Lots of compromised routers found in Thailand
outsider at scarynet.org
Wed Oct 24 14:50:20 UTC 2018
I know this would belong in THNOG, but since their email turns out to be
unroutable, and APNIC never replied to a ticket I filed a week ago, I
hope some Thai network operators are listening here as well. (True's IRT
team contact has however been established already.)

For the past week I've seen a lot of compromised connections on my personal
IRC net from network ranges owned by asiasnet.co.th, 3bb.co.th,
totbb.co.th and ais.co.th (and probably others). The issue seems to be
limited to TH space at the moment.

After investigating some of those bots' IP sources, it turns out they all
are from clients with routers that have the admin port open to everyone
and the routers have the default login (BAD BAD BAD). ACS URLs have
been changed to http://255.255.255.255. New connections arrive at an
estimated rate of 1 every 3 minutes at the moment. All connections found to be
affected have been and will be added to my dnsbl (dronebl) as type 15
(compromised router/127.0.0.15). If you need a list, contact me off list
with your AS number in order to get a dump.
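An operator can check their own customer prefixes for the type 15 (127.0.0.15) listing described in the message above. The following is an added example, not part of the original post: the zone name `dnsbl.dronebl.org` is an assumption (the post only says "dronebl"), and the addresses, function names and sample answers are constructed for illustration.

```python
import ipaddress
import socket

DNSBL_ZONE = "dnsbl.dronebl.org"  # assumption: zone name is not given in the post
COMPROMISED_ROUTER = ipaddress.IPv4Address("127.0.0.15")  # type 15, from the post
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def query_name(ip, zone=DNSBL_ZONE):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] when the lookup fails.
    A resolver outage also ends up here, so an empty result is not proof of a clean address."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def classify(ip, resolve=system_resolver):
    """Return 'compromised-router', 'listed-other' or 'not-listed' for one address."""
    answers = {ipaddress.IPv4Address(a) for a in resolve(query_name(ip))}
    if COMPROMISED_ROUTER in answers:
        return "compromised-router"
    if any(a in LOOPBACK for a in answers):  # some other listing type
        return "listed-other"
    return "not-listed"

def audit(prefix, resolve=system_resolver):
    """Check every host address in a prefix; return the ones listed as type 15."""
    net = ipaddress.ip_network(prefix)
    return [str(h) for h in net.hosts()
            if classify(str(h), resolve) == "compromised-router"]

# Constructed sample answers (documentation addresses) standing in for live DNS.
SAMPLE_ZONE = {
    "10.2.0.192.dnsbl.dronebl.org": ["127.0.0.15"],
    "11.2.0.192.dnsbl.dronebl.org": ["127.0.0.3"],
}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    print(audit("192.0.2.8/29", sample_resolver))
```

For anything larger than a small prefix, the per-AS dump offered in the message is a better source than one DNS query per address.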