Russian Anal Probing + Malware

Randy Bush randy at psg.com
Sun Jun 23 21:23:01 UTC 2019


>> It's just a port/vulnerability scanner, I really don't see anything
>> special about this particular case.
> 
> they are pushing exploits. trying to RCE, wget a binary, chmod 777 on
> routers and rm -rf files.
> 
> this goes way beyond scanner and into criminal trespass and
> destruction of property.
> 
> https://twitter.com/JayTHL/status/1128700101675954176

having trouble following the attribution.  yes, of course there are folk
trying to exploit.  but missing the link that *these* folk are.

e.g. i am aware of researchers scanning to see patching spread and
trying to make a CoNEXT paper deadline this week or INFOCOM next month.

hard to tell the sheep from the goats and the wolf from the sheep.  i
get the appended.  sheep or wolf?  i sure do not claim to be smart
enough to know.  but i sure am glad others are </snark>.

randy

---

Jun 20 18:53:23 winnti-scanner-victims-will-be-notified.threatsinkhole.com ÃVŒ#022Dz/· 
Jun 20 18:53:23 ran rsyslogd: imtcp imtcp: Framing Error in received TCP message from peer: (hostname) winnti-scanner-victims-will-be-notified.threatsinkhole.com, (ip) winnti-scanner-victims-will-be-notified.threatsinkhole.com: delimiter is not SP but has ASCII value -51. [v8.32.0]
Jun 20 18:53:55 winnti-scanner-victims-will-be-notified.threatsinkhole.com Àt–Câ #000F#000#000#000#000#000ºŒÁ«#000#000#000#000#001#004F#000#000#000#003#010»=)²#027Ä$íª#000#000#000#000#000++#000#000#000#000(#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#001#001#000#000#000#000#026#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#004#000#000#000#000#000#000#000#000#000#004#000#000#000#000
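The rsyslogd line above is imtcp rejecting a TCP payload that does not fit RFC 6587 octet-counting framing (a decimal length, a space, then the message). Below is an added example, not part of the post and not rsyslog's own code, of the same check in Python: a small octet-counted frame parser that reports violations the way that log line does, so that "ASCII value -51" can be read as "the byte after the length digits was 0xCD, printed through a signed char". The sample inputs are constructed, not captured traffic; the helper names are my own.

```python
"""RFC 6587 octet-counting frame check, modelled on the error text rsyslog's
imtcp logs ("delimiter is not SP but has ASCII value N").  Added example;
not a port of rsyslog's source.  The negative "ASCII value" in the post
comes from printing a raw byte as a C signed char (0xCD -> -51)."""


class FramingError(ValueError):
    """Raised when a chunk does not parse as an octet-counted syslog frame."""


def to_signed_char(byte: int) -> int:
    """Reinterpret an unsigned byte (0..255) as a C signed char (x86 default),
    which is why high bytes show up as negative numbers in rsyslog's message."""
    return byte - 256 if byte > 127 else byte


def parse_octet_counted(buf: bytes):
    """Parse one frame of the form MSG-LEN SP SYSLOG-MSG.

    Returns (message, rest).  Raises FramingError when the leading length
    digits are missing, when the byte after them is not SP, or when the
    frame is shorter than the announced length.  Assumption: rsyslog itself
    falls back to newline-delimited framing when the first byte is not a
    digit; here that case is reported as an error so the caller sees it.
    """
    i = 0
    while i < len(buf) and 0x30 <= buf[i] <= 0x39:  # '0'..'9'
        i += 1
    if i == 0:
        raise FramingError("frame does not start with a digit (no octet count)")
    if i >= len(buf):
        raise FramingError("length field with no delimiter")
    delim = buf[i]
    if delim != 0x20:
        raise FramingError(
            f"delimiter is not SP but has ASCII value {to_signed_char(delim)}"
        )
    msg_len = int(buf[:i])
    start = i + 1
    if len(buf) < start + msg_len:
        raise FramingError("truncated frame")
    return buf[start:start + msg_len], buf[start + msg_len:]


def classify_peer_data(buf: bytes) -> str:
    """One-line triage verdict for a TCP chunk received on the syslog port."""
    try:
        msg, _rest = parse_octet_counted(buf)
    except FramingError as exc:
        return f"framing error: {exc}"
    if not msg.startswith(b"<"):
        return "framed, but payload lacks a syslog PRI"
    return "ok"


# Constructed samples (not captured traffic).
_legit_msg = b"<34>1 2019-06-20T18:53:23Z ran rsyslogd - - - hello"
SAMPLES = {
    "legit":        str(len(_legit_msg)).encode() + b" " + _legit_msg,
    "high_byte":    b"1\xcd\x00\x00\x00",        # digit, then 0xCD instead of SP
    "no_digits":    b"\xc3V\x8c\x16Dz/\xb7",     # binary from the first byte
    "framed_blob":  b"4 \x00\x01\x02\x03",       # well framed, but not syslog
}

if __name__ == "__main__":
    for name, chunk in SAMPLES.items():
        print(f"{name:12s} {classify_peer_data(chunk)}")
```

Run as a script it prints a verdict per sample; the `high_byte` case reproduces the post's "-51" wording. The `framed_blob` case is the caveat worth remembering: correct framing says nothing about the payload being syslog, so a receiver exposed to the internet should still validate the PRI and structure before trusting what it stores.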



More information about the NANOG mailing list