Is IP 91.199.118.137 testing Access to aahwwx.52host.xyz?

Published: 2020-12-05. Last Updated: 2020-12-05 19:31:48 UTC
by Guy Bruneau (Version: 1)
1 comment(s)

Scanning by IP 91.199.118.137 (first reported in DShield end September) began early this morning which appears to be testing access to site aahwwx.52host.xyz [2] and currently there is little information available for this host. The scan is alternating between ports TCP/81 and TCP/8088. Domaintools [7] shows the root domain 52host.xyz was last updated yesterday.

The only information currently available for this site is "Welcome to nginx!"

Log Examples

20201204-225750: 192.168.25.9:8088-91.199.118.137:18360 data 'GET http://91.199.118.137:12542/19gtaf/1.txt HTTP/1.1\r\nHost: 91.199.118.137:12542\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n'
20201204-235739: 192.168.25.9:81-91.199.118.137:10406 data 'GET http://91.199.118.137:12542/19gtaf/1.txt HTTP/1.1\r\nHost: 91.199.118.137:12542\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n'
20201205-023633: 192.168.25.9:8088-91.199.118.137:57015 data 'CONNECT aahwwx.52host.xyz:443 HTTP/1.1\r\nHost: aahwwx.52host.xyz:443\r\nUser-Agent: Go-http-client/1.1\r\n\r\n'
20201205-033442: 192.168.25.9:81-91.199.118.137:57171 data 'CONNECT aahwwx.52host.xyz:443 HTTP/1.1\r\nHost: aahwwx.52host.xyz:443\r\nUser-Agent: Go-http-client/1.1\r\n\r\n'
[...]
20201205-095707: 192.168.25.9:8088-91.199.118.137:52994 data 'CONNECT aahwwx.52host.xyz:443 HTTP/1.1\r\nHost: aahwwx.52host.xyz:443\r\nUser-Agent: Go-http-client/1.1\r\n\r\n'
20201205-105705: 192.168.25.9:81-91.199.118.137:36560 data 'CONNECT aahwwx.52host.xyz:443 HTTP/1.1\r\nHost: aahwwx.52host.xyz:443\r\nUser-Agent: Go-http-client/1.1\r\n\r\n'

Indicators with ASN

91.199.118.137:12542/19gtaf/1.txt
aahwwx.52host.xyz
2606:4700:3031::6812:35a7 -> AS13335
2606:4700:3037::ac43:b70a -> AS13335
2606:4700:3036::6812:34a7
104.18.52.167 -> AS13335
172.67.183.10 -> AS42861
104.18.53.167 -> AS13335
91.199.118.137 -> AS62240

[1] https://isc.sans.edu/ipdetails.html?ip=91.199.118.137&34475
[2] https://www.robtex.com/dns-lookup/aahwwx.52host.xyz
[3] https://bgp.he.net/AS42861
[4] https://bgp.he.net/AS13335
[5] https://bgp.he.net/AS62240
[6] https://www.robtex.com/ip-lookup/91.199.118.137#analysis
[7] https://whois.domaintools.com/52host.xyz

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Keywords: Indicators Scanning Suspicious Hostname Threat Intel
1 comment(s)

Comments

Noticed scanning across a larger number of ports

Time src_ip dst_port
December 4th 2020, 05:03 91.199.118.137 8008
December 3rd 2020, 03:50 91.199.118.137 8090
December 2nd 2020, 22:50 91.199.118.137 23500
December 2nd 2020, 21:43 91.199.118.137 808
December 2nd 2020, 19:32 91.199.118.137 10000
December 2nd 2020, 16:50 91.199.118.137 9999
December 2nd 2020, 16:22 91.199.118.137 8123
December 2nd 2020, 13:38 91.199.118.137 8090
November 19th 2020, 21:48 91.199.118.137 82
November 19th 2020, 21:17 91.199.118.137 8008
November 19th 2020, 21:07 91.199.118.137 8123
November 19th 2020, 20:07 91.199.118.137 83
November 19th 2020, 19:17 91.199.118.137 999

Anonymous

Dec 6th 2020
4 years ago

Login here to join the discussion.


Top of page
Diary Archives