Replies: 9 comments 15 replies
-
|
@bretmac according to the guy at hackerfactor.com (Neil Krawetz I think?), stretchoid is probably a chinese operation, and I tend to agree with him. I also have an AbuseIPDB integration offering here (#223) , and endorse others to set up their own, working solutions. Btw from my daily repo updates, I saw some updates to stretchoid hosts, just not to the main stretchoid.txt file. This repo is subject to move anyways (#224), but I'd like to have a place where we can have all the necessary IP lists in a freely available manner, unlike crowdsec and/or abuseipdb does it. As suggested, a server where the generated artifacts (txt formatted ip lists) are available, would be nice. |
Beta Was this translation helpful? Give feedback.
-
|
Oh, forgot the link to the hackefactor article, it's here: https://www.hackerfactor.com/blog/index.php?archives/775-Scans-and-Attacks.html |
Beta Was this translation helpful? Give feedback.
-
|
That's an interesting project, I will check that out properly next week. The article is interesting and, yes, I like the double quotes around "researchers". Whoever they are Digital Ocean are complicit in their operation as they surely know what they are doing. The only "good" thing about stretchoid is they appear to be setting reverse DNS - not all "researchers" do. There are hundreds in Akamai/Linode as well - all faceless organisations that want your personal details should you dare to want to opt out. The stretchoid data is easy to produce - Digital Ocean has about 3 million IP addresses so I just did a bulk reverse DNS lookup on the lot of them. I'm also building a shodan list as well as they have been surveilling my machines as well. |
Beta Was this translation helpful? Give feedback.
-
|
I think the shodan addresses are freely available, this project even contains them. |
Beta Was this translation helpful? Give feedback.
-
|
You may all want to use https://github.com/wdes/dns-ptr-resolver for bulk DNS resolve |
Beta Was this translation helpful? Give feedback.
-
Yes, I have to purge old records. Thanks for noticing this |
Beta Was this translation helpful? Give feedback.
-
Thank you, I have to add some automations to better update the IPs that are scanned |
Beta Was this translation helpful? Give feedback.
-
|
These Stretchoid pests are now using Microsoft addresses azpdss35.stretchoid.com [20.118.71.186] They are two examples seen in the last 24 hours. Reverse lookup also suggests they have IPv6 addresses too, |
Beta Was this translation helpful? Give feedback.
-
|
AbuseIPDB finds these in their database with the ipv4 address, but not with the ipv6 address. they're actively scanning from there, wonder why MS allows this in their cloud. |
Beta Was this translation helpful? Give feedback.
-
|
Also, by manually testing, they have records from |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for the ping, I will add more IPs to scan |
Beta Was this translation helpful? Give feedback.
-
|
There are numerous other stems to the hostnames as well: azpdcs36.stretchoid.com[172.168.40.233] Those are more seen in the last day or so. Another mass reverse DNS might need to be done for the Microsoft AS |
Beta Was this translation helpful? Give feedback.
-
|
Another MS offender today: 104.40.84.168 |
Beta Was this translation helpful? Give feedback.
-
|
There are over 1,100 MS addresses I've discovered (so far) 4.246.247.29 azpdeg1.stretchoid.com |
Beta Was this translation helpful? Give feedback.
-
|
Can you provide me a list of /cidr for each network to scan? |
Beta Was this translation helpful? Give feedback.
-
|
I'm not 100% sure what you mean. Of the 1,300 Microsoft addresses I've discovered so far they don't seem to be grouped into contiguous subnets, they are fragmented all over the place with gaps in the IP addresses. However, checking six IPs randomly from above they are all from AS8075, so that would be a good place to start. If I get time at the weekend I'll do a bulk reverse lookup on AS8075. Judging by the fact there are over 1,300 Microsoft addresses here I wonder if they've moved away from Digital Ocean, or they have decided to use another Cloud provider on top of DO? |
Beta Was this translation helpful? Give feedback.
-
|
Oh, it's not clear from my post about how I come about these. As and when my server is scanned I've been taking the "stem" from the reverse DNS and doing FOWARD lookups iteratively over the first 200. I'm seeing less and less stretchoid scans this week so I think my blocking is starting to cover most of their systems at this stage. Bare in mind DO was/is bigger I expect we will see more MS addresses over the coming days/weeks until I pre-empt this with a bulk reverse lookup over the whole AS. (Sorry, but not Sorry, Microsoft, but you are the one harbouring these veiled actors.) |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for your list, I did some commands and here is the result: cut -d ' ' -f 1 ../temp-strechoid.txt | sort | cut -d . -f -3 | sort | uniq |
Beta Was this translation helpful? Give feedback.
-
|
Beta Was this translation helpful? Give feedback.
-
|
https://security.wdes.eu/scan/tasks https://security.wdes.eu/scanners/stretchoid To be continued, work in progress |
Beta Was this translation helpful? Give feedback.
-
|
Hey, so I see files disappeared from the repo: Do you plan to re-add these somewhere else? I had to adjust my firewall config because it didn't load seeing the files disappeared. |
Beta Was this translation helpful? Give feedback.
-
|
I think they all got moved into the |
Beta Was this translation helpful? Give feedback.
-
|
oh, thanks. Using these files as artifacts is the better idea, I guess this is only for the meantime. |
Beta Was this translation helpful? Give feedback.
-
I am really sorry for this, yes they will end up on security.wdes.eu |
Beta Was this translation helpful? Give feedback.
-
I really love the work going on here, I found this resource today after my concerns.
There is something very smelly about stretchoid and a few other "security research" organisations. This is a faceless organisation that is scanning the internet on a massive scale. Totally anonymous with no research published, or commercial offering. I am treating them as a malicious actor and blocking them wherever possible. Possibly state funded, who knows?
Looking at your stretchoid.txt file do you concur that these machines move around? By my reckoning about 1700 reverse DNS entries exist in Digital Ocean today with *.stretchoid.com PTR records. Scans that hit my SMTP server appear to send "MGLNDD_{ip}_{port}" after they connect. Connections definitely hit both TCP port 25 and 587. (Possibly others, but I am not monitoring this since they are blocked upstream of my servers). Only IPv4 activity has been observed.
Seriously though, 1,700 machines and the organisation does not have a face?
Your stretchoid.txt file seems way out of date. About 1300 of those entries no longer resolve to stretchoid PTR records. 80 or so resolve to new PTR records that a clearly other customers and the rest don't return anything for a PTR.
Every entry that I have found today also exists in your stretchoid.txt file, apart from these few:
Also - your censys.txt is out of date - they have recently added more ranges.
I'll likely work on a custom solution for my systems but this is very nice work you are doing here.
Beta Was this translation helpful? Give feedback.
All reactions