209.141.34.39 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 209.141.34.39 and was generated either as a result of observed malicious activity or as an information-gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources or through observation of activity on honeynets. The host score is calculated through a series of statistically weighted values and machine learning that take into account metadata such as host information; the frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour such as Tor exit nodes, residential proxies or VPN services; and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks in which they reside.

Known Malicious Host 🔴 100/100

Host and Network Information

  • Mitre ATT&CK IDs: T1078 - Valid Accounts, T1083 - File and Directory Discovery, T1098.004 - SSH Authorized Keys, T1105 - Ingress Tool Transfer, T1110.004 - Credential Stuffing, T1110 - Brute Force

  • Tags: Bruteforce, Brute-Force, cowrie, cyber security, ioc, LokiBot, LokiPWS, malicious, Nextray, phishing, ssh, SSH, stealer

  • Known tor exit node

  • JARM: 07d14d16d21d21d00042d43d00000021abd22a3b99c8267613a45603d83df2

  • View other sources: Spamhaus VirusTotal

  • Contained within other IP sets: blocklist_net_ua, haley_ssh, stopforumspam_180d, stopforumspam_365d, stopforumspam_90d, stopforumspam

  • Known TOR node
  • Country: United States
  • Network:
  • Noticed: 50 times
  • Protocols Attacked: ssh
  • Countries Attacked: Canada, Czechia, Denmark, Estonia, France, Germany, Latvia, Lithuania, Norway, Poland, Romania, Turkey, Ukraine, United Kingdom of Great Britain and Northern Ireland, United States of America
  • Passive DNS Results: juanda-pickup.com www.arcraftpnrg.com arcraftpnrg.com lppksakinahngawi.com mayangarum.com www.mayangarum.com faizarnovie.store faizarnovie.online jayapura-la.dropadi.com creawcreative.online brodifood.com microdozage.com cloudmerdeka.com medpro-127.getfoxyproxy.org

Malware Detected on Host

Count: 17

Open Ports Detected

10000 21 22 3306 50000 80

CVEs Detected

CVE-2024-20996 CVE-2024-21047 CVE-2024-21062 CVE-2024-21069 CVE-2024-21087 CVE-2024-21090 CVE-2024-21096 CVE-2024-21101 CVE-2024-21102 CVE-2024-21125 CVE-2024-21127 CVE-2024-21129 CVE-2024-21130 CVE-2024-21134 CVE-2024-21135 CVE-2024-21142 CVE-2024-21157 CVE-2024-21159 CVE-2024-21160 CVE-2024-21162 CVE-2024-21163 CVE-2024-21165 CVE-2024-21166 CVE-2024-21171 CVE-2024-21173 CVE-2024-21193 CVE-2024-21194 CVE-2024-21196 CVE-2024-21197 CVE-2024-21198 CVE-2024-21199 CVE-2024-21201 CVE-2024-21203 CVE-2024-21207 CVE-2024-21212 CVE-2024-21213 CVE-2024-21218 CVE-2024-21219 CVE-2024-21230 CVE-2024-21231 CVE-2024-21236 CVE-2024-21237 CVE-2024-21238 CVE-2024-21239 CVE-2024-21241 CVE-2024-21247

Whois Information

Links to attack logs

  • bruteforce-ip-list-2022-10-14
  • dosing-ssh-bruteforce-ip-list-2022-10-17
  • dolondon-ssh-bruteforce-ip-list-2022-10-07
  • dosing-ssh-bruteforce-ip-list-2022-10-23