From Russia with Love: Selectel hosting some busy, malicious IP addresses

Written by Ofir Ashman | March 24, 2021

In the past week we saw a massive surge in hits on customer logs coming from the IP 45.146.165[.]11. Our security research team checked it out, and found that it has been the launch pad for abnormally large amounts of traffic trying to reach customer machines. On one customer network alone they got over 2 million hits.

IP Firewall Hits for IOC: 45.146.165[.]11 in last 7 days
======================================
| Customer | Hits
.....................................
| Customer 1 | 2047378
| Customer 2 | 899092
| Customer 3 | 327551
| Customer 4 | 216128
| Customer 5 | 180210
| Customer 6 | 159771
| Customer 7 | 109563
| Customer 8 | 59206
| Customer 9 | 50229
| Customer 10 | 29400
.....................................

The IP address in question is hosted by the Russian hosting provider Selectel[.ru] (ASN: 49505). ThreatSTOP has been protecting customers from this IP, which was added to our systems thanks to the aggregation of the DShield blocklist, one of our 800+ threat intelligence sources. Selectel is no stranger to this kind of attention, getting flagged already as part of a "bulletproof" hosting system by Spamhaus back in 2019.

Looking into the IP's address space of 45.146.165[.]0/24, our team discovered that many of the IPs in this space are also deemed malicious by DShield, while some even show up on multiple threat intelligence blocklists. For example, the IP 45.146.165[.]157 shows up in our HoneyDB Bad Hosts, Botnets, AlienVault, Telecommunications Attacks, Anonymous Network, and DShield targets.

The following IPs are active in 3 or more of our targets: 45.146.165[.]24, 45.146.165[.]148, 45.146.165[.]149, 45.146.165[.]152, 45.146.165[.]153, 45.146.165[.]157.

We highly recommend blocking these IPs, and consider blocking all IPs in the address space that have been deemed malicious by high quality threat intelligence providers such as the ones we aggregate. To find out if an IP is in our threat targets, use our free checkIP tool.

ThreatSTOP users are automatically protected from attacks launched from these IPs and others as they appear. Contact us to know more, or click below to get a demo:

For your convenience, here is a list of all IP addresses in the 45.146.165[.]0/24 range that we have seen as malicious, including the specific targets each IP is in:

IP	ThreatSTOP Target	IP	ThreatSTOP Target	IP	ThreatSTOP Target
45.146.165.0	DSBLEXP	45.146.165.85	DSBLEXP	45.146.165.159	DSBLEXP
45.146.165.1	DSBLEXP	45.146.165.87	DSBLEXP	45.146.165.163	DSBLEXP
45.146.165.2	DSBLEXP	45.146.165.88	DSBLEXP	45.146.165.164	DSBLEXP
45.146.165.4	DSBLEXP	45.146.165.89	DSBLEXP	45.146.165.166	DSBLEXP
45.146.165.6	DSBLEXP	45.146.165.90	DSBLEXP	45.146.165.168	DSBLEXP
45.146.165.7	DSBLEXP	45.146.165.91	DSBLEXP	45.146.165.169	DSBLEXP
45.146.165.9	DSBLEXP	45.146.165.92	DSBLEXP	45.146.165.170	DSBLEXP
45.146.165.10	CINSARMY DSBLEXP	45.146.165.93	DSBLEXP	45.146.165.174	DSBLEXP
45.146.165.11	DSBLEXP	45.146.165.95	DSBLEXP	45.146.165.178	DSBLEXP
45.146.165.12	DSBLEXP	45.146.165.96	DSBLEXP	45.146.165.179	DSBLEXP
45.146.165.15	DSBLEXP	45.146.165.97	DSBLEXP	45.146.165.180	DSBLEXP
45.146.165.19	DSBLEXP	45.146.165.99	DSBLEXP	45.146.165.181	DSBLEXP
45.146.165.20	DSBLEXP	45.146.165.100	DSBLEXP	45.146.165.182	DSBLEXP
45.146.165.21	DSBLEXP	45.146.165.101	DSBLEXP	45.146.165.184	DSBLEXP
45.146.165.23	DSBLEXP	45.146.165.103	DSBLEXP	45.146.165.187	DSBLEXP
45.146.165.24	CINSARMY TSTOPIPS DSBLEXP	45.146.165.104	DSBLEXP	45.146.165.188	DSBLEXP
45.146.165.26	DSBLEXP	45.146.165.105	DSBLEXP	45.146.165.190	DSBLEXP
45.146.165.28	DSBLEXP	45.146.165.106	DSBLEXP	45.146.165.191	DSBLEXP
45.146.165.29	DSBLEXP	45.146.165.107	CINSARMY DSBLEXP	45.146.165.194	DSBLEXP
45.146.165.31	DSBLEXP	45.146.165.108	DSBLEXP	45.146.165.197	DSBLEXP
45.146.165.32	DST4KEXP DSBLEXP	45.146.165.109	DSBLEXP	45.146.165.198	DSBLEXP
45.146.165.34	DSBLEXP	45.146.165.111	DSBLEXP	45.146.165.199	DSBLEXP
45.146.165.37	DSBLEXP	45.146.165.113	DSBLEXP	45.146.165.200	DSBLEXP
45.146.165.38	DSBLEXP	45.146.165.116	DSBLEXP	45.146.165.201	DSBLEXP
45.146.165.39	DSBLEXP	45.146.165.118	DSBLEXP	45.146.165.203	DSBLEXP
45.146.165.40	DSBLEXP	45.146.165.119	DSBLEXP	45.146.165.205	GRSNOWIP DSBLEXP
45.146.165.41	DSBLEXP	45.146.165.120	DSBLEXP	45.146.165.206	DSBLEXP
45.146.165.42	DSBLEXP	45.146.165.122	DSBLEXP	45.146.165.207	DSBLEXP
45.146.165.43	DSBLEXP	45.146.165.123	DSBLEXP	45.146.165.209	DSBLEXP
45.146.165.44	DSBLEXP	45.146.165.125	DSBLEXP	45.146.165.212	DSBLEXP
45.146.165.49	DSBLEXP	45.146.165.126	DSBLEXP	45.146.165.214	DSBLEXP
45.146.165.50	DSBLEXP	45.146.165.128	DSBLEXP	45.146.165.215	DSBLEXP
45.146.165.52	DSBLEXP	45.146.165.130	DSBLEXP	45.146.165.216	CINSARMY DSBLEXP
45.146.165.54	DSBLEXP	45.146.165.131	DSBLEXP	45.146.165.217	DSBLEXP
45.146.165.56	DSBLEXP	45.146.165.133	DSBLEXP	45.146.165.219	DSBLEXP
45.146.165.58	DSBLEXP	45.146.165.134	DSBLEXP	45.146.165.220	DSBLEXP
45.146.165.59	DSBLEXP	45.146.165.136	DSBLEXP	45.146.165.223	DSBLEXP
45.146.165.60	DSBLEXP	45.146.165.137	DSBLEXP	45.146.165.225	DSBLEXP
45.146.165.63	DSBLEXP	45.146.165.138	DSBLEXP	45.146.165.226	DSBLEXP
45.146.165.64	DSBLEXP	45.146.165.139	DSBLEXP	45.146.165.228	DSBLEXP
45.146.165.65	DSBLEXP	45.146.165.143	DSBLEXP	45.146.165.229	DSBLEXP
45.146.165.66	DSBLEXP	45.146.165.144	DSBLEXP	45.146.165.231	DSBLEXP
45.146.165.67	DSBLEXP	45.146.165.146	DSBLEXP	45.146.165.236	DSBLEXP
45.146.165.69	DSBLEXP	45.146.165.147	DSBLEXP	45.146.165.238	DSBLEXP
45.146.165.70	DSBLEXP	45.146.165.148	CINSARMY TSTOPIPS DSBLEXP	45.146.165.241	DSBLEXP
45.146.165.71	DSBLEXP	45.146.165.149	CINSARMY TSTOPIPS DSBLEXP	45.146.165.244	DSBLEXP
45.146.165.75	CINSARMY DSBLEXP	45.146.165.152	CINSARMY TSTOPIPS DSBLEXP	45.146.165.245	DSBLEXP
45.146.165.77	DSBLEXP	45.146.165.153	CINSARMY TSTOPIPS DSBLEXP	45.146.165.250	DSBLEXP
45.146.165.78	DSBLEXP	45.146.165.154	UDGERHA DSBLEXP	45.146.165.252	DSBLEXP
45.146.165.80	DSBLEXP	45.146.165.156	DSBLEXP	45.146.165.253	DSBLEXP
45.146.165.81	DSBLEXP	45.146.165.157	HONEYDB BOTNET2E AVEXP TELATACK AP-THREA DSBLEXP	45.146.165.254	DSBLEXP
45.146.165.83	DSBLEXP	45.146.165.158	DSBLEXP	45.146.165.255	DSBLEXP

Target descriptions:

DSBLEXP - DShield Block List, based on millions of intrusion detection log entries, collected every day from sensors covering over 500,000 IP addresses in over 50 countries by the Internet Storm Center.
GRSNOWIP - Green Snow Block List, these IP addresses were detected as involved in Scan Port of FTP, POP3, mod_security, IMAP, SMTP, SSH, and also in cPanel attacks and brute force attempts. This data is provided thanks to Green Snow.
CINSARMY - The CINS Army list contains IP addresses characterized as malicious across a broad customer-base who use Sentinel's intrusion prevention systems. Sentinel's CINS system gathers attack data from deployed IPS's and the larger security community to identify threat actors and the IP infrastructure they use.
TSTOPIPS - A ThreatSTOP originated target, these are the most blocked IPs by ThreatSTOP customers. This list can contain all types of inbound threats. The list generated daily.
UDGERHA - IPs observed engaging in various HTTP attacks.
DST4KEXP - IP addresses from the DShield Top 4000 list.
HONEYDB - IPs that have connected or attempted to connect to one of the honeypots that feed data to HoneyDB. In general, there is no legitimate reason for any host to connect to these honeypots. So those that do can be considered bad, and a potential threat.
BOTNET2E - A ThreatSTOP curated target, these are IP addresses of known active C2 infrastructure for major botnets. Attempts to connect to these addresses may show an infected system in need of cleaning.
AVEXP - AlienVault Malware Droppers and Botnet C2 infrastructure.
TELATACK - IP addresses currently attacking Telecommunications infrastructure.
AP-THREA - IP addresses of attackers seen on large anonymous networks.

Reference: https://www.spamhaus.org/news/article/793/spamhaus-botnet-threat-report-2019

View full post