nanog mailing list archives
Re: Russian Anal Probing + Malware
From: Andy Smith <andy () strugglers net>
Date: Sun, 23 Jun 2019 22:03:26 +0000
Hi Brad,

On Sun, Jun 23, 2019 at 09:43:00PM +0000, Brad via NANOG wrote:

> On Friday, June 21, 2019 6:13 PM, Ronald F. Guilmette <rfg () tristatelogic com> wrote:
>
> > https://twitter.com/GreyNoiseIO/status/1129017971135995904
> > https://twitter.com/JayTHL/status/1128718224965685248
>
> After forwarding these links to a sanitized client on another network, I saw nothing on the "twitter reports" which suggest these subnets are doing anything other than port scanning.

Earlier I posted one example of an attempt to exploit CVE-2019-10149 to execute commands as root on one of my machines. I have 17 other examples from the same IP that try to do similar things via the same exploit, though there are differences which suggest to me that multiple users or groups are using openportstats for this purpose. Would you like to see them?

I think that trying to actively exploit a bug to execute arbitrary commands is a lot different to mere port scanning. They aren't all harmless commands either; some of them install rootkits and remote shells.

Cheers,
Andy