A Russian botnet will not stop downloading my homoerotic story about Edward Snowden and Julian Assange. It was the middle of election season, I had recently broken up with my girlfriend, and half a bottle of Bombay Sapphire later I crapped out this break-up scene where Assange is emotionally abusive to Snowden.
If you haven’t already left to read that trainwreck out of morbid curiosity instead, let’s investigate this. This is just the blog of a sysadmin who occasionally does stand-up as a hobby. My readers are mostly friends and family, so I was surprised to see that my data transfer thus far this month was 3GB. When I decided to review my nginx access logs, I saw a lot of this:
126.96.36.199 - - [28/Feb/2019:18:06:21 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
188.8.131.52 - - [28/Feb/2019:18:16:22 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36"
184.108.40.206 - - [28/Feb/2019:18:31:29 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
220.127.116.11 - - [28/Feb/2019:18:50:59 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
As I write this, that last entry is less than 10 minutes old. This log file only goes back to December 29th, when I migrated to a new FreeBSD 12 host, so I don’t know how long it’s been going on, but it has been at least that long.
I did a quick traceroute on a random one and saw it hopping through Stockholm. Uh oh. Let’s look closer.
% Abuse contact for '18.104.22.168 - 22.214.171.124' is 'firstname.lastname@example.org'

inetnum:        126.96.36.199 - 188.8.131.52
netname:        AlkonavtNetwork
descr:          Dedicated Servers & Hosting
remarks:        abuse contact: email@example.com
country:        RU
admin-c:        BJA12-RIPE
org:            ORG-BJA2-RIPE
tech-c:         BJA12-RIPE
status:         SUB-ALLOCATED PA
mnt-by:         MNT-PINSUPPORT
created:        2018-07-22T18:47:38Z
last-modified:  2018-07-22T18:47:38Z
source:         RIPE

organisation:   ORG-BJA2-RIPE
org-name:       Bashilov Jurij Alekseevich
org-type:       OTHER
address:        Data center: Russia, Saint-Petersburg, Sedova str. 80. PIN Co. LTD (ru.pin)
abuse-c:        BJA13-RIPE
mnt-ref:        MNT-PINSUPPORT
mnt-by:         MNT-PINSUPPORT
created:        2015-12-17T21:42:47Z
last-modified:  2018-07-22T18:50:42Z
source:         RIPE # Filtered

person:         Bashilov Jurij Alekseevich
address:        111398, Russia, Moscow, Plehanova str. 29/1-90
phone:          +79778635845
nic-hdl:        BJA12-RIPE
mnt-by:         MNT-PINSUPPORT
created:        2015-12-16T04:19:25Z
last-modified:  2018-07-22T18:58:31Z
source:         RIPE

% Information related to '184.108.40.206/24AS44050'

route:          220.127.116.11/24
descr:          AlkonavtNetwork
origin:         AS44050
mnt-by:         MNT-PINSUPPORT
created:        2016-12-22T14:39:55Z
last-modified:  2018-07-22T18:52:24Z
source:         RIPE
Well, that range includes all of the IP addresses in my last snippet. Hello, St Petersburg. Interesting that a hosting company would use a Gmail address for abuse reports. Googling around, I see various blogs reporting spam coming from this IP range. I’m not sure this is basic spam, though. The short story in question heavily discusses Edward Snowden and Julian Assange as being in conspiracy with Russia. Did I hit a cross-section of keywords they’re scraping for? Did I accidentally tell a true story?
Let’s do some grepping around here. I’ll omit all entries of my own IP addresses for bias and look at a couple other posts. That stupid Dunkin Donuts coffee gag I did? As of right now, 167 GET requests. The sequel to that Assange story with Jill Stein? 110 GET requests.
THE ASSANGE/SNOWDEN ONE HAS 20,061 REQUESTS.
19,876 of those are from the aforementioned network, coming from only 9 unique IP addresses. 6,800 of those are actually attempts to POST…
18.104.22.168 - - [27/Feb/2019:13:11:31 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"
Akismet was forwarding these into the void, so I’m not sure what the payload was. I don’t even want comments on this blog anyway, so I disabled that functionality. There hasn’t been a POST request since. Great Scott, I think they’re learning…
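The grepping above (requests per post with my own IPs excluded, requests per client for the one post, and POSTs to wp-comments-post.php) is easy to script once the nginx combined format is parsed properly. The following is an added example, not tooling from the blog: it parses log lines in that format, counts per path and per IP, isolates the comment POSTs, and also buckets one client's requests by clock hour and lists the clients that exceed a threshold (the generalisation of the "roughly 5 times an hour" observation and the firewall block list considered later). The log lines and the 10.0.0.5 "own IP" are constructed for the example.

```python
"""Summarise an nginx access log the way the post's grepping does.
Added example, not the blog's own tooling; the log lines are constructed."""
import re
from collections import Counter
from datetime import datetime

# nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample in the shape of the post's excerpts (user agents shortened).
SAMPLE_LOG = """\
126.96.36.199 - - [28/Feb/2019:18:06:21 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0"
188.8.131.52 - - [28/Feb/2019:18:16:22 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0"
126.96.36.199 - - [28/Feb/2019:18:31:29 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0"
126.96.36.199 - - [28/Feb/2019:18:50:59 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0"
10.0.0.5 - - [28/Feb/2019:19:02:10 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Feb/2019:19:05:44 -0500] "GET /?p=300 HTTP/1.0" 200 12000 "-" "Mozilla/5.0"
126.96.36.199 - - [28/Feb/2019:19:12:03 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0"
"""

MY_IPS = {"10.0.0.5"}  # constructed stand-in for the author's own addresses, excluded for bias


def parse_log(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def requests_per_path(entries, exclude_ips=frozenset(), method="GET"):
    """Count requests per path; the query string stays, since WordPress keys posts on ?p=."""
    return Counter(e["path"] for e in entries
                   if e["method"] == method and e["ip"] not in exclude_ips)


def requests_per_ip(entries, path, exclude_ips=frozenset()):
    """Who is fetching one particular path, and how often."""
    return Counter(e["ip"] for e in entries
                   if e["path"] == path and e["ip"] not in exclude_ips)


def post_attempts(entries, endpoint="/wp-comments-post.php"):
    """POSTs to the comment endpoint, per client IP."""
    return Counter(e["ip"] for e in entries
                   if e["method"] == "POST" and e["path"] == endpoint)


def requests_per_hour(entries, ip):
    """Requests from one IP bucketed by clock hour, in the log's local time."""
    buckets = Counter()
    for e in entries:
        if e["ip"] == ip:
            buckets[e["time"].strftime("%Y-%m-%d %H")] += 1
    return dict(buckets)


def noisy_ips(entries, path, threshold, exclude_ips=frozenset()):
    """IPs that hit `path` at least `threshold` times: candidates for a firewall block list."""
    counts = requests_per_ip(entries, path, exclude_ips)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("GETs per post (own IPs excluded):", requests_per_path(entries, MY_IPS))
    print("clients for /?p=261:", requests_per_ip(entries, "/?p=261", MY_IPS))
    print("comment POSTs:", post_attempts(entries))
    print("126.96.36.199 by hour:", requests_per_hour(entries, "126.96.36.199"))
    print("block candidates:", noisy_ips(entries, "/?p=261", 2, MY_IPS))
```

On a real host, read the access log into `parse_log` instead of `SAMPLE_LOG`; the list returned by `noisy_ips` is in a form that can be dropped straight into a firewall table rather than typed in by hand.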
Well, let’s poke the bear and port scan one.
PORT      STATE    SERVICE            VERSION
25/tcp    filtered smtp
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1580/tcp  filtered tn-tl-r1
3389/tcp  open     ssl/ms-wbt-server?
|_ssl-date: 2019-03-01T01:45:32+00:00; +3s from scanner time.
49152/tcp open     msrpc              Microsoft Windows RPC
49153/tcp open     msrpc              Microsoft Windows RPC
49154/tcp open     msrpc              Microsoft Windows RPC
49155/tcp open     msrpc              Microsoft Windows RPC
49156/tcp open     msrpc              Microsoft Windows RPC
49158/tcp open     msrpc              Microsoft Windows RPC
49159/tcp open     msrpc              Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
RDP is open to the internet. That’s fucking awesome. I’m definitely not feeling up to trying to connect to that. Given that these IP addresses are mostly sequential, I don’t think this is the product of malware on random infected machines.
22.214.171.124
126.96.36.199
188.8.131.52
184.108.40.206
220.127.116.11
18.104.22.168
22.214.171.124
126.96.36.199
188.8.131.52
I’m really not sure why those 9 IP addresses are downloading the same article over and over, roughly 5 times an hour. Searching the other way around, they are not attempting to GET or POST to any other entry on my site.
I could set my firewall to reject those, but I want to see if this post gets more hits.
This was probably a bad idea.