nanog mailing list archives
Re: Russian Anal Probing + Malware
From: Filip Hruska <fhr () fhrnet eu>
Date: Sat, 22 Jun 2019 22:04:01 +0000
On 6/22/19 2:13 AM, Ronald F. Guilmette wrote:
> https://twitter.com/GreyNoiseIO/status/1129017971135995904
> https://twitter.com/JayTHL/status/1128718224965685248
>
> Friday Questionnaire: Is there anybody on this list who keeps firewall logs and who DOESN'T have numerous hits recorded therein from one or more of the following IP addresses?
>
> NOTE: Dshield has already assigned an 8 rating on their Badness Richter Scale to the specific one of the above addresses that's been poking me personally in recent days:
> https://www.dshield.org/ipinfo.html?ip=89.248.162.168
> https://www.dshield.org/ipdetails.html?ip=89.248.162.168
>
> And the Dshield rating is *just* based on the probing. The addition of malware slinging also puts this whole mess over the top entirely.
>
> Oh! And I'll save you all the time looking it up.... 100% of the IPs listed above are on AS202425 "IP Volume, Inc." allegedly of the Seychelles Islands, where the employees and management are no doubt enjoying their luxurious and expansive new corporate headquarters...
It's just a port/vulnerability scanner, I really don't see anything special about this particular case.
"IP Volume" is actually a new brand of Ecatel/Quasi Networks, servers are in a Dutch datacenter.
What does that have to do with the vulnerability scanner? Also: You know it doesn't make any sense, right?

> P.S. This is the kind of thing that everybody really should expect when the U.S. Department of Defense takes it upon itself to start up its own little private and unauthorized (cyber)war on Russia, without first obtaining the consent of Congress... you know, kinda like that ancient yellowed document that nobody in this country reads anymore says they should. And apparently, the DoD was understandably not anxious to brief even the President about all this...
> https://www.businessinsider.com/us-officials-hide-russia-cyber-operation-trump-2019-6
> (Not that anybody can really blame them for THAT.)
--
Filip Hruska
Linux System Administrator
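The thread's opening question is about who sees these scanner sources in their firewall logs. As an added example (not code from either poster), here is a small aggregator over iptables-style drop lines that counts hits per source, tracks first/last seen and distinct destination ports, and flags sources that are on a watchlist or that probe many ports. The log lines, the `203.0.113.5` / `198.51.100.7` addresses and the three-port threshold are constructed for the example; the watchlist holds only the address the post says DShield rated.

```python
import re
from collections import defaultdict

# Constructed iptables-style kernel log lines (not taken from the thread).
# 89.248.162.168 is the address the post says DShield rated; 198.51.100.7 is a
# documentation address standing in for a benign single-hit source.
SAMPLE_LOG = """\
Jun 20 03:14:07 gw kernel: DROP IN=eth0 SRC=89.248.162.168 DST=203.0.113.5 PROTO=TCP DPT=445
Jun 20 03:14:09 gw kernel: DROP IN=eth0 SRC=89.248.162.168 DST=203.0.113.5 PROTO=TCP DPT=3389
Jun 20 03:14:12 gw kernel: DROP IN=eth0 SRC=89.248.162.168 DST=203.0.113.5 PROTO=TCP DPT=8080
Jun 21 11:02:33 gw kernel: DROP IN=eth0 SRC=89.248.162.168 DST=203.0.113.5 PROTO=TCP DPT=445
Jun 21 18:45:01 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=22
"""

# Source addresses named in the thread as the scanning host (watchlist).
WATCHLIST = {"89.248.162.168"}

# Syslog timestamp, then the SRC= and DPT= fields that netfilter logging emits.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")


def summarize(log_text, watchlist=WATCHLIST, port_threshold=3):
    """Aggregate dropped packets per source and flag scanner-like sources.

    A source is flagged "watchlist" when it is in `watchlist` and "multi-port"
    when it hit at least `port_threshold` distinct destination ports (assumed
    heuristic, not from the post). Returns {src: {hits, ports, first, last, flag}}.
    """
    stats = defaultdict(lambda: {"hits": 0, "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall drop line
        s = stats[m["src"]]
        s["hits"] += 1
        s["ports"].add(int(m["dpt"]))
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
    for src, s in stats.items():
        reasons = []
        if src in watchlist:
            reasons.append("watchlist")
        if len(s["ports"]) >= port_threshold:
            reasons.append("multi-port")
        s["flag"] = ",".join(reasons) or "none"
    return dict(stats)


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        print(f"{src:16} hits={s['hits']} ports={sorted(s['ports'])} "
              f"first={s['first']} last={s['last']} flag={s['flag']}")
```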