Hi Brad, On Sun, Jun 23, 2019 at 09:43:00PM +0000, Brad via NANOG wrote:
On Friday, June 21, 2019 6:13 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
https://twitter.com/GreyNoiseIO/status/1129017971135995904 https://twitter.com/JayTHL/status/1128718224965685248
After forwarding these links to a sanitized client on another network, I saw nothing on the "twitter reports" which suggest these subnets are doing anything other than port scanning.
Earlier I posted one example of an attempt to exploit CVE-2019-10149 to execute commands as root on one of my machines. I have 17 other examples from the same IP that try to do similar things via the same exploit, though there are differences which suggest to me that multiple users or groups are using openportstats for this purpose. Would you like to see them? I think that trying to actively exploit a bug to execute arbitrary commands is a lot different to mere port scanning. They aren't all harmless commands either; some of them install rootkits and remote shells. Cheers, Andy