SSH Chinese Bots
-
Honeypots maybe? These Chinese IP addresses have these ports open; they have been blocked by fail2ban for trying to hit my SSH port. I find it interesting with the ports they have open.
nmap 112.85.42.89
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-12 19:43 GMT
Nmap scan report for 112.85.42.89
Host is up (0.22s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
5679/tcp open     activesync
8008/tcp open     http
Nmap done: 1 IP address (1 host up) scanned in 11.40 seconds
stuart@stu-desktop:~$ nmap 112.85.42.128
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-12 19:46 GMT
Nmap scan report for 112.85.42.128
Host is up (0.21s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
5679/tcp open     activesync
8008/tcp open     http
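As an added example, not part of the original post and not something its author ran: a small Python parser for nmap's normal output in the shape quoted above. It reads the two scans back into structured records, lists which ports are open versus filtered per host, and groups hosts whose port/state set is identical (the two IPs above match exactly, which is what made the poster suspect honeypots). The sample input is the text of the two scans from the post, split back into one record per line; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the two nmap runs quoted in the original post (shell prompt
# lines dropped), split back into one record per line.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-12 19:43 GMT
Nmap scan report for 112.85.42.89
Host is up (0.22s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
5679/tcp open     activesync
8008/tcp open     http
Nmap done: 1 IP address (1 host up) scanned in 11.40 seconds
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-12 19:46 GMT
Nmap scan report for 112.85.42.128
Host is up (0.21s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
5679/tcp open     activesync
8008/tcp open     http
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Parse nmap 'normal' output into {host: [(port, proto, state, service), ...]}.

    Only the scan-report header and the per-port lines are used; timing,
    'Not shown' and 'Nmap done' lines are ignored.
    """
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return hosts


def ports_in_state(hosts, host, state):
    """Port numbers reported in the given state ('open', 'filtered', ...) for one host."""
    return sorted(p for p, _proto, s, _svc in hosts.get(host, []) if s == state)


def fingerprint(entries):
    """A hashable summary of a host's exposure: which ports are open or filtered.

    Service names are deliberately left out: without -sV nmap only maps the
    port number through its nmap-services table, so 'krb524' on 4444 or
    'activesync' on 5679 says nothing about what is really listening there.
    """
    return frozenset((port, proto, state) for port, proto, state, _svc in entries)


def group_by_fingerprint(hosts):
    """Group hosts that expose an identical port/state set.

    Several unrelated IPs sharing one exact fingerprint is worth noting when
    triaging brute-force sources: it suggests one image or operator behind
    them rather than independently configured machines.
    """
    groups = defaultdict(list)
    for host, entries in hosts.items():
        groups[fingerprint(entries)].append(host)
    return [sorted(members) for members in groups.values()]


if __name__ == "__main__":
    scanned = parse_nmap(SAMPLE_NMAP_OUTPUT)
    for host in scanned:
        print(host, "open:", ports_in_state(scanned, host, "open"),
              "filtered:", ports_in_state(scanned, host, "filtered"))
    for members in group_by_fingerprint(scanned):
        if len(members) > 1:
            print("identical exposure:", ", ".join(members))
```

Feeding it the output of a plain `nmap` run against a list of fail2ban-banned addresses gives a quick way to see whether the blocked sources are a handful of clones or a genuinely mixed population, without having to read each report by hand.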
-
@stuartjordan said in SSH Chinese Bots:
Honeypots maybe? These Chinese IP addresses have these ports open; they have been blocked by fail2ban for trying to hit my SSH port. I find it interesting with the ports they have open.
nmap 112.85.42.89
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-12 19:43 GMT
Nmap scan report for 112.85.42.89
Host is up (0.22s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
5679/tcp open     activesync
8008/tcp open     http
Nmap done: 1 IP address (1 host up) scanned in 11.40 seconds
stuart@stu-desktop:~$ nmap 112.85.42.128
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-12 19:46 GMT
Nmap scan report for 112.85.42.128
Host is up (0.21s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
5679/tcp open     activesync
8008/tcp open     http
I think there were some attacks where, if you could get a client to attempt to connect to a server (presumably on one of those ports), you could compromise the client.
-
@dashrender That's what I was thinking.
-
@stuartjordan said in SSH Chinese Bots:
@dashrender That's what I was thinking.
From a throwaway VM:
telnet <ip address> 8008
GET /
and see what comes back, lol.
-
@dafyre Connection closed by foreign host after a couple of seconds, lol.