I've been seeing a lot of rejections in my logs for 2323/tcp. According to the Storm Center, this is what the Mirai botnet scanner uses to look for other target devices.

Is it worthwhile to report sightings to the appropriate abuse addresses? (That assumes there *is* an abuse address associated with the IPv4 address that is the source.) Would administrations receiving these notices do anything with them?

Alternatively, is there anyone collecting this information from people like me to expose the IP addresses of possible infections?

I am toying with the idea of setting up a honey-pot, but I'm so far behind with $DAYJOB that such a project will have to wait a bit.

I want to be a good net citizen. I also want to make sure I'm not wasting my time.

Today's crop:
1.34.169.183 12.221.236.2 14.138.22.12 14.169.142.30 14.174.71.158 14.177.197.101 31.168.146.33 31.168.212.174 36.71.224.179 36.72.253.206 37.106.18.86 42.115.187.189 42.117.254.248 42.119.228.222 43.225.195.180 46.59.6.249 49.114.192.91 58.11.238.146 58.186.231.59 59.8.136.21 59.49.191.4 59.57.68.56 59.126.35.47 59.126.242.70 59.127.104.67 59.127.242.8 60.251.125.125 61.219.165.38 73.84.152.194 78.179.113.148 78.186.61.30 78.189.169.142 78.226.222.234 79.119.74.255 81.16.8.193 81.101.233.14 81.214.121.43 81.214.134.133 81.214.137.197 82.77.68.189 83.233.40.141 85.96.202.199 85.99.121.41 85.238.103.111 86.121.225.48 87.251.252.22 88.249.224.167 89.122.87.239 89.151.128.198 90.177.91.201 92.53.52.235 92.55.231.90 94.31.239.178 94.254.41.152 94.255.162.90 95.78.245.54 95.106.34.92 95.161.236.182 96.57.103.19 101.0.43.13 108.203.68.245 110.55.108.215 110.136.233.10 112.133.69.176 112.165.93.130 112.186.42.216 113.5.224.110 113.161.64.11 113.169.18.153 113.171.98.158 113.172.4.204 113.183.204.112 113.188.44.246 114.32.28.219 114.32.87.32 114.32.189.5 114.34.29.167 114.34.170.10 114.35.153.123 114.226.53.133 115.76.127.118 116.73.65.248 116.100.170.92 117.0.7.77 117.1.26.234 117.195.254.3 118.32.44.99 118.42.15.21 118.43.112.120 118.100.64.159 118.163.191.208 119.199.160.207 119.202.78.47 120.71.215.81 121.129.203.22 121.178.104.129 121.180.53.143 122.117.245.28 123.9.72.86 123.16.78.77 123.23.49.149 123.24.108.10 123.24.250.187 123.25.74.209 123.27.159.13 123.240.245.72 124.66.99.251 124.131.28.38 125.166.193.206 125.227.138.132 138.204.203.66 171.97.245.221 171.224.7.147 171.226.20.220 171.232.118.93 171.248.210.120 171.249.223.213 171.250.26.209 173.56.21.67 175.138.81.130 175.203.202.232 175.207.137.139 175.211.251.156 177.207.49.108 177.207.67.170 177.223.52.193 178.222.246.96 179.4.140.63 179.235.55.39 179.253.163.107 180.73.117.62 180.254.224.10 182.37.156.98 182.180.80.75 182.180.123.43 183.46.49.216 183.144.245.235 186.19.48.158 186.69.170.130 186.219.1.156 
187.104.248.17 187.211.63.51 188.209.153.15 189.101.220.244 189.234.9.147 191.103.35.250 191.180.198.31 191.249.21.41 196.207.83.23 197.224.37.108 201.243.225.103 210.178.250.121 211.7.146.51 211.216.202.191 213.5.216.213 213.14.195.100 213.170.76.149 217.129.243.48 218.161.121.178 218.186.43.224 220.85.169.133 220.132.111.124 220.133.24.142 220.133.198.71 220.133.234.229 220.134.132.200 220.134.193.133 220.135.64.43 221.145.147.78 221.159.105.17 221.167.64.53 222.254.238.188 223.154.223.159
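Turning a day's rejections into something an abuse desk can act on, as an added example that is not part of the original post: parse netfilter REJECT lines, keep only TCP SYNs to 23/2323 (a UDP probe to 2323 is deliberately excluded), dedupe per source with first/last seen, pull the abuse mailbox out of an RDAP response, and emit a report with the raw evidence lines. The log lines, the RDAP answers and all addresses are constructed (documentation ranges); rdap.org is the public RDAP bootstrap redirector, but no network lookup is performed here; the syslog timestamps carry no zone, so the example assumes the logger runs in UTC.

```python
"""Triage netfilter REJECT log lines for Telnet (23/2323) SYN scans and draft an
abuse report per source, with the recipient taken from an RDAP response."""
import re
from datetime import datetime, timezone

# Constructed netfilter LOG lines (documentation-range addresses, not from the post).
# Assumption: the logger writes UTC, so the timestamps can be reported as such.
SAMPLE_LOG = """\
Nov 16 10:41:02 gw kernel: REJECT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=51 ID=2323 PROTO=TCP SPT=41230 DPT=2323 WINDOW=14600 SYN
Nov 16 10:41:09 gw kernel: REJECT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=51 ID=2324 PROTO=TCP SPT=41231 DPT=23 WINDOW=14600 SYN
Nov 16 10:42:17 gw kernel: REJECT IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=40 TTL=48 ID=9 PROTO=TCP SPT=55012 DPT=2323 WINDOW=14600 SYN
Nov 16 10:43:00 gw kernel: REJECT IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=40 TTL=48 ID=10 PROTO=TCP SPT=55013 DPT=443 WINDOW=14600 SYN
Nov 16 10:44:31 gw kernel: REJECT IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=44 TTL=60 ID=77 PROTO=UDP SPT=5353 DPT=2323 LEN=24
"""

TELNET_PORTS = {"23", "2323"}
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")


def parse_line(line, year=2016):
    """Split one netfilter LOG line into its KEY=VALUE fields plus an aware 'ts'; None if not a LOG line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # keep the IP-header LEN, not the trailing UDP LEN
    # syslog omits the year; the caller supplies it (assumed UTC, see above)
    fields["ts"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    fields["raw"] = line
    return fields


def sightings(log_text, year=2016):
    """Group TCP SYNs to 23/2323 by source: count, first/last seen and the evidence lines."""
    out = {}
    for line in log_text.splitlines():
        f = parse_line(line, year)
        if not f or f.get("PROTO") != "TCP" or f.get("DPT") not in TELNET_PORTS:
            continue
        if "SYN" not in line.split():  # connection attempts only, not stray ACK/RST backscatter
            continue
        rec = out.setdefault(f["SRC"], {"count": 0, "first": f["ts"], "last": f["ts"], "lines": []})
        rec["count"] += 1
        rec["first"] = min(rec["first"], f["ts"])
        rec["last"] = max(rec["last"], f["ts"])
        rec["lines"].append(line)
    return out


def rdap_url(ip):
    """Bootstrap redirector URL that 302s to the registry holding the block (not fetched here)."""
    return f"https://rdap.org/ip/{ip}"


def abuse_contacts(rdap):
    """E-mail addresses of every entity carrying the 'abuse' role, recursing into nested entities.
    RDAP entities hold contact data as jCard: ["vcard", [[name, params, type, value], ...]]."""
    found = []

    def walk(entities):
        for ent in entities or []:
            if "abuse" in ent.get("roles", []):
                for prop in ent.get("vcardArray", ["vcard", []])[1]:
                    if prop[0] == "email" and prop[3] not in found:
                        found.append(prop[3])
            walk(ent.get("entities"))

    walk(rdap.get("entities"))
    return found


# Constructed RDAP answers standing in for what rdap_url() would return (not real registry data).
RDAP_SAMPLE = {
    "203.0.113.7": {"handle": "NET-203-0-113-0-1", "entities": [{
        "handle": "EXAMPLE-ORG", "roles": ["registrant"],
        "entities": [{"handle": "EXAMPLE-ABUSE", "roles": ["abuse"], "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"],
            ["fn", {}, "text", "Example Abuse Desk"],
            ["email", {}, "text", "abuse@example.net"]]]}]}]},
    # a block whose only listed contact is the registrant: no abuse role at all
    "192.0.2.44": {"handle": "NET-192-0-2-0-1", "entities": [{
        "handle": "OTHER-ORG", "roles": ["registrant"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["email", {}, "text", "noc@example.org"]]]}]},
}


def build_report(src, rec, contacts):
    """Plain-text abuse report: recipient, UTC time window, counts and the raw log lines as evidence."""
    to = ", ".join(contacts) if contacts else "(no abuse role in RDAP; try the registrant/NOC contact or the upstream AS)"
    fmt = "%Y-%m-%d %H:%M:%S %Z"
    body = [
        f"To: {to}",
        f"Subject: Telnet scanning (tcp/23, tcp/2323) from {src}",
        "",
        f"{src} sent {rec['count']} TCP SYN(s) to tcp/23 and tcp/2323 on our network between "
        f"{rec['first'].strftime(fmt)} and {rec['last'].strftime(fmt)}.",
        "This matches Mirai-style scanning for Telnet; the host is probably infected.",
        "Log excerpts (netfilter):",
    ] + ["  " + l for l in rec["lines"]]
    return "\n".join(body)


if __name__ == "__main__":
    for src, rec in sightings(SAMPLE_LOG).items():
        print(build_report(src, rec, abuse_contacts(RDAP_SAMPLE.get(src, {}))))
        print(f"(contact source: {rdap_url(src)})\n")
```

The report deliberately includes the untouched log lines and an explicit time zone: abuse desks that do act on reports need both to match a NAT or DHCP lease to a subscriber. When RDAP yields no abuse role, the registrant or NOC contact is the fallback, not silence.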
It's pretty much part of the IBR now. And what can a provider do, really? It's not likely he will expend much effort blocking customers. Maybe we should all start filtering 2323? -mel via cell
On Nov 16, 2016, at 11:53 AM, Stephen Satchell <list@satchell.net> wrote:
Probably best to go with A) what we could do in the best of situations and B) what the rest will do. Some of us are last mile networks and *DO* care.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "Mel Beckman" <mel@beckman.org>
To: list@satchell.net
Cc: nanog@nanog.org
Sent: Wednesday, November 16, 2016 11:25:34 AM
Subject: Re: Port 2323/tcp
We’ve been monitoring/logging/blocking ports 23 and 2323 at our site for the past several weeks, after remediating a 60-75 Mbps attack on a 100 Mbps fiber feed.

On port 23, we have accumulated 377,319 different IP addresses hitting our systems. For port 2323, 42,913 different IP addresses.

The addresses are widely distributed, making aggregation nearly impossible.

Below is a list of offending subnets, ranked by number of offenders (powers of 2), sorry for the length.

16384: 14.0.0.0/8
8192: 78.0.0.0/8 113.0.0.0/8 117.0.0.0/8 122.0.0.0/8 177.0.0.0/8 179.0.0.0/8 186.0.0.0/8 187.0.0.0/8 189.0.0.0/8 190.0.0.0/8 201.0.0.0/8
4096: 1.0.0.0/8 5.0.0.0/8 27.0.0.0/8 36.0.0.0/8 37.0.0.0/8 41.0.0.0/8 42.0.0.0/8 46.0.0.0/8 49.0.0.0/8 59.0.0.0/8 79.0.0.0/8 82.0.0.0/8 88.0.0.0/8 89.0.0.0/8 95.0.0.0/8 109.0.0.0/8 110.0.0.0/8 112.0.0.0/8 114.0.0.0/8 116.0.0.0/8 118.0.0.0/8 119.0.0.0/8 121.0.0.0/8 123.0.0.0/8 124.0.0.0/8 171.0.0.0/8 175.0.0.0/8 176.0.0.0/8 178.0.0.0/8 180.0.0.0/8 181.0.0.0/8 182.0.0.0/8 183.0.0.0/8 191.0.0.0/8 200.0.0.0/8 220.0.0.0/8
2048: 31.0.0.0/8 58.0.0.0/8 60.0.0.0/8 61.0.0.0/8 77.0.0.0/8 80.0.0.0/8 81.0.0.0/8 83.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 103.0.0.0/8 111.0.0.0/8 115.0.0.0/8 120.0.0.0/8 125.0.0.0/8 151.0.0.0/8 188.0.0.0/8 213.0.0.0/8 218.0.0.0/8 222.0.0.0/8 223.0.0.0/8
1024: 3.0.0.0/8 6.0.0.0/8 7.0.0.0/8 9.0.0.0/8 11.0.0.0/8 15.0.0.0/8 16.0.0.0/8 17.0.0.0/8 19.0.0.0/8 20.0.0.0/8 21.0.0.0/8 22.0.0.0/8 24.0.0.0/8 25.0.0.0/8 26.0.0.0/8 28.0.0.0/8 29.0.0.0/8 30.0.0.0/8 33.0.0.0/8 34.0.0.0/8 39.0.0.0/8 44.0.0.0/8 48.0.0.0/8 53.0.0.0/8 55.0.0.0/8 56.0.0.0/8 57.0.0.0/8 62.0.0.0/8 84.0.0.0/8 101.0.0.0/8 102.0.0.0/8 106.0.0.0/8 185.0.0.0/8 193.0.0.0/8 194.0.0.0/8 195.0.0.0/8 197.0.0.0/8 202.0.0.0/8 203.0.0.0/8 210.0.0.0/8 211.0.0.0/8 212.0.0.0/8 214.0.0.0/8 215.0.0.0/8 217.0.0.0/8 219.0.0.0/8 221.0.0.0/8
512: 2.0.0.0/8 43.0.0.0/8 45.0.0.0/8 47.0.0.0/8 50.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 90.0.0.0/8 96.0.0.0/8 105.0.0.0/8 108.0.0.0/8 134.0.0.0/8 138.0.0.0/8 139.0.0.0/8 152.0.0.0/8 167.0.0.0/8 173.0.0.0/8
256: 64.0.0.0/8 66.0.0.0/8 67.0.0.0/8 68.0.0.0/8 69.0.0.0/8 74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 98.0.0.0/8 104.0.0.0/8 150.0.0.0/8 159.0.0.0/8 168.0.0.0/8 174.0.0.0/8 192.0.0.0/8 196.0.0.0/8 216.0.0.0/8
128: 23.0.0.0/8 65.0.0.0/8 97.0.0.0/8 100.0.0.0/8 107.0.0.0/8 128.0.0.0/8 130.0.0.0/8 131.0.0.0/8 140.0.0.0/8 141.0.0.0/8 149.0.0.0/8 153.0.0.0/8 154.0.0.0/8 160.0.0.0/8 161.0.0.0/8 162.0.0.0/8 163.0.0.0/8 170.0.0.0/8 172.0.0.0/8 184.0.0.0/8 198.0.0.0/8 207.0.0.0/8 208.0.0.0/8 209.0.0.0/8
64: 4.0.0.0/8 8.0.0.0/8 12.0.0.0/8 13.0.0.0/8 18.0.0.0/8 32.0.0.0/8 35.0.0.0/8 38.0.0.0/8 40.0.0.0/8 51.0.0.0/8 52.0.0.0/8 54.0.0.0/8 63.0.0.0/8 99.0.0.0/8 10122.0.0.0/8 11122.0.0.0/8 114122.0.0.0/8 126.0.0.0/8 129.0.0.0/8 132.0.0.0/8 133.0.0.0/8 135.0.0.0/8 136.0.0.0/8 137.0.0.0/8 142.0.0.0/8 143.0.0.0/8 144.0.0.0/8 145.0.0.0/8 146.0.0.0/8 147.0.0.0/8 148.0.0.0/8 155.0.0.0/8 156.0.0.0/8 157.0.0.0/8 158.0.0.0/8 164.0.0.0/8 165.0.0.0/8 166.0.0.0/8 169.0.0.0/8 199.0.0.0/8 204.0.0.0/8 205.0.0.0/8 206.0.0.0/8

Total 375232

-- Otto Monnig omonnig@gmail.com
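Added example, not Otto's code: it re-creates his per-/8 ranking with power-of-two buckets on 38 of the 2323/tcp sources Stephen posted earlier in the thread (real addresses from the post, chosen because several share a /8 or /16), and then puts a number on "aggregation nearly impossible" by computing, for each prefix length, how many prefixes you would need to cover 80% of the sources and how much address space that block list would actually hit. The 80% threshold and the choice of prefix lengths are the example's own.

```python
"""How far can Telnet-scanner sources be aggregated into prefixes? Re-creates the
/8 bucketing above and shows what a prefix-based block list would actually cost."""
import ipaddress
import math
from collections import Counter

# 38 of the 2323/tcp sources posted earlier in the thread.
SOURCES = [
    "220.132.111.124", "220.133.24.142", "220.133.198.71", "220.133.234.229",
    "220.134.132.200", "220.134.193.133", "220.135.64.43",
    "114.32.28.219", "114.32.87.32", "114.32.189.5", "114.34.29.167", "114.34.170.10", "114.35.153.123",
    "113.161.64.11", "113.169.18.153", "113.171.98.158", "113.172.4.204", "113.183.204.112", "113.188.44.246",
    "171.224.7.147", "171.226.20.220", "171.232.118.93", "171.248.210.120", "171.249.223.213", "171.250.26.209",
    "123.16.78.77", "123.23.49.149", "123.24.108.10", "123.24.250.187", "123.25.74.209", "123.27.159.13",
    "1.34.169.183", "12.221.236.2", "46.59.6.249", "73.84.152.194", "96.57.103.19", "138.204.203.66", "173.56.21.67",
]


def count_by_prefix(addrs, plen):
    """Counter: covering /plen prefix -> number of distinct sources inside it."""
    return Counter(str(ipaddress.ip_network(f"{a}/{plen}", strict=False)) for a in set(addrs))


def floor_pow2(n):
    """Round a count down to a power of two, the 'powers of 2' ranking used above."""
    return 1 << (n.bit_length() - 1) if n > 0 else 0


def ranked(counter):
    """(prefix, floor_pow2(count)) pairs, highest bucket first, then by address."""
    return sorted(((p, floor_pow2(n)) for p, n in counter.items()),
                  key=lambda t: (-t[1], ipaddress.ip_network(t[0])))


def prefixes_to_cover(addrs, plen, fraction=0.8):
    """Fewest /plen prefixes (taken largest-first) that together contain >= fraction of the sources."""
    counter = count_by_prefix(addrs, plen)
    need = math.ceil(fraction * len(set(addrs)))
    covered = 0
    for i, (_, n) in enumerate(counter.most_common(), start=1):
        covered += n
        if covered >= need:
            return i
    return len(counter)


def addresses_covered(plen, k):
    """IPv4 addresses a block list of k prefixes of length plen would affect."""
    return k * (1 << (32 - plen))


def aggregation_table(addrs, fraction=0.8):
    """Rows of (plen, distinct prefixes, prefixes needed for `fraction`, addresses those prefixes span)."""
    rows = []
    for plen in (8, 16, 24, 32):
        k = prefixes_to_cover(addrs, plen, fraction)
        rows.append((plen, len(count_by_prefix(addrs, plen)), k, addresses_covered(plen, k)))
    return rows


if __name__ == "__main__":
    print("per-/8 ranking, power-of-two buckets:")
    for prefix, bucket in ranked(count_by_prefix(SOURCES, 8)):
        print(f"  {prefix:<14} {bucket}")
    print("\nprefix  distinct  needed-for-80%  addresses-blocked")
    for plen, distinct, k, blocked in aggregation_table(SOURCES):
        print(f"/{plen:<6} {distinct:>8}  {k:>14}  {blocked:>17,}")
```

On this sample, five /8s cover 80% of the sources but span about 84 million addresses, while at /24 you need 31 prefixes for 31 hosts, i.e. no aggregation at all; with the 375k-source dataset above the same shape holds, which is why a source-prefix block list is the wrong tool and port-based filtering or per-host reporting is what remains.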
We have actively started to block 23/tcp to our customers' CPEs... Huge amounts of connection attempts / scans over our prefixes. All IPv4, zero on IPv6 (not yet at least).

On Wed, Nov 16, 2016 at 8:12 PM, Otto Monnig <omonnig@gmail.com> wrote:
-- Regards, Chris Knipe
participants (5): Chris Knipe, Mel Beckman, Mike Hammett, Otto Monnig, Stephen Satchell