<div dir="ltr">And does that make any real sense? Port scanning and searching for vulnerable services is simply a common thing that happens and will keep happening, constantly. One would probably end up doing nothing else but constantly adding new ranges of these pests, and then once one of them leaves some assigned range, someone legitimate gets hit after it is reused... Especially with AWS.<div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"> <br>Regards<br><br>Jan Pleva</div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 30 Oct 2019 at 10:02, Pavel Snajdr <<a href="mailto:snajpa@snajpa.net">snajpa@snajpa.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div dir="ltr"></div><div dir="ltr">In that case it would be best not to expose it to the Internet at all ;)</div><div dir="ltr"><br></div><div dir="ltr">Or what is the reason for it? I don't get it. Is the point to prevent any other search engine that isn't Google from ever coming into existence?</div><div dir="ltr"><br></div><div dir="ltr">Or why, for heaven's sake?</div><div dir="ltr"><br></div><div dir="ltr">After all, being visible is the whole point of being on the Internet...</div><div dir="ltr"><br></div><div dir="ltr">/snajpa</div><div dir="ltr"><br>On 30 Oct 2019, at 09:59, V.K. <<a href="mailto:vencour@gmail.com" target="_blank">vencour@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr">
  
    
  
  
    <p>Is there any reason not to simply drop all traffic from the AS that
      the given IP address belongs to? Plus I allow some ports.</p>
    <p>That depends on how it shows up in my logs and on how frequent it is.</p>
    <p><br>
    </p>
    <p>Vencour</p>
    <p><br>
    </p>
    <div>On 30. 10. 19 9:52, zd nex wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">
        <div dir="ltr">
          <div>So I looked into it a bit more, and it looks like it is
            some kind of scanner. It is currently inactive (it is not on
            any server) and it seems to connect from several similar
            addresses, e.g.  - each of them is from a different part of
            Amazon (routing, compute) etc. But all of it is AWS Seoul.<br>
          </div>
          <div>
            <span id="gmail-m_7872581193719459088gmail-:34.co" style="text-align:left" dir="ltr">54.180.139.105<br>
              54.180.138.177<br>
              54.180.163.44<br>
              54.180.139.105</span></div>
          <div><span id="gmail-m_7872581193719459088gmail-:34.co" style="text-align:left" dir="ltr"><br>
            </span></div>
          <div><span id="gmail-m_7872581193719459088gmail-:34.co" style="text-align:left" dir="ltr">
            </span>
            <div id="gmail-m_7872581193719459088gmail-:4k.ma"><span id="gmail-m_7872581193719459088gmail-:4k.co" style="text-align:left" dir="ltr">13.124.8.54</span></div>
            <div id="gmail-m_7872581193719459088gmail-:4l.ma"><span id="gmail-m_7872581193719459088gmail-:4l.co" style="text-align:left" dir="ltr">13.125.235.121</span></div>
            <div><span id="gmail-m_7872581193719459088gmail-:4l.co" style="text-align:left" dir="ltr">
                <span id="gmail-m_7872581193719459088gmail-:4m.co" style="text-align:left" dir="ltr">13.125.197.34
                  - this one is even alive and some mail server is running there</span>
              </span></div>
          </div>
          <div><span id="gmail-m_7872581193719459088gmail-:34.co" style="text-align:left" dir="ltr"><br>
            </span></div>
          <div><span id="gmail-m_7872581193719459088gmail-:34.co" style="text-align:left" dir="ltr"><a href="https://www.abuseipdb.com/check/54.180.139.105" target="_blank">https://www.abuseipdb.com/check/54.180.139.105</a></span></div>
          <div><span id="gmail-m_7872581193719459088gmail-:34.co" style="text-align:left" dir="ltr">
              <span id="gmail-m_7872581193719459088gmail-:4m.co" style="text-align:left" dir="ltr"><a rel="nofollow
                  noreferrer noopener" href="https://www.google.com/url?q=https://www.abuseipdb.com/check/13.125.197.34&sa=D&source=hangouts&ust=1572511680416000&usg=AFQjCNEOOO_7Kqh0hzDL5cQBvLnegK-rWA" dir="ltr" target="_blank">https://www.abuseipdb.com/check/13.125.197.34</a></span><br>
            </span></div>
          <div><span id="gmail-m_7872581193719459088gmail-:34.co" style="text-align:left" dir="ltr"><br>
            </span></div>
          <div><span id="gmail-m_7872581193719459088gmail-:34.co" style="text-align:left" dir="ltr">judging by the comments, it
              really does look like some kind of scanner / SYN flood?<br>
            </span></div>
        </div>
        <br>
        <div class="gmail_quote">
          <div dir="ltr" class="gmail_attr">On Wed, 30 Oct 2019 at 9:26,
            Pavel Snajdr <<a href="mailto:snajpa@snajpa.net" target="_blank">snajpa@snajpa.net</a>>
            wrote:<br>
          </div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <div dir="auto">
              <div dir="ltr">... so look into it, since you say so ;)</div>
              <div dir="ltr"><br>
              </div>
              <div dir="ltr">/snajpa</div>
              <div dir="ltr"><br>
                On 30 Oct 2019, at 07:04, zd nex <<a href="mailto:zdnexnet@gmail.com" target="_blank">zdnexnet@gmail.com</a>>
                wrote:<br>
                <br>
              </div>
              <blockquote type="cite">
                <div dir="ltr">
                  <div dir="ltr">
                    <div dir="ltr">
                      <div>Hi all,</div>
                      <div><br>
                      </div>
                      <div>to be honest, I noticed it too; it is
                        all on port 443 or 80. Most of the addresses are
                        Amazon south asia (seoul) + some provider
                        Leaseweb NL, and it is on all servers.  It would
                        probably be worth looking into a bit. There is not
                        much of it, approx. 50 -200. In the past there was
                        more, then it stopped and now it seems to be picking up again?<br>
                      </div>
                    </div>
                    <div><br>
                    </div>
                    <div>Zdenek<br>
                    </div>
                    <div class="gmail_quote">
                      <div dir="ltr" class="gmail_attr">On Tue, 29 Oct 2019
                        at 19:48, Pavel Snajdr <<a href="mailto:snajpa@snajpa.net" target="_blank">snajpa@snajpa.net</a>>
                        wrote:<br>
                      </div>
                      <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
                        <br>
                        what do you mean by handling it on the
                        infrastructure? We are not going to touch your traffic <br>
                        unless it is a disaster on the scale of the one
                        with the memcached UDP <br>
                        amplification attacks - we are not observing
                        anything like that; in any case it is possible <br>
                        that something is spreading again (but judging by
                        the fact that no wave of abuse <br>
                        notices has risen so far, it does not look like it).<br>
                        <br>
                        In any case, make sure you have everything up to
                        date - from the last few days mainly <br>
                        e.g. PHP-FPM, which has had a remote code execution
                        hole in certain setups <br>
                        ever since PHP5... and for PHP7 there is a proof of
                        concept exploit out.<br>
                        <br>
                        /snajpa<br>
                        <br>
                        On 2019-10-29 15:28, Petr Parolek wrote:<br>
                        > Hi,<br>
                        > <br>
                        > for several days now I have been seeing many
                        connections in the SYN_RECV state on my VPS<br>
                        > <br>
                        > see: netstat -anp |grep 'SYN_RECV' | awk
                        '{print $5}' | cut -d: -f1 |<br>
                        > sort | uniq -c | sort -n<br>
                        >      23 xxx.xxx.xxx.xxx<br>
                        >      23 xxx.xxx.xxx.xxx<br>
                        > ...<br>
                        > <br>
                        > about 20 IP addresses.<br>
                        > <br>
                        > Should I be worried about this, or is everything
                        OK and should it all be handled on the <br>
                        > infrastructure?<br>
                        > <br>
                        > Thanks a lot for any observations and advice<br>
                        > <br>
                        > <br>
                        > Petr<br>
                        >
                        _______________________________________________<br>
                        > Community-list mailing list<br>
                        > <a href="mailto:Community-list@lists.vpsfree.cz" target="_blank">Community-list@lists.vpsfree.cz</a><br>
                        > <a href="http://lists.vpsfree.cz/listinfo/community-list" rel="noreferrer" target="_blank">http://lists.vpsfree.cz/listinfo/community-list</a><br>
                      </blockquote>
                    </div>
                    <br>
                  </div>
                </div>
              </blockquote>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
  

</div></blockquote></div>
</blockquote></div>
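<p>The per-source SYN_RECV count from the first message in this thread, as an added example that is not part of the original e-mails: it strips the port at the last colon so that IPv6 and IPv4-mapped peers are counted correctly, and also groups IPv4 sources by /24. The function names and the sample lines (documentation address ranges) are constructed for illustration.</p>

```sh
#!/bin/sh
# Added example: count half-open (SYN_RECV) connections per source address.
# Reads `netstat -ant`-style lines on stdin. Unlike `cut -d: -f1`, the port is
# stripped at the LAST colon, so IPv6 and IPv4-mapped (::ffff:a.b.c.d) peers
# are not truncated to an empty or partial address.
syn_recv_by_source() {
    awk '$6 == "SYN_RECV" {
             addr = $5
             sub(/:[0-9]+$/, "", addr)      # drop the trailing :port only
             sub(/^::ffff:/, "", addr)      # unwrap IPv4-mapped IPv6
             count[addr]++
         }
         END { for (a in count) print count[a], a }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# Same data grouped by IPv4 /24, to see whether many low-count sources
# sit in one network (IPv6 sources are left as single addresses).
syn_recv_by_net24() {
    syn_recv_by_source | awk '{
             net = $2
             if (net ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                 sub(/\.[0-9]+$/, ".0/24", net)
             }
             count[net] += $1
         }
         END { for (n in count) print count[n], n }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample input (documentation address ranges, not real data).
sample_netstat() {
    cat <<'EOF'
tcp        0      0 192.0.2.10:443          198.51.100.7:51234      SYN_RECV
tcp        0      0 192.0.2.10:443          198.51.100.7:51235      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:40000      SYN_RECV
tcp        0      0 192.0.2.10:443          203.0.113.5:33000       ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:44000    SYN_RECV
tcp6       0      0 ::ffff:192.0.2.10:443   ::ffff:203.0.113.77:1234 SYN_RECV
EOF
}

# On a live Linux host with net-tools: netstat -ant | syn_recv_by_source
```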