On Thu, Oct 6, 2016 at 8:47 AM, Spork Schivago <sporkschiv...@gmail.com> wrote:
> > There's away to do a reverse IP lookup on the IP address and see if > there's a DNS entry for it. That's how I was able to successfully figure > out who the senders were (Berkeley) originally. I used dig I believe. I > don't have access to my Linux box right now, otherwise I'd check to see if > the IP addresses are actually from Berkeley. There's always a chance that > they're using more than one server / IP now to conduct the scanning. I > believe they were originally trying to scan the whole internet. > > based on the IP of 169.229.3.91 given by Mitchell: 91.3.229.169.in-addr.arpa. 9787 IN PTR researchscan1.EECS.Berkeley.EDU. University of California - Office of the President UCSD-NET-169-228 (NET-169-229-0-0-1) 169.229.0.0 - 169.233.255.255 University of California at Berkeley ISTDATA (NET-169-229-0-0-2) 169.229.0.0 - 169.229.255.255 -Tony They had said it's a very specific type of malware that only affects IIS to > their knowledge. If you're not running a Windows server running IIS, you > should be good to go. > > On Thu, Oct 6, 2016 at 8:27 AM, Rainer Canavan < > rainer.cana...@sevenval.com> wrote: > >> On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmul...@arccorp.com> wrote: >> > From the looks of it I would say it is targeting servers running SSL. >> Are >> > you serving up HTTP or HTTPS ? >> >> I don't think that that is valid SSL, unless your httpd discards the >> first few bytes. >> There was a SANS handler diary entry just yesterday about this: >> >> https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTT >> P+Servers/21551/ >> >> if I try `openssl s_client -connect localhost:14020`, I get the below >> entry in my access.log, >> which matches the description in the diary: >> >> 127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - >> "\x16\x03\x01\x01,\x01" 400 226 "-" "-" >> >> this, however, is something completely different. I'd also guess it's >> some kind >> of vulnerability scan: >> >> > IP >> > 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] >> > "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605 >> > 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] >> > "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\ >> xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" >> > 200 48605 >> >> Rainer >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >> For additional commands, e-mail: users-h...@httpd.apache.org >> >> >