Re: [bitfolk] I know I should not take it personally but ...

Author: admins
Date:  
To: users
Subject: Re: [bitfolk] I know I should not take it personally but ...
Hmm

Not so long back I was gifted a (captured in the wild) bot script, so I
could have a rummage through it to see how it worked.

It seemed to not only use a very fast scatter/gather ping method to detect
live hosts but also had a section of code that looked for another botnet
and did a takeover, using a passphrase that was written into the script.
Kinda looks like bot herders are also into bot rustling. Either that or
it was a botnet they had but lost the C&C for, after a take down action.
Not sure, it is not really my thing.

I am wondering if you were pestered by a small number of hosts from
stanford that were infected with something similar. The primary route to
infection would have been through a web exploit (Hence 80 and 443) and
its secondary route was to take over another botnet that usually listens
for C&C on 7777. If it is a common Windows malware C&C port then it
follows that the hosts pestering you were most likely (but not
guaranteed to be) Windows.

Is your web server a Windows OS?

Why it fixated on your services I have no idea. Except, as you have
suggested, that your services looked like there were more of them than
there were due to DNS aliasing, hence why you saw more than anyone
else's fair share of pestering.


Cheers


Kirbs

On 09/04/2019 14:30, Keith wrote:
>
> I had no idea what 7777 port was for. I had to google it. It is
> apparently used by certain malware for communicating with ground control.
>
> I have looked up the IPs on various databases today, they are all
> listed for nefarious activities. I also emailed abuse a few hours ago
> but not had the courtesy of a reply as yet. The Stanford University
> sysadmins seem to be too arrogant to care about their reputation. Had
> they been Bitfolk IPs their net access would have been cut off by now,
> I'm sure. And, may I add, quite rightly too.
>
> Keith
>
>
> On 2019-04-09 20:36, admins wrote:
>
>> I wish all the pesterees I have been monitoring came from one block.
>>
>> We had a run of being targeted by a botnet herder. The IPs were far
>> too many, and far too globally diverse to summarize into a handy block.
>>
>> I did ensure it cost them a couple of bots though by forwarding on a
>> sizeable sample to the relevant abuse emails, looking them up via
>> whois. For what good this does. (Very little). Wish there was a
>> streamlined script/tool to do this. If everyone reported those that
>> try it on, and ISPs did something about it, there would be a
>> fraction at it.
>>
>> If I had more time and inclination (of which I had neither) I would
>> probably have looked at the fact that they would have all been a
>> consistent bot to see if I could reverse a bot and then take down the
>> net, from what I had learned from the one.
>>
>> As my ssh was not in general use I could whitelist the ranges that
>> would reasonably have access to it, and port knock a disable to the
>> whitelist to allow initial connections to be made from the wider net
>> if we needed. Thereafter conntrack allowed the session to continue.
>>
>> 80 and 443 I get, but what was on 7777, would that have been your ssh
>> port by any chance?
>>
>> BTW it is difficult not to take it personally when it is something we
>> have built and nurtured. Your feelings are fully understood. Now
>> where did I stash that minigun.... LOL
>>
>>
>> Cheers
>>
>> Kirbs
>>
>>
>>
>>
>> On 09/04/2019 04:44, Keith Williams wrote:
>>> No questions, just a bit of spleen venting.
>>> Having been on a little break to deepest province where internet is
>>> very poor, I came back to find my vps under a lot of attacks.
>>> Firstly once or twice a day a website was going down for up to 5
>>> minutes a day. Sorted that. Fail2ban was not running for some reason
>>> (again sorted by reinstalling from Debian backports). Found that
>>> known spamming IPs were hitting it hard but also were hitting at
>>> virtual hosts that no longer exist - Apache then redirects to the
>>> default virtual host. All sorts of things then happening including
>>> SSL timeouts etc. Fail2ban, adding a daily updated set of addresses
>>> from a content spammer blacklist to the firewall and removing A and
>>> AAAA records where possible from Bind for those old domains (I had
>>> to leave some like weirdname.exmple.com as they are used by other
>>> systems such as honeytraps etc.) all seemed to bring that very much
>>> under control.
>>> Some were looking for URLs that have not existed for a long long time.
>>> Hours of perusing debug logs and tracking IPs via Google persuaded
>>> me to reinstall something I have not used in a while.
>>> My SSH is quite safe, I use a different port, don't allow password
>>> sign on etc. So there is nothing listening on port 22.
>>> So I set up that any attempt there, the IP gets added to a naughtyboy
>>> set then is logged and dropped. Any future visits by that IP to any
>>> port, logged and dropped. Bit like F2B but this is more of a permaban.
>>> Within seconds there were half a dozen IPs in the set. All in the
>>> same /21 CIDR block. The logs show them coming back up to twice a
>>> second each for at least 24 hours now. They go for ports 22, 23, 53,
>>> 80, 443 and 7777. That last one is particularly nasty. They have
>>> each done a couple of pings (blocked of course). The group of 3 IPs
>>> all are registered to Stanford University, so probably some students.
>>> Keith
>>>
>>> _______________________________________________
>>> users mailing list
>>> users@???
>>> https://lists.bitfolk.com/mailman/listinfo/users
>>
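The port-22 trap Keith describes and the whitelist-plus-conntrack setup Kirbs mentions, written up as one nftables ruleset. This is an added example, not something posted in the thread; it assumes nftables (the messages do not say whether ipset/iptables or nftables was used), and the trusted ranges, the real ssh port 2222 and the log prefixes are placeholders chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Nothing listens on 22, so any connection
# attempt there puts the source in the "naughtyboy" set and every later packet
# from it is logged and dropped. Addresses, the real ssh port and the log
# prefixes are placeholders.
flush ruleset

table inet filter {
    # whitelist of ranges allowed to reach the real ssh port (constructed values)
    set ssh_allow {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24, 198.51.100.7 }
    }

    # permaban set, filled from the packet path (needs "dynamic" and a size);
    # no timeout, so members stay until the ruleset is flushed or the box reboots
    set naughtyboy {
        type ipv4_addr
        flags dynamic
        size 65536
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        # conntrack keeps sessions that were already accepted alive
        ct state established,related accept
        ct state invalid drop

        # already-flagged sources: log (rate-limited) then drop, before anything else
        ip saddr @naughtyboy limit rate 6/minute log prefix "naughtyboy: "
        ip saddr @naughtyboy drop

        # the trap: a SYN to 22 is never legitimate here; whitelisted sources are
        # excluded so a spoofed SYN cannot put the admin's own address in the set
        ip saddr != @ssh_allow tcp dport 22 ct state new add @naughtyboy { ip saddr } log prefix "ssh-trap: " drop

        # real ssh, only from the whitelist
        ip saddr @ssh_allow tcp dport 2222 ct state new accept

        # the web server
        tcp dport { 80, 443 } ct state new accept

        icmp type echo-request limit rate 5/second accept
    }
}
```

Because a single SYN is enough to land in the set, the whitelist must cover wherever the box is administered from, and the set contents are worth exporting (for example with `nft list set inet filter naughtyboy`) before any reload, since `flush ruleset` empties it.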