    SSH Chinese Bots

    IT Discussion
    • StuartJordan
      StuartJordan last edited by StuartJordan

      Honeypots maybe? These Chinese IP addresses have these ports open. They have been blocked by fail2ban for trying to hit my SSH port; I find it interesting with the ports they have open.

      nmap 112.85.42.89
      Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-12 19:43 GMT
      Nmap scan report for 112.85.42.89
      Host is up (0.22s latency).
      Not shown: 993 closed ports
      PORT     STATE    SERVICE
      135/tcp  filtered msrpc
      139/tcp  filtered netbios-ssn
      445/tcp  filtered microsoft-ds
      593/tcp  filtered http-rpc-epmap
      4444/tcp filtered krb524
      5679/tcp open     activesync
      8008/tcp open     http
      
      Nmap done: 1 IP address (1 host up) scanned in 11.40 seconds
      [email protected]:~$ nmap 112.85.42.128
      Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-12 19:46 GMT
      Nmap scan report for 112.85.42.128
      Host is up (0.21s latency).
      Not shown: 993 closed ports
      PORT     STATE    SERVICE
      135/tcp  filtered msrpc
      139/tcp  filtered netbios-ssn
      445/tcp  filtered microsoft-ds
      593/tcp  filtered http-rpc-epmap
      4444/tcp filtered krb524
      5679/tcp open     activesync
      8008/tcp open     http
      
      
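One way to triage what the scans above show, as an added example that is not part of the thread: a small Python parser for nmap's normal output that turns each host into a port/state fingerprint and groups hosts sharing the same profile, which is what you want when fail2ban has banned a batch of addresses and you suspect they are built from one template. The embedded sample is a constructed copy of the two reports quoted above, trimmed to the "scan report" and port lines.

```python
import re
# Constructed sample: the two scan reports quoted in the thread, trimmed to the lines the parser needs.
NMAP_OUTPUT = """\
Nmap scan report for 112.85.42.89
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
5679/tcp open     activesync
8008/tcp open     http
Nmap scan report for 112.85.42.128
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
5679/tcp open     activesync
8008/tcp open     http
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text):
    """Return {host: {"port/proto": (state, service)}} from nmap's normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current][f"{port}/{proto}"] = (state, service)
    return hosts

def fingerprint(ports):
    """Canonical (port, state) tuple so hosts with the same exposure profile compare equal."""
    return tuple(sorted((p, s) for p, (s, _) in ports.items()))

def group_by_fingerprint(hosts):
    """Map each distinct fingerprint to the hosts sharing it (banned IPs built from one template)."""
    groups = {}
    for host, ports in hosts.items():
        groups.setdefault(fingerprint(ports), []).append(host)
    return groups
```

Running `group_by_fingerprint(parse_nmap(NMAP_OUTPUT))` on the sample yields a single group containing both hosts, i.e. identical profiles (five filtered Windows RPC/SMB ports, 5679 and 8008 open).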
      • Dashrender
        Dashrender @StuartJordan last edited by

        @stuartjordan said in SSH Chinese Bots:

        honeypots maybe? that these Chinese IP Addresses have these ports open, they have been blocked by fail2ban trying to hit my ssh port, find it interesting with the ports they have open.


        I think there were some attacks where, if you could get a client to attempt to connect to a server (presumably on one of those ports), you could compromise the client.

        • StuartJordan
          StuartJordan @Dashrender last edited by

          @dashrender That's what I was thinking.

          • dafyre
            dafyre @StuartJordan last edited by

            @stuartjordan said in SSH Chinese Bots:

            @dashrender That's what I was thinking.

            From a throwaway VM:

            telnet <ip address> 8008
            GET /
            

            and see what comes back, lol.

            • StuartJordan
              StuartJordan @dafyre last edited by

              @dafyre Connection closed by foreign host after a couple seconds lol
