Hackers, PCs of infected users, or researchers?

There is an annoying amount of rubbish traffic to my website, and below is a selected (grep'ed) portion of it.

The documentation URL logged in the User-Agent describes the masscan tool as similar to nmap: its purpose is to find open ports on internet sites.

[root@vosprey3 httpd]# grep masscan access_log
163.172.47.200 - - [01/Dec/2019:06:16:45 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
80.241.221.67 - - [01/Dec/2019:07:12:01 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
159.65.11.106 - - [01/Dec/2019:08:08:35 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
149.129.243.159 - - [01/Dec/2019:11:40:56 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
173.249.49.151 - - [01/Dec/2019:13:54:12 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
79.143.188.161 - - [01/Dec/2019:17:58:22 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
146.196.55.181 - - [01/Dec/2019:20:09:34 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
159.65.187.159 - - [01/Dec/2019:21:18:40 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
202.168.64.24 - - [02/Dec/2019:00:35:20 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
206.189.237.232 - - [02/Dec/2019:01:26:36 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
173.249.51.194 - - [02/Dec/2019:09:43:41 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
52.6.12.150 - - [02/Dec/2019:11:34:08 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
167.99.40.21 - - [02/Dec/2019:12:29:29 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
167.99.40.21 - - [02/Dec/2019:12:29:35 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
138.68.247.104 - - [02/Dec/2019:18:51:55 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
207.180.220.8 - - [02/Dec/2019:22:26:47 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
142.93.187.70 - - [02/Dec/2019:22:35:14 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
5.189.188.207 - - [02/Dec/2019:23:57:36 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
5.189.134.236 - - [03/Dec/2019:05:25:31 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
165.227.4.106 - - [03/Dec/2019:06:22:25 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
167.99.130.208 - - [03/Dec/2019:06:24:38 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
207.180.224.136 - - [03/Dec/2019:08:07:02 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
5.189.162.164 - - [03/Dec/2019:09:43:27 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
207.180.213.201 - - [03/Dec/2019:11:50:21 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
51.38.239.33 - - [03/Dec/2019:12:14:56 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"

Simply because the requests come from so many different IP addresses, it can be assumed they are from infected PCs or a hacker toolkit. Some may be requests from semi-legitimate port-mapping sites like Shodan, but I don't want my ports mapped.

Interestingly, my firewall rules are logging these as well, but for different reasons: for the last three addresses the entries look like timeout-outbound / incomplete-handshake-inbound / timeout-outbound. All incomplete requests anyway, and all to port 80 (none to the other HTTP port, 443, or to any other open port), so a rather selective scan.

Dec  3 09:43:34 vosprey3 kernel: DROPPED IN= OUT=ens3 SRC=192.168.1.193 DST=5.189.162.164 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=13052 DF PROTO=TCP SPT=80 DPT=61000 SEQ=1082931877 ACK=1097398385 WINDOW=29200 RES=0x00 ACK PSH FIN URGP=0
Dec  3 11:50:51 [localhost] kernel: ABORTED IN=ens3 OUT= MAC=52:54:00:38:ef:48:9c:d6:43:ab:90:a3:08:00 SRC=207.180.213.201 DST=192.168.1.193 LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=6478 PROTO=TCP SPT=61000 DPT=80 SEQ=2892097713 ACK=467644449 WINDOW=1200 RES=0x00 RST URGP=0
Dec  3 12:15:02 [localhost] kernel: DROPPED IN= OUT=ens3 SRC=192.168.1.193 DST=51.38.239.33 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=62338 DF PROTO=TCP SPT=80 DPT=61000 SEQ=2386804186 ACK=3821347452 WINDOW=29200 RES=0x00 ACK PSH FIN URGP=0

They are just port-scanning requests, definitely not web crawlers, as they never request more than the head / URL. And because they only ever request the / URL, I cannot use Apache rewrite rules to blacklist the IP addresses in real time.

I have added a check for those requests to my daily batch job that scans the access logs, so the IP addresses performing those scans will still be added automatically to my drop rules for misbehaving source IPs, if a little slower than real time.
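As an added illustration of that nightly check (my own example here, not the post's actual batch job), the shell snippet below pulls the masscan source addresses out of constructed Apache combined-format log lines and emits idempotent iptables DROP commands. It matches on the User-Agent field rather than grepping the whole line, so a request path that merely contains the word "masscan" is not blocked; the chain name BADHOSTS and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not the author's real batch job: find masscan probes in an
# Apache combined-format access log and emit the firewall DROP rules a nightly
# job would apply. The chain name BADHOSTS and the sample lines are assumptions.

# Constructed sample log lines (same format as the post's grep output).
SAMPLE_LOG='163.172.47.200 - - [01/Dec/2019:06:16:45 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
167.99.40.21 - - [02/Dec/2019:12:29:29 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
167.99.40.21 - - [02/Dec/2019:12:29:35 +1300] "GET / HTTP/1.0" 200 4418 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
198.51.100.7 - - [02/Dec/2019:12:30:00 +1300] "GET /index.html HTTP/1.1" 200 4418 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0"
198.51.100.9 - - [02/Dec/2019:12:31:00 +1300] "GET /?q=masscan HTTP/1.1" 404 200 "-" "curl/7.64.0"'

# masscan_ips: read an access log on stdin and print each unique source IP
# whose User-Agent field identifies masscan, in first-seen order.
# Splitting on the double quote makes field 6 the User-Agent, so a request
# path that merely contains the word "masscan" (line 5 above) is not matched,
# which a plain "grep masscan access_log" would get wrong.
masscan_ips() {
    awk -F'"' '
        index($6, "masscan/") == 1 {
            split($1, a, " ")          # a[1] is the client IP
            if (!(a[1] in seen)) { seen[a[1]] = 1; print a[1] }
        }'
}

# drop_rules CHAIN: turn an IP list on stdin into idempotent iptables commands.
# "-C" checks whether the rule already exists, so re-running the nightly job
# does not append duplicate rules; the commands are printed, not executed.
drop_rules() {
    chain="${1:-BADHOSTS}"
    while IFS= read -r ip; do
        case "$ip" in
            *[!0-9.]*|"") continue ;;   # ignore anything that is not a dotted quad
        esac
        printf 'iptables -C %s -s %s -j DROP 2>/dev/null || iptables -A %s -s %s -j DROP\n' \
            "$chain" "$ip" "$chain" "$ip"
    done
}

# Run against the constructed sample; a real job would read the live access_log.
printf '%s\n' "$SAMPLE_LOG" | masscan_ips | drop_rules BADHOSTS
```

Pipe the generated commands into `sh` only after reviewing them, and remember that a scanner seen once from a cloud address may be a different tenant tomorrow, so rules like these deserve an expiry.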

About mark

At work, been working on Tandems for around 30yrs (programming + sysadmin), plus AIX and Solaris sysadmin also thrown in during the last 20yrs; also about 5yrs on MVS (mainly operations and automation but also smp/e work). At home I have been using linux for decades. Programming background is commercially in TAL/COBOL/SCOBOL/C(Tandem); 370 assembler(MVS); C, perl and shell scripting in *nix; and Microsoft Macro Assembler(windows).