————————————————————————
SBL519488 — The Spamhaus Project — SBL International Anti-Spam System
————————————————————————
Hello hetzner.de Abuse Desk,
This is an automated message from the Spamhaus Block List (SBL) database
to advise that the IP below has been added to sbl.spamhaus.org:
IP/cidr: 88.198.3.5
Problem: *** BOTNET CONTROLLER LISTING ***
RedLineStealer botnet controller @88.198.3.5
SBL Ref: SBL519488
The reason for listing the IP address(es) is explained at the url:
https://www.spamhaus.org/sbl/query/SBL519488
If this problem has already been taken care of, a removal request can
be sent for SBL519488 by emailing:
<mailto:sbl-removals@spamhaus.org?Subject=SBL519488_88.198.3.5>
Note that the email must tell us how the problem has been resolved (we need
to know exactly how the issue has been dealt with and that this problem is fully terminated).
Please always include «SBL519488» in the Subject of any emails to
sbl-removals@spamhaus.org regarding this listing.
SBL System Robot
The Spamhaus Project
https://www.spamhaus.org
————————————————————————
You can review all current SBL listings concerning your network here:
https://www.spamhaus.org/sbl/listings/hetzner.de
More information may be available in the new Spamhaus ISP Portal, including
free API access to CSS and XBL listings. Sign up for a PBL account here
to access the Spamhaus ISP Portal:
https://www.spamhaus.org/pbl/ispaccount/
————————————————————————
You are receiving this notification because you are the designated abuse
contact for your network. If you do not want to be alerted whenever IPs
on your network are listed in the SBL, please advise us by contacting
<mailto:sbl-autonotify@spamhaus.org?Subject=STOP_Notify_hetzner.de>
————————————————————————
ISP Abuse Desk Resources: https://www.spamhaus.org/isp/
Spamhaus Block List (SBL): https://www.spamhaus.org/sbl/
Exploits Block List (XBL): https://www.spamhaus.org/xbl/
Botnet Controller List (BCL): https://www.spamhaus.org/bcl/
Don’t Route or Peer List (DROP): https://www.spamhaus.org/drop/
Register Of Known Spammers: https://www.spamhaus.org/rokso/
————————————————————————
The host at this IP address is obviously operated by cybercriminals. It is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.
Malware botnet controller located at 88.198.3.5 on port 81 TCP:
$ telnet 88.198.3.5 81
Trying 88.198.3.5…
Connected to 88.198.3.5.
Escape character is ‘^]’
$ nslookup 88.198.3.5
static.88.198.3.5.clients.your-server.de
Referencing malware samples (MD5 hash):
487cbebe3e0e954d3cd2d42a5daf2f67 — AV detection: 53 / 71 (74.65%)
4920169cae3b94797609bcf4d6bc5df4 — AV detection: 19 / 70 (27.14%)
4f095e73016bbf9432ec5a14f66239c0 — AV detection: 37 / 71 (52.11%)
6d258ba9a819c1b345e85e857eab26cf — AV detection: 37 / 70 (52.86%)