# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/ninoseki/status/1168102281713045504
# Reference: https://otx.alienvault.com/pulse/5be215744ab6fe50c74e94e6
# Reference: https://blog.netlab.360.com/70-different-types-of-home-routers-all-together-100000-are-being-hijacked-by-ghostdns-en/

http://104.196.177.180
http://104.196.232.200
http://104.197.106.6
http://104.198.54.181
http://104.198.77.60
http://104.199.77.41
http://104.248.155.139
http://107.155.132.186
http://107.155.152.10
http://107.155.152.16
http://132.148.148.78
http://139.60.162.188
http://139.60.162.201
http://144.22.104.185
http://155.94.88.155
http://162.216.152.58
http://166.62.103.184
http://173.82.168.104
http://185.137.94.120
http://185.162.229.147
http://185.70.186.4
http://191.252.191.180
http://191.252.203.201
http://192.99.133.147
http://192.99.187.193
http://198.27.121.241
http://198.50.212.232
http://198.50.222.139
http://200.196.240.104
http://200.196.240.120
http://34.73.48.65
http://34.83.129.246
http://35.185.127.39
http://35.185.9.164
http://35.187.149.224
http://35.187.202.208
http://35.187.238.80
http://35.187.246.103
http://35.188.134.185
http://35.189.101.217
http://35.189.125.149
http://35.189.30.127
http://35.189.59.155
http://35.189.63.168
http://35.189.92.68
http://35.194.197.94
http://35.195.116.90
http://35.195.176.44
http://35.196.101.227
http://35.196.89.26
http://35.197.148.253
http://35.197.160.167
http://35.197.172.214
http://35.198.11.42
http://35.198.203.18
http://35.198.22.154
http://35.198.31.197
http://35.198.39.201
http://35.198.5.34
http://35.198.56.227
http://35.198.74.14
http://35.199.117.75
http://35.199.151.193
http://35.199.2.186
http://35.199.61.19
http://35.199.66.147
http://35.199.75.224
http://35.199.77.82
http://35.199.98.107
http://35.200.179.26
http://35.200.186.172
http://35.200.28.69
http://35.201.11.237
http://35.201.4.21
http://35.203.111.239
http://35.203.116.212
http://35.203.135.65
http://35.203.143.138
http://35.203.167.224
http://35.203.18.30
http://35.203.183.182
http://35.203.25.136
http://35.203.3.16
http://35.203.48.110
http://35.203.5.160
http://35.203.8.203
http://35.203.81.109
http://35.203.85.130
http://35.203.99.113
http://35.204.103.135
http://35.204.146.109
http://35.204.148.156
http://35.204.237.126
http://35.204.51.103
http://35.204.77.160
http://35.204.80.189
http://35.205.148.72
http://35.205.24.104
http://35.207.28.174
http://35.221.109.188
http://35.221.110.75
http://35.221.192.155
http://35.221.71.123
http://35.227.25.22
http://35.228.156.223
http://35.228.156.99
http://35.228.240.14
http://35.228.244.19
http://35.228.73.198
http://35.228.90.15
http://35.230.104.237
http://35.230.149.66
http://35.230.158.25
http://35.230.162.54
http://35.230.165.35
http://35.230.38.33
http://35.231.163.40
http://35.231.52.239
http://35.231.68.186
http://35.232.10.244
http://35.233.135.207
http://35.234.131.31
http://35.234.136.116
http://35.234.155.174
http://35.234.156.85
http://35.234.158.120
http://35.234.77.117
http://35.234.89.25
http://35.234.94.97
http://35.235.89.254
http://35.236.116.201
http://35.236.117.108
http://35.236.2.49
http://35.236.203.212
http://35.236.205.241
http://35.236.222.1
http://35.236.246.82
http://35.236.25.247
http://35.236.254.11
http://35.236.34.51
http://35.236.46.246
http://35.236.94.2
http://35.237.127.167
http://35.237.204.11
http://35.237.215.211
http://35.237.32.144
http://35.237.68.143
http://35.237.98.219
http://35.238.4.122
http://35.238.74.24
http://35.240.156.17
http://35.240.176.163
http://35.240.212.106
http://35.240.234.169
http://35.240.94.181
http://35.241.151.23
http://35.242.134.99
http://35.242.140.13
http://35.242.143.117
http://35.242.152.241
http://35.242.203.94
http://35.242.245.109
http://35.243.195.131
http://35.247.224.113
http://40.114.78.143
http://40.74.85.45
http://51.68.184.181
http://51.75.89.185
http://52.234.212.27
http://80.211.37.41
http://93.188.161.184

# Reference: https://decoded.avast.io/simonamusilova/ghostdns-exploit-kit-strikes-back/

http://138.197.149.162
avast.users.scale.virtualcloud.com.br
cvtonelli.com.br
novonovonovo.users.scale.virtualcloud.com.br

# Reference: https://www.platinbilisim.com.tr/TR/Medya/Duyurular/dikkat-ghost-dns-261 (Turkish)
# Reference: https://blog.netlab.360.com/70-different-types-of-home-routers-all-together-100000-are-being-hijacked-by-ghostdns-en/

139.60.162.188:53
139.60.162.201:53
144.22.104.185:53
173.82.168.104:53
18.223.2.98:53
192.99.187.193:53
198.27.121.241:53
200.196.240.104:53
200.196.240.120:53
35.185.9.164:53
80.211.37.41:53

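# Reference: https://github.com/reaperb0t/GhostDNS/blob/master/Remote_DNS_Changing_Exploits_not_GHOSTDNS_specific/37214.txt
# Note: per the repository path, this source and the next one (42197.sh) are generic DNS-changing exploit listings, not GhostDNS-specific.
# Note: the resolver addresses taken from them may be sample values rather than observed infrastructure; confirm before treating a hit as high-confidence.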

133.71.33.7:53

# Reference: https://github.com/reaperb0t/GhostDNS/blob/master/Remote_DNS_Changing_Exploits_not_GHOSTDNS_specific/42197.sh

133.7.133.7:53

# Reference: https://twitter.com/ninoseki/status/1207634830927679488

107.155.152.15:53

# Reference: https://twitter.com/ninoseki/status/1250014776014454784

167.114.178.206:53

# Reference: https://twitter.com/bad_packets/status/1264290514406240257
# Reference: https://twitter.com/bad_packets/status/1295782392649535488
# Reference: https://otx.alienvault.com/pulse/5f57d49ace88612cf9f49b34
# Reference: https://team-cymru.com/2020/09/08/ghostdnsbusters/
# Reference: https://team-cymru.com/blog/2020/10/07/ghostdnsbusters-part-2/
# Reference: https://cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/

http://104.215.74.207
http://107.155.132.188
http://107.155.152.21
http://107.155.152.24
http://107.155.152.26
http://107.155.152.28
http://107.155.152.3
http://134.209.194.220
http://149.56.79.215
http://149.56.79.217
http://161.35.82.213
http://164.90.195.195
http://167.172.47.178
http://178.62.205.16
http://178.62.208.183
http://178.62.211.51
http://192.99.208.102
http://200.98.134.184
http://209.61.253.201
http://23.101.189.23
http://35.203.119.123
http://45.62.198.154
http://45.62.198.155
http://45.62.198.156
http://45.62.198.157
http://45.62.198.160
http://45.62.198.161
http://45.62.198.162
http://45.62.198.163
http://45.62.198.165
http://45.62.198.166
http://51.159.71.63
http://64.225.66.217
http://65.52.36.98
http://70.37.165.155
http://70.37.90.42
107.155.132.186:53
107.155.132.189:53
107.155.152.13:53
107.155.152.14:53
107.155.152.15:53
107.155.152.17:53
107.155.152.20:53
107.155.152.27:53
107.155.152.28:53
107.155.152.5:53
111.90.159.53:53
144.217.42.134:53
149.56.152.185:53
162.248.164.36:53
192.169.7.38:53
192.95.42.19:53
45.62.198.242:53
45.62.198.243:53
45.62.198.73:53
45.62.198.74:53
45.62.198.89:53
51.81.27.247:53
80.82.77.163:53
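# Note: the two entries below are the IPv4-mapped IPv6 forms of 45.62.198.73 and 45.62.198.74, which are also listed above.
[0:0:0:0:0:ffff:2d3e:c649]:53
[0:0:0:0:0:ffff:2d3e:c64a]:53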

# Reference: https://twitter.com/albertzsigovits/status/1323211552380588032
# Reference: https://urlscan.io/result/5a9b6153-e218-4051-9ec0-b89caafbb4e0/

http://91.234.99.178

# Reference: https://twitter.com/ninoseki/status/1339464021389365249

3.131.142.96:53
http://3.25.124.206

# Reference: https://twitter.com/MrsYisWhy/status/1342380641539796993
# Reference: https://twitter.com/bad_packets/status/1330346587126632451

158.69.37.88:53
167.114.138.250:53
192.95.59.130:53

# Reference: https://twitter.com/siimi_m_/status/1349796184370634754

62.182.83.86:53

# Reference: https://twitter.com/teamcymru/status/1354059873953132547
# Reference: https://team-cymru.com/blog/2021/01/26/illuminating-ghostdns-infrastructure/

http://144.217.105.149
http://18.197.159.147
http://45.62.198.176
http://45.62.198.69
http://47.88.76.58
http://68.183.245.48
192.95.63.156:53
45.62.198.50:53
45.62.198.54:53
51.81.101.114:53
51.81.28.240:53

# Reference: https://twitter.com/ninoseki/status/1356455460778299392
# Reference: https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_101_josh-niseki_jp.pdf (slide 37)

185.125.216.173:53
206.166.251.163:53

# Reference: https://twitter.com/AvastThreatLabs/status/1536322428875440129

asamas.com.br/loja01
167.114.43.24:53
66.70.155.224:53

# Generic (host-independent URL path and query-string pattern)

/api.init.php?d=
