Russian Anal Probing + Malware

Andy Smith andy at strugglers.net
Sun Jun 23 22:03:26 UTC 2019


Hi Brad,

On Sun, Jun 23, 2019 at 09:43:00PM +0000, Brad via NANOG wrote:
> On Friday, June 21, 2019 6:13 PM, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
> 
> > https://twitter.com/GreyNoiseIO/status/1129017971135995904
> > https://twitter.com/JayTHL/status/1128718224965685248
> 
> After forwarding these links to a sanitized client on another network, I saw nothing on the "twitter reports" which suggest these subnets are doing anything other than port scanning.

Earlier I posted one example of an attempt to exploit CVE-2019-10149 to
execute commands as root on one of my machines. I have 17 other
examples from the same IP that try to do similar things via the same
exploit, though there are differences which suggest to me that
multiple users or groups are using openportstats for this purpose.

Would you like to see them?

I think that trying to actively exploit a bug to execute arbitrary commands is
a lot different to mere port scanning. They aren't all harmless commands
either; some of them install rootkits and remote shells.

Cheers,
Andy
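The distinction Andy draws above, between a host that merely opens a connection and one that submits a crafted recipient, is something a mail administrator can pull out of their own logs. The following Python script is an added example and not part of the original post or of any NANOG member's code; it assumes Exim-style mainlog lines, and the sample lines are constructed (the IPs are documentation ranges and the command inside the expansion is a placeholder). It flags the `${run{` string-expansion marker in a RCPT address, which is what CVE-2019-10149 abuse looks like at the SMTP layer, and counts per-source events so scanners and exploitation attempts are reported separately.

```python
import re
from collections import defaultdict

# Constructed sample log, loosely modeled on Exim's mainlog format (an assumption).
# 203.0.113.5 only connects and leaves (a port scan); 198.51.100.7 sends a
# recipient containing a ${run{...}} expansion; 192.0.2.9 is an ordinary relay reject.
SAMPLE_LOG = """\
2019-06-23 21:50:01 no MAIL in SMTP connection from (scanner) [203.0.113.5] D=0s
2019-06-23 21:50:02 SMTP connection from [203.0.113.5] lost
2019-06-23 21:55:10 H=(probe) [198.51.100.7] F=<x@example.invalid> rejected RCPT <${run{PLACEHOLDER_COMMAND}}@localhost>: relay not permitted
2019-06-23 21:55:11 H=(probe) [198.51.100.7] F=<x@example.invalid> rejected RCPT <${run{PLACEHOLDER_COMMAND}}@localhost>: relay not permitted
2019-06-23 22:00:00 H=(mail.example.invalid) [192.0.2.9] F=<bob@example.invalid> rejected RCPT <nobody@example.org>: relay not permitted
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RCPT_RE = re.compile(r"RCPT <([^>]*)>")
# Exim string expansion in a recipient local part is the indicator worth alerting on;
# a legitimate address never contains "${run{".
EXPANSION_RE = re.compile(r"\$\{run\{", re.IGNORECASE)

SCAN_MARKERS = ("no MAIL in SMTP connection",)


def classify_line(line):
    """Return (source_ip, category) for a log line, or None if no IP is present.

    Categories: "exploit_attempt" for a RCPT carrying a ${run{ expansion,
    "scan" for a connection that never progressed to a transaction,
    "other" for everything else (normal rejects, deliveries, ...).
    """
    ip = IP_RE.search(line)
    if not ip:
        return None
    rcpt = RCPT_RE.search(line)
    if rcpt and EXPANSION_RE.search(rcpt.group(1)):
        return ip.group(1), "exploit_attempt"
    if any(marker in line for marker in SCAN_MARKERS) or (
        "SMTP connection from" in line and line.rstrip().endswith("lost")
    ):
        return ip.group(1), "scan"
    return ip.group(1), "other"


def summarize(log_text):
    """Count events per source IP, keyed by category."""
    counts = defaultdict(lambda: {"scan": 0, "exploit_attempt": 0, "other": 0})
    for line in log_text.splitlines():
        result = classify_line(line)
        if result:
            ip, category = result
            counts[ip][category] += 1
    return dict(counts)


def flagged_ips(log_text):
    """Sorted list of source IPs that submitted at least one expansion payload."""
    return sorted(ip for ip, c in summarize(log_text).items() if c["exploit_attempt"] > 0)


if __name__ == "__main__":
    for ip, c in summarize(SAMPLE_LOG).items():
        print(f"{ip:15} scans={c['scan']} exploit_attempts={c['exploit_attempt']} other={c['other']}")
    print("exploit sources:", flagged_ips(SAMPLE_LOG))
```

Run it against a real mainlog with `summarize(open("/var/log/exim4/mainlog").read())`; a source that appears only under `scan` is the case Brad describes, while anything under `exploit_attempt` is the case Andy describes and deserves a closer look at what else that host did.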
