9 Apr
2019
9 Apr
'19
3:44 a.m.
No questions, just a bit of spleen venting.
Having been on a little break to deepest province where internet is very
poor, I came back to find my vps under a lot of attacks.
Firstly once or twice a day a website was going down for upto 5 minutes a
day. Sorted that. Fail2ban was not running for some reason (again sorted by
reinstalling from Debian backports) Found that known spamming IPs were
hitting it hard but also were hitting at virtual hosts that no longer exist
- Apache then redirects to the default virtual host. All sorts of thing
then happening including SSL timeouts etc.. Fail2ban, adding a daily
updated set of addresses from a content spammer blacklist to the firewall
and removing A and AAAA records where possible from Bind for those old
domains. ( I had to leave some like weirdname.exmple.com as they are used
by other systems such as honeytraps etc) all seemed to bring that very much
under control. Some were looking for URLs that have not existed for a long
long time.
Hours of perusing debug logs and tracking IPs via Google persuaded me to
reinstall something I have not used in a while.
My SSH is quite safe, I use a different port, don't allow password sign on
etc. So there is nothing listening on port 22.
So set up that any attempt there, the IP gets added to a naughtyboy set
then is logged and dropped. Any future visits by that IP to any port,
logged and dropped. Bit like F2B but this is more of a permaban.
Within seconds there were half a dozen IPs in the set. All in the same /21
CIDR block. The logs show them coming back up to twice a second each for at
least 24 hours now. They go for ports 22.23.53, 80, 443 and 7777. That last
one is particularly nasty. They have each done a couple of pings (blocked
of course) The group of 3 IPs all are registered to Stanford University, So
probably some students
Keith
9 Apr
9 Apr
6:55 a.m.
Hi Keith
Stanford University you say?
At work I had some suspicious traffic from some Stanford University
addresses. I contacted there abuse contact and it turned out they host a
commercial vulnerability scanning service. In my case they had a legitimate
contract to do this, but the message had not reached me.
It's possible that in your case it's the same tool rather than students, so
it may be worth contacting them to find out why they are scanning your
services.
Best wishes
Ryan
On Tue, 9 Apr 2019, 04:45 Keith Williams, <keithwilliamsnp(a)gmail.com> wrote:
No questions, just a bit of spleen venting.
Having been on a little break to deepest province where internet is very
poor, I came back to find my vps under a lot of attacks.
Firstly once or twice a day a website was going down for upto 5 minutes a
day. Sorted that. Fail2ban was not running for some reason (again sorted by
reinstalling from Debian backports) Found that known spamming IPs were
hitting it hard but also were hitting at virtual hosts that no longer exist
- Apache then redirects to the default virtual host. All sorts of thing
then happening including SSL timeouts etc.. Fail2ban, adding a daily
updated set of addresses from a content spammer blacklist to the firewall
and removing A and AAAA records where possible from Bind for those old
domains. ( I had to leave some like weirdname.exmple.com as they are used
by other systems such as honeytraps etc) all seemed to bring that very much
under control. Some were looking for URLs that have not existed for a long
long time.
Hours of perusing debug logs and tracking IPs via Google persuaded me to
reinstall something I have not used in a while.
My SSH is quite safe, I use a different port, don't allow password sign on
etc. So there is nothing listening on port 22.
So set up that any attempt there, the IP gets added to a naughtyboy set
then is logged and dropped. Any future visits by that IP to any port,
logged and dropped. Bit like F2B but this is more of a permaban.
Within seconds there were half a dozen IPs in the set. All in the same /21
CIDR block. The logs show them coming back up to twice a second each for at
least 24 hours now. They go for ports 22.23.53, 80, 443 and 7777. That last
one is particularly nasty. They have each done a couple of pings (blocked
of course) The group of 3 IPs all are registered to Stanford University, So
probably some students
Keith
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
8 a.m.
Thanks, I'll check it out. 6 hits a second over more than 24 hours is well
over the top, what ever their excuse
On Tue, 9 Apr 2019 at 14:55, Ryan Bibby <r.bibby(a)gmail.com> wrote:
Hi Keith
Stanford University you say?
At work I had some suspicious traffic from some Stanford University
addresses. I contacted there abuse contact and it turned out they host a
commercial vulnerability scanning service. In my case they had a legitimate
contract to do this, but the message had not reached me.
It's possible that in your case it's the same tool rather than students,
so it may be worth contacting them to find out why they are scanning your
services.
Best wishes
Ryan
On Tue, 9 Apr 2019, 04:45 Keith Williams, <keithwilliamsnp(a)gmail.com>
wrote:
No questions, just a bit of spleen venting.
Having been on a little break to deepest province where internet is very
poor, I came back to find my vps under a lot of attacks.
Firstly once or twice a day a website was going down for upto 5 minutes a
day. Sorted that. Fail2ban was not running for some reason (again sorted by
reinstalling from Debian backports) Found that known spamming IPs were
hitting it hard but also were hitting at virtual hosts that no longer exist
- Apache then redirects to the default virtual host. All sorts of thing
then happening including SSL timeouts etc.. Fail2ban, adding a daily
updated set of addresses from a content spammer blacklist to the firewall
and removing A and AAAA records where possible from Bind for those old
domains. ( I had to leave some like weirdname.exmple.com as they are
used by other systems such as honeytraps etc) all seemed to bring that very
much under control. Some were looking for URLs that have not existed for a
long long time.
Hours of perusing debug logs and tracking IPs via Google persuaded me to
reinstall something I have not used in a while.
My SSH is quite safe, I use a different port, don't allow password sign
on etc. So there is nothing listening on port 22.
So set up that any attempt there, the IP gets added to a naughtyboy set
then is logged and dropped. Any future visits by that IP to any port,
logged and dropped. Bit like F2B but this is more of a permaban.
Within seconds there were half a dozen IPs in the set. All in the same
/21 CIDR block. The logs show them coming back up to twice a second each
for at least 24 hours now. They go for ports 22.23.53, 80, 443 and 7777.
That last one is particularly nasty. They have each done a couple of pings
(blocked of course) The group of 3 IPs all are registered to Stanford
University, So probably some students
Keith
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
9:59 a.m.
It does concern me for a number of reasons. 1. Why would they need to keep
probing many thousands of times and so rapidly? 2. No one except for me has
a legitimate reason to attempt to connect on my SSH port, or the telnet
port unless invited to do so by me. On seeing it was closed, if they had
done by error, then they should have stopped. 3. Same with the Bind port,
more or less. The 7777 port is only used, as far as I am aware, for
communications with certain malware. On finding it closed, why persist
unless their motives were nefarious.
I am protected on all those ports so it is possible to say it is no worry
to me, except it is illicit use of my resources, regardless of how little.
But looking from a wider perspective, here we have the resources of a
public institution, a university, being used for seemingly illicit
purposes. The story about it being a legit operation holds no water. We are
talking thousands upon thousands of attempts being made rapidly over a
sustained period. Someone is likely to get hit by them who does have
sufficient guards in place, what then. So yes it does concern me
On Tue, 9 Apr 2019 at 17:38, Dom Latter <bitfolk-users(a)latter.org> wrote:
On 09/04/2019 04:44, Keith Williams wrote:
for at least 24 hours now. They go for ports
22.23.53, 80, 443 and 7777.
That last one is particularly nasty.
They're (probably) looking for a backdoor opened up by Windows malware.
Why would that concern you?
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
2:27 p.m.
On 09/04/2019 10:59, Keith Williams wrote:
On Tue, 9 Apr 2019 at 17:38, Dom Latter <bitfolk-users(a)latter.org
<mailto:bitfolk-users@latter.org>> wrote:
On 09/04/2019 04:44, Keith Williams wrote:
for at least 24 hours now. They go for ports
22.23.53, 80, 443
and 7777.
That last one is particularly nasty.
They're (probably) looking for a backdoor opened up by Windows malware.
Why would that concern you? It does concern me for a number of reasons.
I was particularly referencing 7777 (hence the quoted context). You've
not got anything on that port, and even if you did, it wouldn't be
compatible.
I don't think I'd even notice an attempt to connect to 7777.
Because a connection is not made...
2:50 p.m.
Every packet that arrives from them is sent to a chain by the firewall
which logs them and then drops them. The log records the port they were
blocked on. That's how I found the 7777. I had no idea what it was. I
picked them up first because they hit on 22. that got them put in the set.
Others in the set made a couple of attempts then disappeared. There is one
oyher persistent pest, a well known comment spammer that keeps coming back
and having a go for a while then disappearing, then just the usual rubbish
On Tue, 9 Apr 2019 at 22:27, Dom Latter <bitfolk-users(a)latter.org> wrote:
On 09/04/2019 10:59, Keith Williams wrote:
On Tue, 9 Apr 2019 at 17:38, Dom Latter <bitfolk-users(a)latter.org
<mailto:bitfolk-users@latter.org>> wrote:
On 09/04/2019 04:44, Keith Williams wrote:
malware.
for at least 24 hours now. They go for ports
22.23.53, 80, 443
and 7777.
That last one is particularly nasty.
They're (probably) looking for a backdoor opened up by Windows
Why would that concern you?
It does concern me for a number of reasons.
I was particularly referencing 7777 (hence the quoted context). You've
not got anything on that port, and even if you did, it wouldn't be
compatible.
I don't think I'd even notice an attempt to connect to 7777.
Because a connection is not made...
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
3:02 p.m.
Sounds sensible to me.
I also blanket ban anyone having a go at SSH simply as whilst it may
start there, it never ends there.
Sounds like a retarded infestation to me. Most bots are not that clever
in and of themselves, once you have had a rummage through their code.
There have been some clever tricks put into coding them though.
kirbs
On 09/04/2019 15:50, Keith Williams wrote:
Every packet that arrives from them is sent to a chain
by the firewall
which logs them and then drops them. The log records the port they
were blocked on. That's how I found the 7777. I had no idea what it
was. I picked them up first because they hit on 22. that got them put
in the set. Others in the set made a couple of attempts then
disappeared. There is one oyher persistent pest, a well known comment
spammer that keeps coming back and having a go for a while then
disappearing, then just the usual rubbish
On Tue, 9 Apr 2019 at 22:27, Dom Latter <bitfolk-users(a)latter.org
<mailto:bitfolk-users@latter.org>> wrote:
On 09/04/2019 10:59, Keith Williams wrote:
On Tue, 9 Apr 2019 at 17:38, Dom Latter
<bitfolk-users(a)latter.org
<mailto:bitfolk-users@latter.org>
<mailto:bitfolk-users@latter.org
<mailto:bitfolk-users@latter.org>>> wrote:
On 09/04/2019 04:44, Keith Williams wrote:
> for at least 24 hours now. They go for ports 22.23.53,
80, 443
and 7777.
Windows
malware.
That last one is particularly nasty.
They're (probably) looking for a backdoor opened up by
Why would that concern you?
It does concern me for a number of reasons.
I was particularly referencing 7777 (hence the quoted context).
You've
not got anything on that port, and even if you did, it wouldn't be
compatible.
I don't think I'd even notice an attempt to connect to 7777.
Because a connection is not made...
_______________________________________________
users mailing list
users(a)lists.bitfolk.com <mailto:users@lists.bitfolk.com>
https://lists.bitfolk.com/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
4:44 p.m.
I was just going to say it had stopped, LOL, a 15 minute break, then a
burst, then a few minutes break. Seems to be slowing down but another is
giving port 80 a hammering. Because I give these blackholes different names
I can see the new contender is one of the content spammers. Oh well it's
past midnight here so I will let them get on with their games
On Tue, 9 Apr 2019 at 23:03, admins <admins(a)sheffieldhackspace.org.uk>
wrote:
Sounds sensible to me.
I also blanket ban anyone having a go at SSH simply as whilst it may start
there, it never ends there.
Sounds like a retarded infestation to me. Most bots are not that clever in
and of themselves, once you have had a rummage through their code. There
have been some clever tricks put into coding them though.
kirbs
On 09/04/2019 15:50, Keith Williams wrote:
Every packet that arrives from them is sent to a chain by the firewall
which logs them and then drops them. The log records the port they were
blocked on. That's how I found the 7777. I had no idea what it was. I
picked them up first because they hit on 22. that got them put in the set.
Others in the set made a couple of attempts then disappeared. There is one
oyher persistent pest, a well known comment spammer that keeps coming back
and having a go for a while then disappearing, then just the usual rubbish
On Tue, 9 Apr 2019 at 22:27, Dom Latter <bitfolk-users(a)latter.org> wrote:
On 09/04/2019 10:59, Keith Williams wrote:
_______________________________________________
users mailing
listusers@lists.bitfolk.comhttps://lists.bitfolk.com/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
On Tue, 9 Apr 2019 at 17:38, Dom Latter <bitfolk-users(a)latter.org
<mailto:bitfolk-users@latter.org>> wrote:
On 09/04/2019 04:44, Keith Williams wrote:
malware.
for at least 24 hours now. They go for ports
22.23.53, 80, 443
and 7777.
That last one is particularly nasty.
They're (probably) looking for a backdoor opened up by Windows
Why would that concern you?
It does concern me for a number of reasons.
I was particularly referencing 7777 (hence the quoted context). You've
not got anything on that port, and even if you did, it wouldn't be
compatible.
I don't think I'd even notice an attempt to connect to 7777.
Because a connection is not made...
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
10 Apr
10 Apr
12:50 a.m.
It still continues, but at a reduced rate. Still no response to my email to
the abuse mailbox. They have advertised a seminar on cybersecurity which is
going on round about now. That is ironic.
On Wed, 10 Apr 2019 at 00:44, Keith Williams <keithwilliamsnp(a)gmail.com>
wrote:
I was just going to say it had stopped, LOL, a 15
minute break, then a
burst, then a few minutes break. Seems to be slowing down but another is
giving port 80 a hammering. Because I give these blackholes different names
I can see the new contender is one of the content spammers. Oh well it's
past midnight here so I will let them get on with their games
On Tue, 9 Apr 2019 at 23:03, admins <admins(a)sheffieldhackspace.org.uk>
wrote:
Sounds sensible to me.
I also blanket ban anyone having a go at SSH simply as whilst it may
start there, it never ends there.
Sounds like a retarded infestation to me. Most bots are not that clever
in and of themselves, once you have had a rummage through their code. There
have been some clever tricks put into coding them though.
kirbs
On 09/04/2019 15:50, Keith Williams wrote:
Every packet that arrives from them is sent to a chain by the firewall
which logs them and then drops them. The log records the port they were
blocked on. That's how I found the 7777. I had no idea what it was. I
picked them up first because they hit on 22. that got them put in the set.
Others in the set made a couple of attempts then disappeared. There is one
oyher persistent pest, a well known comment spammer that keeps coming back
and having a go for a while then disappearing, then just the usual rubbish
On Tue, 9 Apr 2019 at 22:27, Dom Latter <bitfolk-users(a)latter.org> wrote:
On 09/04/2019 10:59, Keith Williams wrote:
_______________________________________________
users mailing
listusers@lists.bitfolk.comhttps://lists.bitfolk.com/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
On Tue, 9 Apr 2019 at 17:38, Dom Latter <bitfolk-users(a)latter.org
<mailto:bitfolk-users@latter.org>> wrote:
On 09/04/2019 04:44, Keith Williams wrote:
> for at least 24 hours now. They go for ports 22.23.53, 80, 443
and 7777.
> That last one is particularly nasty.
They're (probably) looking for a backdoor opened up by Windows
malware.
Why would that concern you?
It does concern me for a number of reasons.
I was particularly referencing 7777 (hence the quoted context). You've
not got anything on that port, and even if you did, it wouldn't be
compatible.
I don't think I'd even notice an attempt to connect to 7777.
Because a connection is not made...
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
8:23 a.m.
Out of interest, I took a look at me "PERMABAN" ipset list. It now has
5,296 addresses in it, with the top 5 offenders all having exceeded
half a million hits each *since* having acted badly enough to end up in
that list. Total packets across the list amounts to > 17 million, which
means that the average offender continues trying > 3,000 times after
ending up on the list.
If anyone's interested, here's how I do it...
I have an iptables chain called LOGANDBLOCK at the end of my INPUT
chain. That does the usual log / tcp reset / drop sequence. But it also
has the following rules:
-m recent --rcheck --hitcount 20 --name LOGANDBLOCK --mask 255.255.255.255 --rsource -j
SET --add-set PERMABAN src
-m recent --set --name LOGANDBLOCK --mask 255.255.255.255 --rsource
-m recent --rcheck --seconds 86400 --reap --name LOGANDBLOCK --mask 255.255.255.255
--rsource
-m set --match-set PERMABAN src -m recent --remove --name LOGANDBLOCK --mask
255.255.255.255 --rsource
Those say that any IP which has hit LOGANDBLOCK more than 20 times in
the past day will get added to the PERMABAN ipset and removed from the
LOGANDBLOCK recent list. They stay on the PERMABAN set forever, unless
manually removed.
My INPUT chain also contains, near the start:
-m set --match-set PERMABAN src -j LOGANDBLOCK
-m recent --rcheck --hitcount 5 --name LOGANDBLOCK --mask 255.255.255.255 --rsource -j
LOGANDBLOCK
So anyone who's in PERMABAN or who has hit LOGANDBLOCK 5 times in the past
day will continue to do so. (i.e. you get blocked temporarily after 5 hits
in 1 day, permanently after 20).
Finally, I have a simple python script which watches my logs for
dubious ssh attempts (like fail2ban does) and, when spotted, increments
the LOGANDBLOCk xt_recent counter manually. So, hitting ssh 5 times
dubiously gets you onto the firewall block list, same as hitting
closed ports 5 times. Continuing to do so gets you onto the permaban
list.
Maybe banning after 20 hits/day is a bit aggressive, but nobody's
complained to me yet!
Cheers,
Alun.
9 Apr
9 Apr
12:36 p.m.
I wish all the pesterees I have been monitoring came from one block.
We had a run of being targeted by a botnet herder. The IP's were far too
many, and far too globally diverse to summarize into a handy block.
I did ensure it cost them a couple of bots though by forwarding on a
size-able sample to the relevant abuse emails, looking them up via
whois. For what good this does. (Very little). Wish there was a
streamlined script/tool to do this. If everyone reported those that try
it on, and ISP's did something about it, there would be a fraction at it.
If I had more time and inclination (which I had neither) I would
probably looked at the fact that they would have all been a consistent
bot to see if I could reverse a bot and then take down the net, from
what I had learned form the one.
As my ssh was not a general use I could whitelist the ranges that would
reasonably have access to it, and port knock a disable to the whitelist
to allow initial connections to be made from the wider net if we needed.
Thereafter con-track allowed the session to continue.
80 and 443 I get, but what was on 7777, would that have been your ssh
port by any chance ??
BTW it is difficult not to take it personally when it is something we
have built and nurtured. Your feelings are fully understood. Noe where
did I stash that minigun.... LOL
Cheers
Kirbs
On 09/04/2019 04:44, Keith Williams wrote:
No questions, just a bit of spleen venting.
Having been on a little break to deepest province where internet is
very poor, I came back to find my vps under a lot of attacks.
Firstly once or twice a day a website was going down for upto 5
minutes a day. Sorted that. Fail2ban was not running for some reason
(again sorted by reinstalling from Debian backports) Found that known
spamming IPs were hitting it hard but also were hitting at virtual
hosts that no longer exist - Apache then redirects to the default
virtual host. All sorts of thing then happening including SSL timeouts
etc.. Fail2ban, adding a daily updated set of addresses from a content
spammer blacklist to the firewall and removing A and AAAA records
where possible from Bind for those old domains. ( I had to leave some
like weirdname.exmple.com <http://weirdname.exmple.com> as they are
used by other systems such as honeytraps etc) all seemed to bring that
very much under control. Some were looking for URLs that have not
existed for a long long time.
Hours of perusing debug logs and tracking IPs via Google persuaded me
to reinstall something I have not used in a while.
My SSH is quite safe, I use a different port, don't allow password
sign on etc. So there is nothing listening on port 22.
So set up that any attempt there, the IP gets added to a naughtyboy
set then is logged and dropped. Any future visits by that IP to any
port, logged and dropped. Bit like F2B but this is more of a permaban.
Within seconds there were half a dozen IPs in the set. All in the same
/21 CIDR block. The logs show them coming back up to twice a second
each for at least 24 hours now. They go for ports 22.23.53, 80, 443
and 7777. That last one is particularly nasty. They have each done a
couple of pings (blocked of course) The group of 3 IPs all are
registered to Stanford University, So probably some students
Keith
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
1:30 p.m.
I had no idea what 7777 port was for. I had to google it. It is
apparently used by certain malware for communicating with ground
control.
I have looked up the IPs on various databases today, they are all listed
for nefarious activities. I also emailed abuse a few hours ago but not
had the courtesy of a reply as yet. The Stanford University sysadmins
seem to be too arrogant to care about their reputation. Had they been
Bitfolk IPs their net access would have been cut off by now, I'm sure.
And, may I add, quite rightly too
Keith
On 2019-04-09 20:36, admins wrote:
I wish all the pesterees I have been monitoring came
from one block.
We had a run of being targeted by a botnet herder. The IP's were far too many, and
far too globally diverse to summarize into a handy block.
I did ensure it cost them a couple of bots though by forwarding on a size-able sample to
the relevant abuse emails, looking them up via whois. For what good this does. (Very
little). Wish there was a streamlined script/tool to do this. If everyone reported those
that try it on, and ISP's did something about it, there would be a fraction at it.
If I had more time and inclination (which I had neither) I would probably looked at the
fact that they would have all been a consistent bot to see if I could reverse a bot and
then take down the net, from what I had learned form the one.
As my ssh was not a general use I could whitelist the ranges that would reasonably have
access to it, and port knock a disable to the whitelist to allow initial connections to
be made from the wider net if we needed. Thereafter con-track allowed the session to
continue.
80 and 443 I get, but what was on 7777, would that have been your ssh port by any chance
??
BTW it is difficult not to take it personally when it is something we have built and
nurtured. Your feelings are fully understood. Noe where did I stash that minigun.... LOL
Cheers
Kirbs
On 09/04/2019 04:44, Keith Williams wrote:
Links:
------
[1] http://weirdname.exmple.com
No questions, just a bit of spleen venting.
Having been on a little break to deepest province where internet is very poor, I came
back to find my vps under a lot of attacks.
Firstly once or twice a day a website was going down for upto 5 minutes a day. Sorted
that. Fail2ban was not running for some reason (again sorted by reinstalling from Debian
backports) Found that known spamming IPs were hitting it hard but also were hitting at
virtual hosts that no longer exist - Apache then redirects to the default virtual host.
All sorts of thing then happening including SSL timeouts etc.. Fail2ban, adding a daily
updated set of addresses from a content spammer blacklist to the firewall and removing A
and AAAA records where possible from Bind for those old domains. ( I had to leave some
like weirdname.exmple.com [1] as they are used by other systems such as honeytraps etc)
all seemed to bring that very much under control. Some were looking for URLs that have not
existed for a long long time.
Hours of perusing debug logs and tracking IPs via Google persuaded me to reinstall
something I have not used in a while.
My SSH is quite safe, I use a different port, don't allow password sign on etc. So
there is nothing listening on port 22.
So set up that any attempt there, the IP gets added to a naughtyboy set then is logged
and dropped. Any future visits by that IP to any port, logged and dropped. Bit like F2B
but this is more of a permaban.
Within seconds there were half a dozen IPs in the set. All in the same /21 CIDR block.
The logs show them coming back up to twice a second each for at least 24 hours now. They
go for ports 22.23.53, 80, 443 and 7777. That last one is particularly nasty. They have
each done a couple of pings (blocked of course) The group of 3 IPs all are registered to
Stanford University, So probably some students
Keith
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
1:50 p.m.
Hmm
Not so long back I was gifted a (captured in the wild) bot script, so
could have a rummage through it to see how it worked.
It seemed to not only use a v fast scatter/gather ping method to detect
live hosts but also had a section of code that looked for another botnet
and did a takeover, using a passphrase that was written into the script.
Kinda looks like bot herders are also into bot rustling. Either that or
it was a botnet they had but lost the C&C for, after a take down action.
Not sure, it is not really my thing.
I am wondering if you were pestered by a small number of hosts from
stanford that were infected with something similar. The primary route to
infection would have been through a web exploit (Hence 80 and 443) and
its secondary route was to take over another botnet that usually listens
for C&C on 7777. If it is a common windows malware C&C port then it
follows that the hosts pestering you were most likely (but not
guaranteed to be) windows.
Is your web server a windows OS ??
Why it fixated on your services I have no idea. Except for as you have
suggested that your services looked like there were more of them than
there were due to DNS aliasing. Hence why you saw more of it than anyone
else's fair share of pestering.
Cheers
Kirbs
On 09/04/2019 14:30, Keith wrote:
I had no idea what 7777 port was for. I had to google it. It is
apparently used by certain malware for communicating with ground control.
I have looked up the IPs on various databases today, they are all
listed for nefarious activities. I also emailed abuse a few hours ago
but not had the courtesy of a reply as yet. The Stanford University
sysadmins seem to be too arrogant to care about their reputation. Had
they been Bitfolk IPs their net access would have been cut off by now,
I'm sure. And, may I add, quite rightly too
Keith
On 2019-04-09 20:36, admins wrote:
I wish all the pesterees I have been monitoring
came from one block.
We had a run of being targeted by a botnet herder. The IP's were far
too many, and far too globally diverse to summarize into a handy block.
I did ensure it cost them a couple of bots though by forwarding on a
size-able sample to the relevant abuse emails, looking them up via
whois. For what good this does. (Very little). Wish there was a
streamlined script/tool to do this. If everyone reported those that
try it on, and ISP's did something about it, there would be a
fraction at it.
If I had more time and inclination (which I had neither) I would
probably looked at the fact that they would have all been a
consistent bot to see if I could reverse a bot and then take down the
net, from what I had learned form the one.
As my ssh was not a general use I could whitelist the ranges that
would reasonably have access to it, and port knock a disable to the
whitelist to allow initial connections to be made from the wider net
if we needed. Thereafter con-track allowed the session to continue.
80 and 443 I get, but what was on 7777, would that have been your ssh
port by any chance ??
BTW it is difficult not to take it personally when it is something we
have built and nurtured. Your feelings are fully understood. Noe
where did I stash that minigun.... LOL
Cheers
Kirbs
On 09/04/2019 04:44, Keith Williams wrote:
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users No questions, just a bit of spleen venting.
Having been on a little break to deepest province where internet is
very poor, I came back to find my vps under a lot of attacks.
Firstly once or twice a day a website was going down for upto 5
minutes a day. Sorted that. Fail2ban was not running for some reason
(again sorted by reinstalling from Debian backports) Found that
known spamming IPs were hitting it hard but also were hitting at
virtual hosts that no longer exist - Apache then redirects to the
default virtual host. All sorts of thing then happening including
SSL timeouts etc.. Fail2ban, adding a daily updated set of addresses
from a content spammer blacklist to the firewall and removing A and
AAAA records where possible from Bind for those old domains. ( I had
to leave some like weirdname.exmple.com
<http://weirdname.exmple.com> as they are used by other systems such
as honeytraps etc) all seemed to bring that very much under control.
Some were looking for URLs that have not existed for a long long time.
Hours of perusing debug logs and tracking IPs via Google persuaded
me to reinstall something I have not used in a while.
My SSH is quite safe, I use a different port, don't allow password
sign on etc. So there is nothing listening on port 22.
So set up that any attempt there, the IP gets added to a naughtyboy
set then is logged and dropped. Any future visits by that IP to any
port, logged and dropped. Bit like F2B but this is more of a permaban.
Within seconds there were half a dozen IPs in the set. All in the
same /21 CIDR block. The logs show them coming back up to twice a
second each for at least 24 hours now. They go for ports 22.23.53,
80, 443 and 7777. That last one is particularly nasty. They have
each done a couple of pings (blocked of course) The group of 3 IPs
all are registered to Stanford University, So probably some students
Keith
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)lists.bitfolk.com <mailto:users@lists.bitfolk.com>
https://lists.bitfolk.com/mailman/listinfo/users
2:03 p.m.
Hosted on Debian.
On 2019-04-09 21:50, admins wrote:
Hmm
Not so long back I was gifted a (captured in the wild) bot script, so could have a
rummage through it to see how it worked.
It seemed to not only use a v fast scatter/gather ping method to detect live hosts but
also had a section of code that looked for another botnet and did a takeover, using a
passphrase that was written into the script. Kinda looks like bot herders are also into
bot rustling. Either that or it was a botnet they had but lost the C&C for, after a
take down action. Not sure, it is not really my thing.
I am wondering if you were pestered by a small number of hosts from stanford that were
infected with something similar. The primary route to infection would have been through a
web exploit (Hence 80 and 443) and its secondary route was to take over another botnet
that usually listens for C&C on 7777. If it is a common windows malware C&C port
then it follows that the hosts pestering you were most likely (but not guaranteed to be)
windows.
Is your web server a windows OS ??
Why it fixated on your services I have no idea. Except for as you have suggested that
your services looked like there were more of them than there were due to DNS aliasing.
Hence why you saw more of it than anyone else's fair share of pestering.
Cheers
Kirbs
2:13 p.m.
Bang goes that part, of that theory then.
Kirbs
On 09/04/2019 15:03, Keith wrote:
Hosted on Debian.
On 2019-04-09 21:50, admins wrote:
Hmm
Not so long back I was gifted a (captured in the wild) bot script, so
could have a rummage through it to see how it worked.
It seemed to not only use a v fast scatter/gather ping method to
detect live hosts but also had a section of code that looked for
another botnet and did a takeover, using a passphrase that was
written into the script. Kinda looks like bot herders are also into
bot rustling. Either that or it was a botnet they had but lost the
C&C for, after a take down action. Not sure, it is not really my thing.
I am wondering if you were pestered by a small number of hosts from
stanford that were infected with something similar. The primary route
to infection would have been through a web exploit (Hence 80 and 443)
and its secondary route was to take over another botnet that usually
listens for C&C on 7777. If it is a common windows malware C&C port
then it follows that the hosts pestering you were most likely (but
not guaranteed to be) windows.
Is your web server a windows OS ??
Why it fixated on your services I have no idea. Except for as you
have suggested that your services looked like there were more of them
than there were due to DNS aliasing. Hence why you saw more of it
than anyone else's fair share of pestering.
Cheers
Kirbs
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
2091
days inactive
2092
days old
15 comments
6 participants
participants (6)
-
admins -
Alun -
Dom Latter -
Keith -
Keith Williams -
Ryan Bibby