Compromized modems in Thai IP Space

Christopher Morrow morrowc.lists at gmail.com
Tue Aug 11 14:19:37 UTC 2020


On Tue, Aug 11, 2020 at 9:31 AM JORDI PALET MARTINEZ via NANOG
<nanog at nanog.org> wrote:
>
> I don't know what you tried in APNIC, my experience is that they are usually responding very quickly.
>
> Have you tried the abuse contacts of the ISP?
>

For the Thai ISP space you might also get some traction just talking
to the thai cert org.
h  ttps://www.thaicert.or.th/about-en.html

perhaps even this path:
  https://www.thaicert.or.th/report-en.html

> If they fail, have you tried to escalate to escalation-abuse at apnic.net, following our abuse-mailbox proposal (https://www.apnic.net/wp-content/uploads/2018/08/prop-125-v001.txt), which was adopted long time ago?
>
>  You could also try the APNIC Talk mailing list.
>
> Regards,
> Jordi
> @jordipalet
>
>
>
> El 11/8/20 15:10, "NANOG en nombre de Alexander Maassen" <nanog-bounces+jordi.palet=consulintel.es at nanog.org en nombre de outsider at scarynet.org> escribió:
>
>     Hello folks,
>
>     Before you shoot me with 'wrong mailing list' replies, believe me, I
>     tried, THNOG is dead, APNIC ain't responding either and the ISP's over
>     there don't seem to care much. And I've been looking at this situation for
>     over 2 years now since first incident. I simply hope that with the
>     contacts you folks have due to your professions to be able to help.
>
>     So, I came across this botnet which decided to pick my IRC network as
>     control center, and I have been digging into them. It turns out that in
>     Thailand, people can easily get cloned modems in order to internet for
>     'free', it simply boils down to mac cloning, so let me spare you the
>     details. The problem is that these modems also carry a digital STD in the
>     form of additional botnet code, allowing the controllers to do, well,
>     botnet stuff.
>
>     I disabled their ability to control by glining everything on join to the
>     control channel, and since I am maintainer of DroneBL, add them to the
>     blacklist. Doing that for 2+ years now. The amount of removal requests
>     because people no longer are able to play on cncnet is amazing.
>
>     My question here kinda is, how to permanently get rid of this evil in an
>     effective way, and who to contact? (yes, I tried to get through to NOC's
>     of the affected providers), or could perhaps someone be so nice to use one
>     of their contacts in Thailand to speed things up?
>
>     Kind regards,
>
>     Alexander Maassen
>     Maintainer DroneBL
>
>
>
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
>
>
>



More information about the NANOG mailing list