My Assange/Snowden slash fic is big in Russia

A Russian botnet will not stop downloading my homoerotic story about Edward Snowden and Julian Assange. It was the middle of election season, I had recently broken up with my girlfriend, and half a bottle of Bombay Sapphire later I crapped out this break-up scene where Assange is emotionally abusive to Snowden.

If you haven’t already left to read that trainwreck out of morbid curiosity instead, let’s investigate this. This is just the blog of a sysadmin who occasionally does stand-up as a hobby. My readers are mostly friends and family, so I was surprised to see that my data transfer thus far this month was 3GB. When I decided to review my nginx access logs, I saw a lot of this:

5.188.210.60 - - [28/Feb/2019:18:06:21 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
5.188.210.69 - - [28/Feb/2019:18:16:22 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36"
5.188.210.70 - - [28/Feb/2019:18:31:29 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
5.188.210.66 - - [28/Feb/2019:18:50:59 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"

As I write this, that last entry is less than 10 minutes old. This log file only goes back to December 29th, when I migrated to a new FreeBSD 12 host, so I don't know how long it's been going on, but it's been at least that long.

I did a quick traceroute on a random one and saw it hopping through Stockholm. Uh oh. Let’s look closer.

% Abuse contact for '5.188.210.0 - 5.188.210.255' is 'alkonavtnetwork@gmail.com'

inetnum:        5.188.210.0 - 5.188.210.255
netname:        AlkonavtNetwork
descr:          Dedicated Servers & Hosting
remarks:        abuse contact: alkonavtnetwork@gmail.com [1]
country:        RU
admin-c:        BJA12-RIPE
org:            ORG-BJA2-RIPE
tech-c:         BJA12-RIPE
status:         SUB-ALLOCATED PA
mnt-by:         MNT-PINSUPPORT
created:        2018-07-22T18:47:38Z
last-modified:  2018-07-22T18:47:38Z
source:         RIPE

organisation:   ORG-BJA2-RIPE
org-name:       Bashilov Jurij Alekseevich
org-type:       OTHER
address:        Data center: Russia, Saint-Petersburg, Sedova str. 80. PIN Co. LTD (ru.pin)
abuse-c:        BJA13-RIPE
mnt-ref:        MNT-PINSUPPORT
mnt-by:         MNT-PINSUPPORT
created:        2015-12-17T21:42:47Z
last-modified:  2018-07-22T18:50:42Z
source:         RIPE # Filtered

person:         Bashilov Jurij Alekseevich
address:        111398, Russia, Moscow, Plehanova str. 29/1-90
phone:          +79778635845
nic-hdl:        BJA12-RIPE
mnt-by:         MNT-PINSUPPORT
created:        2015-12-16T04:19:25Z
last-modified:  2018-07-22T18:58:31Z
source:         RIPE

% Information related to '5.188.210.0/24AS44050'

route:          5.188.210.0/24
descr:          AlkonavtNetwork
origin:         AS44050
mnt-by:         MNT-PINSUPPORT
created:        2016-12-22T14:39:55Z
last-modified:  2018-07-22T18:52:24Z
source:         RIPE

Well, that includes all of the IP addresses in my last snippet. Hello, St Petersburg. Interesting that a hosting company would have a Gmail address to report abuse to. Googling around, I see various blogs reporting spam coming from this IP address range. I'm not sure if this is basic spam, though. The short story in question heavily discusses Edward Snowden and Julian Assange as being in conspiracy with Russia. Did I hit a cross section of keywords they're scraping for? Did I accidentally tell a true story?

Let's do some grepping around here. I'll omit all entries from my own IP addresses to avoid bias and look at a couple of other posts. That stupid Dunkin Donuts coffee gag I did? As of right now, 167 GET requests. The sequel to that Assange story with Jill Stein? 110 GET requests.

THE ASSANGE/SNOWDEN ONE HAS 20,061 REQUESTS.

19,876 of those come from the aforementioned network, from only 9 unique IP addresses. 6,800 of those are actually POST attempts…

5.188.210.68 - - [27/Feb/2019:13:11:31 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"

Akismet was forwarding these into the void, so I'm not sure what the payload was. I don't even want comments on this blog anyway, so I disabled that functionality. There hasn't been a POST request since. Great Scott, I think they're learning…
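The same counting, done as an added example rather than with the grep commands from the post: parse nginx combined-format lines, drop the author's own addresses, tally requests per post and per client, count POSTs to wp-comments-post.php, and work out how often the 5.188.210.0/24 range is hitting. This is not code from the original post. The log lines below are constructed in the same shape as the excerpts above (with shortened User-Agent strings), the OWN_IPS address is a hypothetical stand-in for the author's address, and the last line is deliberately malformed to show that unparseable lines are skipped rather than crashing the run.

```python
import re
import ipaddress
from collections import Counter
from datetime import datetime

# nginx "combined" format: client - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the post's excerpts; not real traffic.
SAMPLE_LOG = """\
5.188.210.60 - - [28/Feb/2019:18:06:21 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0"
5.188.210.69 - - [28/Feb/2019:18:16:22 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0"
5.188.210.68 - - [28/Feb/2019:18:20:31 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0"
5.188.210.70 - - [28/Feb/2019:18:31:29 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0"
203.0.113.7 - - [28/Feb/2019:18:40:02 -0500] "GET /?p=301 HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
5.188.210.66 - - [28/Feb/2019:18:50:59 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0"
198.51.100.4 - - [28/Feb/2019:19:02:10 -0500] "GET /?p=261 HTTP/1.1" 200 68303 "-" "Mozilla/5.0"
garbage line that does not parse
"""

SUSPECT_NET = ipaddress.ip_network("5.188.210.0/24")  # the range from the WHOIS lookup
OWN_IPS = {"203.0.113.7"}  # hypothetical: the blog owner's own address, excluded to avoid bias


def parse(lines):
    """Yield a dict per line that matches the combined format; silently skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def summarize(text):
    """Tally requests per post and per client IP, count comment POSTs, sum bytes
    served, and estimate the hourly hit rate from SUSPECT_NET (OWN_IPS excluded)."""
    per_post, per_ip = Counter(), Counter()
    comment_posts = bytes_sent = suspect_hits = 0
    first = last = None
    for r in parse(text.splitlines()):
        if r["ip"] in OWN_IPS:
            continue
        per_ip[r["ip"]] += 1
        if r["path"].startswith("/?p="):
            per_post[r["path"]] += 1
        if r["method"] == "POST" and r["path"] == "/wp-comments-post.php":
            comment_posts += 1
        if r["bytes"] != "-":
            bytes_sent += int(r["bytes"])
        if ipaddress.ip_address(r["ip"]) in SUSPECT_NET:
            suspect_hits += 1
            first = r["time"] if first is None else min(first, r["time"])
            last = r["time"] if last is None else max(last, r["time"])
    # Rate only makes sense with at least two hits spread over some interval.
    hours = (last - first).total_seconds() / 3600 if first and last and last > first else None
    return {
        "per_post": dict(per_post),
        "per_ip": dict(per_ip),
        "suspect_ips": sorted(ip for ip in per_ip if ipaddress.ip_address(ip) in SUSPECT_NET),
        "comment_posts": comment_posts,
        "bytes_sent": bytes_sent,
        "suspect_hits": suspect_hits,
        "suspect_hits_per_hour": suspect_hits / hours if hours else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it against a real file, replace SAMPLE_LOG with the contents of the nginx access log and put the server's own addresses in OWN_IPS. Membership in SUSPECT_NET is checked with the ipaddress module rather than a string prefix, so a client like 5.188.21.0 is not mistaken for part of the /24.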

Well, let’s poke the bear and port scan one.

PORT      STATE    SERVICE            VERSION
25/tcp    filtered smtp
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1580/tcp  filtered tn-tl-r1
3389/tcp  open     ssl/ms-wbt-server?
|_ssl-date: 2019-03-01T01:45:32+00:00; +3s from scanner time.
49152/tcp open     msrpc              Microsoft Windows RPC
49153/tcp open     msrpc              Microsoft Windows RPC
49154/tcp open     msrpc              Microsoft Windows RPC
49155/tcp open     msrpc              Microsoft Windows RPC
49156/tcp open     msrpc              Microsoft Windows RPC
49158/tcp open     msrpc              Microsoft Windows RPC
49159/tcp open     msrpc              Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

RDP is open to the internet. That’s fucking awesome. I’m definitely not feeling up to trying to connect to that. Given that these IP addresses are mostly sequential, I don’t think this is the product of malware.

5.188.210.60
5.188.210.62
5.188.210.64
5.188.210.66
5.188.210.67
5.188.210.68
5.188.210.69
5.188.210.70
5.188.210.71

I'm really not sure why those 9 IP addresses are downloading the same article over and over, roughly 5 times an hour. Reversing the search, they are not attempting to GET or POST to any other entry on my site.

I could set my firewall to reject those, but I want to see if this post gets more hits.

This was probably a bad idea.