From aa2d7e54d4d7282d51efa85b06dd73dfb43d09ea Mon Sep 17 00:00:00 2001 From: =?utf8?q?Peter=20M=C3=BCller?= Date: Sat, 20 Aug 2022 10:31:50 +0000 Subject: [PATCH] override-{a1,a2,other,xd}: Regular batch of various overrides MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Peter Müller --- overrides/override-a1.txt | 47 +++++---------- overrides/override-a2.txt | 5 ++ overrides/override-other.txt | 45 ++++++++++++-- overrides/override-xd.txt | 110 ++++++++++++++++++++++++++++------- 4 files changed, 147 insertions(+), 60 deletions(-) diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index f56d3b6..b5d9ab3 100644 --- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt @@ -220,19 +220,13 @@ descr: Stingers, Inc. remarks: Loaded with proxies, see also: https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/ is-anonymous-proxy: yes -aut-num: AS208294 -descr: CIA TRIAD SECURITY LLC -remarks: Tor relay provider located in or near Berlin, DE -is-anonymous-proxy: yes -country: DE - aut-num: AS208323 descr: Foundation for Applied Privacy remarks: Tor relay provider is-anonymous-proxy: yes aut-num: AS208476 -descr: Danilenko, Artyom +descr: Danilenko, Artyom / The PRIVACYFIRST Project / ... remarks: (Rogue) VPN provider is-anonymous-proxy: yes country: EU @@ -302,7 +296,7 @@ remarks: VPN provider is-anonymous-proxy: yes aut-num: AS396507 -descr: Emerald Onion +name: Emerald Onion remarks: Tor relay provider is-anonymous-proxy: yes @@ -518,16 +512,6 @@ descr: GZ Systems Limited / PureVPN remarks: VPN provider is-anonymous-proxy: yes -net: 37.230.170.0/23 -descr: GZ Systems Limited / PureVPN -remarks: VPN provider -is-anonymous-proxy: yes - -net: 37.230.176.0/20 -descr: GZ Systems Limited / PureVPN -remarks: VPN provider -is-anonymous-proxy: yes - net: 37.230.183.0/20 descr: GZ Systems Limited / PureVPN remarks: VPN provider 
@@ -854,6 +838,11 @@ descr: Zwiebelfreunde e.V. remarks: Tor relay provider is-anonymous-proxy: yes +net: 79.134.225.0/24 +descr: The PRIVACYFIRST Project +remarks: (Rogue) VPN provider hosting C&Cs en masse +is-anonymous-proxy: yes + net: 80.254.74.0/20 descr: Monzoon / SwissVPN remarks: VPN provider @@ -915,11 +904,6 @@ descr: IELO-LIAZO SERVICES SAS remarks: (Rogue) VPN provider hosting C&Cs en masse is-anonymous-proxy: yes -net: 91.193.75.0/24 -descr: KGB Hosting d.o.o. / David Craig -remarks: (Rogue) VPN provider -is-anonymous-proxy: yes - net: 91.238.214.0/23 descr: Privax LTD remarks: VPN provider @@ -930,11 +914,6 @@ descr: "InsatCom-V, ISP: Leased lines, VPN (city Volgograd)" remarks: VPN provider (or something similar) is-anonymous-proxy: yes -net: 92.118.39.0/24 -descr: CloudMine NET -remarks: VPN provider [high confidence, but not proofed] -is-anonymous-proxy: yes - net: 92.118.204.0/22 descr: Mo's Operations GmbH remarks: VPN provider [high confidence, but not proofed] @@ -1330,6 +1309,7 @@ is-anonymous-proxy: yes net: 179.60.147.0/24 descr: Cloud Solutions S.A. remarks: Attack network, rogue VPN operator? +country: NL is-anonymous-proxy: yes drop: yes @@ -1353,6 +1333,11 @@ descr: Private Host BV remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes +net: 185.195.71.0/24 +descr: Datasource AG +remarks: VPN / Tor exit network [high confidence, but not proofed] +is-anonymous-proxy: yes + net: 185.99.135.0/24 descr: VpnHt Limited remarks: VPN provider @@ -1388,12 +1373,6 @@ descr: OVPN Integritet AB remarks: VPN provider is-anonymous-proxy: yes -net: 185.162.88.0/24 -descr: Freedom of Speech VPN / nVPN / David Craig / ... -remarks: (Rogue) VPN provider -is-anonymous-proxy: yes -country: EU - net: 185.164.59.0/24 descr: Buyproxies / Yuli Azarch remarks: VPN provider [high confidence, but not proofed] diff --git a/overrides/override-a2.txt b/overrides/override-a2.txt index 1f84462..4172fc5 100644 --- a/overrides/override-a2.txt 
+++ b/overrides/override-a2.txt @@ -421,6 +421,11 @@ descr: IPStar remarks: Satellite Internet provider [high confidence, but not proofed] is-satellite-provider: yes +aut-num: AS135409 +descr: Kacific Broadband Satellites Pte Ltd +remarks: Satellite Internet provider +is-satellite-provider: yes + aut-num: AS136796 descr: CoreLink Japan remarks: Satellite Internet provider [high confidence, but not proofed] located in JP diff --git a/overrides/override-other.txt b/overrides/override-other.txt index 182609a..356a8f1 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -273,6 +273,11 @@ descr: Isomedia, Inc. remarks: ISP located in US, but some RIR data for announced prefixes contain garbage country: US +aut-num: AS18678 +descr: INTERNEXA S.A. E.S.P +remarks: ISP located in CO, but some RIR data for announced prefixes contain garbage +country: CO + aut-num: AS18779 descr: EGIHosting remarks: ISP located in US, but some RIR data for announced prefixes contain garbage @@ -433,6 +438,11 @@ descr: Amanah Tech Inc. remarks: ISP located in CA, but some RIR data for announced prefixes contain garbage country: CA +aut-num: AS33387 +descr: Nocix, LLC +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS34224 descr: Neterra Ltd. remarks: ISP located in BG, but some RIR data for announced prefixes contain garbage @@ -878,6 +888,11 @@ descr: NTX Technologies s.r.o. remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage country: RU +aut-num: AS50149 +descr: Servercore B.V. +remarks: Selectel branch in NL +country: NL + aut-num: AS50360 descr: Tamatiya EOOD / 4Vendeta remarks: Questionable ISP located in BG, clients massively tamper with RIR data 
@@ -1317,6 +1332,11 @@ descr: XRCLOUD.NET INC. remarks: ... located in HK country: HK +aut-num: AS136923 +descr: WitLayer Technologies Inc +remarks: ISP located in NL, some RIR data for announced prefixes contain garbage +country: NL + aut-num: AS136933 descr: Gigabitbank Global / Anchnet Asia Limited (?) remarks: IP hijacker located somewhere in AP area, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data @@ -1427,6 +1447,11 @@ descr: SnTHostings remarks: ISP located in IN, but some RIR data for announced prefixes contain garbage country: IN +aut-num: AS141167 +descr: AgotoZ HK Limited +remarks: ISP located in HK, but some RIR data for announced prefixes contain garbage +country: HK + aut-num: AS141677 descr: Nathosts Limited remarks: ... located in HK? @@ -1597,11 +1622,21 @@ descr: A2 Networks Inc. remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage country: NL +aut-num: AS204997 +descr: Network Management Ltd. +remarks: traceroutes dead-end somewhere in or near RU +country: RU + aut-num: AS205026 descr: Hauer Hosting Services Limited remarks: ISP located in ES, but some RIR data for announced prefixes contain garbage country: ES +aut-num: AS205090 +descr: Network Management Ltd. +remarks: traceroutes dead-end somewhere in or near RU +country: RU + aut-num: AS205544 descr: LEASEWEB UK LIMITED remarks: ISP located in London, GB, but many RIR data for announced prefixes contain garbage @@ -1647,6 +1682,11 @@ descr: Kapteyan Bilisim Teknolojileri remarks: ISP located in TR, but many RIR data for announced prefixes contain garbage country: TR +aut-num: AS207459 +descr: Taner Temel +remarks: ISP located in TR, but many RIR data for announced prefixes contain garbage +country: TR + aut-num: AS207461 descr: Liquid IO remarks: ISP located in US, but many RIR data for announced prefixes contain garbage 
@@ -2307,11 +2347,6 @@ descr: Anthony Marshall / Game Hosting Net / FlokiNET Ltd. remarks: fake location (BA), traces back to RO country: RO -net: 179.60.147.0/24 -descr: Flyservers S.A. -remarks: traces back to NL -country: NL - net: 179.60.151.0/24 descr: DATAHOME S.A. remarks: traces back to BR diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt index b58200f..f3cb80c 100644 --- a/overrides/override-xd.txt +++ b/overrides/override-xd.txt @@ -26,6 +26,11 @@ # Please keep this file sorted. # +aut-num: AS7586 +descr: Cloudfort IT +remarks: part of the "Asline" IP hijacking gang +drop: yes + aut-num: AS15828 descr: Blue Diamond Network Co., Ltd. remarks: Shady ISP hosting brute-force login attempt machines galore, claims GB or IR for it's prefixes, but they all end up near Vilnius, LT @@ -77,12 +82,6 @@ remarks: Hijacks IP space and tampers with RIR data, traces back to JP country: JP drop: yes -aut-num: AS44015 -descr: Landgard Management Inc. -remarks: bulletproof ISP with strong links to RU -country: RU -drop: yes - aut-num: AS44446 descr: OOO SibirInvest remarks: bulletproof ISP (related to AS202425 and AS57717) located in NL @@ -101,6 +100,12 @@ remarks: bulletproof ISP (related to AS204655) located in NL country: NL drop: yes +aut-num: AS48950 +descr: GLOBAL COLOCATION LIMITED +remarks: Part of the "Fiber Grid" IP hijacking / dirty hosting operation, RIR data cannot be trusted +country: EU +drop: yes + aut-num: AS49447 descr: Nice IT Services Group Inc. remarks: Rogue ISP @@ -176,6 +181,11 @@ descr: 1337TEAM LIMITED / eliteteam[.]to remarks: Bulletproof ISP drop: yes +aut-num: AS57416 +descr: LLC South Internet +remarks: Bulletproof ISP +drop: yes + aut-num: AS57523 descr: Chang Way Technologies Co. Limited remarks: bulletproof ISP, C&C server hosting galore 
@@ -211,6 +221,12 @@ remarks: Autonomous System registered to offshore company, abuse contact is a fr country: AP drop: yes +aut-num: AS58931 +descr: 24.hk global BGP +remarks: Part of the "ASLINE" IP hijacking operation +country: HK +drop: yes + aut-num: AS59425 descr: HORIZON LLC remarks: Rogue ISP @@ -244,12 +260,6 @@ remarks: leaf AS with upstream to other dirty hosters, brute-force attacks galor country: RU drop: yes -aut-num: AS61414 -descr: EDGENAP LTD -remarks: part of the "Asline" IP hijacking gang, the majority of announced prefixes trace back to JP -country: JP -drop: yes - aut-num: AS61432 descr: TOV VAIZ PARTNER remarks: Rogue ISP @@ -311,8 +321,8 @@ drop: yes aut-num: AS138648 descr: ASLINE Global Exchange -remarks: IP hijacker located somewhere in AP area -country: AP +remarks: IP hijacker located in HK +country: HK drop: yes aut-num: AS139330 @@ -358,7 +368,7 @@ country: RU drop: yes aut-num: AS200313 -descr: WEB_GroupInternet INC +descr: IT WEB LTD remarks: All bulletproof/cybercrime hosting, all the time, not a safe AS to connect to drop: yes @@ -392,11 +402,6 @@ remarks: bulletproof ISP and IP hijacker, related to AS202425 and AS62355, trace country: NL drop: yes -aut-num: AS203680 -descr: Southern Production and Technical Enterprise Ltd. -remarks: Hijacked? -drop: yes - aut-num: AS204341 descr: Purple Raccoon Ltd. remarks: Bulletproof ISP in an extremely dirty neighborhood full of IP hijackers @@ -466,6 +471,7 @@ drop: yes aut-num: AS210352 descr: Partner LLC remarks: All cybercrime hosting, all the time +country: RU drop: yes aut-num: AS210644 @@ -480,6 +486,11 @@ remarks: Rogue ISP (linked to AS202425) located in NL country: NL drop: yes +aut-num: AS211059 +descr: Tribeka Web Advisors S.A. +remarks: Dirty ISP, see individual network entries below +drop: yes + aut-num: AS211193 descr: ABDILAZIZ UULU ZHUSUP remarks: bulletproof ISP and IP hijacker, traces to RU 
@@ -498,6 +509,12 @@ remarks: ISP and IP hijacker located in KZ, many RIR data for announced prefixes country: KZ drop: yes +aut-num: AS212283 +descr: ROZA HOLIDAYS EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG +country: BG +drop: yes + aut-num: AS212552 descr: BitCommand LLC remarks: Dirty ISP located somewhere in EU, cannot trust RIR data of this network @@ -586,6 +603,16 @@ descr: MEGA HOLDINGS LIMITED remarks: Based on domains ending up there, this network is entirely malicious drop: yes +net: 61.177.172.0/23 +descr: CHINANET jiangsu province network +remarks: Since July 27, 2022, this network conducts mass brute-force attacks galore +drop: yes + +net: 89.23.103.0/24 +descr: Media Land LLC / abuse-server[.]su +remarks: bulletproof ISP, see: https://krebsonsecurity.com/2019/07/meet-the-worlds-biggest-bulletproof-hoster/ +drop: yes + net: 91.240.243.0/24 descr: Media Land LLC remarks: bulletproof ISP, see: https://krebsonsecurity.com/2019/07/meet-the-worlds-biggest-bulletproof-hoster/ @@ -597,6 +624,36 @@ remarks: Attack network tracing back to NL country: NL drop: yes +net: 103.176.21.0/24 +descr: GIAP BICH NGOC COMMUNICATION COMPANY LIMITED +remarks: Brute-force attack network +drop: yes + +net: 109.206.241.0/24 +descr: Serverion B.V. +remarks: Leased to Neterra, all cybercrime, all the time +drop: yes + +net: 114.246.10.0/24 +descr: China Unicom Beijing province network +remarks: Brute-force attack network +drop: yes + +net: 116.7.245.0/24 +descr: CHINANET Guangdong province network +remarks: Brute-force attack network +drop: yes + +net: 116.57.185.0/24 +descr: China Education and Research Network +remarks: Brute-force attack network +drop: yes + +net: 154.89.5.0/24 +descr: Agotoz HK Limited +remarks: Brute-force attack network +drop: yes + net: 185.156.72.0/24 descr: TOV VAIZ PARTNER / InterHost remarks: Attack network tracing back to UA 
@@ -605,7 +662,12 @@ drop: yes net: 185.196.220.0/24 descr: Makut Investments -remarks: Long-running brute-force attack network +remarks: Brute-force attack network +drop: yes + +net: 193.201.9.0/24 +descr: Infolink LLC +remarks: Based on domains ending up there, this network is entirely malicious drop: yes net: 195.133.20.0/24 @@ -614,6 +676,12 @@ remarks: Tampers with RIR data, traces back to NL, not a safe place to route tra country: NL drop: yes +net: 194.135.24.0/24 +descr: Tribeka Web Advisors S.A. +remarks: Tampers with RIR data, traces back to US, not a safe place to route traffic to +country: US +drop: yes + net: 196.11.32.0/20 descr: Sanlam Life Insurance Limited remarks: Stolen AfriNIC IPv4 space announced from NL? -- 2.39.2
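Review bot: The removal of AS208294 (CIA TRIAD SECURITY LLC) in the @@ -220,19 +220,13 @@ hunk of overrides/override-a1.txt has no stated reason, and the same goes for the other deleted `is-anonymous-proxy: yes` objects in this file (91.193.75.0/24, 92.118.39.0/24, 185.162.88.0/24). Dropping such an object silently turns that traffic back into ordinary traffic for every consumer of the database, so the reason (prefix no longer announced, ASN re-assigned, false positive) should be recorded in the commit message rather than just "Regular batch of various overrides". In the same hunk the `descr:` of AS208476 now also names "The PRIVACYFIRST Project", while its `remarks:` still say only "(Rogue) VPN provider" although the new 79.134.225.0/24 object for the same project says "hosting C&Cs en masse"; the two should tell the same story.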
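Review bot: `name: Emerald Onion` replacing `descr: Emerald Onion` for AS396507 in the @@ -302,7 +296,7 @@ hunk of overrides/override-a1.txt looks like a typo: every other object in these four files uses `descr:`, and a key the importer does not know will at best be ignored and at worst cause the object to be skipped, which would lose the `is-anonymous-proxy: yes` flag for this Tor relay AS. Suggest reverting to `descr:`.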
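Review bot: The PureVPN object that survives the @@ -518,16 +512,6 @@ hunk of overrides/override-a1.txt, `net: 37.230.183.0/20`, is not on a /20 boundary (the third octet of a /20 must be a multiple of 16, i.e. 37.230.176.0/20 or 37.230.192.0/20), and 37.230.176.0/20 is exactly one of the two prefixes this hunk deletes. Either the hunk removes the correctly aligned prefix and keeps a typo, or the remaining line was meant to be 37.230.183.0/24. Please check how the importer treats an unaligned prefix before merging; if it normalises 37.230.183.0/20 to 37.230.176.0/20 the deletion changes nothing, and if it rejects the line PureVPN loses that coverage entirely.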
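Review bot: The new `net: 79.134.225.0/24` object for The PRIVACYFIRST Project in the @@ -854,6 +838,11 @@ hunk of overrides/override-a1.txt carries the remark "hosting C&Cs en masse" but, unlike 179.60.147.0/24 further down in the same file, no `drop: yes`. If the C&C hosting is established, either add `drop: yes` here or move the object to overrides/override-xd.txt next to the other C&C hosters (the Media Land and Chang Way entries there use the same wording); if it is only suspected, use the "[high confidence, but not proofed]" marker the file applies elsewhere.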
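Review bot: The `country: NL` added to 179.60.147.0/24 in the @@ -1330,6 +1309,7 @@ hunk of overrides/override-a1.txt pairs with the deletion of the same prefix from overrides/override-other.txt in the @@ -2307,11 +2347,6 @@ hunk, which is a sensible consolidation, but the two objects disagree on the owner: the kept one says `descr: Cloud Solutions S.A.`, the deleted one said `descr: Flyservers S.A.` with "traces back to NL". Consider carrying "Flyservers S.A." into the a1 descr using the existing `A / B / ...` convention so the attribution and the traceroute evidence for the NL override are not lost.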
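Review bot: `net: 185.195.71.0/24` (Datasource AG) in the @@ -1353,6 +1333,11 @@ hunk of overrides/override-a1.txt is inserted before 185.99.135.0/24, but the file is ordered numerically (185.99.135.0/24 is followed later by 185.162.88.0/24 and 185.164.59.0/24 in this same patch), so the object belongs after 185.164.59.0/24. A misplaced entry makes the next person editing the file likely to add a duplicate.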
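Review bot: The `remarks:` of AS136923 (WitLayer Technologies Inc) in the @@ -1317,6 +1332,11 @@ hunk of overrides/override-other.txt read "ISP located in NL, some RIR data for announced prefixes contain garbage", which drops the "but" every neighbouring object uses ("ISP located in XX, but some RIR data ..."). Keeping the template wording identical matters here because these remarks are grepped for.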
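Review bot: AS204997 and AS205090 (both Network Management Ltd.) in the @@ -1597,11 +1622,21 @@ hunk of overrides/override-other.txt get a hard `country: RU` on the basis of "traceroutes dead-end somewhere in or near RU", which is weaker evidence than the "located in XX" the surrounding objects cite. Suggest adding the "[high confidence, but not proofed]" marker the files use for exactly this situation, and cross-referencing the two objects to each other ("related to AS205090") as AS44446 does with "(related to AS202425 and AS57717)", so a later reviewer sees they stand or fall together.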
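Review bot: Three `drop: yes` objects are deleted from overrides/override-xd.txt without a reason: AS44015 (Landgard Management Inc.) in the @@ -77,12 +82,6 @@ hunk, AS61414 (EDGENAP LTD, "part of the Asline IP hijacking gang") in the @@ -244,12 +260,6 @@ hunk and AS203680 in the @@ -392,11 +402,6 @@ hunk. Removing a drop override re-enables routing to that ASN for everyone using the list, so please state in the commit message whether the ASN was returned to the RIR, re-assigned to a clean operator, or the original listing was a false positive. For AS61414 in particular, this patch simultaneously adds two new Asline objects (AS7586, AS58931), so the removal reads as contradictory unless explained.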
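Review bot: The new AS7586 (Cloudfort IT) object in the @@ -26,6 +26,11 @@ hunk of overrides/override-xd.txt has no `country:` although the other members of the same operation in this patch do (AS58931 and AS138648 are both set to HK in the @@ -211 and @@ -311 hunks). If Cloudfort IT's prefixes also trace to HK, say so; if they do not, record where they end up, as the rest of the file does. Also, the label is spelled "Asline" for AS7586 and "ASLINE" for AS58931; picking one spelling keeps the gang greppable.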
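Review bot: The remark "Leased to Neterra, all cybercrime, all the time" on `net: 109.206.241.0/24` (Serverion B.V.) in the @@ -597,6 +624,36 @@ hunk of overrides/override-xd.txt is ambiguous about direction and sits uneasily with overrides/override-other.txt, where AS34224 (Neterra Ltd.) is listed as an ordinary ISP in BG with only a country override. Please state whether the prefix is Serverion space announced by Neterra or the other way round, and whether Neterra itself is considered dirty. In the same hunk `net: 154.89.5.0/24` is attributed to "Agotoz HK Limited" while this patch adds AS141167 as "AgotoZ HK Limited" in override-other.txt as a plain ISP; a cross-reference ("see AS141167") and one spelling would make the relationship explicit.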
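Review bot: Rewording the Makut Investments remark from "Long-running brute-force attack network" to "Brute-force attack network" in the @@ -605,7 +662,12 @@ hunk of overrides/override-xd.txt discards the duration information, while the new 61.177.172.0/23 object in the preceding hunk deliberately records "Since July 27, 2022". If the intent is to standardise the wording, consider keeping the dating in a consistent form ("since ...") rather than dropping it.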
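Review bot: `net: 194.135.24.0/24` (Tribeka Web Advisors S.A.) in the @@ -614,6 +676,12 @@ hunk of overrides/override-xd.txt is inserted after 195.133.20.0/24 and before 196.11.32.0/20, which violates the file's own "Please keep this file sorted" header; it belongs after 193.201.9.0/24 and before 195.133.20.0/24. Separately, this patch already adds `drop: yes` for the whole AS211059 in the @@ -480,6 +486,11 @@ hunk with the remark "see individual network entries below", so the net-level `drop: yes` only adds value if the prefix is announced by another AS; if it is, note that AS in the remark, otherwise the object could be reduced to the `country: US` override.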