# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

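# Generic detection for compromised WordPress CMS sites
# Each group of indicators below is listed under the reference(s) that reported it.
# Indicator types are mixed: domain names, URL path fragments starting with '/',
# and IP addresses written with an http:// prefix.
# NOTE: a hit on a domain or IP entry may only mean that a client loaded content
# injected into a third-party site; confirm which side is compromised before escalating.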

# Reference: https://twitter.com/unmaskparasites/status/1355301566933213185

subl.net

# Reference: https://twitter.com/unmaskparasites/status/1367183133938831361

checklist.directory

# Reference: https://twitter.com/unmaskparasites/status/1369733061680586755
# Reference: https://twitter.com/unmaskparasites/status/1402047210343174146
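# Reference: https://twitter.com/riper81/status/1404487096778170379
# Note: the xn--*.xn--p1ai entries below are internationalized domain names in punycode
# (xn--p1ai is the Cyrillic ccTLD of the Russian Federation). Logs that record the
# Unicode form need converting to this ASCII form before comparison.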

blameworthy.buzz
xn--80a1alg.xn--p1ai
xn--80a3afwhsk.xn--p1ai
xn--80aa4ce2a.xn--p1ai
xn--80ad2akx.xn--p1ai
xn--80adoej5a8h.xn--p1ai
xn--80ady8a.xn--p1ai
xn--80adzf.xn--p1ai
xn--80ae5bng4au.xn--p1ai
xn--80ahxth.xn--p1ai
xn--80aj4ae6d.xn--p1ai
xn--80aj6ah1a.xn--p1ai
xn--80amqk.xn--p1ai
xn--80azck0a.xn--p1ai
xn--90a7a4a.xn--p1ai
xn--90a8cf.xn--p1ai
xn--90achpp5d0c.xn--p1ai
xn--90aixnm.xn--p1ai
xn--b1axdhie3a.xn--p1ai
xn--b1ayb4b.xn--p1ai
xn--c1ab3awv.xn--p1ai
xn--c1ae0ahg.xn--p1ai
xn--c1aeyy.xn--p1ai
xn--c1alehkf5a3d.xn--p1ai
xn--c1anqe5e.xn--p1ai
xn--d1ad5e.xn--p1ai
xn--e1adtoj.xn--p1ai
xn--e1annge.xn--p1ai
xn--g1a1aom.xn--p1ai
xn--g1a2abr.xn--p1ai
xn--g1aehqp.xn--p1ai
xn--g1aey4a.xn--p1ai
xn--g1asqf.xn--p1ai
xn--h1aiml3a.xn--p1ai
xn--h1at3a.xn--p1ai
xn--i1abh6c.xn--p1ai
xn--i1aefi6c.xn--p1ai
xn--i1an6ab.xn--p1ai
xn--i1avf9a.xn--p1ai
xn--i1avu.xn--p1ai
xn--j1alm4a.xn--p1ai
xn--j1amtse.xn--p1ai
xn--k1akc5b.xn--p1ai
xn--k1aty.xn--p1ai
xn--o1aofd.xn--p1ai
xn--p1aldhp.xn--p1ai
xn--q1admt.xn--p1ai
xn--s1afb.xn--p1ai

# Reference: https://twitter.com/unmaskparasites/status/1370579966069383168

/SMILODON/index.php?view=

# Reference: https://twitter.com/unmaskparasites/status/1376690495477276674
# Reference: https://www.virustotal.com/gui/ip-address/194.61.25.77/relations

declarebusinessgroup.ga
dontkinhooot.tw
lovegreenpencils.ga
lowerthenskyactive.ga
strongcapitalads.ga
talkingaboutfirms.ga
travelfornamewalking.ga
travelinskydream.ga

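# Reference: https://github.com/hardenedlinux/hardenedlinux-zeek-script/blob/master/scripts/frameworks/intel/OSINT/CYBERCRiME-03-03-19.txt
# Note: path-only indicator (no host), so it applies to the request path on any site.
# NOTE(review): the name resembles the SimplePie Net/IPv6.php file bundled with WordPress;
# a file with this name on a server is worth checking against a clean core copy.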

/SimplePie/Net/IPv5.php

# Reference: https://twitter.com/unmaskparasites/status/1394487078952398848

driverfortnigtly.ga

# Reference: https://twitter.com/unmaskparasites/status/1402346388617236481

digitalclimatestrike.net
assets.digitalclimatestrike.net

# Reference: https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/
# Reference: https://otx.alienvault.com/pulse/60be1d277d109b2b37060c4c

http://46.53.253.152
http://69.12.71.82
http://92.53.124.123

# Reference: https://twitter.com/rootprivilege/status/1470821225542742016
# Reference: https://lukeleal.com/research/posts/trainresistor-cc-mass-injection/
# Reference: https://www.virustotal.com/gui/ip-address/45.9.150.64/relations

belonnanotservice.ga
piterreceiver.ga
trainresistor.cc

# Reference: https://twitter.com/unmaskparasites/status/1458970080797073413

blngblngs.rocks

# Reference: https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/
# Reference: https://www.virustotal.com/gui/domain/wp-theme-connect.com/detection

wp-theme-connect.com

# Reference: https://twitter.com/unmaskparasites/status/1494462138298953736

cartoonmines.com

# Reference: https://twitter.com/unmaskparasites/status/1499593717845348354
# Reference: https://twitter.com/unmaskparasites/status/1506671930425823234
# Reference: https://twitter.com/unmaskparasites/status/1506728492016185348
# Reference: https://twitter.com/unmaskparasites/status/1507038308789936150
# Reference: https://www.virustotal.com/gui/domain/turnedpro.xyz/relations
# Reference: https://www.virustotal.com/gui/ip-address/188.213.5.197/relations
# Reference: https://www.virustotal.com/gui/ip-address/74.91.31.50/relations
# Reference: https://www.virustotal.com/gui/domain/firstok.xyz/relations
# Reference: https://www.virustotal.com/gui/domain/officialservicejp.com/relations
# Reference: https://www.virustotal.com/gui/domain/flyingfishes.online/relations
# Reference: https://www.virustotal.com/gui/domain/runpenguin.online/relations
# Reference: https://www.virustotal.com/gui/domain/tophead.online/relations
# Reference: https://www.virustotal.com/gui/domain/walkdolphin.online/relations
# Reference: https://qna.habr.com/q/1058482 (Russian)

anonymousfox.co
anonymousfox.io
anonymousfox.is
anonymousfox.mx
anonymousfox.to
golang666.xyz
firstguide.xyz
firstok.xyz
hahaha666.xyz
ok2345678.xyz
turnedpro.xyz
officialservicejp.com
flyingfishes.online
pinkpigs.online
runpenguin.online
tophead.online
walkdolphin.online
api.firstguide.xyz
hello.firstguide.xyz
hello.hahaha666.xyz
hello.ok2345678.xyz
seo23.firstok.xyz
seo30-1.firstok.xyz
seo30-2.firstok.xyz
seo32.firstok.xyz
seo35-1.firstok.xyz
seo35-2.firstok.xyz
seo50-1.firstok.xyz
seo50-2.firstok.xyz
seo50-3.firstok.xyz
seo601-1.firstok.xyz
seo601-2.firstok.xyz
seo801-1.firstok.xyz
seo802-1.firstok.xyz
seo804-2.firstok.xyz
seo805-1.firstok.xyz
seo806-2.firstok.xyz
seo808-1.firstok.xyz
seo809-1.firstok.xyz
seo810-1.firstok.xyz
seo811-1.firstok.xyz
seo82.firstok.xyz
seo92.firstok.xyz
a.turnedpro.xyz
api.turnedpro.xyz
hello.turnedpro.xyz
mn.turnedpro.xyz
seo1.turnedpro.xyz
seo10.turnedpro.xyz
seo2.turnedpro.xyz
seo3.turnedpro.xyz
seo4.turnedpro.xyz
seo5.turnedpro.xyz
seo6.turnedpro.xyz
seo7.turnedpro.xyz
seo8.turnedpro.xyz
seo9.turnedpro.xyz
track.turnedpro.xyz
seo45.officialservicejp.com
seo74.officialservicejp.com
seo802-8.officialservicejp.com
seo808-4.officialservicejp.com
seo824-2.officialservicejp.com
seo825-1.officialservicejp.com
seo826-1.officialservicejp.com
seo86.officialservicejp.com
seob215.officialservicejp.com
seoc226.officialservicejp.com
seo806-7.flyingfishes.online
seo812-8.flyingfishes.online
seo36.pinkpigs.online
seo804-6.pinkpigs.online
seo809-7.pinkpigs.online
seo810-6.pinkpigs.online
seo811-7.pinkpigs.online
seo814-7.pinkpigs.online
seo816-5.pinkpigs.online
seoa256.pinkpigs.online
seoc246.pinkpigs.online
seoc256.pinkpigs.online
seo104.runpenguin.online
seo35.runpenguin.online
seo54.runpenguin.online
seo602-3.runpenguin.online
seo801-4.runpenguin.online
seo801-5.runpenguin.online
seo802-2.runpenguin.online
seo802-3.runpenguin.online
seo804-4.runpenguin.online
seo806-4.runpenguin.online
seo808-3.runpenguin.online
seo809-4.runpenguin.online
seo810-2.runpenguin.online
seo810-5.runpenguin.online
seo811-3.runpenguin.online
seo812-5.runpenguin.online
seo815-3.runpenguin.online
seo815-4.runpenguin.online
seo817-2.runpenguin.online
seo818-2.runpenguin.online
seo819-2.runpenguin.online
seo819-3.runpenguin.online
seo820-2.runpenguin.online
seo821-1.runpenguin.online
seo821-3.runpenguin.online
seo822-1.runpenguin.online
seo824-1.runpenguin.online
seo824-3.runpenguin.online
seo84.runpenguin.online
seoa224.runpenguin.online
seob244.runpenguin.online
seob255.runpenguin.online
seoc215.runpenguin.online
seoc224.runpenguin.online
seoc244.runpenguin.online
seoc245.runpenguin.online
test.runpenguin.online
seo25.walkdolphin.online
seo11.tophead.online
seo51.tophead.online
seo81.tophead.online
seoa21.tophead.online
seoa212.tophead.online
seoa22.tophead.online
seoa221.tophead.online
seoa23.tophead.online
seoa232.tophead.online
seoa24.tophead.online
seoa241.tophead.online
seoa242.tophead.online
seoa243.tophead.online
seoa253.tophead.online
seob21.tophead.online
seob213.tophead.online
seob22.tophead.online
seob233.tophead.online
seob251.tophead.online
seob253.tophead.online
seoc21.tophead.online
seoc212.tophead.online
seoc22.tophead.online
seoc221.tophead.online
seoc23.tophead.online
seoc233.tophead.online
seoc24.tophead.online
seoc251.tophead.online
seoc253.tophead.online
seo805-4.walkdolphin.online
seo819-1.walkdolphin.online
seo820-1.walkdolphin.online
seo94.walkdolphin.online
/seeolkxa/

# Reference: https://twitter.com/unmaskparasites/status/1499536320896507906

classicpartnerships.com
specialadves.com
storerightdesicion.com
ads.specialadves.com
click.specialadves.com
links.specialadves.com
refer.specialadves.com
blame.storerightdesicion.com
brr.storerightdesicion.com
chess.storerightdesicion.com
glove.storerightdesicion.com
lin.storerightdesicion.com
line.storerightdesicion.com
store.storerightdesicion.com
event.classicpartnerships.com
events.classicpartnerships.com
scripts.classicpartnerships.com
simple.classicpartnerships.com

# Reference: https://twitter.com/unmaskparasites/status/1503550611756789760

32868.port0.org

# Reference: https://www.wordfence.com/blog/2022/03/increase-in-malware-sightings-on-godaddy-managed-hosting/

http://166.62.110.72
t-fish-ka.ru
