Re: Russian Anal Probing + Malware

...

It's just a port/vulnerability scanner, I really don't see anything special about this particular case.

they are pushing exploits. trying to RCE, wget a binary, chmod 777 on routers and rm -rf files.

this goes way beyond scanner and into criminal trespass and destruction of property.

https://twitter.com/JayTHL/status/1128700101675954176

having trouble following the attribution. yes, of course there are folk trying to exploit. but missing the link that *these* folk are. e.g. i am aware of researchers scanning to see patching spread and trying to make a conext paper dreadline this week or infocom next month. hard to tell the sheep from the goats and the wolf from the sheep. i get the appended. sheep or wholf? i sure do not claim to be smart enough to know. but i sure am glad others are </snark>. randy --- Jun 20 18:53:23 winnti-scanner-victims-will-be-notified.threatsinkhole.com �V�Dz/� Jun 20 18:53:23 ran rsyslogd: imtcp imtcp: Framing Error in received TCP message from peer: (hostname) winnti-scanner-victims-will-be-notified.threatsinkhole.com, (ip) winnti-scanner-victims-will-be-notified.threatsinkhole.com: delimiter is not SP but has ASCII value -51. [v8.32.0] Jun 20 18:53:55 winnti-scanner-victims-will-be-notified.threatsinkhole.com �t�C� #000F#000#000#000#000#000����#000#000#000#000#001#004F#000#000#000#003#010�=)�#027�$��#000#000#000#000#000++#000#000#000#000(#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#001#001#000#000#000#000#026#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#004#000#000#000#000#000#000#000#000#000#004#000#000#000#000