Re: Russian Anal Probing + Malware

[Randy Bush <randy () psg com>]

> > It's just a port/vulnerability scanner, I really don't see anything
> > special about this particular case.
>
> they are pushing exploits. trying to RCE, wget a binary, chmod 777 on
> routers and rm -rf files.
>
> this goes way beyond scanner and into criminal trespass and
> destruction of property.
>
> https://twitter.com/JayTHL/status/1128700101675954176

having trouble following the attribution.  yes, of course there are folk
trying to exploit.  but missing the link that *these* folk are.

e.g. i am aware of researchers scanning to see patching spread and
trying to make a conext paper dreadline this week or infocom next month.

hard to tell the sheep from the goats and the wolf from the sheep.  i
get the appended.  sheep or wholf?  i sure do not claim to be smart
enough to know.  but i sure am glad others are </snark>.

randy

---

Jun 20 18:53:23 winnti-scanner-victims-will-be-notified.threatsinkhole.com �V�&#022Dz/� 
Jun 20 18:53:23 ran rsyslogd: imtcp imtcp: Framing Error in received TCP message from peer: (hostname) 
winnti-scanner-victims-will-be-notified.threatsinkhole.com, (ip) 
winnti-scanner-victims-will-be-notified.threatsinkhole.com: delimiter is not SP but has ASCII value -51. [v8.32.0]
Jun 20 18:53:55 winnti-scanner-victims-will-be-notified.threatsinkhole.com �t�C� 
#000F#000#000#000#000#000����#000#000#000#000#001#004F#000#000#000#003#010�=)�#027�$��#000#000#000#000#000++#000#000#000#000(#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#001#001#000#000#000#000#026#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#004#000#000#000#000#000#000#000#000#000#004#000#000#000#000