Request a Demo
Rewterz
Rewterz Threat Alert – Multi-stage Fileless Banking Trojan – IoCs
April 8, 2019
Rewterz
Rewterz Threat Advisory – CVE-2019-9489 Trend Micro OfficeScan XG Data Manipulation Vulnerability
April 10, 2019

Rewterz Threat Alert – Scanning & Exploiting IPs Observed

Severity

Medium

Analysis Summary

This is a list of IP addresses associated with scanning and exploit activity.  Threat indicators are provided.

Impact

  • SSH Scan
  • SSH Brute Force Attempt
  • Oracle WebLogic Exploitation Attempt
  • JBoss Exploitation Attempt

Indicators of Compromise

IP(s) / Hostname(s)

  • 36[.]156[.]24[.]94
  • 36[.]156[.]24[.]97
  • 61[.]184[.]247[.]2
  • 61[.]184[.]247[.]3
  • 61[.]184[.]247[.]5
  • 61[.]184[.]247[.]7
  • 61[.]184[.]247[.]11
  • 122[.]226[.]181[.]164
  • 122[.]226[.]181[.]167
  • 125[.]65[.]42[.]187
  • 125[.]65[.]42[.]192
  • 185[.]234[.]218[.]248
  • 218[.]92[.]1[.]132
  • 223[.]111[.]139[.]210
  • 223[.]111[.]139[.]247
  • 36[.]156[.]24[.]96
  • 36[.]156[.]24[.]96
  • 36[.]156[.]24[.]99
  • 61[.]184[.]247[.]6
  • 115[.]238[.]245[.]14
  • 125[.]65[.]42[.]192
  • 179[.]60[.]146[.]9
  • 36[.]156[.]24[.]97
  • 115[.]238[.]245[.]4
  • 115[.]238[.]245[.]8
  • 118[.]123[.]15[.]142
  • 179[.]60[.]146[.]9
  • 222[.]186[.]30[.]71
  • 223[.]111[.]139[.]211
  • 223[.]111[.]139[.]247
  • 36[.]156[.]24[.]94
  • 36[.]156[.]24[.]95
  • 36[.]156[.]24[.]98
  • 36[.]156[.]24[.]99
  • 61[.]184[.]247[.]2
  • 61[.]184[.]247[.]6
  • 61[.]184[.]247[.]10
  • 122[.]226[.]181[.]165
  • 223[.]111[.]139[.]211
  • 61[.]184[.]247[.]3
  • 61[.]184[.]247[.]8
  • 61[.]184[.]247[.]8
  • 61[.]184[.]247[.]11
  • 115[.]238[.]245[.]4
  • 118[.]123[.]15[.]142
  • 122[.]226[.]181[.]164
  • 122[.]226[.]181[.]166
  • 125[.]65[.]42[.]187
  • 192[.]99[.]142[.]251
  • 218[.]92[.]1[.]132
  • 223[.]111[.]139[.]210
  • 61[.]184[.]247[.]4
  • 61[.]184[.]247[.]5
  • 61[.]184[.]247[.]7
  • 116[.]31[.]116[.]5
  • 122[.]226[.]181[.]165
  • 218[.]92[.]1[.]131
  • 222[.]186[.]30[.]71
  • 103[.]207[.]36[.]144
  • 115[.]238[.]245[.]2
  • 115[.]238[.]245[.]2
  • 115[.]238[.]245[.]8
  • 115[.]238[.]245[.]14
  • 122[.]226[.]181[.]166
  • 158[.]69[.]133[.]20
  • 218[.]92[.]1[.]131
  • 223[.]111[.]139[.]244
  • 223[.]111[.]139[.]244
  • 36[.]156[.]24[.]95
  • 36[.]156[.]24[.]98
  • 61[.]184[.]247[.]4
  • 61[.]184[.]247[.]10
  • 61[.]184[.]247[.]12
  • 61[.]184[.]247[.]12
  • 116[.]31[.]116[.]5
  • 122[.]226[.]181[.]167

Remediation

  • Consider blocking and alerting on these IP addresses as they have been logged attempting to exploit vulnerabilities or otherwise gain access or information about SLTT network resources.
  • Investigate any logged activity from the noted IP addresses for signs of successful exploitation.