`
* Source
    - `https://www.turris.cz/greylist-data/greylist-latest.csv`
* Data
    - IP Address
* Format
    - CSV
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
  "classification":{
    "type":"scanner"
  },
  "time":{
    "observation":"2016-07-07T14:53:37+00:00"
  },
  "raw":"MS4xMS40NS41LEtSLG5ldGlzLDE4MzEz",
  "feed":{
    "url":"https://www.turris.cz/greylist-data/greylist-latest.csv",
    "name":"Turris Greylist",
    "accuracy":100.0
  },
  "event_description":{
    "text":"netis"
  },
  "source":{
    "ip":"1.11.45.5"
  }
}
```

There's not only IP information in https://www.turris.cz/greylist-data/greylist-latest.csv, but also more information like:

* Country
* Tags
* ASN

It looks like:

```
Address,Country,Tags,ASN
1.9.165.178,MY,"samba,torrent",4788
1.23.82.242,IN,databases,45528
1.25.224.180,CN,databases,4837
```

--------------------------------------------------------------------------------
/URLVir/Malware.md:
--------------------------------------------------------------------------------

## URLVir

URLVir is an online security service developed by NoVirusThanks Company Srl that
automatically monitors changes of malicious URLs (executable files).

### Malware

Monitor Malicious Executable URLs

#### Domain Name
>
* Website
    - `http://www.urlvir.com/`
* Source
    - `http://www.urlvir.com/export-hosts/`
* Data
    - Domain Name
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
  "feed":{
    "url":"http://www.urlvir.com/export-ip-addresses/",
    "name":"URLVir",
    "accuracy":100.0
  },
  "raw":"MTAzLjI2Ljk5LjE0Nw==",
  "source":{
    "ip":"103.26.99.147"
  },
  "time":{
    "observation":"2016-07-07T14:57:12+00:00"
  },
  "classification":{
    "type":"malware"
  }
}
```

#### IP Address
>
* Website
    - `http://www.urlvir.com/`
* Source
    - `http://www.urlvir.com/export-ip-addresses/`
* Data
    - IP Address
* Format
    - Text
* API/Token
    - None
* Status
    - Ok
* Comments
    - No comment

##### Sample Output of IntelMQ

```javascript
{
  "time":{
    "observation":"2016-07-07T14:55:14+00:00"
  },
  "raw":"aW5kaXJsaXZleHN0b3JlLmNvbQ==",
  "classification":{
    "type":"malware"
  },
  "source":{
    "fqdn":"indirlivexstore.com"
  },
  "feed":{
    "accuracy":100.0,
    "name":"URLVir",
    "url":"http://www.urlvir.com/export-hosts/"
  }
}
```

----

There's only Domain information in http://www.urlvir.com/export-hosts/.
It looks like:

    ##################################################################
    #URLVir Active Malicious Hosts #Updated on August 29, 2016, 4:40 am
    #Free for noncommercial use only, contact us for more information
    ##################################################################
    indirlivexstore.com
    smoon.co.kr
    mytnoc.com
    w3.gazi.edu.tr
    expoperfumes.com.mx

----

There's only IP information in http://www.urlvir.com/export-ip-addresses/.
It looks like:

    ##################################################################
    #URLVir Active Malicious IP Addresses Hosting Malware #Updated on August 30, 2016, 5:22 am
    #Free for noncommercial use only, contact us for more information
    ##################################################################
    115.239.248.50
    117.52.31.226
    121.78.246.30

--------------------------------------------------------------------------------
/VXVault/Malware.md:
--------------------------------------------------------------------------------

## VXVault

VXVault is run by a security researcher.

### Malware

VXVault publishes a list of malicious URLs.
#### Domain Name
>
* Website
  - `http://vxvault.net/`
* Source
  - `http://vxvault.net/URL_List.php`
* Data
  - URL
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - No comment

##### Sample Output of IntelMQ

```javascript
{
  "source":{
    "fqdn":"five5lesson.top",
    "url":"http://five5lesson.top/2.gif"
  },
  "feed":{
    "name":"VxVault",
    "url":"http://vxvault.siri-urz.net/URL_List.php",
    "accuracy":100.0
  },
  "time":{
    "observation":"2016-07-07T15:00:04+00:00"
  },
  "raw":"aHR0cDovL2ZpdmU1bGVzc29uLnRvcC8yLmdpZg==",
  "classification":{
    "type":"malware"
  }
}
```

There's only URL information in http://vxvault.net/URL_List.php.
It looks like:

    VX Vault last 100 Links
    Mon, 29 Aug 2016 08:30:42 +0000

    http://kelurahanpanjunan.com/wp-content/file.exe
    http://www.dryversandsettyngsall0ficceversions.info/Off1cce365upd4te.exe
    http://www.przemyslawszymanowski.pl/20000.exe
    http://www.przemyslawszymanowski.pl/test/trust.exe
    http://www.przemyslawszymanowski.pl/test/kc.exe

But there's more information in http://vxvault.net/ViriList.php:

* MD5
* IP
* Tools

--------------------------------------------------------------------------------
/hpHosts/Malicious_Activities.md:
--------------------------------------------------------------------------------

## Malwarebytes hpHosts

hpHosts is a community managed and maintained hosts file that allows an
additional layer of protection against access to ad, tracking and malicious
websites.
### Malicious Activities

The following classifications are used to determine the reason for inclusion
into hpHosts and have been published here for those wondering what the
classification means when viewing the domain's information on the hpHosts Online
website.

1. ATS - Ad/tracking servers
2. EMD - Sites engaged in malware distribution
3. EXP - Sites engaged in the housing, development or distribution of exploits,
   including but not limited to exploitation of browser, software (inclusive of
   website software such as CMS), operating system exploits as well as those
   engaged in exploits via social engineering.
4. FSA - Sites engaged in the selling or distribution of bogus or fraudulent
   applications and/or provision of fraudulent services.
5. GRM - Sites engaged in astroturfing (otherwise known as grass roots
   marketing) or spamming
6. HFS - Special classification for persons caught spamming the hpHosts forums
7. HJK - Sites engaged in browser hijacking or other forms of hijacking (OS
   services, bandwidth, DNS, etc.)
8. MMT - Sites engaged in the use of misleading marketing tactics
9. PHA - Sites engaged in illegal pharmacy activities
10. PSH - Sites engaged in Phishing
11. WRZ - Sites engaged in the selling, distribution or provision of warez
    (including but not limited to keygens, serials etc), where such provisions
    do not contain malware

#### Domain Name
>
* Website
  - `https://www.hosts-file.net/`
* Source
  - `http://hosts-file.net/download/hosts.txt`
* Data
  - Domain Name
* Format
  - Text
* API/Token
  - None
* Status
  - Ok
* Comments
  - No comment

##### Sample Output of IntelMQ

```javascript
{
  "source":{
    "ip":"1.34.139.38"
  },
  "time":{
    "observation":"2016-07-07T08:46:43+00:00"
  },
  "event_description":{
    "text":"IP reported as having run attacks on the service Apache, Apache-DDoS, RFI-Attacks"
  },
  "classification":{
    "type":"ids alert"
  },
  "raw":"MS4zNC4xMzkuMzg=",
  "feed":{
    "name":"BlockList.de",
    "accuracy":100.0,
    "url":"https://lists.blocklist.de/lists/apache.txt"
  },
  "protocol":{
    "application":"http"
  }
}
```

There's only domain information in http://hosts-file.net/download/hosts.txt. It looks like:

    # hpHosts last updated on: 06/08/2016
    # hpHosts last verified by Steven Burn: 06/08/2016
    #
    # IMPORTANT: Rename this file to "HOSTS" (no .txt extension)
    #
    # Support: http://mysteryfcm.co.uk/?mode=contact
    #          http://forum.hosts-file.net
    #
    # Download: http://hosts-file.net/?s=Download
    # Mirrors:  http://hosts-file.net/?s=Help#dlmirrors
    #
    # Intermittent updates:
    #
    # Sites are also added between updates. If you are using a program such as Hostsman,
    # or are running a script or anything, or simply want to stay protected against sites
    # between updates, please put a watch on the following URL.
    #
    # http://hosts-file.net/hphosts-partial.asp
    #
    # localhost address - DO NOT REMOVE! (unless on Windows 7)
    127.0.0.1 localhost #IPv4
    # IPv6 localhost - add "#" to the beginning of the line if using Windows XP or below, or a system without IPv6 support.
    ::1 localhost # IPv6
    #
    # Trusted Hosts - Insert your trusted hosts with their correct IP addresses below this line.
    #
    # 422,975 - BAD HOSTS BEGIN HERE!!!!
    #
    127.0.0.1 -sso.anbtr.com
    127.0.0.1 0.gvt0.com
    127.0.0.1 000-101.org
    127.0.0.1 00000000080000000000000008000000000000000.com
    127.0.0.1 0000663c.tslocosumo.us
    #
    ## Append critical updates below ############################
    #

But there's more information in https://hosts-file.net/?s=Browse&f=2016:

* Hostname
* IP
* class

--------------------------------------------------------------------------------
/n6stomp/CERT.md:
--------------------------------------------------------------------------------

## CERT Polska n6stomp

The n6 platform is a system created by CERT Polska for the collection,
processing and distribution of information about security events on your network.

### Malicious Activities

n6 draws its data from many distribution channels that provide information
about security events. These events are detected by systems operated by various
third parties (such as other CERTs, security organizations, software vendors,
independent security experts, etc.) and by monitoring systems operated by
CERT Polska.

#### Security Events
>
* Website
  - `http://n6.cert.pl/`
* Source
  - `None`
* Data
  - Not Available
* Format
  - Not available
* API/Token
  - `TBD`
* Status
  - Error
* Comments
  - No API Key

##### Sample Output of IntelMQ

```javascript
{
  null
}
```

--------------------------------------------------------------------------------
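Two of the raw feed formats shown above, the Turris greylist CSV and the hpHosts hosts.txt, parsed into the IntelMQ event shape that the sample outputs use, with the original line kept base64-encoded in `raw`. This is an added example, not code from this repository or from IntelMQ; the sample lines are constructed (the first CSV row is the one the page's Turris sample event encodes), and mapping the extra CSV columns onto `source.asn` and `source.geolocation.cc` is my assumption about IntelMQ's field names.

```python
import base64
import csv
TURRIS_URL = "https://www.turris.cz/greylist-data/greylist-latest.csv"

def to_raw(line: str) -> str:
    """IntelMQ's 'raw' field is the original feed line, base64-encoded."""
    return base64.b64encode(line.encode()).decode()

def parse_turris(text: str, observation: str) -> list:
    """Turn greylist-latest.csv rows into IntelMQ-shaped 'scanner' events."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split(",")
    events = []
    for line in lines[1:]:
        # csv handles the quoted Tags column, e.g. "samba,torrent"
        row = dict(zip(header, next(csv.reader([line]))))
        events.append({
            "classification": {"type": "scanner"},
            "time": {"observation": observation},
            "raw": to_raw(line),  # the untouched source line, as IntelMQ keeps it
            "feed": {"url": TURRIS_URL, "name": "Turris Greylist", "accuracy": 100.0},
            "event_description": {"text": row["Tags"]},
            # extra columns mapped onto IntelMQ harmonization fields (assumed names)
            "source": {"ip": row["Address"], "asn": int(row["ASN"]),
                       "geolocation": {"cc": row["Country"]}},
        })
    return events

def parse_hosts_file(text: str) -> list:
    """Extract the sinkholed hostnames from an hpHosts-style hosts.txt."""
    hosts = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()  # drop full-line and trailing comments
        parts = body.split()
        if len(parts) >= 2:
            # every name after the address counts, except the loopback entries
            hosts.extend(h for h in parts[1:] if h != "localhost")
    return hosts

# Constructed samples; the first CSV row is the one the page's sample event encodes.
TURRIS_SAMPLE = """Address,Country,Tags,ASN
1.11.45.5,KR,netis,18313
1.9.165.178,MY,"samba,torrent",4788
"""
HOSTS_SAMPLE = """# localhost address - DO NOT REMOVE!
127.0.0.1 localhost #IPv4
::1 localhost # IPv6
127.0.0.1 -sso.anbtr.com
127.0.0.1 0.gvt0.com
"""
```

Decoding the `raw` field of any IntelMQ event gives back the exact feed line, which is the quickest way to check that a parser mapped the right columns.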