Hey Rob,
Sharing is caring? ;)
I would love to see that/those script(s)!
DigitalOcean is indeed a cesspool, along with OVH and several others.
73,
Ruben - ON3RVH
-----Original Message-----
From: 44Net <44net-bounces+on3rvh=on3rvh.be(a)mailman.ampr.org> On Behalf Of Rob Janssen
Sent: Friday 25 May 2018 11:07
To: 44net(a)mailman.ampr.org
Subject: Re: [44net] VPNFilter Router Malware
I'm not at all sure that Shodan is blocked on amprgw. There are more than 2,000 IP addresses that are blocked, with more being added from time to time, plus there are a number of tcp and udp destination ports that are blocked from all IP addresses, but there's no way to be sure that these lists include all Shodan and other scanners.
I have blocked some known Shodan addresses and subnets, and indeed even a hoster that is known to be a cesspool and accommodates Shodan and the likes:
(of course many others, these are just the shodan.io entries)
I also have some iptables rules that capture TCP SYN to addresses that are not registered in DNS and forward them to an nflog socket to be picked up by some scripts that find those that are repeat offenders. Those are logged as candidates for blocking. But I don't bother to block everything; I run reverse-DNS on them to see if it has some signature patterns like "research", "scan" etc. or one of the known names like shodan.io, stretchoid.com etc.
And irregularly I just sort the entire list and glance over it to see if there are clusters of addresses and do a whois to see if they belong to some common network. Names like DigitalOcean pop up quite regularly, but of course they are just cloud hosters that could also host bona fide services.
Rob
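The triage step Rob describes above (count repeat SYN sources, then check their reverse DNS for scanner-looking names) as an added example; this is not Rob's script or anything from the 44net list. The log lines, source addresses and PTR names below are constructed sample data, and the per-SYN "src dst port" line format is an assumption about what a small nflog consumer might write out.

```python
import re
import socket
from collections import Counter

# Constructed sample of captured SYNs, one "<src_ip> <dst_ip> <dst_port>" per line
# (assumed format; documentation address ranges only).
SAMPLE_SYN_LOG = """\
203.0.113.9 198.51.100.10 22
203.0.113.9 198.51.100.11 22
203.0.113.9 198.51.100.12 80
203.0.113.5 198.51.100.10 443
203.0.113.5 198.51.100.15 443
203.0.113.5 198.51.100.16 443
192.0.2.77 198.51.100.20 22
""".splitlines()

# Constructed stand-in for real PTR answers so the example runs offline.
FAKE_PTR = {
    "203.0.113.9": "census12.shodan.io",             # hypothetical name
    "203.0.113.5": "scan-07.example-research.net",   # hypothetical name
    "192.0.2.77": "host.example-cloud.com",          # hypothetical name
}

# The signature words and known scanner names mentioned in the message.
SCANNER_PATTERNS = re.compile(r"research|scan|shodan\.io|stretchoid\.com", re.I)

def real_ptr(ip):
    """Live reverse-DNS lookup; returns None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None

def repeat_offenders(lines, threshold=3):
    """Map each source address seen at least `threshold` times to its SYN count."""
    counts = Counter(line.split()[0] for line in lines if line.strip())
    return {ip: n for ip, n in counts.items() if n >= threshold}

def classify(ip, ptr_lookup):
    """Tag a source as a block candidate only if its PTR name matches a scanner pattern."""
    name = ptr_lookup(ip)
    if name and SCANNER_PATTERNS.search(name):
        return ("block-candidate", name)
    return ("review", name)          # unknown or generic hoster: look at it by hand

def triage(lines, ptr_lookup=real_ptr, threshold=3):
    """Full pass: repeat offenders from the SYN log, each classified by reverse DNS."""
    return {ip: classify(ip, ptr_lookup) for ip in repeat_offenders(lines, threshold)}
```

Calling `triage(SAMPLE_SYN_LOG, FAKE_PTR.get)` uses the constructed PTR table; passing the default `real_ptr` does live lookups against whatever addresses your own log contains.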