Discussion:
92.51.2.78/24 (AS209588) from Russia with love ... for SQL injection attempts
Randolf Richardson 張文道
2024-07-11 18:04:23 UTC
While only a few failed SMTP AUTH attempts came from
95.51.2.78/24, there are thousands of SQL Injection
attempts being submitted on web-based contact forms
on various web sites, which are all failing due to
sanitization or direct Postfix SMTP queue injection.

95.51.2.78 is in our block-and-forget list now.

I'm wondering, has anyone encountered attacks from
any other IP addresses in this /24? I'm not finding
anything aside from 95.51.2.78 in our logs.

Thanks.

WHOIS output for 95.51.2.78...

% Abuse contact for '92.51.2.0 - 92.51.2.255' is
'***@digi-cloud.net'

inetnum: 92.51.2.0 - 92.51.2.255
netname: DIGICLOUD-NET
org: ORG-AHL11-RIPE
country: EU
admin-c: IG2940-RIPE
admin-c: DCN26-RIPE
tech-c: DCN26-RIPE
status: ASSIGNED PA
mnt-routes: DIGI
mnt-domains: DIGI
mnt-by: ru-permtelecom-1-mnt
created: 2023-05-12T12:01:35Z
last-modified: 2023-05-29T12:27:39Z
source: RIPE

organisation: ORG-AHL11-RIPE
org-name: Alviva Holding Limited
country: SC
org-type: OTHER
address: Suite 1, Second Floor,
Sound & Vision House,
Francis Rachel Str.,
Victoria, Mahe, Seychelles
abuse-c: DCN26-RIPE
mnt-ref: IVC-MNT
admin-c: DCN26-RIPE
tech-c: DCN26-RIPE
mnt-ref: mnt-ru-am-1
mnt-ref: ru-permtelecom-2-mnt
mnt-ref: DIGI
mnt-by: DIGI
created: 2019-02-20T20:32:02Z
last-modified: 2024-06-12T13:57:15Z
source: RIPE # Filtered

role: DIGI CLOUD NOC
abuse-mailbox: ***@digi-cloud.net
address: Suite 1, Second Floor,
Sound & Vision House,
Francis Rachel Str.,
Victoria, Mahe, Seychelles
nic-hdl: DCN26-RIPE
mnt-by: DIGI
created: 2019-02-20T20:29:47Z
last-modified: 2019-05-22T08:55:01Z
source: RIPE # Filtered

person: Igor Gilmutdinov
address: Malkova, 12
address: 614087
address: Perm
address: RUSSIAN FEDERATION
phone: +73422000289
nic-hdl: IG2940-RIPE
mnt-by: ru-permtelecom-1-mnt
created: 2016-04-01T13:54:40Z
last-modified: 2016-04-01T13:54:40Z
source: RIPE

% Information related to '92.51.2.0/24AS209588'

route: 92.51.2.0/24
origin: AS209588
mnt-by: ru-permtelecom-1-mnt
created: 2023-05-12T12:04:13Z
last-modified: 2023-05-12T12:04:13Z
source: RIPE

% This query was served by the RIPE Database Query
Service version 1.113.2 (ABERDEEN)
--
Randolf Richardson 張文道, CNA - ***@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Beautiful British Columbia, Canada
https://www.inter-corporate.com/
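One way to answer the question asked above (do any other hosts in the /24 show up in the logs?), as an added example that is not part of the original post: it scans mail and web log lines for any address inside a CIDR and counts events per host, so a single blocked address can be compared against the rest of the network. The Postfix and Apache-style lines and the second address 92.51.2.199 are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not real log data): Postfix SASL failures
# and Apache combined-format requests to a contact form. The /24 is the
# one discussed in the thread; 92.51.2.199 is an invented second host.
SAMPLE_LOGS = """\
Jul 11 09:12:01 mx postfix/smtpd[2211]: warning: unknown[92.51.2.78]: SASL LOGIN authentication failed
Jul 11 09:12:09 mx postfix/smtpd[2211]: warning: unknown[92.51.2.78]: SASL LOGIN authentication failed
92.51.2.78 - - [11/Jul/2024:09:13:41 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
92.51.2.78 - - [11/Jul/2024:09:13:42 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
92.51.2.199 - - [11/Jul/2024:09:20:00 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jul/2024:09:21:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
Jul 11 09:22:00 mx postfix/smtpd[2212]: warning: unknown[198.51.100.5]: SASL LOGIN authentication failed
"""

# Any dotted quad not embedded in a longer dotted number; each hit is
# validated with ipaddress so octets such as 300 are rejected.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def hosts_in_network(log_text: str, cidr: str) -> Counter:
    """Count log lines per address that falls inside `cidr`."""
    net = ipaddress.ip_network(cidr, strict=False)
    counts: Counter = Counter()
    for line in log_text.splitlines():
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. "300.1.2.3" passes the regex only
                continue
            if addr in net:
                counts[str(addr)] += 1
    return counts


def other_hosts(log_text: str, cidr: str, known: str) -> list:
    """Addresses inside the network other than the one already blocked."""
    return sorted(ip for ip in hosts_in_network(log_text, cidr) if ip != known)


if __name__ == "__main__":
    net = "92.51.2.0/24"
    for ip, n in hosts_in_network(SAMPLE_LOGS, net).most_common():
        print(f"{ip:<16} {n} events")
    print("other hosts in the /24:", other_hosts(SAMPLE_LOGS, net, "92.51.2.78"))
```

Feeding it the real mail and web logs instead of SAMPLE_LOGS turns the "nothing else from this /24" observation into a repeatable check that can be rerun after the block is in place.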
tjoen
2024-07-12 03:35:57 UTC
On 7/11/24 20:04, Randolf Richardson 張文道 wrote:
...
Post by Randolf Richardson 張文道
person: Igor Gilmutdinov
address: Malkova, 12
address: 614087
address: Perm
address: RUSSIAN FEDERATION
phone: +73422000289
nic-hdl: IG2940-RIPE
mnt-by: ru-permtelecom-1-mnt
created: 2016-04-01T13:54:40Z
last-modified: 2016-04-01T13:54:40Z
source: RIPE
% Information related to '92.51.2.0/24AS209588'
route: 92.51.2.0/24
origin: AS209588
mnt-by: ru-permtelecom-1-mnt
created: 2023-05-12T12:04:13Z
last-modified: 2023-05-12T12:04:13Z
source: RIPE
Reporting to NATO?
Sirius
2024-07-12 07:00:51 UTC
Post by tjoen
...
Post by Randolf Richardson 張文道
person: Igor Gilmutdinov
address: Malkova, 12
address: 614087
address: Perm
address: RUSSIAN FEDERATION
phone: +73422000289
nic-hdl: IG2940-RIPE
mnt-by: ru-permtelecom-1-mnt
created: 2016-04-01T13:54:40Z
last-modified: 2016-04-01T13:54:40Z
source: RIPE
% Information related to '92.51.2.0/24AS209588'
route: 92.51.2.0/24
origin: AS209588
mnt-by: ru-permtelecom-1-mnt
created: 2023-05-12T12:04:13Z
last-modified: 2023-05-12T12:04:13Z
source: RIPE
Reporting to NATO?
I am sure NATO is well aware. This is part of Russia's "Hybrid Warfare".
Do what you can to stay patched and secure. Aside from that, not a whole
lot we can do. Until their leadership changes, this will be happening with
increasing intensity.
--
Kind regards,

/S
D
2024-07-12 13:47:22 UTC
Post by Sirius
...
I am sure NATO is well aware. This is part of Russia's "Hybrid Warfare".
Do what you can to stay patched and secure. Aside from that, not a whole
lot we can do. Until their leadership changes, this will be happening with
increasing intensity.
(using Tor Browser 13.5.1)
https://www.site24x7.com/tools/whois-lookup.html
Post by Sirius
Domain trudheim.com
Registrar Ascio Technologies, Inc
Registered On 2003-02-04T00:00:00Z
Expires On 2027-02-04T16:57:21Z
Updated On 2024-05-26T09:58:22Z
Status OK https://icann.org/epp#ok
Name Servers ds723.trudheim.com
ns1.loopia.se
ns2.loopia.se
# Copyright (c) 1997- The Swedish Internet Foundation.
[end quoted excerpt]

(using Tor Browser 13.5.1)
https://duckduckgo.com/?q=stand+for+the+flag+kneel+for+the+cross+meme
(substitute the American flag with any other national flag and voilà!)
Marco Moock
2024-07-12 08:08:34 UTC
Post by tjoen
...
Post by Randolf Richardson 張文道
person: Igor Gilmutdinov
address: Malkova, 12
address: 614087
address: Perm
address: RUSSIAN FEDERATION
phone: +73422000289
nic-hdl: IG2940-RIPE
mnt-by: ru-permtelecom-1-mnt
created: 2016-04-01T13:54:40Z
last-modified: 2016-04-01T13:54:40Z
source: RIPE
% Information related to '92.51.2.0/24AS209588'
route: 92.51.2.0/24
origin: AS209588
mnt-by: ru-permtelecom-1-mnt
created: 2023-05-12T12:04:13Z
last-modified: 2023-05-12T12:04:13Z
source: RIPE
Reporting to NATO?
Feel free to do so, but computer operators know that attacks happen all
the time (it is normal internet noise) and the real origin can be
hidden rather easily to make evidence much harder, especially if ISPs
don't cooperate.
--
kind regards
Marco

Send spam to ***@cartoonies.org
Marco Moock
2024-07-12 07:53:10 UTC
Post by Randolf Richardson 張文道
I'm wondering, has anyone encountered attacks from
any other IP addresses in this /24? I'm not finding
anything aside from 95.51.2.78 in our logs.
I assume this is just a hacked machine that is part of a botnet.
It isn't even listed on uceprotect, spamhaus or blocklist, so the
amount of attacks to a wide range of addresses isn't that much.

fail2ban should handle that.
--
kind regards
Marco

Send spam to ***@cartoonies.org
Randolf Richardson 張文道
2024-07-12 18:00:34 UTC
On Fri, 12 Jul 2024 09:53:10 +0200
Post by Marco Moock
Post by Randolf Richardson 張文道
I'm wondering, has anyone encountered attacks from
any other IP addresses in this /24? I'm not finding
anything aside from 95.51.2.78 in our logs.
I assume this is just a hacked machine that is part of a botnet.
It isn't even listed on uceprotect, spamhaus or blocklist, so the
amount of attacks to a wide range of addresses isn't that much.
This fits with what I suspected. Thanks for taking a
look into it.
Post by Marco Moock
fail2ban should handle that.
Indeed. :)
--
Randolf Richardson 張文道, CNA - ***@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Beautiful British Columbia, Canada
https://www.inter-corporate.com/