Re: Russian Anal Probing + Malware

[Filip Hruska <fhr () fhrnet eu>]

On 6/22/19 2:13 AM, Ronald F. Guilmette wrote:

>      https://twitter.com/GreyNoiseIO/status/1129017971135995904
>      https://twitter.com/JayTHL/status/1128718224965685248
>
> Friday Questionaire:
>
> Is there anybody on this list who keeps firewall logs and who
> DOESN'T have numerous hits recorded therein from one or more
> of the following IP addresses?
>
> 80.82.64.21 scanner29.openportstats.com
> 80.82.70.2 scanner8.openportstats.com
> 80.82.70.198 scanner21.openportstats.com
> 80.82.70.216 scanner13.openportstats.com
> 80.82.78.104 scanner151.openportstats.com
> 89.248.160.132 scanner15.openportstats.com
> 89.248.162.168 scanner5.openportstats.com
> 89.248.168.62 scanner1.openportstats.com
> 89.248.168.63 scanner2.openportstats.com
> 89.248.168.73 scanner3.openportstats.com
> 89.248.168.74 scanner4.openportstats.com
> 89.248.168.170 scanner17.openportstats.com
> 89.248.168.196 scanner16.openportstats.com
> 89.248.171.38 scanner7.openportstats.com
> 89.248.171.57 scanner20.openportstats.com
> 89.248.172.18 scanner25.openportstats.com
> 89.248.172.23 scanner27.openportstats.com
> 93.174.91.31 scanner10.openportstats.com
> 93.174.91.34 scanner11.openportstats.com
> 93.174.91.35 scanner12.openportstats.com
> 93.174.93.98 scanner18.openportstats.com
> 93.174.93.149 scanner6.openportstats.com
> 93.174.93.241 scanner14.openportstats.com
> 93.174.95.37 scanner19.openportstats.com
> 93.174.95.42 scanner8.openportstats.com
> 94.102.51.31 scanner31.openportstats.com
> 94.102.51.98 scanner55.openportstats.com
> 94.102.52.245 scanner9.openportstats.com
>
>
> NOTE:  Dshield has already assigned an 8 rating on their Badness Richter
> Scale to the specific one of the above addresses that's been poking me
> personally in recent days:
>
>      https://www.dshield.org/ipinfo.html?ip=89.248.162.168
>      https://www.dshield.org/ipdetails.html?ip=89.248.162.168
>
> And the Dshield rating is *just* based on the probing.  The addition of
> malware slinging also puts this whole mess over the top entirely.
>
> Oh!  And I'll save you all the time looking it up.... 100% of the IPs
> listed above are on AS202425 "IP Volume, Inc. allegedly of the Seychelles
> Islands, where the employees and management are no doubt enjoying their
> luxurious and expansive new corporate headquarters...

It's just a port/vulnerability scanner, I really don't see anything 
special about this particular case.

"IP Volume" is actually a new brand of Ecatel/Quasi Networks, servers 
are in a Dutch datacenter.

> P.S.  This is the kind of thing that everybody really should expect
> when the U.S. Department of Defense takes it upon itself to start up
> its own little private and unauthorized (cyber)war on Russia, wthout
> first obtaining the consent of Congress... you know, kinda like that
> ancient yellowed document that nobody in this country reads anymore
> says they should.  And apparently, the DoD was understandably not
> anxious to brief even the President about all this...
>
> https://www.businessinsider.com/us-officials-hide-russia-cyber-operation-trump-2019-6
>
> (Not that anybody can really blame them for THAT.)
What does that have to do with the vulnerability scanner? Also: You know 
it doesn't make any sense, right?

--
Filip Hruska
Linux System Administrator