Re: Russian Anal Probing + Malware

2019-06-23 Thread Hank Nussbacher

On 24/06/2019 00:23, Randy Bush wrote:

> e.g. i am aware of researchers scanning to see patching spread and
> trying to make a conext paper deadline this week or infocom next month.
>
> hard to tell the sheep from the goats and the wolf from the sheep.  i
> get the appended.  sheep or wolf?  i sure do not claim to be smart
> enough to know.  but i sure am glad others are.

Greynoise can be your friend:
https://greynoise.io/about
https://viz.greynoise.io/table

-Hank

> randy

---


Re: Russian Anal Probing + Malware

2019-06-23 Thread Andy Smith
Hi Brad,

On Sun, Jun 23, 2019 at 09:43:00PM +, Brad via NANOG wrote:
> On Friday, June 21, 2019 6:13 PM, Ronald F. Guilmette wrote:
> 
> > https://twitter.com/GreyNoiseIO/status/1129017971135995904
> > https://twitter.com/JayTHL/status/1128718224965685248
> 
> After forwarding these links to a sanitized client on another network, I saw 
> nothing on the "twitter reports" which suggest these subnets are doing 
> anything other than port scanning.

Earlier I posted one example of an attempt to exploit CVE-2019-10149 to
execute commands as root on one of my machines. I have 17 other
examples from the same IP that try to do similar things via the same
exploit, though there are differences which suggest to me that multiple
users or groups are using openportstats for this purpose.

Would you like to see them?

I think that trying to actively exploit a bug to execute arbitrary commands is
a lot different to mere port scanning. They aren't all harmless commands
either; some of them install rootkits and remote shells.

Cheers,
Andy


Re: Russian Anal Probing + Malware

2019-06-23 Thread Dan Hollis

On Sun, 23 Jun 2019, Randy Bush wrote:

>>> It's just a port/vulnerability scanner, I really don't see anything
>>> special about this particular case.
>>
>> they are pushing exploits. trying to RCE, wget a binary, chmod 777 on
>> routers and rm -rf files.
>>
>> this goes way beyond scanner and into criminal trespass and
>> destruction of property.
>>
>> https://twitter.com/JayTHL/status/1128700101675954176
>
> having trouble following the attribution.  yes, of course there are folk
> trying to exploit.  but missing the link that *these* folk are.

https://pbs.twimg.com/media/D6oBGYPUwAECG09.png

you're trying to defend them?

-Dan


Re: Russian Anal Probing + Malware

2019-06-23 Thread Brad via NANOG
See inline responses...

‐‐‐ Original Message ‐‐‐
On Friday, June 21, 2019 6:13 PM, Ronald F. Guilmette wrote:

> https://twitter.com/GreyNoiseIO/status/1129017971135995904
> https://twitter.com/JayTHL/status/1128718224965685248


After forwarding these links to a sanitized client on another network, I saw 
nothing on the "twitter reports" which suggest these subnets are doing anything 
other than port scanning.

For those who refuse to follow Twitter links (I'm with ya):
There is one cropped screen shot of a pcap with some incomplete information for 
an entirely different subnet and zero useful intel.

Am I missing something, or do you have any actual log files to support your 
claims of malware slinging from these guys?  And I do not want "popularity 
contest" results of the twitter-verse to protect our networks.  Real data is 
needed.  We need to know what we are looking for specifically.

As for the network probing - this is why those activities are blocked and other 
techniques are implemented to obscure the usefulness of the data they collect.  
The way I see it... If people go poking their hands in the honey jars without 
permission, they may just get something they do not want or expect (I hear 
non-consensual probing can infect the violator with certain diseases, and that 
would be a shame)


> Friday Questionnaire:
>
> Is there anybody on this list who keeps firewall logs and who
> DOESN'T have numerous hits recorded therein from one or more
> of the following IP addresses?
>

[snip]

>
> NOTE: Dshield has already assigned an 8 rating on their Badness Richter
> Scale to the specific one of the above addresses that's been poking me
> personally in recent days:
>
> https://www.dshield.org/ipinfo.html?ip=89.248.162.168
> https://www.dshield.org/ipdetails.html?ip=89.248.162.168
>
> And the Dshield rating is just based on the probing. The addition of
> malware slinging also puts this whole mess over the top entirely.


What malware?


> Oh! And I'll save you all the time looking it up 100% of the IPs
> listed above are on AS202425 "IP Volume, Inc. allegedly of the Seychelles
> Islands, where the employees and management are no doubt enjoying their
> luxurious and expansive new corporate headquarters...


Sounds like a good deal.


>
> https://bit.ly/2ZBayc4

I do not follow external links generally, as a rule, without compelling need 
and additional measures taken.


>
> Regards,
> rfg
>
> P.S. This is the kind of thing that everybody really should expect
> when the U.S. Department of Defense takes it upon itself to start up
> its own little private and unauthorized (cyber)war on Russia, without
> first obtaining the consent of Congress... you know, kinda like that
> ancient yellowed document that nobody in this country reads anymore
> says they should. And apparently, the DoD was understandably not
> anxious to brief even the President about all this...
>
> https://www.businessinsider.com/us-officials-hide-russia-cyber-operation-trump-2019-6
>
> (Not that anybody can really blame them for THAT.)


P.S. Let's try to keep politics off the list.  We get enough of that everywhere 
else.

Thanks,
Brad


Re: Russian Anal Probing + Malware

2019-06-23 Thread Randy Bush
>> It's just a port/vulnerability scanner, I really don't see anything
>> special about this particular case.
> 
> they are pushing exploits. trying to RCE, wget a binary, chmod 777 on
> routers and rm -rf files.
> 
> this goes way beyond scanner and into criminal trespass and
> destruction of property.
> 
> https://twitter.com/JayTHL/status/1128700101675954176

having trouble following the attribution.  yes, of course there are folk
trying to exploit.  but missing the link that *these* folk are.

e.g. i am aware of researchers scanning to see patching spread and
trying to make a conext paper deadline this week or infocom next month.

hard to tell the sheep from the goats and the wolf from the sheep.  i
get the appended.  sheep or wolf?  i sure do not claim to be smart
enough to know.  but i sure am glad others are.

randy

---

Jun 20 18:53:23 winnti-scanner-victims-will-be-notified.threatsinkhole.com 
�V�Dz/� 
Jun 20 18:53:23 ran rsyslogd: imtcp imtcp: Framing Error in received TCP 
message from peer: (hostname) 
winnti-scanner-victims-will-be-notified.threatsinkhole.com, (ip) 
winnti-scanner-victims-will-be-notified.threatsinkhole.com: delimiter is not SP 
but has ASCII value -51. [v8.32.0]
Jun 20 18:53:55 winnti-scanner-victims-will-be-notified.threatsinkhole.com 
�t�C� 
#000F#000#000#000#000#000#000#000#000#000#001#004F#000#000#000#003#010�=)�#027�$�#000#000#000#000#000++#000#000#000#000(#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#001#001#000#000#000#000#026#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#004#000#000#000#000#000#000#000#000#000#004#000#000#000#000
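The appended rsyslogd lines are what a TCP syslog listener logs when a peer pushes bytes that are not syslog framing at it, whether that peer is a scanner or merely a misconfigured sender. As an added example that is not from the thread, here is a small Python triage script that parses such imtcp "Framing Error" lines and aggregates them per peer; the sample lines are constructed after the ones quoted above, and the second peer (scanner.example.net, 192.0.2.10) is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the rsyslogd "Framing Error" entries quoted in
# Randy's message; the second peer (scanner.example.net / 192.0.2.10) is a placeholder.
SAMPLE_LOG = """\
Jun 20 18:53:23 ran rsyslogd: imtcp imtcp: Framing Error in received TCP message from peer: (hostname) winnti-scanner-victims-will-be-notified.threatsinkhole.com, (ip) winnti-scanner-victims-will-be-notified.threatsinkhole.com: delimiter is not SP but has ASCII value -51. [v8.32.0]
Jun 20 18:53:55 ran rsyslogd: imtcp imtcp: Framing Error in received TCP message from peer: (hostname) winnti-scanner-victims-will-be-notified.threatsinkhole.com, (ip) winnti-scanner-victims-will-be-notified.threatsinkhole.com: delimiter is not SP but has ASCII value -116. [v8.32.0]
Jun 20 19:02:11 ran rsyslogd: imtcp imtcp: Framing Error in received TCP message from peer: (hostname) scanner.example.net, (ip) 192.0.2.10: delimiter is not SP but has ASCII value 22. [v8.32.0]
Jun 20 19:05:00 ran sshd[1234]: Accepted publickey for ops from 192.0.2.20 port 51514 ssh2
"""

# One regex for the whole message; rsyslog prints the offending byte as a signed char.
FRAMING_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) rsyslogd: imtcp imtcp: "
    r"Framing Error in received TCP message from peer: \(hostname\) (?P<peer_host>[^,]+), "
    r"\(ip\) (?P<peer_ip>.+?): delimiter is not SP but has ASCII value (?P<byte>-?\d+)\."
)

def parse_framing_errors(text):
    """Return one dict per framing-error line: timestamp, receiving host, peer, first byte."""
    events = []
    for line in text.splitlines():
        m = FRAMING_RE.match(line)
        if not m:
            continue  # ordinary log lines are ignored
        ev = m.groupdict()
        ev["byte"] = int(ev["byte"]) & 0xFF  # -51 -> 0xCD: not printable syslog text
        events.append(ev)
    return events

def peers_by_count(events):
    """Aggregate per peer: how many framing errors and which first bytes were seen."""
    agg = defaultdict(lambda: {"count": 0, "first_bytes": set()})
    for ev in events:
        # rsyslog may put a reverse-resolved name in the (ip) slot, so key on both fields
        key = (ev["peer_host"], ev["peer_ip"])
        agg[key]["count"] += 1
        agg[key]["first_bytes"].add(ev["byte"])
    return dict(agg)

def suspicious_peers(events, threshold=2):
    """Peers that sent non-syslog data to the syslog TCP port at least `threshold` times.
    A legitimate but misconfigured sender produces the same message (first byte 0x16 is
    a TLS ClientHello hitting a plain-TCP listener), so this is triage, not attribution."""
    agg = peers_by_count(events)
    return sorted(k for k, v in agg.items() if v["count"] >= threshold)
```

Feed it `journalctl -u rsyslog` or the syslog file itself; peers that recur with high, non-printable first bytes are the ones worth a closer look, and the first-byte set tells you whether it is a protocol mismatch or random probing.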


Re: Russian Anal Probing + Malware

2019-06-23 Thread Dan Hollis

On Sat, 22 Jun 2019, Filip Hruska wrote:
> It's just a port/vulnerability scanner, I really don't see anything special 
> about this particular case.


they are pushing exploits. trying to RCE, wget a binary, chmod 777 on 
routers and rm -rf files.


this goes way beyond scanner and into criminal trespass and destruction of 
property.


https://twitter.com/JayTHL/status/1128700101675954176

remain ignorant if you want.

-Dan


Re: Russian Anal Probing + Malware

2019-06-23 Thread Rich Kulawiec
On Fri, Jun 21, 2019 at 05:13:35PM -0700, Ronald F. Guilmette wrote:
> Is there anybody on this list who keeps firewall logs and who
> DOESN'T have numerous hits recorded therein from one or more
> of the following IP addresses?

Well, I *did*, but having noticed their activities and grown tired of
them, I now just drop their traffic on the floor (and log it).

They are one of several operations that I've noticed who have taken it
upon themselves to poke at open (and closed) ports without bothering
to ask.  Assuming for a moment the most charitable interpretation of
their collective actions -- that they are earnestly researching problems
with the intention of helping to solve them -- this is still highly
problematic for two reasons:

1. They didn't ask permission.

2. Whether they realize it or not, they're building a target.  When,
not if, their results database(s) are compromised, they will have
furnished the attackers with a comprehensive target list, painstakingly
gathered at no cost to them and thoughtfully annotated with whatever
metadata has been collected.

---rsk