Hi all, I know this would belong in THNOG, but since their email turns out to be unroutable, and APNIC never replied to a ticket I filed a week ago, I hope some thai network operators are listening here as well. (True's IRT team contact has however been established already)
Since a week I've seen a lot of compromized connections on my personal IRC net from network ranges owned by asiasnet.co.th, 3bb.co.th, totbb.co.th and ais.co.th (and probably others). The issue seems to be limited to TH space at the moment. After investigating some of those bots ip sources, it turns out they all are from clients with routers that have the admin port open to everyone and the routers have the default login (BAD BAD BAD). ACS url's have been changed to http://255.255.255.255. New connections arrive in an estimate of 1 every 3 minutes at the moment. All connections found being affected will and have been added to my dnsbl (dronebl) as type 15 (compromized router/127.0.0.15), if you need a list, contact me off list with your AS number in order to get a dump. Kind regards, Alexander Maassen Maintainer DroneBL
pEpkey.asc
Description: application/pgp-keys
