# Copyright (c) 2014-2018 Miroslav Stampar (@stamparm)
# See the file 'LICENSE' for copying permission

# Note: jgou.veia@gmail.com (e-mail address used in the WHOIS records)

# Reference: https://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-trojan.rules

195.22.26.231
195.22.26.232

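# 195.22.26.192/26 (addresses commented out in this block are skipped here; the trailing comment gives the hostname or a reference)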

195.22.26.192
195.22.26.193
195.22.26.194
195.22.26.195
195.22.26.196
195.22.26.197
195.22.26.198
195.22.26.199
195.22.26.200
195.22.26.201
195.22.26.202
195.22.26.203
195.22.26.204
195.22.26.205
195.22.26.206
195.22.26.207
195.22.26.208
195.22.26.209
195.22.26.210
# 195.22.26.211  # relay.net.vodafone.pt
# 195.22.26.212  # relay2.net.vodafone.pt
# 195.22.26.213  # relay3.net.vodafone.pt
# 195.22.26.214  # relay4.net.vodafone.pt
195.22.26.215
195.22.26.216
# 195.22.26.217  # anubisnetworks.com
195.22.26.218
195.22.26.219
195.22.26.220
195.22.26.221
195.22.26.222
195.22.26.223
195.22.26.224
195.22.26.225
195.22.26.226
195.22.26.227
195.22.26.228
195.22.26.230
195.22.26.231
195.22.26.232
195.22.26.233
195.22.26.234
195.22.26.235
195.22.26.236
195.22.26.237
195.22.26.238
195.22.26.239
195.22.26.240
195.22.26.241
195.22.26.242
195.22.26.243
195.22.26.244
195.22.26.245
195.22.26.246
195.22.26.247
# 195.22.26.248 is listed further below, together with the anbtr.com addresses (Reference: https://www.alienvault.com/forums/discussion/10634/multiple-alarms-for-sinkhole-anubis-this-week)
195.22.26.249
195.22.26.250
195.22.26.251
195.22.26.252
195.22.26.253
195.22.26.254
195.22.26.255

# Reference: https://www.virustotal.com/en/ip-address/195.22.26.248/information/
# Reference: https://www.zoomeye.org/search?q=snkz%3D
# Note: on reaching the sinkhole, every domain gets the prefix [x]sso. (i.e. sso.<domain> or xsso.<domain>)

# Marker seen in HTTP responses: Set-Cookie: snkz=x.y.z.w (x.y.z.w is a placeholder for a dotted-quad value)

anbtr.com

92.54.28.100
195.22.28.194
195.22.28.195
195.22.28.196
195.22.28.197
195.22.28.198
195.22.28.199
195.22.28.200
195.22.28.221
195.22.28.222
195.22.26.248

# URL prefixes from which the original (sinkholed) domain can be recovered in a redirected URL

sso.anbtr.com/domain/
xsso.anbtr.com/domain/

# Reference: https://www.virustotal.com/en/ip-address/195.157.15.100/information/
195.157.15.100

# Reference: https://www.virustotal.com/en/ip-address/195.38.137.100/information/
195.38.137.100

# Reference: https://www.virustotal.com/en/ip-address/212.61.180.100/information/
212.61.180.100

# Reference: https://www.threatcrowd.org/ip.php?ip=89.185.44.100

89.185.44.100

# Miscellaneous addresses (e.g. those showing the Set-Cookie: snkz= marker)
# Note: https://www.virustotal.com/#/domain/anam0rph.su

195.38.137.100
195.22.4.21
63.251.126.8
63.251.126.7
63.251.126.6
63.251.126.9
63.251.126.14
63.251.126.13
63.251.126.12
63.251.126.10
212.61.180.100
195.22.4.21
195.38.137.100