On Wed, 15 Nov 2023, 23:25 Michael Peddemors, <michael@linuxmagic.com> wrote:
> There is a network claiming to be a security company, however the activity appears to be a little more malicious, and appears to be attempting buffer overflows against POP-SSL services. (and other attacks).
> https://www.abuseipdb.com/check/104.156.155.21
> Just thought it would be worth mentioning, you might want to keep an eye out for traffic from this company...
> Might want to make up your own mind, or maybe someone has more information, but enough of a red flag that I thought it warranted posting on the list.
> Not sure yet if it is Dovecot, or the SSL libraries they are attempting to break, but using a variety of SSL/TLS methods and connections...
They are not interested in dovecot per se. They scan for TLS vulnerabilities, mostly.
> Anyone with more information?
> NetRange: 104.156.155.0 - 104.156.155.255
> CIDR: 104.156.155.0/24
> NetName: ACDRESEARCH
> NetHandle: NET-104-156-155-0-1
> Parent: NET104 (NET-104-0-0-0-0)
> NetType: Direct Allocation
> OriginAS:
> Organization: Academy of Internet Research Limited Liability Company (AIRLL)
> RegDate: 2022-01-07
> Updated: 2022-01-07
> Ref: https://rdap.arin.net/registry/ip/104.156.155.0
> OrgName: Academy of Internet Research Limited Liability Company
> OrgId: AIRLL
> Address: #A1- 5436
> Address: 1110 Nuuanu Ave
> City: Honolulu
> StateProv: HI
> PostalCode: 96817
> Country: US
> RegDate: 2021-10-15
> Updated: 2022-11-06
> Ref: https://rdap.arin.net/registry/entity/AIRLL
> --
See also shadowserver.org, census.io, stretchoid, etc. All of them allegedly reputable, all of them supposedly with opt-out mechanisms, and all of them are blocked for not asking permission.
Ymmv.
Regards
Simon