Suricata Network IDS.

Suricata → High & Medium Alert IPs – Australia – November 2025

Executive Summary

Ah, November. While most were busy stocking up on holiday cheer, some shady characters were on a different mission. During this jolly period, the Suricata IDS (T-Pot Sydney) decided to play Grinch and caught hordes of dubious IPs, up to no good across Australia. From attempts to play superuser to dubious downloads that your mother warned you about, the month's activity was an eyebrow-raiser. All signs point to Mirai-style botnets throwing a party we weren't invited to, hosted thanks to some accommodating ISPs around the globe.

Key Stats

• Timeframe: November 2025
• Sensor: Suricata IDS (T-Pot Sydney)
• Volume: Hundreds of attempts targeting IoT devices, with a heavy hand on admin privilege exploitation.
• Noteworthy ASNs & Infra:
  • Data Communication Business Group (ASN: 3462)
  • DigitalOcean (ASN: 14061)
  • Hurricane Electric (ASN: 6939)
  • Contabo GmbH (ASN: 51167)
  • RailTel Corporation of India Ltd (ASN: 24186)

Campaign Narrative

The plot's as thick as grandma's stew—various actors squatted on a mix of half-respectable cloud hosts and questionable backstreets of the internet. While most folks were worrying about stuffing turkeys, this crowd was more into stuffing admin creds and POST requests into unsuspecting devices. The activity smells distinctly of opportunism, the kind you wouldn't clap for in a sitcom.

Infrastructure Details

Oh, hosting providers, the Robin Hoods of our story—if Robin Hood decided to rob the rich and give to... malware-spewing botnets. This month, DigitalOcean and Hurricane Electric were headliners, hosting malware that makes your average crimeware look downright pedestrian. Contabo and RailTel weren't far behind, supporting a delightful array of scanning hosts channelling their inner Mirai.

Bulletproof hosts were rolling out the digital red carpet, laced with late-night IOT downloader traffic. Meanwhile, Datacamp Limited made a cameo appearance, potentially catering to the more "research-oriented" neighbours, bless their proactive hearts.

Malware and Behaviour

Meet the cast: a medley of vulnerabilities and dubious JavaScript antics, from VXWORKS Urgent11 championship exploits to the ever-so-stylish CVE-2020-11900. It's all about forcing admin privileges through the window while legitimate configs take the front door. These actors love nothing more than IoT malware slathered in POST request sauce—a favourite recipe of the so-helpfully-detailed crimeware cookbook.

Detection and Mitigation

• Firewall Efficacy: Consider putting the screws on those pesky ports like 8080 and 49152. If it sounds unfamiliar and feels a tad Mirai-esque, lock it up.

• Intelligent Log Focus: Time to stop relying on wishful thinking. Glance over the logs for anomalies, particularly attempted privilege escalations and unexpected device chatter.

• Prioritise Patch Management: Patch. Everything. Yesterday. Those CVEs won't fix themselves, and nothing ruins a hacker's day more than fully updated firmware.

• Quarantine Measures: Isolate infected IoT devices faster than you’d dive for the last slice of cake at a party. Trust me, your network will thank you.

Closing Thoughts

As we head into December, let's hope the gift of knowledge and mitigation keeps the malware bah-humbug down. Yes, it's another campaign from the depths of the internet's less charming neighbourhoods, but chin up. With the right mix of monitoring, patching, and slightly paranoid vigilance, you can tell these malefactors to “do one” until the new year and beyond.

Stay watchful, be grumpy, and may your networks remain unbreached!