Sinkhole HTTP Drone Report

This report lists the IP addresses of all devices that connected to our sinkhole server without arriving through an HTTP referrer.

Since the Sinkhole server is only accessed through previously malicious domain names, only infected systems or security researchers should be seen in this list.

Fields

  • timestamp
    Timestamp in UTC+0 when the IP accessed the sinkhole system
  • ip
    IP that accessed the sinkhole
  • asn
    ASN of the IP
  • geo
    Country location of the IP
  • url
    HTTP request
  • type
    Drone type (if known)
  • http_agent
    HTTP agent
  • tor
    Whether the client is a Tor exit node
  • src_port
    TCP source port
  • p0f_genre
    Top-level operating system guess from the p0f passive TCP fingerprint
  • p0f_detail
    Detailed result of the p0f operating system fingerprint
  • hostname
    Reverse DNS of the IP
  • dst_port
    TCP destination port
  • http_host
    Content of the HTTP Host: header — normally the fully qualified domain name of the C&C
  • http_referer
    HTTP Referer
  • http_referer_asn
    HTTP Referer ASN
  • http_referer_geo
    HTTP Referer country code
  • dst_ip
    Sinkhole IP that the target accessed (if available)
  • dst_asn
    Sinkhole ASN that the target accessed (if available)
  • dst_geo
    Sinkhole GEO that the target accessed (if available)

Sample

"timestamp","ip","asn","geo","url","type","http_agent","tor","src_port","p0f_genre","p0f_detail","hostname","dst_port","http_host","http_referer","http_referer_asn","http_referer_geo","dst_ip","dst_asn","dst_geo"
"2010-08-31 00:09:04","202.86.21.11",23456,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,8726,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:09:06","82.115.28.93",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,50499,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:14:50","180.94.94.3",55330,"AF","GET /?3c851a=7932468 HTTP/1.1","sality","KUKU v5.06exp =19026555919",,60564,"Windows","2000 SP2+, XP SP1+ (seldom 98)",,80,"www.kjwre9fqwieluoi.info",,,,,,
"2010-08-31 00:36:05","82.115.10.63",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,47947,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:36:05","82.115.10.39",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,47928,,,,,,,,,,,
"2010-08-31 00:53:15","82.115.25.117",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,4460,,,,80,"149.20.56.32",,,,,,
"2010-08-31 01:00:26","82.115.23.237",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6)",,2476,,,,,,,,,,,
"2010-08-31 01:02:39","82.115.23.172",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)",,1426,,,,,,,,,,,
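The following is an added example for consuming this feed, not code from the report's publisher. It parses the sample above with the Python standard library, validates that every record has the 20 columns the header declares, and produces the two views a CERT or network owner usually wants from a sinkhole report: infection counts per (asn, type) pair for notification, and a classification of the http_host field, which shows whether the drone asked for the C&C by domain name, by the sinkhole's literal IP, or sent no Host header at all (blank in the feed). The sample rows are copied from this page; no other input is assumed.

```python
import csv
import io
import ipaddress
from collections import Counter

# Sample records copied from the report page above (header plus eight rows).
SAMPLE = '''\
"timestamp","ip","asn","geo","url","type","http_agent","tor","src_port","p0f_genre","p0f_detail","hostname","dst_port","http_host","http_referer","http_referer_asn","http_referer_geo","dst_ip","dst_asn","dst_geo"
"2010-08-31 00:09:04","202.86.21.11",23456,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,8726,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:09:06","82.115.28.93",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,50499,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:14:50","180.94.94.3",55330,"AF","GET /?3c851a=7932468 HTTP/1.1","sality","KUKU v5.06exp =19026555919",,60564,"Windows","2000 SP2+, XP SP1+ (seldom 98)",,80,"www.kjwre9fqwieluoi.info",,,,,,
"2010-08-31 00:36:05","82.115.10.63",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,47947,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:36:05","82.115.10.39",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,47928,,,,,,,,,,,
"2010-08-31 00:53:15","82.115.25.117",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,4460,,,,80,"149.20.56.32",,,,,,
"2010-08-31 01:00:26","82.115.23.237",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6)",,2476,,,,,,,,,,,
"2010-08-31 01:02:39","82.115.23.172",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)",,1426,,,,,,,,,,,
'''


def parse_report(text):
    """Parse the feed into one dict per record, keyed by the header names.

    Blank columns in the feed arrive as empty strings. A row whose column
    count differs from the header is rejected rather than silently padded,
    since a shifted column would mis-attribute an infection to the wrong ASN.
    """
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        # DictReader puts extra columns under key None and fills missing ones with None.
        if None in row or any(v is None for v in row.values()):
            raise ValueError("malformed record: column count does not match header")
        rows.append(row)
    return rows


def infections_by_asn(rows):
    """Count records per (asn, drone type): the unit used when notifying a network owner."""
    return Counter((row["asn"], row["type"]) for row in rows)


def classify_http_host(row):
    """Return 'missing', 'ip' or 'domain' for the Host: header value of one record."""
    host = row["http_host"]
    if not host:
        return "missing"
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


def http_host_summary(rows):
    """Count how the drones addressed the sinkhole (by name, literal IP, or no Host header)."""
    return Counter(classify_http_host(row) for row in rows)


if __name__ == "__main__":
    records = parse_report(SAMPLE)
    for (asn, drone_type), n in sorted(infections_by_asn(records).items()):
        print(f"AS{asn}: {n} x {drone_type}")
    print(dict(http_host_summary(records)))
```

Grouping by ASN rather than by IP mirrors how the feed is normally acted on: one notification per network owner, with the per-type counts telling them which malware family to look for. The http_host classification is a quick sanity check on the data itself, since a literal sinkhole IP in the Host header means the drone was not resolving the original C&C name at all.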
