[anti-abuse-wg] .gov .ru or .ch ?

Den 2017-06-30 kl. 07:53, skrev ox:
> Hi All,
>
> Frequently I see new exploits, old exploits, plain old brute force and
> all scans from the same weird shell corporations.
> (of course I collect exploits, specially 0day, as they are very useful)
>
> Usually when I report hacking/security abuse (like a main bot, etc)
> most ISP's actually take a look and clean up, as it is bad for their
> network to have this there anyway....
>
> But there are 'bullet proof' hackers as complaints never do anything,
> no matter how much logs and evidence is submitted.
>
> These are your government hackers, USA, China, Russia, etc. 
>
> But, one of these bullet proof hackers is so k1dD13 that I have no
> clue what it could be (as the stuff they run, will never work, even on
> non patched servers/devices)  - Yet complaints also have no result and
> the modus operandi is always the same... They have distributed small
> delegations, like /29 /28 /27 and on rare occasions a /26 and always
> registered to Kansas, USA
>
> For example IP number 69.30.255.107

We've had our fare share of spam from them. The announcement spree seems
to have started more or less in 2017 although the earlier announcements
in 2005-2006 seems to have same pattern. Smaller prefixes also seems to
be way back. Check the json-file for that.

https://stat.ripe.net/widget/routing-history#w.resource=69.30.192.0/18

https://stat.ripe.net/data/routing-history/data.json?min_peers=0&resource=69.30.192.0%2F18


>
> Has anyone experienced anything similar and does anyone know what type
> of silly operation this is or what their goals could possibly be?
>
> Is it some AI learning thing? or a bit eater? or what?

Due to the price model https://www.wholesaleinternet.net/ has I see it
as just a heaven for spammers and black hats. Buy a virtual server for
$10/month no question asked.

Cheers,


-- 

Bengt Gördén
Resilans AB