Skip to main content

Posts

Showing posts with the label malicious traffic

GoDaddy Has Hosted Malicious and Abusive Traffic for over a Year and Doesn't Care

A little over two weeks ago I attempted to contact GoDaddy's Abuse contact about malicious scanning coming from a GoDaddy IP. This post will describe how GoDaddy not only ignored my warnings about this criminal use of their IP space, but has allowed this same scammer to use this same IP to exploit legitimate users for years, ignoring numerous warnings from their own customers, industry security experts and even other hosting companies. I will also explore some possible reasons as to why GoDaddy has become a so-called "Bullet-Proof" host; an honor usually reserved for basement "data centers" from Southeast Asia and Eastern Europe. This IP tried to scan my server for Wordpress vulnerabilities, and then tried to scrape some content. The traffic was ham-fisted and amateurish; the kind of traffic that is obviously malicious. The attempt was logged, immediately blacklisted, and forwarded to me. This sort of thing happens all the time. And ordinarily, I am very sym...

RedIRIS Compromised?

For those not familiar with Spanish ISPs, RedIRIS is Spain's  National Research and Education Network . They are part of  Consorci de Serveis Universitaris de Catalunya and  Forum of Incident Response and Security Teams .  Essentially its an organization devoted to university networking projects and advanced R&D. They get their own nice big netblock to mess around with (in this case  193.144.0.0/14) . Similar projects in the US would be CalREN, Internet2 and LambdaRail.  I'm seeing what looks like malicious scanning from the RedIRIS netblock, like this: ** ** - - [08/Sep/2014:18:54:34 -0400] "GET /muieblackcat HTTP/1.1" 404 15 "-" "-" ** ** - - [08/Sep/2014:18:54:34 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 15 "-" "-" ** ** - - [08/Sep/2014:18:54:34 -0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 15 "-" "-" ** ** - - [08/Sep/2014:18:54:35 -0400] "G...