LEGACY: Sinkhole HTTP Drone Report

LAST UPDATED:  2021-06-07

LEGACY REPORT

Report discontinued. Replaced by: Sinkhole HTTP Events Report.

This report lists the IP addresses of all devices that connected to our Sinkhole server without supplying an HTTP Referer header.

Since the Sinkhole server is only accessed through previously malicious domain names, only infected systems or security researchers should be seen in this list.

IPv6 Sinkhole data is shared in Sinkhole6 HTTP Drone Report.

Please note this report will be replaced after 2021-06-01 by Sinkhole HTTP Events Report.

As of January 13th, 2021 we have the following tags:

andromeda-b66
avalanche-andromeda
avalanche-bolek
avalanche-citadel
avalanche-corebot
avalanche-dofoil
avalanche-generic
avalanche-gozi2
avalanche-goznym
avalanche-kins
avalanche-marcher
avalanche-matsnu
avalanche-nymaim
avalanche-pandabanker
avalanche-ranbyus
avalanche-rovnix
avalanche-smartapp
avalanche-teslacrypt
avalanche-tinba
avalanche-trusteer
avalanche-unknown
avalanche-urlzone
avalanche-vawtrak
avalanche-xswkit
b54-base
b54-code
b54-config
b54-old
b68-zeroaccess-1-32bit
b68-zeroaccess-2-32bit
b68-zeroaccess-2-64bit
beebone
boaxxe
bookworm
caphaw
comment
conficker.ab
conficker.abc
cve-2009-4324
downadup
dyndns-blatmailers-apt
dyndns-choiceguard-apt
dyndns-mirage-apt
dyndns-sogu-apt
enfal-apt
familyphotos-apt
ghost-push
iframe exploit
infy-apt
ircbot-b58
jdk-update-apt
kovter
machbot
machete-apt
mirage-apt
necurs
null
qsnatch
ramdo
sality
sality_old
sality2
silon
skunkx
spyeye
spyeye-b58
sunburst
sykipot-apt
tinba
torpig
trickbot-c2
trickbot-c2u
trickbot-iot-c2
tsifiri
unknown-apt
vinself
vpnfilter
vpnfilter_stage3
x-agent
xcodeghost
yash rat
yzf
zeus

Note that we also share information in partnership with other organizations under the Drone/Botnet-Drone Report, which draws on a wider variety of source types that may include sinkhole data. Additionally, sinkhole data from Microsoft is shared via the Microsoft Sinkhole Report.

Fields

  • timestamp
    Timestamp in UTC+0 when the IP accessed the sinkhole system
  • ip
    IP that accessed the sinkhole
  • asn
    ASN of the IP
  • geo
    Country location of the IP
  • url
    HTTP request
  • type
    Drone type (if known)
  • http_agent
    HTTP agent
  • tor
    Whether the client is a Tor exit node
  • src_port
    TCP source port
  • p0f_genre
    First-level p0f TCP fingerprint of the client operating system
  • p0f_detail
    Detailed results of the p0f operating system fingerprint
  • hostname
    Reverse DNS of the IP
  • dst_port
    TCP destination port
  • http_host
    Content of the HTTP Host: header — normally the fully qualified domain name of the C&C
  • http_referer
    HTTP Referer
  • http_referer_asn
    HTTP Referer ASN
  • http_referer_geo
    HTTP Referer country code
  • dst_ip
    Sinkhole IP that the client accessed (if available)
  • dst_asn
    ASN of the sinkhole IP that the client accessed (if available)
  • dst_geo
    Country of the sinkhole IP that the client accessed (if available)

Sample

"timestamp","ip","asn","geo","url","type","http_agent","tor","src_port","p0f_genre","p0f_detail","hostname","dst_port","http_host","http_referer","http_referer_asn","http_referer_geo","dst_ip","dst_asn","dst_geo"
"2010-08-31 00:09:04","202.86.21.11",23456,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,8726,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:09:06","82.115.28.93",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,50499,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:14:50","180.94.94.3",55330,"AF","GET /?3c851a=7932468 HTTP/1.1","sality","KUKU v5.06exp =19026555919",,60564,"Windows","2000 SP2+, XP SP1+ (seldom 98)",,80,"www.kjwre9fqwieluoi.info",,,,,,
"2010-08-31 00:36:05","82.115.10.63",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,47947,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:36:05","82.115.10.39",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,47928,,,,,,,,,,,
"2010-08-31 00:53:15","82.115.25.117",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,4460,,,,80,"149.20.56.32",,,,,,
"2010-08-31 01:00:26","82.115.23.237",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6)",,2476,,,,,,,,,,,
"2010-08-31 01:02:39","82.115.23.172",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)",,1426,,,,,,,,,,,
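The parser below is an added example written for this page; it is not Shadowserver code. It reads the report layout defined in the Fields section, checks each row for the problems a consumer is most likely to hit (wrong column count, non-numeric ASN, bad timestamp, an unexpected Referer on a report that by definition contains referer-less hits), and then aggregates hits per drone type and per ASN so an analyst can see which malware families and networks dominate a day's file. The three embedded rows are copied from the Sample section above. The interpretation of the tor field as "any non-empty value means true" is an assumption, since the page does not state its encoding.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Column order exactly as documented in the Fields section of the report.
EXPECTED_FIELDS = [
    "timestamp", "ip", "asn", "geo", "url", "type", "http_agent", "tor",
    "src_port", "p0f_genre", "p0f_detail", "hostname", "dst_port", "http_host",
    "http_referer", "http_referer_asn", "http_referer_geo", "dst_ip", "dst_asn",
    "dst_geo",
]

# Header plus three data rows copied from the page's Sample section.
SAMPLE_CSV = '''"timestamp","ip","asn","geo","url","type","http_agent","tor","src_port","p0f_genre","p0f_detail","hostname","dst_port","http_host","http_referer","http_referer_asn","http_referer_geo","dst_ip","dst_asn","dst_geo"
"2010-08-31 00:09:04","202.86.21.11",23456,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,8726,,,,80,"149.20.56.32",,,,,,
"2010-08-31 00:14:50","180.94.94.3",55330,"AF","GET /?3c851a=7932468 HTTP/1.1","sality","KUKU v5.06exp =19026555919",,60564,"Windows","2000 SP2+, XP SP1+ (seldom 98)",,80,"www.kjwre9fqwieluoi.info",,,,,,
"2010-08-31 00:36:05","82.115.10.39",41152,"AF","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,47928,,,,,,,,,,,
'''


def parse_report(text: str) -> List[Dict[str, str]]:
    """Parse the CSV text into one dict per row, keyed by the documented field names."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_FIELDS:
        raise ValueError("unexpected header: %r" % (reader.fieldnames,))
    return list(reader)


def row_problems(row: Dict[str, str]) -> List[str]:
    """Return a list of validation findings for one row (empty list means the row is clean)."""
    # DictReader files surplus columns under the key None and fills missing ones with None.
    if None in row or None in row.values():
        return ["column count does not match the 20 documented fields"]
    problems = []
    if not row["ip"]:
        problems.append("empty ip")
    if not row["asn"].isdigit():
        problems.append("asn is not numeric")
    try:
        datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        problems.append("timestamp is not 'YYYY-MM-DD HH:MM:SS'")
    if row["http_referer"]:
        # This report is defined as hits that arrived without a Referer.
        problems.append("row carries an http_referer")
    return problems


def to_event(row: Dict[str, str]) -> Dict[str, object]:
    """Normalize a row into the handful of attributes an incident ticket needs."""
    os_hint = " ".join(part for part in (row["p0f_genre"], row["p0f_detail"]) if part)
    return {
        "seen_utc": row["timestamp"],
        "victim_ip": row["ip"],
        "victim_asn": int(row["asn"]),
        "family": row["type"] or "unknown",
        "os_hint": os_hint,
        # Assumption: the page does not define the tor encoding; treat any non-empty value as true.
        "via_tor": bool(row["tor"]),
        # The Host header is the sinkholed C&C name; fall back to the sinkhole IP when absent.
        "contacted": row["http_host"] or row["dst_ip"] or "",
    }


def summarize(rows: List[Dict[str, str]]) -> Tuple[Counter, Counter]:
    """Count hits per drone type and per victim ASN."""
    by_type = Counter(r["type"] or "unknown" for r in rows)
    by_asn = Counter(r["asn"] for r in rows)
    return by_type, by_asn


def ips_without_http_host(rows: List[Dict[str, str]]) -> List[str]:
    """IPs whose request carried no Host header, so the family attribution rests on 'type' alone."""
    return [r["ip"] for r in rows if not r["http_host"]]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_CSV)
    for r in rows:
        print(to_event(r), row_problems(r))
    print(summarize(rows))
    print(ips_without_http_host(rows))
```

Rows that fail row_problems should be quarantined rather than silently dropped; a column-count mismatch usually means an upstream format change, which is exactly what an automated feed consumer must notice before its dashboards go quietly blank.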
