drb-ra / c2intelfeeds

Automatically created C2 Feeds

License: Other

REXX 100.00%
iocs indicators-of-compromise threat-intelligence threatintel threat-hunting poshc2 metasploit empire cobaltstrike cobalt-strike

Contributors: drb-ra

c2intelfeeds's Issues

wikipedia.org

Please, could it be possible to add wikipedia.org to the exception list?

Thanks in advance

Domain to be removed from list

Hello there!

The domain reported on May 26, m.ctrip.com is no longer resolving the IP address having a C2:
103[.]100[.]159[.]212,/restapi/soa2/21881/json/gethotdestination

nslookup m.ctrip.com
Server: 169.254.169.254
Address: 169.254.169.254#53

Non-authoritative answer:
m.ctrip.com canonical name = slb-03-xy5-rb5-c11954.ctripgslb.com.
slb-03-xy5-rb5-c11954.ctripgslb.com canonical name = c11954.edgekey.net.
c11954.edgekey.net canonical name = e11954.a.akamaiedge.net.
Name: e11954.a.akamaiedge.net
Address: 23.34.184.62

Ctrip is a legitimate Chinese holiday agency.

Could you please remove the domain from the list?
Thanks in advance!

Selfhost?

This is an awesome project.
But I don't see any code on how to self-host this,
just CSV and JSON files.

Please add a license

Good Day,

Thank you for this data. Can you add a license in the readme, or a reference to an open source licensing model?

Thanks

IP Removal Request

Dear drb-ra,

Would it be possible to remove the following entries for my IP 81.82.57.202?

https://x.com/drb_ra/status/1809795625237536833
https://www.virustotal.com/gui/ip-address/81.82.57.202/community [VirusTotal Comment]
https://threatfox-api.abuse.ch/ioc/1295395/

There was indeed a Havoc CnC server running, but this was for a legitimate awareness demo for one of my clients.
The server was live for a maximum of 2 hours and hasn't been seen live again ever since.

Sorry for the inconvenience, I am impressed by this project and especially the speed of detection.
Big + for protecting our industry.

Kr,

Lesley

Request: Add datetime to detection

Hello,

Thank you for the great datasets. Is it possible to add timestamps or datetimes (UTC) to each of the detections, so that individuals or organizations can better correlate, verify, and remediate any identified activity?

Thanks very much

151.139.128.11 c2u7f8y9.stackpathcdn.com

151.139.128.11 c2u7f8y9.stackpathcdn.com and stackpath.com
I believe I got all of the feeds but I could have missed one. This is apparently causing false positives for our customers. Can you remove the above from the feeds?

feeds/domainC2swithURLwithIP-30day.csv
Line 134 and 135
feeds/domainC2swithURLwithIP.csv
Line 73, 368
feeds/domainC2swithURLwithIP-filter-abused.csv
Line 65
feeds/domainC2swithURLwithIP-30day-filter-abused.csv
Line 125 and 126
feeds/domainC2swithURL.csv
Line 71 and 341
feeds/domainC2swithURL-filter-abused.csv
Line 63
feeds/domainC2s-30day-filter-abused.csv
Line 116 and 117
feeds/domainC2s-30day.csv
Line 110
feeds/domainC2swithURL.csv
Line 71 and 341

Print AS number

I think it is a good idea to print the AS number too, because the AS name cannot be used as a precise ID.

False positives in subdomain

Hi team, thanks for your work as always.

We have detected a high number of false positives regarding the following indicator:
jspassport[.]ssl[.]qhimg[.]com[.]
Apparently the C2 server you detected is on:
jspassport[.]ssl[.]qhimg[.]com[.]dsa[.]dnsv1[.]com[.]cn

This is already on your domain list.

Could you please check this?
Best regards

Please remove 167.235.231.252 and 2a01:4f8:c012:6ae9:0:0:0:1

Hello,

Please remove the IPs 167.235.231.252 and 2a01:4f8:c012:6ae9:0:0:0:1 and take down the Twitter postings 1, 2 and 3. It is a false positive. The server hasn't hosted a CnC since at least 8/27/22 when I created it. It is just my public reverse proxy for a private service, which presented an empty 204 response when the wrong hostname, client certificate and user agent were used. This was done in order to conceal the actual backing service from simple web scanners. I changed that to a generic HTML page and also changed the certificate to a shorter-lived one with just the IP as the subject, to hopefully not trip up simple malware scanners anymore. I also have to say, having an empty response and the OpenSSL default values for certificate information is not a very good indicator of compromise in my eyes and is now a headache for me, convincing security vendors and my provider that this report was unfounded.

I would have sent this as a twitter DM but unfortunately you don't let unverified people message you and I refuse to give Elon money.

Best Regards,
Bennet.

Remove Domain

Hello there,

Could you please remove consumer-img.huawei.com from Domain lists?

JS has been cleaned up, site is a legitimate Huawei source:
wget http://consumer-img.huawei.com/lib/v2/wcp-consent.js

--2023-07-06 13:06:04-- http://consumer-img.huawei.com/lib/v2/wcp-consent.js
Resolving consumer-img.huawei.com... 184.24.201.117
Connecting to consumer-img.huawei.com|184.24.201.117|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-07-06 13:06:04 ERROR 404: Not Found.

Remove domain

Please remove 131.154.128.183. It is not a Deimos C&C but a service used by the High Energy Physics community.
