nanog mailing list archives

Re: Russian Anal Probing + Malware

From: Andy Smith <andy () strugglers net>
Date: Sun, 23 Jun 2019 22:03:26 +0000

Hi Brad,

On Sun, Jun 23, 2019 at 09:43:00PM +0000, Brad via NANOG wrote:

On Friday, June 21, 2019 6:13 PM, Ronald F. Guilmette <rfg () tristatelogic com> wrote:

https://twitter.com/GreyNoiseIO/status/1129017971135995904
https://twitter.com/JayTHL/status/1128718224965685248


After forwarding these links to a sanitized client on another network, I saw nothing on the "twitter reports" which 
suggest these subnets are doing anything other than port scanning.


Earlier I posted one example of an attempt to exploit CVE-2019-10149 to
execute commands as root on one of my machines. I have 17 other
examples from the same IP that try to do similar things via the same
exploit, though there are differences which suggest to me that multiple users or groups
are using openportstats for this purpose.

Would you like to see them?

I think that trying to actively exploit a bug to execute arbitrary commands is
a lot different to mere port scanning. They aren't all harmless commands
either; some of them install rootkits and remote shells.

Cheers,
Andy

Current thread:

Re: Russian Anal Probing + Malware, (continued)
- - Re: Russian Anal Probing + Malware Andy Smith (Jun 22)
  - Re: Russian Anal Probing + Malware Ronald F. Guilmette (Jun 22)
- Re: Russian Anal Probing + Malware Filip Hruska (Jun 22)
  - Re: Russian Anal Probing + Malware Dan Hollis (Jun 23)
    - Re: Russian Anal Probing + Malware Randy Bush (Jun 23)
    - Re: Russian Anal Probing + Malware Dan Hollis (Jun 23)
    - Re: Russian Anal Probing + Malware Hank Nussbacher (Jun 23)
    - Re: Russian Anal Probing + Malware Tom Beecher (Jun 24)
- Re: Russian Anal Probing + Malware Rich Kulawiec (Jun 23)
- Re: Russian Anal Probing + Malware Brad via NANOG (Jun 23)
  - Re: Russian Anal Probing + Malware Andy Smith (Jun 23)