#1250900: Verified Powershell Empire listeners (HTTP/HTTPS)

Description: 002_meterpreter_list.csv

Verified Metasploit Meterpreter handlers (HTTP/HTTPS)

The results in this list were compiled by extracting results from Censys using the query `tags:http AND (8f3ff2e2482468f3b9315a433b383f0cc0f9eb525889a34d4703b7681330a3fb AND NOT "text/html")`. Every result was then checked by requesting a random path, which should return a body with the same hash (the "It works!" page).

Some servers present a different Server header (Apache is the default), but the header can be configured in the Metasploit handler, or the handler may sit behind a proxy.

Verified Powershell Empire listeners (HTTP/HTTPS)

Powershell Empire http listeners show an index page that resembles the IIS7 default page and send an IIS7.5 Server header. Instead of the Windows \r\n line ending they use the Linux \n. The hash of this index page is b8c892fbb49921529be6f6ce17685c31724f76959111b28f39e39dc299b8acaf. The listeners can be verified by requesting non-existent pages and checking for status code 200 (OK) instead of 404 (Not Found). The end of the page contains a random amount of trailing spaces (to defeat signature-based detection).
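The two verification checks described above (the "It works!" hash check for Meterpreter handlers, and the Unix-newline, trailing-padding and 200-on-random-path checks for Empire listeners) can be expressed as triage logic over already-captured HTTP responses. The following is an added example written for this page; it is not code from the gist, from Censys or from the Empire project. It performs no network requests: the `Response` type and the sample responses at the bottom are constructed here, the fake IIS-style page is not the real Empire index page (so it will not hash to the value quoted above), and stripping trailing whitespace before comparing bodies is this example's own choice for matching padded variants.

```python
"""Triage logic for the two verification checks described in the report:

  * Meterpreter handlers: the default "It works!" body must come back
    unchanged (same hash) for a random path.
  * Empire http listeners: an IIS-style index page with Unix newlines,
    a random amount of trailing whitespace, and HTTP 200 for paths that
    do not exist.

Added example, not code from the gist, Censys or the Empire project.
It only classifies already-captured responses; nothing is fetched.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Values quoted in the report.
METERPRETER_BODY = b"<html><body><h1>It works!</h1></body></html>"
EMPIRE_INDEX_SHA256 = "b8c892fbb49921529be6f6ce17685c31724f76959111b28f39e39dc299b8acaf"


@dataclass
class Response:
    status: int
    server: str   # value of the Server response header
    body: bytes


def strip_padding(body: bytes) -> bytes:
    """Drop the variable run of trailing whitespace so padded variants compare alike."""
    return body.rstrip(b" \t\r\n")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unix_newlines_only(body: bytes) -> bool:
    """Empire emits bare \\n; a page served by real IIS would use \\r\\n."""
    return b"\n" in body and b"\r\n" not in body


def meterpreter_indicators(index: Response, random_path: Response) -> dict:
    return {
        "default_body": strip_padding(index.body) == METERPRETER_BODY,
        "random_path_200": random_path.status == 200,
        "same_body_on_random_path": random_path.body == index.body,
    }


def empire_indicators(index: Response, random_path: Response) -> dict:
    idx, rnd = strip_padding(index.body), strip_padding(random_path.body)
    return {
        "iis_server_header": index.server.startswith("Microsoft-IIS/"),
        "unix_newlines": unix_newlines_only(index.body),
        "random_path_200": random_path.status == 200,
        "same_body_on_random_path": idx == rnd,
        # Same page, different padding length between two fetches: a tell by itself.
        "variable_trailing_padding": idx == rnd and index.body != random_path.body,
        # Full-body hash against the value from the report (reference only; the
        # constructed sample below cannot reproduce the real page, so this is False).
        "known_index_hash": sha256_hex(index.body) == EMPIRE_INDEX_SHA256,
    }


def classify(index: Response, random_path: Response) -> Optional[str]:
    """Return 'meterpreter_like', 'empire_like' or None for an (index, random path) pair."""
    m = meterpreter_indicators(index, random_path)
    if m["default_body"] and m["random_path_200"] and m["same_body_on_random_path"]:
        return "meterpreter_like"
    e = empire_indicators(index, random_path)
    if e["random_path_200"] and e["same_body_on_random_path"] and e["unix_newlines"]:
        return "empire_like"
    return None


# Constructed samples, not real captures. FAKE_IIS_PAGE only imitates the shape
# of an IIS-style page; it is not the Empire index page from the report.
FAKE_IIS_PAGE = (b"<!DOCTYPE html>\n<html>\n<head><title>IIS7</title></head>\n"
                 b"<body><h1>Welcome</h1></body>\n</html>")
EMPIRE_INDEX = Response(200, "Microsoft-IIS/7.5", FAKE_IIS_PAGE + b"    ")
EMPIRE_RANDOM = Response(200, "Microsoft-IIS/7.5", FAKE_IIS_PAGE + b"         ")
METERPRETER_INDEX = Response(200, "Apache", METERPRETER_BODY)
METERPRETER_RANDOM = Response(200, "Apache", METERPRETER_BODY)
# An ordinary web server: CRLF newlines and a 404 for the random path.
ORDINARY_INDEX = Response(200, "Microsoft-IIS/7.5", b"<html>\r\n<body>hi</body>\r\n</html>")
ORDINARY_RANDOM = Response(404, "Microsoft-IIS/7.5", b"<html>\r\n<body>Not Found</body>\r\n</html>")

if __name__ == "__main__":
    pairs = {"empire": (EMPIRE_INDEX, EMPIRE_RANDOM),
             "meterpreter": (METERPRETER_INDEX, METERPRETER_RANDOM),
             "ordinary": (ORDINARY_INDEX, ORDINARY_RANDOM)}
    for name, pair in pairs.items():
        print(name, classify(*pair))
```

The random-path fetch is what separates a listener from a genuine default page: a stock Apache "It works!" page or a real IIS welcome page answers 404 for a path that does not exist, while both handlers answer 200 with the same body. The Server header is deliberately not part of the verdict, because the lists show the same listeners behind IIS, nginx and Apache headers.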

Source code of the Empire listener: https://github.com/EmpireProject/Empire/blob/master/lib/listeners/http_com.py

These servers could be malicious, or simply part of a red team engagement.

Thanks to censys.io and Jose.

Columns: organisation (AS name), country, scheme, ip, port, url, status, random path, body (Python bytes), server header
VERSATEL AS for the Trans-European Tele2 IP Transport backbone Netherlands http 87.213.173.189 80 http://87.213.173.189:80/lfgp 200 lfgp b'\n ' Microsoft-IIS/8.5
VERSATEL AS for the Trans-European Tele2 IP Transport backbone Netherlands http 87.213.173.189 8080 http://87.213.173.189:8080/yaig 200 yaig b'\n ' Microsoft-IIS/8.5
DIGITALOCEAN-ASN - DigitalOcean, LLC United States http 159.203.80.170 80 http://159.203.80.170:80/nipk 200 nipk b'\n ' Microsoft-IIS/7.5
DIGITALOCEAN-ASN - DigitalOcean, LLC United States http 159.203.80.170 8080 http://159.203.80.170:8080/ziso 200 ziso b'\n ' Microsoft-IIS/7.5
AS-CHOOPA - Choopa, LLC United States https 107.191.45.224 443 https://107.191.45.224:443/qiaq 200 qiaq b'\n ' Microsoft-IIS/8.5
AS-CHOOPA - Choopa, LLC United States http 107.191.45.224 80 http://107.191.45.224:80/tzep 200 tzep b'\n ' Microsoft-IIS/8.5
DIGITALOCEAN-ASN - DigitalOcean, LLC United States http 167.99.59.24 80 http://167.99.59.24:80/oems 200 oems b'\n ' Microsoft-IIS/7.5
HS Romania http 185.244.149.72 80 http://185.244.149.72:80/pchr 200 pchr b'\n ' Apache/2.4.18 (Ubuntu)
RACKSPACE - Rackspace Hosting United States http 104.130.231.211 80 http://104.130.231.211:80/fqus 200 fqus b'\n ' Microsoft-IIS/7.5
MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation United States http 13.89.241.234 80 http://13.89.241.234:80/tpdm 200 tpdm b'\n ' Microsoft-IIS/7.5
DIGITALOCEAN-ASN - DigitalOcean, LLC Singapore https 159.65.13.63 443 https://159.65.13.63:443/dlux 200 dlux b'\n ' Microsoft-IIS/7.5
AS-CHOOPA - Choopa, LLC United States http 207.148.6.152 80 http://207.148.6.152:80/hrxr 200 hrxr b'\n ' Microsoft-IIS/7.5
AMAZON-02 - Amazon.com, Inc. United States http 18.188.15.242 80 http://18.188.15.242:80/wjwe 200 wjwe b'\n ' Microsoft-IIS/7.5
AMAZON-02 - Amazon.com, Inc. United States http 54.202.79.250 80 http://54.202.79.250:80/ydle 200 ydle b'\n ' Microsoft-IIS/7.5
OVH Canada http 158.69.40.76 80 http://158.69.40.76:80/renq 200 renq b'\n ' Microsoft-IIS/7.5
LINODE-AP Linode, LLC Singapore https 172.104.189.160 443 https://172.104.189.160:443/rtbk 200 rtbk b'\n ' nginx/1.10.3
LINODE-AP Linode, LLC Singapore http 172.104.189.160 80 http://172.104.189.160:80/bvrj 200 bvrj b'\n ' nginx/1.10.3
LEASEWEB-NL-AMS-01 Netherlands Netherlands http 85.17.26.162 8080 http://85.17.26.162:8080/anyl 200 anyl b'\n ' Microsoft-IIS/7.5
BIGHOST-AS Latvia http 80.233.134.250 80 http://80.233.134.250:80/szyb 200 szyb b'\n ' Microsoft-IIS/7.5
MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation Netherlands http 51.144.106.161 80 http://51.144.106.161:80/xytn 200 xytn b'\n ' Microsoft-IIS/7.5
SOFTLAYER - SoftLayer Technologies Inc. Hong Kong http 103.73.66.174 80 http://103.73.66.174:80/eanc 200 eanc b'\n ' Microsoft-IIS/7.5
LINODE-AP Linode, LLC Singapore https 139.162.17.220 443 https://139.162.17.220:443/uiva 200 uiva b'\n ' Microsoft-IIS/7.5
AS-CHOOPA - Choopa, LLC United States https 149.28.245.254 443 https://149.28.245.254:443/nqqg 200 nqqg b'\n ' Microsoft-IIS/8.5
CROWEHORWATH - Crowe Horwath LLP United States https 159.246.29.75 443 https://159.246.29.75:443/jrzq 200 jrzq b'\n ' Microsoft-IIS/7.5
AS-CHOOPA - Choopa, LLC Singapore http 139.180.214.79 80 http://139.180.214.79:80/uxam 200 uxam b'\n ' Microsoft-IIS/7.5
FISHNET-AS Russia http 94.242.55.169 8080 http://94.242.55.169:8080/jnjo 200 jnjo b'\n ' Microsoft-IIS/7.5
ZAPPIE-HOST-AS Zappie Host South Africa https 169.239.129.108 443 https://169.239.129.108:443/luar 200 luar b'\n ' Microsoft-IIS/7.5
IOMART-AS United Kingdom https 109.200.24.62 443 https://109.200.24.62:443/ihwg 200 ihwg b'\n ' Microsoft-IIS/7.5
AMAZON-AES - Amazon.com, Inc. United States http 54.164.52.153 80 http://54.164.52.153:80/tkmy 200 tkmy b'\n ' Nginx
Uninet S.A. de C.V. Mexico http 187.170.207.51 80 http://187.170.207.51:80/rtnp 200 rtnp b'\n ' Microsoft-IIS/7.5
DIGITALOCEAN-ASN - DigitalOcean, LLC Germany http 46.101.240.199 80 http://46.101.240.199:80/vsef 200 vsef b'\n ' Microsoft-IIS/7.5
AMAZON-02 - Amazon.com, Inc. United States http 18.237.164.129 80 http://18.237.164.129:80/zsst 200 zsst b'\n ' Microsoft-IIS/7.5
HS Romania http 185.244.149.74 80 http://185.244.149.74:80/jlxe 200 jlxe b'\n ' Apache/2.4.18 (Ubuntu)
COOOLBOX Bulgaria http 78.130.144.40 80 http://78.130.144.40:80/pdos 200 pdos b'\n ' Microsoft-IIS/7.5
LINODE-AP Linode, LLC Singapore https 139.162.50.77 443 https://139.162.50.77:443/tcuj 200 tcuj b'\n ' Microsoft-IIS/7.5
DIGITALOCEAN-ASN - DigitalOcean, LLC United States http 142.93.49.54 80 http://142.93.49.54:80/hmxe 200 hmxe b'\n ' Microsoft-IIS/7.5
AS-CHOOPA - Choopa, LLC Germany http 45.76.81.45 80 http://45.76.81.45:80/lmvl 200 lmvl b'\n ' Microsoft-IIS/7.0
M247 Denmark https 185.245.84.106 443 https://185.245.84.106:443/apvz 200 apvz b'\n ' Microsoft-IIS/7.5
LITESERVER Netherlands https 5.2.78.70 443 https://5.2.78.70:443/qglq 200 qglq b'\n ' Microsoft-IIS/7.5
OVH France http 54.38.243.190 80 http://54.38.243.190:80/wrzf 404 wrzf b'\n ' Microsoft-IIS/7.5
GOOGLE - Google LLC United States http 35.245.173.143 80 http://35.245.173.143:80/neia 200 neia b'\n ' Microsoft-IIS/7.5
AMAZON-02 - Amazon.com, Inc. United States http 34.223.226.153 80 http://34.223.226.153:80/eizz 200 eizz b'\n ' Microsoft-IIS/7.5
M247 Czechia https 185.216.35.182 443 https://185.216.35.182:443/iuyq 200 iuyq b'\n ' Microsoft-IIS/7.5
GNJ-AS-KR DAOU TECHNOLOGY South Korea https 27.102.112.219 443 https://27.102.112.219:443/gsde 200 gsde b'\n ' Nginx
SHAW - Shaw Communications Inc. Canada https 208.118.68.73 443 https://208.118.68.73:443/byez 200 byez b'\n ' Microsoft-IIS/7.5
MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation United States https 168.61.219.125 443 https://168.61.219.125:443/ocgq 200 ocgq b'\n ' Microsoft-IIS/7.5
LITESERVER Netherlands https 5.2.70.23 443 https://5.2.70.23:443/xwam 200 xwam b'\n ' Microsoft-IIS/7.5
DIGITALOCEAN-ASN - DigitalOcean, LLC Germany http 46.101.231.101 80 http://46.101.231.101:80/izbs 200 izbs b'\n ' Microsoft-IIS/7.5
AS-COLOCROSSING - ColoCrossing United States http 172.245.90.234 80 http://172.245.90.234:80/iinf 200 iinf b'\n ' Microsoft-IIS/7.5
OVH France http 137.74.25.234 8080 http://137.74.25.234:8080/kgaj 200 kgaj b'\n ' Microsoft-IIS/7.5
DIGITALOCEAN-ASN - DigitalOcean, LLC Singapore http 159.65.10.135 8080 http://159.65.10.135:8080/xdoa 200 xdoa b'\n ' Microsoft-IIS/7.5
BANDWIDTH-AS United Kingdom https 5.226.139.30 443 https://5.226.139.30:443/wmwr 200 wmwr b'\n ' Microsoft-IIS/7.5
AMAZON-02 - Amazon.com, Inc. Ireland http 52.50.88.164 8080 http://52.50.88.164:8080/ezes 200 ezes b'\n ' Microsoft-IIS/7.5
AS-COLOCROSSING - ColoCrossing United States https 104.168.61.16 443 https://104.168.61.16:443/htru 200 htru b'\n ' Microsoft-IIS/8.5
PONYNET - FranTech Solutions Luxembourg http 104.244.72.144 80 http://104.244.72.144:80/icbu 200 icbu b'\n ' Microsoft-IIS/7.5
TELLCOM-AS Turkey http 213.74.249.43 80 http://213.74.249.43:80/gnog 200 gnog b'\n ' Microsoft-IIS/7.5
OVH Canada http 66.70.247.98 80 http://66.70.247.98:80/ywda 200 ywda b'\n ' Microsoft-IIS/7.5
DIGITALOCEAN-ASN - DigitalOcean, LLC United States http 165.227.182.106 80 http://165.227.182.106:80/bhxy 200 bhxy b'\n ' Microsoft-IIS/7.5
LITESERVER Netherlands https 5.2.75.112 443 https://5.2.75.112:443/bnom 200 bnom b'\n ' Microsoft-IIS/7.5
AMAZON-AES - Amazon.com, Inc. United States http 54.91.246.45 80 http://54.91.246.45:80/wsdk 200 wsdk b'\n ' Microsoft-IIS/7.5
DIGITALOCEAN-ASN - DigitalOcean, LLC United States http 68.183.120.111 8080 http://68.183.120.111:8080/gple 200 gple b'\n ' Microsoft-IIS/7.5
DIGITALOCEAN-ASN - DigitalOcean, LLC United States http 104.236.186.248 80 http://104.236.186.248:80/qfzl 200 qfzl b'\n ' Microsoft-IIS/7.5
DIGITALOCEAN-ASN - DigitalOcean, LLC Germany http 159.89.99.172

(list truncated; the full CSV is in the gist linked under "More info" below)
First Aid: IOCs:

Columns: scheme, ip, port, url, status, random path, body (Python bytes), server header
https 18.221.129.105 443 https://18.221.129.105:443/wkqp 200 wkqp b'<html><body><h1>It works!</h1></body></html>' nginx/1.10.3 (Ubuntu)
http 18.221.129.105 80 http://18.221.129.105:80/zgdr 200 zgdr b'<html><body><h1>It works!</h1></body></html>' nginx/1.10.3 (Ubuntu)
http 78.40.78.118 80 http://78.40.78.118:80/xosb 200 xosb b'<html><body><h1>It works!</h1></body></html>' Apache
http 208.118.68.77 80 http://208.118.68.77:80/lyya 200 lyya b'<html><body><h1>It works!</h1></body></html>' Apache
https 193.238.47.173 443 https://193.238.47.173:443/xkfh 200 xkfh b'<html><body><h1>It works!</h1></body></html>' Apache
http 95.174.64.99 8080 http://95.174.64.99:8080/earx 200 earx b'<html><body><h1>It works!</h1></body></html>' Apache
https 178.73.220.150 443 https://178.73.220.150:443/mpfv 200 mpfv b'<html><body><h1>It works!</h1></body></html>' Apache
https 58.64.167.53 443 https://58.64.167.53:443/cwsd 200 cwsd b'<html><body><h1>It works!</h1></body></html>' Apache
http 85.13.245.166 8080 http://85.13.245.166:8080/laru 200 laru b'<html><body><h1>It works!</h1></body></html>' Apache
https 34.242.92.127 443 https://34.242.92.127:443/dzdr 200 dzdr b'<html><body><h1>It works!</h1></body></html>' Apache
https 54.85.191.51 443 https://54.85.191.51:443/wkur 200 wkur b'<html><body><h1>It works!</h1></body></html>' Apache
http 54.85.191.51 80 http://54.85.191.51:80/ldpd 200 ldpd b'<html><body><h1>It works!</h1></body></html>' Apache
https 54.84.201.43 443 https://54.84.201.43:443/bajj 200 bajj b'<html><body><h1>It works!</h1></body></html>' Apache
http 54.84.201.43 80 http://54.84.201.43:80/oyqe 200 oyqe b'<html><body><h1>It works!</h1></body></html>' Apache
https 109.234.37.103 443 https://109.234.37.103:443/enrx 200 enrx b'<html><body><h1>It works!</h1></body></html>' Apache
https 80.255.3.94 443 https://80.255.3.94:443/uyec 200 uyec b'<html><body><h1>It works!</h1></body></html>' Apache
https 34.254.165.255 443 https://34.254.165.255:443/fgem 200 fgem b'<html><body><h1>It works!</h1></body></html>' Apache
https 154.70.32.119 443 https://154.70.32.119:443/wsur 200 wsur b'<html><body><h1>It works!</h1></body></html>' Apache
https 89.105.194.202 443 https://89.105.194.202:443/zbns 200 zbns b'<html><body><h1>It works!</h1></body></html>' Apache
https 213.32.95.87 443 https://213.32.95.87:443/waee 200 waee b'<html><body><h1>It works!</h1></body></html>' Apache
https 27.255.92.170 443 https://27.255.92.170:443/imlf 200 imlf b'<html><body><h1>It works!</h1></body></html>' Apache
https 54.36.137.155 443 https://54.36.137.155:443/tkps 200 tkps b'<html><body><h1>It works!</h1></body></html>' Apache
https 54.187.140.101 443 https://54.187.140.101:443/gmbz 200 gmbz b'<html><body><h1>It works!</h1></body></html>' Apache
https 185.202.174.81 443 https://185.202.174.81:443/qerf 200 qerf b'<html><body><h1>It works!</h1></body></html>' Apache
https 103.97.34.86 443 https://103.97.34.86:443/nshn 200 nshn b'<html><body><h1>It works!</h1></body></html>' Apache
https 59.167.178.49 443 https://59.167.178.49:443/gual 200 gual b'<html><body><h1>It works!</h1></body></html>' Apache
https 45.32.117.193 443 https://45.32.117.193:443/hshn 200 hshn b'<html><body><h1>It works!</h1></body></html>' Apache
https 40.143.186.177 443 https://40.143.186.177:443/oocu 200 oocu b'<html><body><h1>It works!</h1></body></html>' Apache

More info: https://gist.github.com/nl5887/230e10909c8369b9586db76f0b12a400#file-002_meterpreter_list-csv

Date added March 15, 2019, 8:34 p.m.
Source Github
Subjects
  • All New Malware Alerts - New Reports / IOCs in
  • General Malware - New Reports in
  • Microsoft Windows PowerShell
  • PowerShell Empire