AS202425 = AS29073. Formerly known as Quasi Networks / Ecatel. See previous NANOG thread here:
https://mailman.nanog.org/pipermail/nanog/2017-August/091956.html

On Sat, Jun 22, 2019 at 10:03 AM Keith Medcalf <kmedcalf@dessus.com> wrote:
On Friday, 21 June, 2019 18:14, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
https://twitter.com/GreyNoiseIO/status/1129017971135995904
https://twitter.com/JayTHL/status/1128718224965685248
Sorry, don't twitter ... Too much malicious JavaScript there.
Friday Questionnaire:
Is there anybody on this list who keeps firewall logs and who DOESN'T have numerous hits recorded therein from one or more of the following IP addresses?
I have just a few. They have all been blocked. There have been no incoming sessions established, nor any outbound sessions to these addresses.
Why do you think it is a problem and not just run-of-the-mill background radiation on the Internet?
Do you (or your endpoints) not have a firewall to block such things?
sqlite> select * from hosts where name like '%openports%';
id          address        name                          description  asn         lastupdate
----------  -------------  ----------------------------  -----------  ----------  ----------
3662        93.174.93.241  scanner14.openportstats.com.               202425      1561209704
5061        93.174.95.42   scanner8.openportstats.com.                202425      1560718494
11894       93.174.93.149  scanner6.openportstats.com.                202425      1560732443
17720       93.174.93.98   scanner18.openportstats.com.               202425      1560640554
54208       80.82.70.2     scanner8.openportstats.com.                202425      1560774033
54790       89.248.160.13  scanner15.openportstats.com.               202425      1560682732
55081       89.248.168.19  scanner16.openportstats.com.               202425      1561158220
55629       89.248.168.17  scanner17.openportstats.com.               202425      1560817976
59858       89.248.171.57  scanner20.openportstats.com.               202425      1560800216
64626       89.248.171.38  scanner7.openportstats.com.                202425      1560841829
70081       93.174.95.37   scanner19.openportstats.com.               202425      1560802023
72978       80.82.70.216   scanner13.openportstats.com.               202425      1560709312
74711       94.102.52.245  scanner9.openportstats.com.                202425      1560589038
80358       89.248.162.16  scanner5.openportstats.com.                202425      1561217966
86148       89.248.172.18  scanner25.openportstats.com.               202425      1560884061
89484       94.102.51.31   scanner31.openportstats.com.               202425      1561199715
90131       80.82.70.198   scanner21.openportstats.com.               202425      1560776777
90531       80.82.78.104   scanner151.openportstats.com               202425      1561150052
91641       80.82.64.21    scanner29.openportstats.com.               202425      1561184548
104810      94.102.51.98   scanner55.openportstats.com.               202425      1561138118
sqlite> select * from asns where asn=202425;
asn         country     rir         allocated   description      lastupdate
----------  ----------  ----------  ----------  ---------------  ----------
202425      SC          ripencc     2018-05-17  INT-NETWORK, SC  1561217966
sqlite> select srcaddress, count(*), min(localtime), max(localtime) from firewalllog where srcaddress in (select address from hosts where name like '%openportstats.com.') group by srcaddress;
srcaddress   count(*)    min(localtime)                  max(localtime)
-----------  ----------  ------------------------------  ------------------------------
80.82.64.21  6           2019-03-28 05:21:13.919 -06:00  2019-03-31 06:47:28.309 -06:00
80.82.70.2   208         2019-01-23 12:58:02.557 -07:00  2019-04-02 06:37:43.125 -06:00
80.82.70.19  114         2019-03-25 14:13:17.058 -06:00  2019-04-02 06:39:57.214 -06:00
80.82.70.21  17970       2019-02-25 13:34:52.202 -07:00  2019-04-24 19:27:58.113 -06:00
80.82.78.10  767         2019-03-26 08:37:53.799 -06:00  2019-06-21 15:27:05.791 -06:00
89.248.160.  1754        2019-01-24 12:40:58.764 -07:00  2019-04-13 05:02:00.866 -06:00
89.248.162.  1384        2019-03-09 16:21:40.538 -07:00  2019-06-22 09:39:26.809 -06:00
89.248.168.  43          2019-01-25 18:52:41.512 -07:00  2019-03-28 06:57:15.269 -06:00
89.248.168.  1543        2019-01-24 23:03:14.052 -07:00  2019-04-23 01:46:26.558 -06:00
89.248.171.  22          2019-02-10 12:14:00.168 -07:00  2019-02-12 14:16:40.212 -07:00
89.248.171.  1850        2019-02-01 18:06:15.893 -07:00  2019-06-17 13:36:56.062 -06:00
89.248.172.  3           2019-03-18 20:33:50.209 -06:00  2019-03-23 16:47:31.949 -06:00
93.174.93.9  67          2018-12-08 17:42:28.122 -07:00  2019-04-01 03:24:06.896 -06:00
93.174.93.1  16          2018-12-04 03:34:47.534 -07:00  2019-05-07 01:34:27.308 -06:00
93.174.93.2  1661        2018-11-23 10:13:06.957 -07:00  2019-06-22 07:21:44.239 -06:00
93.174.95.3  144         2019-02-20 08:06:52.282 -07:00  2019-02-28 02:30:39.109 -07:00
93.174.95.4  252         2018-11-24 22:14:19.061 -07:00  2019-03-03 19:04:48.709 -07:00
94.102.51.3  262         2019-03-24 10:03:55.679 -06:00  2019-06-22 04:35:15.886 -06:00
94.102.51.9  32          2019-04-28 08:52:43.818 -06:00  2019-05-17 11:22:16.166 -06:00
94.102.52.2  38          2019-02-28 12:45:52.949 -07:00  2019-03-07 07:30:03.547 -07:00
NOTE: Dshield has already assigned an 8 rating on their Badness Richter Scale to the specific one of the above addresses that's been poking me personally in recent days:
https://www.dshield.org/ipinfo.html?ip=89.248.162.168
https://www.dshield.org/ipdetails.html?ip=89.248.162.168
And the Dshield rating is *just* based on the probing. The addition of malware slinging also puts this whole mess over the top entirely.
What malware slinging? I see none of that. Merely unsolicited incoming connection attempts. I note that neither the ASN in question nor the addresses are on the DROP list.
Oh! And I'll save you all the time looking it up.... 100% of the IPs listed above are on AS202425 "IP Volume, Inc." allegedly of the Seychelles Islands, where the employees and management are no doubt enjoying their luxurious and expansive new corporate headquarters...
Good for them. Everyone should have luxurious and expansive corporate headquarters.
Malicious link detected.
-- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
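The correlation Keith runs above (firewall log joined to a hosts table by reverse-DNS suffix, with the ASN carried alongside) reduced to a self-contained, runnable form. This is an added example, not code from the thread or from any of its participants: it uses Python's sqlite3 module against constructed tables whose names and columns follow the queries quoted above, populated with documentation-range addresses, a made-up scanner domain and a private-use ASN rather than the data in the thread.

```python
import sqlite3

# Constructed sample data (not from the thread): a hosts table keyed by reverse
# DNS name and ASN, and a firewall log of dropped inbound connection attempts.
HOSTS = [
    # (address, name, asn) -- names are FQDNs with a trailing dot, as in the thread
    ("192.0.2.10", "scanner1.example-scanner.test.", 64496),
    ("192.0.2.11", "scanner2.example-scanner.test.", 64496),
    ("198.51.100.7", "mail.example.org.", 64497),
]

FIREWALL_LOG = [
    # (srcaddress, dstport, localtime) -- one row per blocked inbound attempt
    ("192.0.2.10", 22, "2019-06-20 08:01:12"),
    ("192.0.2.10", 23, "2019-06-21 09:30:00"),
    ("192.0.2.10", 445, "2019-06-22 10:15:44"),
    ("192.0.2.11", 3389, "2019-06-19 01:00:00"),
    ("198.51.100.7", 25, "2019-06-22 07:00:00"),
    ("203.0.113.9", 80, "2019-06-22 07:05:00"),
]


def build_db():
    """Load the constructed data into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (address TEXT, name TEXT, asn INTEGER)")
    conn.execute("CREATE TABLE firewalllog (srcaddress TEXT, dstport INTEGER, localtime TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?)", HOSTS)
    conn.executemany("INSERT INTO firewalllog VALUES (?, ?, ?)", FIREWALL_LOG)
    return conn


def scanner_hits(conn, name_suffix):
    """Per-source hit count and first/last seen for sources whose reverse
    name ends with name_suffix; the same shape as the thread's query."""
    return conn.execute(
        """SELECT srcaddress, COUNT(*), MIN(localtime), MAX(localtime)
             FROM firewalllog
            WHERE srcaddress IN (SELECT address FROM hosts WHERE name LIKE ?)
            GROUP BY srcaddress ORDER BY srcaddress""",
        ("%" + name_suffix,),
    ).fetchall()


def hits_by_asn(conn, asn):
    """Total blocked attempts attributable to one ASN via the hosts table."""
    (total,) = conn.execute(
        """SELECT COUNT(*) FROM firewalllog f JOIN hosts h ON h.address = f.srcaddress
            WHERE h.asn = ?""", (asn,)).fetchone()
    return total
```

Timestamps are stored as uniform ISO-style text so MIN/MAX compare correctly; the thread's mixed -06:00/-07:00 offsets would need normalising to UTC first.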