0xDanielLopez/TweetFeed

How to rely on posts like this?

xes opened this issue · 11 comments

Hi, that IOC has been removed. FYI: if I see an account defanging many legitimate sites I add it to the blacklist (not this case yet).

Thanks for the info.

xes commented

Thank you very much!
Please give a look also to:

2022-09-15 02:08:56,1ZRR4H,domain,windows.net,,https://twitter.com/1ZRR4H/status/1570233170997694466
2022-07-20 09:57:23,BushidoToken,domain,translate.goog,,https://twitter.com/BushidoToken/status/1549694951956660225
2022-09-14 00:53:46,pingineer_jp,domain,g-ec2.images-amazon.com,#phishing #scam,https://twitter.com/pingineer_jp/status/1569851866812661764

All these IOCs have been removed. Thank you!

Done. I already knew about the last 2, but I left them a few days for hunting purposes. And the first one was already cleaned.

All of them are out now. Thanks!

xes commented

Please be patient...
I think there is a parsing problem, or the format of FromPorts' posts is impossible to manage.

An example:

2022-04-09 06:56:34,FromPorts,url,https://aruba.it/,#phishing,https://twitter.com/FromPorts/status/1512685889033543683
2022-06-15 18:44:01,FromPorts,url,https://aruba.it/,#phishing,https://twitter.com/FromPorts/status/1537143909364731904
2022-09-16 12:32:20,FromPorts,url,https://aruba.it/,#phishing,https://twitter.com/FromPorts/status/1570752444682076161

You can identify a lot of those examples with a grep, where in fact those are domains and not URLs.
(Many are malicious, others are regular domains.)

grep -i -r "FromPorts,url.*/,#" *

You're right. I made a search and found many non-malicious sites, as he defangs malicious and legitimate sites alike.

curl -s https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv | awk -F, '$2 == "FromPorts" && $3 == "url"' | cut -d, -f4


Removing the sites above and blacklisting this account for now.
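A scripted form of the two checks this exchange describes (the grep for FromPorts "url" rows that are really bare domains, and the curl/awk per-account filter), added here as an example that is not part of the TweetFeed project: it runs over a constructed sample in the feed's CSV layout (date,user,type,value,tags,tweet_url); the allowlist of known-good domains and the helper names are assumptions.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample in TweetFeed's CSV layout (date,user,type,value,tags,tweet_url).
# The first two rows mirror the thread; the rest are made-up contrast rows.
SAMPLE_CSV = """\
2022-04-09 06:56:34,FromPorts,url,https://aruba.it/,#phishing,https://twitter.com/FromPorts/status/1512685889033543683
2022-09-15 02:08:56,1ZRR4H,domain,windows.net,,https://twitter.com/1ZRR4H/status/1570233170997694466
2022-04-10 00:00:00,FromPorts,url,https://www.aruba-area-fattura.com/,#phishing,https://twitter.com/FromPorts/status/0
2022-04-11 00:00:00,FromPorts,url,https://example-host.invalid/login/index.php,#phishing,https://twitter.com/FromPorts/status/1
2022-04-12 00:00:00,SomeOther,url,https://example.invalid/,#phishing,https://twitter.com/SomeOther/status/2
"""
FIELDS = ["date", "user", "type", "value", "tags", "tweet"]

def parse_feed(text):
    """Parse TweetFeed CSV text into one dict per row, keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]

def is_bare_domain_url(value):
    """True when a 'url' value is only scheme plus host (path empty or '/', no query):
    the shape the thread's grep 'FromPorts,url.*/,#' is hunting for."""
    parts = urlsplit(value)
    return bool(parts.netloc) and parts.path in ("", "/") and not parts.query

def suspect_rows(rows, user=None):
    """Rows typed 'url' that are really bare domains, optionally limited to one
    account (the awk '$2 == user && $3 == "url"' filter from the thread)."""
    return [r for r in rows
            if r["type"] == "url"
            and (user is None or r["user"] == user)
            and is_bare_domain_url(r["value"])]

def allowlisted_hits(rows, allowlist, user=None):
    """Suspect rows whose host is, or sits under, a known-good domain (assumed
    reviewer-maintained list); many of these from one account is the signal the
    maintainer describes using before blacklisting that account."""
    hits = []
    for r in suspect_rows(rows, user):
        host = urlsplit(r["value"]).hostname or ""
        if any(host == d or host.endswith("." + d) for d in allowlist):
            hits.append(r)
    return hits

if __name__ == "__main__":
    feed = parse_feed(SAMPLE_CSV)
    for r in allowlisted_hits(feed, ["aruba.it", "microsoft.com"], user="FromPorts"):
        print("legit site reported as url:", r["user"], r["value"], r["tweet"])
```

Pointed at the real feed (the curl command above writes it to stdout), the allowlist is the part a reviewer has to maintain by hand; the bare-domain test alone only narrows the rows worth eyeballing.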

xes commented

Thank you very much!

Thank you for your feedback @xes !

xes commented

Also this one should be removed (about customervoice.microsoft.com)
https://twitter.com/1ZRR4H/status/1583521428703322113

It's been removed. Thank you!