Is IP 91.199.118.137 Testing Access to aahwwx.52host.xyz? (Sat, Dec 5th)

SANS Internet Storm Center, InfoCON: green 2020-12-05

Scanning from IP 91.199.118.137 (first reported to DShield at the end of September [1]) began early this morning and appears to be testing whether the honeypot will relay access to aahwwx.52host.xyz [2]; little information is currently available for this host. The scanner alternates between TCP/81 and TCP/8088 and sends proxy-style requests: first a GET for an absolute URL hosted on the scanning IP itself (91.199.118.137:12542/19gtaf/1.txt), then repeated CONNECT requests for aahwwx.52host.xyz:443. A GET with an absolute URI and a CONNECT request are only meaningful to an HTTP proxy, so the traffic is consistent with an open-proxy check: the first request would reveal whether the listener forwards traffic back to the scanner, and the CONNECTs whether it will tunnel a TLS session to the target. DomainTools [7] shows the root domain 52host.xyz was last updated yesterday.

The only information currently available for this site is "Welcome to nginx!"

Log Examples

20201204-225750: 192.168.25.9:8088-91.199.118.137:18360 data 'GET http://91.199.118.137:12542/19gtaf/1.txt HTTP/1.1\r\nHost: 91.199.118.137:12542\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n'
20201204-235739: 192.168.25.9:81-91.199.118.137:10406 data 'GET http://91.199.118.137:12542/19gtaf/1.txt HTTP/1.1\r\nHost: 91.199.118.137:12542\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n'
20201205-023633: 192.168.25.9:8088-91.199.118.137:57015 data 'CONNECT aahwwx.52host.xyz:443 HTTP/1.1\r\nHost: aahwwx.52host.xyz:443\r\nUser-Agent: Go-http-client/1.1\r\n\r\n'
20201205-033442: 192.168.25.9:81-91.199.118.137:57171 data 'CONNECT aahwwx.52host.xyz:443 HTTP/1.1\r\nHost: aahwwx.52host.xyz:443\r\nUser-Agent: Go-http-client/1.1\r\n\r\n'
[...]
20201205-095707: 192.168.25.9:8088-91.199.118.137:52994 data 'CONNECT aahwwx.52host.xyz:443 HTTP/1.1\r\nHost: aahwwx.52host.xyz:443\r\nUser-Agent: Go-http-client/1.1\r\n\r\n'
20201205-105705: 192.168.25.9:81-91.199.118.137:36560 data 'CONNECT aahwwx.52host.xyz:443 HTTP/1.1\r\nHost: aahwwx.52host.xyz:443\r\nUser-Agent: Go-http-client/1.1\r\n\r\n'
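The log entries above can be triaged automatically by looking at the request-target alone: a CONNECT host:port or a GET with an absolute URI is a request to a proxy, not to a web server, so any listener receiving them is being tested as an open proxy. The following script is an added example, not part of the diary or the honeypot's code; it parses the honeypot's log format as printed above (the sample input is the diary's own six lines, with the CRLFs escaped as the honeypot logged them), classifies each request, and summarises per source which listener ports were hit and which hosts the sender tried to reach through them. The log line layout (`timestamp: dst:port-src:port data '...'`) is assumed to be exactly as shown in the diary.

```python
"""Classify HTTP proxy probes in honeypot logs (added example, not from the diary)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Log lines copied from the ISC diary. The honeypot wrote the payload as a
# Python repr, so the CRLFs appear as literal backslash sequences.
SAMPLE_LOG = r"""
20201204-225750: 192.168.25.9:8088-91.199.118.137:18360 data 'GET http://91.199.118.137:12542/19gtaf/1.txt HTTP/1.1\r\nHost: 91.199.118.137:12542\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n'
20201204-235739: 192.168.25.9:81-91.199.118.137:10406 data 'GET http://91.199.118.137:12542/19gtaf/1.txt HTTP/1.1\r\nHost: 91.199.118.137:12542\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n'
20201205-023633: 192.168.25.9:8088-91.199.118.137:57015 data 'CONNECT aahwwx.52host.xyz:443 HTTP/1.1\r\nHost: aahwwx.52host.xyz:443\r\nUser-Agent: Go-http-client/1.1\r\n\r\n'
20201205-033442: 192.168.25.9:81-91.199.118.137:57171 data 'CONNECT aahwwx.52host.xyz:443 HTTP/1.1\r\nHost: aahwwx.52host.xyz:443\r\nUser-Agent: Go-http-client/1.1\r\n\r\n'
20201205-095707: 192.168.25.9:8088-91.199.118.137:52994 data 'CONNECT aahwwx.52host.xyz:443 HTTP/1.1\r\nHost: aahwwx.52host.xyz:443\r\nUser-Agent: Go-http-client/1.1\r\n\r\n'
20201205-105705: 192.168.25.9:81-91.199.118.137:36560 data 'CONNECT aahwwx.52host.xyz:443 HTTP/1.1\r\nHost: aahwwx.52host.xyz:443\r\nUser-Agent: Go-http-client/1.1\r\n\r\n'
"""

# Assumed log layout, taken from the lines above: "ts: dst:dport-src:sport data '<request>'"
LINE_RE = re.compile(
    r"^(?P<ts>\d{8}-\d{6}): "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)-(?P<src>[\d.]+):(?P<sport>\d+) "
    r"data '(?P<payload>.*)'$"
)


@dataclass
class ProxyProbe:
    ts: str
    src: str
    listener_port: int
    method: str
    kind: str                   # "connect_tunnel", "forward_proxy" or "direct"
    target_host: Optional[str]
    target_port: Optional[int]
    user_agent: Optional[str]


def parse_request(payload: str):
    """Split a logged HTTP request into (request line, lowercase header dict)."""
    text = payload.replace("\\r\\n", "\r\n")      # undo the repr-style escaping
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for h in lines[1:]:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return lines[0], headers


def classify(line: str) -> Optional[ProxyProbe]:
    """Classify one log line by the form of its request-target."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    request_line, headers = parse_request(m["payload"])
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    kind, host, port = "direct", None, None
    if method == "CONNECT":
        # authority-form (host:port): asks a proxy to open a raw TCP tunnel
        host, sep, p = target.rpartition(":")
        if not sep:
            host, p = target, ""
        kind, port = "connect_tunnel", (int(p) if p.isdigit() else None)
    elif target.startswith(("http://", "https://")):
        # absolute-form request-target: only a forward proxy is expected to honour it
        u = urlsplit(target)
        kind, host = "forward_proxy", u.hostname
        port = u.port or (443 if u.scheme == "https" else 80)
    return ProxyProbe(m["ts"], m["src"], int(m["dport"]), method, kind,
                      host, port, headers.get("user-agent"))


def summarize(log: str) -> Dict[str, dict]:
    """Per source IP: listener ports hit, request kinds, proxied targets, user agents."""
    per_src = defaultdict(lambda: {"listener_ports": set(), "kinds": Counter(),
                                   "proxied_targets": set(), "user_agents": set()})
    for raw in log.splitlines():
        probe = classify(raw)
        if probe is None:
            continue
        s = per_src[probe.src]
        s["listener_ports"].add(probe.listener_port)
        s["kinds"][probe.kind] += 1
        if probe.kind != "direct":
            s["proxied_targets"].add(f"{probe.target_host}:{probe.target_port}")
        if probe.user_agent:
            s["user_agents"].add(probe.user_agent)
    return dict(per_src)


def open_proxy_scanners(log: str) -> List[str]:
    """Sources that sent at least one proxy-style request to any listener."""
    return sorted(src for src, s in summarize(log).items()
                  if s["kinds"]["connect_tunnel"] + s["kinds"]["forward_proxy"] > 0)


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        print(src, dict(s["kinds"]), sorted(s["listener_ports"]),
              sorted(s["proxied_targets"]), sorted(s["user_agents"]))
```

Run against the diary's lines it reports a single source hitting ports 81 and 8088 with two forward-proxy GETs and four CONNECT tunnels, and the two targets the scanner wanted relayed. A request for a plain path (`GET /index.html`) is classified as "direct" and ignored by `open_proxy_scanners`, so ordinary web scanning does not trigger the proxy verdict.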

Indicators with ASN

91.199.118.137:12542/19gtaf/1.txt
aahwwx.52host.xyz
2606:4700:3031::6812:35a7 -> AS13335
2606:4700:3037::ac43:b70a -> AS13335
2606:4700:3036::6812:34a7
104.18.52.167 -> AS13335
172.67.183.10 -> AS42861
104.18.53.167 -> AS13335
91.199.118.137 -> AS62240

[1] https://isc.sans.edu/ipdetails.html?ip=91.199.118.137&34475
[2] https://www.robtex.com/dns-lookup/aahwwx.52host.xyz
[3] https://bgp.he.net/AS42861
[4] https://bgp.he.net/AS13335
[5] https://bgp.he.net/AS62240
[6] https://www.robtex.com/ip-lookup/91.199.118.137#analysis
[7] https://whois.domaintools.com/52host.xyz

-----------
Guy Bruneau
IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.