Re: Russian Anal Probing + Malware

[Troy Mursch <troy () wolvtech com>]

AS202425 = AS29073. Formerly known as Quasi Networks / Ecatel. See previous
NANOG thread here:
https://mailman.nanog.org/pipermail/nanog/2017-August/091956.html


On Sat, Jun 22, 2019 at 10:03 AM Keith Medcalf <kmedcalf () dessus com> wrote:

> On Friday, 21 June, 2019 18:14, Ronald F. Guilmette <rfg () tristatelogic com>
> wrote:
>
> >    https://twitter.com/GreyNoiseIO/status/1129017971135995904
> >    https://twitter.com/JayTHL/status/1128718224965685248
>
> Sorry, don't twitter ...  Too much malicious JavaScript there.
>
> > Friday Questionaire:
>
> > Is there anybody on this list who keeps firewall logs and who
> > DOESN'T have numerous hits recorded therein from one or more
> > of the following IP addresses?
>
> > 80.82.64.21 scanner29.openportstats.com
> > 80.82.70.2 scanner8.openportstats.com
> > 80.82.70.198 scanner21.openportstats.com
> > 80.82.70.216 scanner13.openportstats.com
> > 80.82.78.104 scanner151.openportstats.com
> > 89.248.160.132 scanner15.openportstats.com
> > 89.248.162.168 scanner5.openportstats.com
> > 89.248.168.62 scanner1.openportstats.com
> > 89.248.168.63 scanner2.openportstats.com
> > 89.248.168.73 scanner3.openportstats.com
> > 89.248.168.74 scanner4.openportstats.com
> > 89.248.168.170 scanner17.openportstats.com
> > 89.248.168.196 scanner16.openportstats.com
> > 89.248.171.38 scanner7.openportstats.com
> > 89.248.171.57 scanner20.openportstats.com
> > 89.248.172.18 scanner25.openportstats.com
> > 89.248.172.23 scanner27.openportstats.com
> > 93.174.91.31 scanner10.openportstats.com
> > 93.174.91.34 scanner11.openportstats.com
> > 93.174.91.35 scanner12.openportstats.com
> > 93.174.93.98 scanner18.openportstats.com
> > 93.174.93.149 scanner6.openportstats.com
> > 93.174.93.241 scanner14.openportstats.com
> > 93.174.95.37 scanner19.openportstats.com
> > 93.174.95.42 scanner8.openportstats.com
> > 94.102.51.31 scanner31.openportstats.com
> > 94.102.51.98 scanner55.openportstats.com
> > 94.102.52.245 scanner9.openportstats.com
>
> I have just a few.  They have all been blocked.  There have been no
> incoming sessions established, nor any outbound sessions to these addresses.
>
> Why do you think it is a problem and not just run-of-the-mill background
> radiation on the Internet?
>
> Do you (or your endpoints) not have a firewall to block such things?
>
> sqlite> select * from hosts where name like '%openports%';
> id          address        name                          description  asn
>        lastupdate
> ----------  -------------  ----------------------------  -----------
> ----------  ----------
> 3662        93.174.93.241  scanner14.openportstats.com.
>  202425      1561209704
> 5061        93.174.95.42   scanner8.openportstats.com.
> 202425      1560718494
> 11894       93.174.93.149  scanner6.openportstats.com.
> 202425      1560732443
> 17720       93.174.93.98   scanner18.openportstats.com.
>  202425      1560640554
> 54208       80.82.70.2     scanner8.openportstats.com.
> 202425      1560774033
> 54790       89.248.160.13  scanner15.openportstats.com.
>  202425      1560682732
> 55081       89.248.168.19  scanner16.openportstats.com.
>  202425      1561158220
> 55629       89.248.168.17  scanner17.openportstats.com.
>  202425      1560817976
> 59858       89.248.171.57  scanner20.openportstats.com.
>  202425      1560800216
> 64626       89.248.171.38  scanner7.openportstats.com.
> 202425      1560841829
> 70081       93.174.95.37   scanner19.openportstats.com.
>  202425      1560802023
> 72978       80.82.70.216   scanner13.openportstats.com.
>  202425      1560709312
> 74711       94.102.52.245  scanner9.openportstats.com.
> 202425      1560589038
> 80358       89.248.162.16  scanner5.openportstats.com.
> 202425      1561217966
> 86148       89.248.172.18  scanner25.openportstats.com.
>  202425      1560884061
> 89484       94.102.51.31   scanner31.openportstats.com.
>  202425      1561199715
> 90131       80.82.70.198   scanner21.openportstats.com.
>  202425      1560776777
> 90531       80.82.78.104   scanner151.openportstats.com
>  202425      1561150052
> 91641       80.82.64.21    scanner29.openportstats.com.
>  202425      1561184548
> 104810      94.102.51.98   scanner55.openportstats.com.
>  202425      1561138118
>
> sqlite> select * from asns where asn=202425;
> asn         country     rir         allocated   description      lastupdate
> ----------  ----------  ----------  ----------  ---------------  ----------
> 202425      SC          ripencc     2018-05-17  INT-NETWORK, SC  1561217966
>
> sqlite> select srcaddress, count(*), min(localtime), max(localtime) from
> firewalllog where srcaddress in (select address from hosts where name like
> '%openportstats.com.') group by srcaddress;
> srcaddress   count(*)    min(localtime)                  max(localtime)
> -----------  ----------  ------------------------------
> ------------------------------
> 80.82.64.21  6           2019-03-28 05:21:13.919 -06:00  2019-03-31
> 06:47:28.309 -06:00
> 80.82.70.2   208         2019-01-23 12:58:02.557 -07:00  2019-04-02
> 06:37:43.125 -06:00
> 80.82.70.19  114         2019-03-25 14:13:17.058 -06:00  2019-04-02
> 06:39:57.214 -06:00
> 80.82.70.21  17970       2019-02-25 13:34:52.202 -07:00  2019-04-24
> 19:27:58.113 -06:00
> 80.82.78.10  767         2019-03-26 08:37:53.799 -06:00  2019-06-21
> 15:27:05.791 -06:00
> 89.248.160.  1754        2019-01-24 12:40:58.764 -07:00  2019-04-13
> 05:02:00.866 -06:00
> 89.248.162.  1384        2019-03-09 16:21:40.538 -07:00  2019-06-22
> 09:39:26.809 -06:00
> 89.248.168.  43          2019-01-25 18:52:41.512 -07:00  2019-03-28
> 06:57:15.269 -06:00
> 89.248.168.  1543        2019-01-24 23:03:14.052 -07:00  2019-04-23
> 01:46:26.558 -06:00
> 89.248.171.  22          2019-02-10 12:14:00.168 -07:00  2019-02-12
> 14:16:40.212 -07:00
> 89.248.171.  1850        2019-02-01 18:06:15.893 -07:00  2019-06-17
> 13:36:56.062 -06:00
> 89.248.172.  3           2019-03-18 20:33:50.209 -06:00  2019-03-23
> 16:47:31.949 -06:00
> 93.174.93.9  67          2018-12-08 17:42:28.122 -07:00  2019-04-01
> 03:24:06.896 -06:00
> 93.174.93.1  16          2018-12-04 03:34:47.534 -07:00  2019-05-07
> 01:34:27.308 -06:00
> 93.174.93.2  1661        2018-11-23 10:13:06.957 -07:00  2019-06-22
> 07:21:44.239 -06:00
> 93.174.95.3  144         2019-02-20 08:06:52.282 -07:00  2019-02-28
> 02:30:39.109 -07:00
> 93.174.95.4  252         2018-11-24 22:14:19.061 -07:00  2019-03-03
> 19:04:48.709 -07:00
> 94.102.51.3  262         2019-03-24 10:03:55.679 -06:00  2019-06-22
> 04:35:15.886 -06:00
> 94.102.51.9  32          2019-04-28 08:52:43.818 -06:00  2019-05-17
> 11:22:16.166 -06:00
> 94.102.52.2  38          2019-02-28 12:45:52.949 -07:00  2019-03-07
> 07:30:03.547 -07:00
>
>
> > NOTE:  Dshield has already assigned an 8 rating on their Badness
> > Richter Scale to the specific one of the above addresses that's
> > been poking me personally in recent days:
>
> >    https://www.dshield.org/ipinfo.html?ip=89.248.162.168
> >    https://www.dshield.org/ipdetails.html?ip=89.248.162.168
>
> > And the Dshield rating is *just* based on the probing.  The addition
> > of malware slinging also puts this whole mess over the top entirely.
>
> What malware slinging?  I see none of that.  Merely unsolicited incoming
> connection attempts.  I note that neither the ASN in question nor the
> addresses are on the DROP list.
>
> > Oh!  And I'll save you all the time looking it up.... 100% of the IPs
> > listed above are on AS202425 "IP Volume, Inc. allegedly of the
> > Seychelles Islands, where the employees and management are no
> > doubt enjoying their luxurious and expansive new corporate headquarters...
>
> Good for them.  Everyone should have luxurious and expansive corporate
> headquarters.
>
> >    https://bit.ly/2ZBayc4
>
> Malicious link detected.
>
> --
> The fact that there's a Highway to Hell but only a Stairway to Heaven says
> a lot about anticipated traffic volume.