AS202425 = AS29073. Formerly known as Quasi Networks / Ecatel. See previous NANOG thread here: https://mailman.nanog.org/pipermail/nanog/2017-August/091956.html
On Sat, Jun 22, 2019 at 10:03 AM Keith Medcalf <[email protected]> wrote:

> On Friday, 21 June, 2019 18:14, Ronald F. Guilmette <[email protected]>
> wrote:
>
> > https://twitter.com/GreyNoiseIO/status/1129017971135995904
> > https://twitter.com/JayTHL/status/1128718224965685248
>
> Sorry, don't twitter ... Too much malicious JavaScript there.
>
> > Friday Questionnaire:
> >
> > Is there anybody on this list who keeps firewall logs and who
> > DOESN'T have numerous hits recorded therein from one or more
> > of the following IP addresses?
> >
> > 80.82.64.21 scanner29.openportstats.com
> > 80.82.70.2 scanner8.openportstats.com
> > 80.82.70.198 scanner21.openportstats.com
> > 80.82.70.216 scanner13.openportstats.com
> > 80.82.78.104 scanner151.openportstats.com
> > 89.248.160.132 scanner15.openportstats.com
> > 89.248.162.168 scanner5.openportstats.com
> > 89.248.168.62 scanner1.openportstats.com
> > 89.248.168.63 scanner2.openportstats.com
> > 89.248.168.73 scanner3.openportstats.com
> > 89.248.168.74 scanner4.openportstats.com
> > 89.248.168.170 scanner17.openportstats.com
> > 89.248.168.196 scanner16.openportstats.com
> > 89.248.171.38 scanner7.openportstats.com
> > 89.248.171.57 scanner20.openportstats.com
> > 89.248.172.18 scanner25.openportstats.com
> > 89.248.172.23 scanner27.openportstats.com
> > 93.174.91.31 scanner10.openportstats.com
> > 93.174.91.34 scanner11.openportstats.com
> > 93.174.91.35 scanner12.openportstats.com
> > 93.174.93.98 scanner18.openportstats.com
> > 93.174.93.149 scanner6.openportstats.com
> > 93.174.93.241 scanner14.openportstats.com
> > 93.174.95.37 scanner19.openportstats.com
> > 93.174.95.42 scanner8.openportstats.com
> > 94.102.51.31 scanner31.openportstats.com
> > 94.102.51.98 scanner55.openportstats.com
> > 94.102.52.245 scanner9.openportstats.com
>
> I have just a few. They have all been blocked. There have been no
> incoming sessions established, nor any outbound sessions to these addresses.
>
> Why do you think it is a problem and not just run-of-the-mill background
> radiation on the Internet?
>
> Do you (or your endpoints) not have a firewall to block such things?
>
> sqlite> select * from hosts where name like '%openports%';
> id      address        name                          description  asn     lastupdate
> ------- -------------- ----------------------------- ------------ ------- ----------
> 3662    93.174.93.241  scanner14.openportstats.com.               202425  1561209704
> 5061    93.174.95.42   scanner8.openportstats.com.                202425  1560718494
> 11894   93.174.93.149  scanner6.openportstats.com.                202425  1560732443
> 17720   93.174.93.98   scanner18.openportstats.com.               202425  1560640554
> 54208   80.82.70.2     scanner8.openportstats.com.                202425  1560774033
> 54790   89.248.160.13  scanner15.openportstats.com.               202425  1560682732
> 55081   89.248.168.19  scanner16.openportstats.com.               202425  1561158220
> 55629   89.248.168.17  scanner17.openportstats.com.               202425  1560817976
> 59858   89.248.171.57  scanner20.openportstats.com.               202425  1560800216
> 64626   89.248.171.38  scanner7.openportstats.com.                202425  1560841829
> 70081   93.174.95.37   scanner19.openportstats.com.               202425  1560802023
> 72978   80.82.70.216   scanner13.openportstats.com.               202425  1560709312
> 74711   94.102.52.245  scanner9.openportstats.com.                202425  1560589038
> 80358   89.248.162.16  scanner5.openportstats.com.                202425  1561217966
> 86148   89.248.172.18  scanner25.openportstats.com.               202425  1560884061
> 89484   94.102.51.31   scanner31.openportstats.com.               202425  1561199715
> 90131   80.82.70.198   scanner21.openportstats.com.               202425  1560776777
> 90531   80.82.78.104   scanner151.openportstats.com               202425  1561150052
> 91641   80.82.64.21    scanner29.openportstats.com.               202425  1561184548
> 104810  94.102.51.98   scanner55.openportstats.com.               202425  1561138118
>
> sqlite> select * from asns where asn=202425;
> asn      country  rir      allocated   description      lastupdate
> -------  -------  -------  ----------  ---------------  ----------
> 202425   SC       ripencc  2018-05-17  INT-NETWORK, SC  1561217966
>
> sqlite> select srcaddress, count(*), min(localtime), max(localtime) from
> firewalllog where srcaddress in (select address from hosts where name like
> '%openportstats.com.') group by srcaddress;
> srcaddress   count(*)  min(localtime)                  max(localtime)
> -----------  --------  ------------------------------  ------------------------------
> 80.82.64.21  6         2019-03-28 05:21:13.919 -06:00  2019-03-31 06:47:28.309 -06:00
> 80.82.70.2   208       2019-01-23 12:58:02.557 -07:00  2019-04-02 06:37:43.125 -06:00
> 80.82.70.19  114       2019-03-25 14:13:17.058 -06:00  2019-04-02 06:39:57.214 -06:00
> 80.82.70.21  17970     2019-02-25 13:34:52.202 -07:00  2019-04-24 19:27:58.113 -06:00
> 80.82.78.10  767       2019-03-26 08:37:53.799 -06:00  2019-06-21 15:27:05.791 -06:00
> 89.248.160.  1754      2019-01-24 12:40:58.764 -07:00  2019-04-13 05:02:00.866 -06:00
> 89.248.162.  1384      2019-03-09 16:21:40.538 -07:00  2019-06-22 09:39:26.809 -06:00
> 89.248.168.  43        2019-01-25 18:52:41.512 -07:00  2019-03-28 06:57:15.269 -06:00
> 89.248.168.  1543      2019-01-24 23:03:14.052 -07:00  2019-04-23 01:46:26.558 -06:00
> 89.248.171.  22        2019-02-10 12:14:00.168 -07:00  2019-02-12 14:16:40.212 -07:00
> 89.248.171.  1850      2019-02-01 18:06:15.893 -07:00  2019-06-17 13:36:56.062 -06:00
> 89.248.172.  3         2019-03-18 20:33:50.209 -06:00  2019-03-23 16:47:31.949 -06:00
> 93.174.93.9  67        2018-12-08 17:42:28.122 -07:00  2019-04-01 03:24:06.896 -06:00
> 93.174.93.1  16        2018-12-04 03:34:47.534 -07:00  2019-05-07 01:34:27.308 -06:00
> 93.174.93.2  1661      2018-11-23 10:13:06.957 -07:00  2019-06-22 07:21:44.239 -06:00
> 93.174.95.3  144       2019-02-20 08:06:52.282 -07:00  2019-02-28 02:30:39.109 -07:00
> 93.174.95.4  252       2018-11-24 22:14:19.061 -07:00  2019-03-03 19:04:48.709 -07:00
> 94.102.51.3  262       2019-03-24 10:03:55.679 -06:00  2019-06-22 04:35:15.886 -06:00
> 94.102.51.9  32        2019-04-28 08:52:43.818 -06:00  2019-05-17 11:22:16.166 -06:00
> 94.102.52.2  38        2019-02-28 12:45:52.949 -07:00  2019-03-07 07:30:03.547 -07:00
>
> > NOTE: Dshield has already assigned an 8 rating on their Badness
> > Richter Scale to the specific one of the above addresses that's
> > been poking me personally in recent days:
> >
> > https://www.dshield.org/ipinfo.html?ip=89.248.162.168
> > https://www.dshield.org/ipdetails.html?ip=89.248.162.168
> >
> > And the Dshield rating is *just* based on the probing. The addition
> > of malware slinging also puts this whole mess over the top entirely.
>
> What malware slinging? I see none of that. Merely unsolicited incoming
> connection attempts. I note that neither the ASN in question nor the
> addresses are on the DROP list.
>
> > Oh! And I'll save you all the time looking it up.... 100% of the IPs
> > listed above are on AS202425 "IP Volume, Inc. allegedly of the
> > Seychelles Islands, where the employees and management are no
> > doubt enjoying their luxurious and expansive new corporate headquarters...
>
> Good for them. Everyone should have luxurious and expansive corporate
> headquarters.
>
> > https://bit.ly/2ZBayc4
>
> Malicious link detected.
>
> --
> The fact that there's a Highway to Hell but only a Stairway to Heaven says
> a lot about anticipated traffic volume.
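One way to reproduce the tally Keith's sqlite session shows, as an added Python example that is not part of the thread: it builds an in-memory database from constructed rows (table and column names follow the quoted queries; the per-ASN roll-up at the end is a generalisation not in the original).

```python
import sqlite3

# Constructed sample data, not the poster's real tables. Two of the scanner
# addresses are taken from the thread; 203.0.113.9 / AS64496 are documentation
# values standing in for an unrelated source.
HOSTS = [
    ("80.82.70.2", "scanner8.openportstats.com.", 202425),
    ("89.248.171.57", "scanner20.openportstats.com.", 202425),
    ("203.0.113.9", "unrelated-host.example.", 64496),
]
ASNS = [(202425, "SC", "ripencc"), (64496, "ZZ", "example")]
FIREWALL_LOG = [  # (srcaddress, localtime) of blocked inbound attempts
    ("80.82.70.2", "2019-01-23 12:58:02"),
    ("80.82.70.2", "2019-04-02 06:37:43"),
    ("89.248.171.57", "2019-02-01 18:06:15"),
    ("203.0.113.9", "2019-03-01 00:00:00"),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE hosts(address TEXT PRIMARY KEY, name TEXT, asn INTEGER);
        CREATE TABLE asns(asn INTEGER PRIMARY KEY, country TEXT, rir TEXT);
        CREATE TABLE firewalllog(srcaddress TEXT, localtime TEXT);
    """)
    db.executemany("INSERT INTO hosts VALUES (?,?,?)", HOSTS)
    db.executemany("INSERT INTO asns VALUES (?,?,?)", ASNS)
    db.executemany("INSERT INTO firewalllog VALUES (?,?)", FIREWALL_LOG)
    return db

def hits_by_scanner(db, pattern="%openportstats.com."):
    # Same shape as the query in the thread: hit count and first/last
    # timestamp per source whose reverse name matches the pattern.
    return db.execute("""
        SELECT srcaddress, COUNT(*), MIN(localtime), MAX(localtime)
        FROM firewalllog
        WHERE srcaddress IN (SELECT address FROM hosts WHERE name LIKE ?)
        GROUP BY srcaddress ORDER BY srcaddress""", (pattern,)).fetchall()

def hits_by_asn(db):
    # Roll the whole log up by origin ASN through the hosts table, which
    # answers "how much of my background noise comes from one network?".
    return db.execute("""
        SELECT h.asn, a.country, COUNT(*) AS hits
        FROM firewalllog f JOIN hosts h ON h.address = f.srcaddress
        JOIN asns a ON a.asn = h.asn
        GROUP BY h.asn ORDER BY hits DESC""").fetchall()

if __name__ == "__main__":
    db = build_db()
    for row in hits_by_scanner(db) + hits_by_asn(db):
        print(row)
```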

