Russian Anal Probing + Malware
Troy Mursch
troy at wolvtech.com
Sat Jun 22 20:58:31 UTC 2019
AS202425 = AS29073. Formerly known as Quasi Networks / Ecatel. See previous
NANOG thread here:
https://mailman.nanog.org/pipermail/nanog/2017-August/091956.html
On Sat, Jun 22, 2019 at 10:03 AM Keith Medcalf <kmedcalf at dessus.com> wrote:
> On Friday, 21 June, 2019 18:14, Ronald F. Guilmette <rfg at tristatelogic.com>
> wrote:
>
> > https://twitter.com/GreyNoiseIO/status/1129017971135995904
> > https://twitter.com/JayTHL/status/1128718224965685248
>
> Sorry, don't twitter ... Too much malicious JavaScript there.
>
> >Friday Questionnaire:
>
> >Is there anybody on this list who keeps firewall logs and who
> >DOESN'T have numerous hits recorded therein from one or more
> >of the following IP addresses?
>
> >80.82.64.21 scanner29.openportstats.com
> >80.82.70.2 scanner8.openportstats.com
> >80.82.70.198 scanner21.openportstats.com
> >80.82.70.216 scanner13.openportstats.com
> >80.82.78.104 scanner151.openportstats.com
> >89.248.160.132 scanner15.openportstats.com
> >89.248.162.168 scanner5.openportstats.com
> >89.248.168.62 scanner1.openportstats.com
> >89.248.168.63 scanner2.openportstats.com
> >89.248.168.73 scanner3.openportstats.com
> >89.248.168.74 scanner4.openportstats.com
> >89.248.168.170 scanner17.openportstats.com
> >89.248.168.196 scanner16.openportstats.com
> >89.248.171.38 scanner7.openportstats.com
> >89.248.171.57 scanner20.openportstats.com
> >89.248.172.18 scanner25.openportstats.com
> >89.248.172.23 scanner27.openportstats.com
> >93.174.91.31 scanner10.openportstats.com
> >93.174.91.34 scanner11.openportstats.com
> >93.174.91.35 scanner12.openportstats.com
> >93.174.93.98 scanner18.openportstats.com
> >93.174.93.149 scanner6.openportstats.com
> >93.174.93.241 scanner14.openportstats.com
> >93.174.95.37 scanner19.openportstats.com
> >93.174.95.42 scanner8.openportstats.com
> >94.102.51.31 scanner31.openportstats.com
> >94.102.51.98 scanner55.openportstats.com
> >94.102.52.245 scanner9.openportstats.com
>
> I have just a few. They have all been blocked. There have been no
> incoming sessions established, nor any outbound sessions to these addresses.
>
> Why do you think it is a problem and not just run-of-the-mill background
> radiation on the Internet?
>
> Do you (or your endpoints) not have a firewall to block such things?
>
> sqlite> select * from hosts where name like '%openports%';
> id          address        name                          description  asn     lastupdate
> ----------  -------------  ----------------------------  -----------  ------  ----------
> 3662        93.174.93.241  scanner14.openportstats.com.               202425  1561209704
> 5061        93.174.95.42   scanner8.openportstats.com.                202425  1560718494
> 11894       93.174.93.149  scanner6.openportstats.com.                202425  1560732443
> 17720       93.174.93.98   scanner18.openportstats.com.               202425  1560640554
> 54208       80.82.70.2     scanner8.openportstats.com.                202425  1560774033
> 54790       89.248.160.13  scanner15.openportstats.com.               202425  1560682732
> 55081       89.248.168.19  scanner16.openportstats.com.               202425  1561158220
> 55629       89.248.168.17  scanner17.openportstats.com.               202425  1560817976
> 59858       89.248.171.57  scanner20.openportstats.com.               202425  1560800216
> 64626       89.248.171.38  scanner7.openportstats.com.                202425  1560841829
> 70081       93.174.95.37   scanner19.openportstats.com.               202425  1560802023
> 72978       80.82.70.216   scanner13.openportstats.com.               202425  1560709312
> 74711       94.102.52.245  scanner9.openportstats.com.                202425  1560589038
> 80358       89.248.162.16  scanner5.openportstats.com.                202425  1561217966
> 86148       89.248.172.18  scanner25.openportstats.com.               202425  1560884061
> 89484       94.102.51.31   scanner31.openportstats.com.               202425  1561199715
> 90131       80.82.70.198   scanner21.openportstats.com.               202425  1560776777
> 90531       80.82.78.104   scanner151.openportstats.com               202425  1561150052
> 91641       80.82.64.21    scanner29.openportstats.com.               202425  1561184548
> 104810      94.102.51.98   scanner55.openportstats.com.               202425  1561138118
>
> sqlite> select * from asns where asn=202425;
> asn country rir allocated description lastupdate
> ---------- ---------- ---------- ---------- --------------- ----------
> 202425 SC ripencc 2018-05-17 INT-NETWORK, SC 1561217966
>
> sqlite> select srcaddress, count(*), min(localtime), max(localtime) from
> firewalllog where srcaddress in (select address from hosts where name like
> '%openportstats.com.') group by srcaddress;
> srcaddress   count(*)  min(localtime)                  max(localtime)
> -----------  --------  ------------------------------  ------------------------------
> 80.82.64.21  6         2019-03-28 05:21:13.919 -06:00  2019-03-31 06:47:28.309 -06:00
> 80.82.70.2   208       2019-01-23 12:58:02.557 -07:00  2019-04-02 06:37:43.125 -06:00
> 80.82.70.19  114       2019-03-25 14:13:17.058 -06:00  2019-04-02 06:39:57.214 -06:00
> 80.82.70.21  17970     2019-02-25 13:34:52.202 -07:00  2019-04-24 19:27:58.113 -06:00
> 80.82.78.10  767       2019-03-26 08:37:53.799 -06:00  2019-06-21 15:27:05.791 -06:00
> 89.248.160.  1754      2019-01-24 12:40:58.764 -07:00  2019-04-13 05:02:00.866 -06:00
> 89.248.162.  1384      2019-03-09 16:21:40.538 -07:00  2019-06-22 09:39:26.809 -06:00
> 89.248.168.  43        2019-01-25 18:52:41.512 -07:00  2019-03-28 06:57:15.269 -06:00
> 89.248.168.  1543      2019-01-24 23:03:14.052 -07:00  2019-04-23 01:46:26.558 -06:00
> 89.248.171.  22        2019-02-10 12:14:00.168 -07:00  2019-02-12 14:16:40.212 -07:00
> 89.248.171.  1850      2019-02-01 18:06:15.893 -07:00  2019-06-17 13:36:56.062 -06:00
> 89.248.172.  3         2019-03-18 20:33:50.209 -06:00  2019-03-23 16:47:31.949 -06:00
> 93.174.93.9  67        2018-12-08 17:42:28.122 -07:00  2019-04-01 03:24:06.896 -06:00
> 93.174.93.1  16        2018-12-04 03:34:47.534 -07:00  2019-05-07 01:34:27.308 -06:00
> 93.174.93.2  1661      2018-11-23 10:13:06.957 -07:00  2019-06-22 07:21:44.239 -06:00
> 93.174.95.3  144       2019-02-20 08:06:52.282 -07:00  2019-02-28 02:30:39.109 -07:00
> 93.174.95.4  252       2018-11-24 22:14:19.061 -07:00  2019-03-03 19:04:48.709 -07:00
> 94.102.51.3  262       2019-03-24 10:03:55.679 -06:00  2019-06-22 04:35:15.886 -06:00
> 94.102.51.9  32        2019-04-28 08:52:43.818 -06:00  2019-05-17 11:22:16.166 -06:00
> 94.102.52.2  38        2019-02-28 12:45:52.949 -07:00  2019-03-07 07:30:03.547 -07:00
>
>
> >NOTE: Dshield has already assigned an 8 rating on their Badness
> >Richter Scale to the specific one of the above addresses that's
> >been poking me personally in recent days:
>
> > https://www.dshield.org/ipinfo.html?ip=89.248.162.168
> > https://www.dshield.org/ipdetails.html?ip=89.248.162.168
>
> >And the Dshield rating is *just* based on the probing. The addition
> >of malware slinging also puts this whole mess over the top entirely.
>
> What malware slinging? I see none of that. Merely unsolicited incoming
> connection attempts. I note that neither the ASN in question nor the
> addresses are on the DROP list.
>
> >Oh! And I'll save you all the time looking it up.... 100% of the IPs
> >listed above are on AS202425 "IP Volume, Inc." allegedly of the
> >Seychelles Islands, where the employees and management are no
> >doubt enjoying their luxurious and expansive new corporate headquarters...
>
> Good for them. Everyone should have luxurious and expansive corporate
> headquarters.
>
> > https://bit.ly/2ZBayc4
>
> Malicious link detected.
>
> --
> The fact that there's a Highway to Hell but only a Stairway to Heaven says
> a lot about anticipated traffic volume.
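Keith's reply above shows the shape of the check: a hosts table keyed by address carrying the reverse-DNS name and ASN, and a firewall log table queried for hit count and first/last seen per source. What follows is an added example, not code from the thread or from anyone posting in it. It parses a handful of constructed firewall records (a hypothetical `timestamp ACTION ... SRC= ... DPT=` line format chosen for the example, not any real logger's output) into an in-memory SQLite database, runs the same per-source aggregation, and then rolls the hits up by ASN so that a scanner network spread over twenty addresses shows as one line. The hosts and asns rows are the ones quoted in the thread plus one RFC 5737 documentation address with no attribution, included so that unattributed sources are not silently dropped from the roll-up.

```python
import re
import sqlite3

# Constructed sample firewall records in a hypothetical "timestamp ACTION key=value ..."
# format. These are made up for the example, not captured traffic; the last line is
# deliberately malformed to show that non-matching lines are skipped.
SAMPLE_LOG = """\
2019-06-21T15:27:05-06:00 DROP IN=eth0 SRC=80.82.78.104 DST=203.0.113.10 PROTO=TCP SPT=44601 DPT=8080
2019-06-22T04:35:15-06:00 DROP IN=eth0 SRC=94.102.51.31 DST=203.0.113.10 PROTO=TCP SPT=40221 DPT=445
2019-06-22T09:39:26-06:00 DROP IN=eth0 SRC=89.248.162.168 DST=203.0.113.10 PROTO=TCP SPT=51033 DPT=23
2019-06-22T09:40:02-06:00 DROP IN=eth0 SRC=89.248.162.168 DST=203.0.113.10 PROTO=TCP SPT=51034 DPT=2323
2019-06-22T10:02:11-06:00 DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=33811 DPT=22
this line is not a firewall record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

# Reverse-DNS names and ASN as quoted in the thread for three of the scanner addresses.
# 198.51.100.7 (RFC 5737 documentation range) is left out on purpose: an unattributed source.
HOSTS = [
    ("80.82.78.104", "scanner151.openportstats.com.", 202425),
    ("89.248.162.168", "scanner5.openportstats.com.", 202425),
    ("94.102.51.31", "scanner31.openportstats.com.", 202425),
]
ASNS = [(202425, "SC", "ripencc", "INT-NETWORK, SC")]


def build_db(log_text):
    """Create the three tables used in the thread and load parsed log lines into them."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE hosts (address TEXT PRIMARY KEY, name TEXT, asn INTEGER);
        CREATE TABLE asns (asn INTEGER PRIMARY KEY, country TEXT, rir TEXT, description TEXT);
        CREATE TABLE firewalllog (localtime TEXT, action TEXT, srcaddress TEXT, dstport INTEGER);
    """)
    db.executemany("INSERT INTO hosts VALUES (?,?,?)", HOSTS)
    db.executemany("INSERT INTO asns VALUES (?,?,?,?)", ASNS)
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a firewall record in the expected format
        rows.append((m["ts"], m["action"], m["src"], int(m["dpt"])))
    db.executemany("INSERT INTO firewalllog VALUES (?,?,?,?)", rows)
    return db


def hits_by_source(db, name_like="%openportstats.com."):
    """Per-source count and first/last seen, same shape as the query in the thread."""
    return db.execute("""
        SELECT srcaddress, COUNT(*), MIN(localtime), MAX(localtime)
          FROM firewalllog
         WHERE srcaddress IN (SELECT address FROM hosts WHERE name LIKE ?)
         GROUP BY srcaddress
         ORDER BY srcaddress
    """, (name_like,)).fetchall()


def hits_by_asn(db):
    """Roll hits up to the originating ASN. LEFT JOINs keep sources with no hosts
    entry in a NULL-ASN bucket instead of dropping them from the totals."""
    return db.execute("""
        SELECT h.asn, a.description, COUNT(*) AS hits, COUNT(DISTINCT f.srcaddress) AS sources
          FROM firewalllog f
          LEFT JOIN hosts h ON h.address = f.srcaddress
          LEFT JOIN asns  a ON a.asn = h.asn
         GROUP BY h.asn
         ORDER BY hits DESC
    """).fetchall()


def ports_probed(db, src):
    """Distinct destination ports seen from one source, ascending."""
    return [r[0] for r in db.execute(
        "SELECT DISTINCT dstport FROM firewalllog WHERE srcaddress = ? ORDER BY dstport", (src,)
    )]


if __name__ == "__main__":
    db = build_db(SAMPLE_LOG)
    for row in hits_by_source(db):
        print("source", row)
    for row in hits_by_asn(db):
        print("asn", row)
    print("ports from 89.248.162.168:", ports_probed(db, "89.248.162.168"))
```

The ASN roll-up is the view worth keeping: the per-address table in the thread needed twenty rows for one operator, and the same operator under a different ASN (the AS29073 renumbering Troy points out) would still be a separate line, so a real deployment would key the roll-up on an operator label rather than the bare ASN.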