Opt-out forms are indeed a gigantic waste of time. That's been proven a lot.
For a maintained list of Shodan IPs, you can check out
https://isc.sans.edu/api/threatlist/shodan?json ; they update that list daily.
The list is in JSON format; a simple one-liner can translate it into a plain text file,
like the line below:
--
curl -s 'https://isc.sans.edu/api/threatlist/shodan?json' | jq -r '.[] | select(.ipv4 != null) | .ipv4'
--
Also check out
https://isc.sans.edu/forums/diary/Using+Our+API+To+Adjust+iptables+Rules/23… for some
info on how to incorporate that into iptables.
A simple script can also be made for MikroTik, or you can use a central BGP router on
Linux (like exabgp/quagga/frr/...) which sends those IPs to its peers, which can
then blackhole the traffic from those IPs.
73,
Ruben - ON3RVH
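Added example (not part of the original mail, and not the ISC or amprgw scripts): a small Python script that does the same job as the curl/jq line above, but offline against a constructed feed in the shape of the ISC JSON (an array of records with an "ipv4" field; the "ipv6", "hostname" and "lastseen" fields and the addresses are assumed/constructed), and then builds the two outputs discussed above: an `ipset restore` script that iptables can match on, and ExaBGP text-API announcements with the RFC 7999 BLACKHOLE community. The next-hop and set name are placeholders.

```python
import ipaddress
import json

# Constructed sample standing in for the ISC SANS shodan threatlist feed
# (https://isc.sans.edu/api/threatlist/shodan?json). Only the "ipv4" field is
# taken from the mail; "ipv6", "hostname" and "lastseen" are assumed field
# names. Addresses are RFC 5737 documentation ranges, not real scanners.
SAMPLE_FEED = json.dumps([
    {"ipv4": "198.51.100.10", "hostname": "probe-1.example", "lastseen": "2018-05-24"},
    {"ipv4": "198.51.100.10", "hostname": "probe-1.example", "lastseen": "2018-05-25"},
    {"ipv4": None, "ipv6": "2001:db8::1", "hostname": "probe-2.example"},
    {"ipv4": "not-an-address", "hostname": "garbage.example"},
    {"ipv4": "203.0.113.7", "hostname": "probe-3.example", "lastseen": "2018-05-25"},
])


def extract_ipv4(feed_json):
    """Parse the feed and return sorted, de-duplicated IPv4 addresses as strings.

    Records with a missing/null ipv4 field (IPv6-only entries) or an unparsable
    value are skipped instead of becoming a bogus 'null' line that would later
    be fed to ipset/iptables.
    """
    addrs = set()
    for rec in json.loads(feed_json):
        value = rec.get("ipv4")
        if not value:
            continue
        try:
            addrs.add(ipaddress.IPv4Address(value))
        except ValueError:  # covers AddressValueError
            continue
    return [str(a) for a in sorted(addrs)]


def ipset_restore_lines(addrs, setname="shodan"):
    """Build an `ipset restore` script that atomically replaces the set contents.

    A scratch set is filled and then swapped in, so a daily refresh never leaves
    a window where the set is empty. One iptables rule referencing the set is
    enough:  iptables -I INPUT -m set --match-set shodan src -j DROP
    """
    tmp = f"{setname}-new"
    lines = [
        f"create {setname} hash:ip family inet -exist",
        f"create {tmp} hash:ip family inet -exist",
        f"flush {tmp}",
    ]
    lines += [f"add {tmp} {a} -exist" for a in addrs]
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return lines


def exabgp_blackhole_commands(addrs, next_hop="192.0.2.1", community="65535:666"):
    """ExaBGP text-API commands announcing each address as a /32 tagged with the
    BLACKHOLE community (65535:666, RFC 7999). next_hop is an assumed placeholder
    that the peers must route to a discard interface."""
    return [
        f"announce route {a}/32 next-hop {next_hop} community [ {community} ]"
        for a in addrs
    ]


if __name__ == "__main__":
    ips = extract_ipv4(SAMPLE_FEED)
    print("\n".join(ipset_restore_lines(ips)))
    print("\n".join(exabgp_blackhole_commands(ips)))
```

Usage: `python3 shodan_block.py | ipset restore` for the iptables side, or pipe the announce lines into ExaBGP's API process. One caveat on the BGP route: a blackhole route as announced here is destination-based, so on its own it stops traffic *to* those prefixes; to drop packets *from* the scanners the peers also need loose-mode uRPF (or an equivalent source-based blackhole) so that a route to the discard next-hop also fails the source check.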
-----Original Message-----
From: 44Net <44net-bounces+on3rvh=on3rvh.be(a)mailman.ampr.org> On Behalf Of Brian
Kantor
Sent: Friday 25 May 2018 10:22
To: AMPRNet working group <44net(a)mailman.ampr.org>
Subject: Re: [44net] VPNFilter Router Malware
I'm not at all sure that Shodan is blocked on amprgw. There are more than 2,000 IP
addresses that are blocked, with more being added from time to time, plus there are a
number of tcp and udp destination ports that are blocked from all IP addresses, but
there's no way to be sure that these lists include all Shodan and other scanners.
I have found that most opt-out forms are a waste of time, if indeed they don't have
the opposite effect of inviting additional scanning.
- Brian
On Fri, May 25, 2018 at 09:38:07AM +0200, Rob Janssen wrote:
especially before Shodan was blocked on AMPR...
Has Shodan been blocked on amprgw or have they been convinced to stop scanning AMPRnet?
There are still various aggressive scanners active from the internet, and I
have some scripts to automatically add them to a blocklist, but it still is an ever
increasing load on the network.
For example, "stretchoid.com" is an aggressive scanner that changes
addresses all the time (but does keep reverse-DNS records on their virtual servers, so
it is easy to identify).
They do have an opt-out form but it is a NOP.
(I have completed it 3 times at 1-month intervals but no reply and no effect on the
scanning... maybe Brian should try it as he is listed in the whois as the owner of NET44)
Of course there are others, like
security.ipip.net and
binaryedge.ninja. Plus the many many other scanners, "researchers", etc.
Rob
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net