LEGACY: Sinkhole6 HTTP Drone Report

LAST UPDATED:  2021-06-07

LEGACY REPORT

Report discontinued. Replaced by: Sinkhole HTTP Events Report.

This report lists the IPv6 addresses for all the devices that connected to our IPv6 Sinkhole server.

Since the Sinkhole server is only accessed through previously malicious domain names, only infected systems or security researchers should be seen in this list.

For a list of tags supported please visit the  Sinkhole HTTP Drone Report.

Please note this report will be replaced after 2021-06-01 by Sinkhole HTTP Events Report.

Fields

  • timestamp
    Timestamp in UTC+0 the IPv6 IP accessed the sinkhole system
  • src_ip
    IPv6 address that accessed the sinkhole
  • src_asn
    ASN of the IPv6 IP accessing the sinkhole
  • src_geo
    Country location of the IPv6 IP accessing the sinkhole
  • src_region
    Region of the IPv6 IP accessing the sinkhole
  • src_port
    TCP source port
  • dst_ip
    Destination/sinkhole IP
  • dst_asn
    ASN of the destination/sinkhole IP
  • dst_geo
    Country location of the destination/sinkhole IP
  • dst_region
    Region of the destination/sinkhole IP
  • dst_port
    TCP destination port
  • protocol
    Protocol used to perform the connection
  • tag
    Description of the malware/infection that is causing the IP to communicate with the sinkhole
  • hostname
    PTR record of the IPv6 address that accessed the sinkhole
  • sysdesc
    System description
  • sysname
    Operating system
  • http_url
    HTTP request
  • http_agent
    HTTP User Agent
  • http_host
    Content of the HTTP Host: header; normally the fully qualified domain name of the C&C
  • http_referer
    Content of the HTTP Referer: header
  • http_referer_ip
    IP of the HTTP referer
  • http_referer_asn
    ASN of the IP of the HTTP referer
  • http_referer_geo
    Country of the IP of the HTTP referer
  • http_referer_region
    Region of the IP of the HTTP referer
  • forwarded_by
    HTTP Proxy header: if the FORWARDED_FOR header is present, the src_ip is set to the FORWARDED_FOR ip and the forwarded_by field is set to the client's IP

Sample

"timestamp","src_ip","src_asn","src_geo","src_region","src_port","dst_ip","dst_asn","dst_geo","dst_region","dst_port","protocol","tag","hostname","sysdesc","sysname","http_url","http_agent","http_host","http_referer","http_referer_ip","http_referer_asn","http_referer_geo","http_referer_region","forwarded_by"
"2017-04-13 00:00:00","2405:205:148e:c034:790f:a853:511d:4288",237,"IN",,50713,"2a02:1668:1034::2",51088,"NL",,80,,"ghost-push",,,,"POST /aum/api/1/ HTTP/1.1",,"u.amobisc.com",,,,,,
"2017-04-13 00:00:00","2405:204:5288:d4e6::1709:30ad",237,"IN",,56706,"2a02:1668:1034::2",51088,"NL",,80,,"ghost-push",,,,"POST /aum/api/1/ HTTP/1.1",,"u.amobisc.com",,,,,,
"2017-04-13 00:00:00","2405:205:a02d:8b6b::1967:b8a1",237,"IN",,38979,"2a02:1668:1034::2",51088,"NL",,80,,"ghost-push",,,,"POST /aum/api/1/ HTTP/1.1",,"u.amobisc.com",,,,,,
"2017-04-13 00:00:00","2404:160:a410:2c77:1:1:dda8:249",10030,"MY",,46193,"2a02:1668:1034::2",51088,"NL",,80,,"ghost-push",,,,"POST /aum/api/1/ HTTP/1.1",,"u.amobisc.com",,,,,,
"2017-04-13 00:00:00","2800:4f0:6b:5450:24d8:3201:13e3:2747",237,"EC",,48756,"2a02:1668:1034::2",51088,"NL",,80,,"ghost-push",,,,"POST /aum/api/1/ HTTP/1.1",,"u.amobisc.com",,,,,,
"2017-04-13 00:00:01","2405:205:4208:92da::40a:8ad",237,"IN",,60217,"2a02:1668:1034::2",51088,"NL",,80,,"ghost-push",,,,"POST /aum/api/1/ HTTP/1.1",,"u.amobisc.com",,,,,,
"2017-04-13 00:00:01","2804:d49:d01:c900:7a52:1aff:fe7b:71bf",237,"BR",,53992,"2a02:1668:1034::2",51088,"NL",,80,,"ghost-push",,,,"POST /aum/api/1/ HTTP/1.1",,"u.amobisc.com",,,,,,
"2017-04-13 00:00:01","2804:d45:2d16:7c00:115a:51cd:7b93:4b8c",237,"BR",,52836,"2a02:1668:1034::2",51088,"NL",,80,,"ghost-push",,,,"POST /aum/api/1/ HTTP/1.1",,"u.amobisc.com",,,,,,
"2017-04-13 00:00:01","2800:370:77:4760:805:a672:fb1d:e1df",26613,"EC",,38586,"2a02:1668:1034::2",51088,"NL",,80,,"ghost-push",,,,"POST /aum/api/1/ HTTP/1.1",,"u.amobisc.com",,,,,,

Our 132 Report Types