Good to hear it's not just me. It seems spoofed TCP/IP headers are used on Tor relay IP addresses, hoping to get away with it as "tor traffic" even when they're non-exit relays. I mean running an exit relay from home is a can of worms if you don't have a static IP block and supportive ISP.

My brother has a Frontier account in the suburbs of NYC and I just hope he doesn't get the same complaint. But until Verizon finalizes the sale Frontier is dependent on Lumen/Cogent for transit which hopefully is more secure than Verizon/UUnet.

-Neel

On 2024-10-31 14:45, Scott Q. wrote:

Hi Neel,

this might be an interesting read for you: https://delroth.net/posts/spoofed-mass-scan-abuse/

Scott

On Thursday, 31/10/2024 at 14:38 Neel Chauhan wrote:

Hi,

I am a customer of Verizon Fios in NYC and received a very interesting
abuse complaint today from ab...@verizon.com.

I got SSH bruteforce attempts between my IP address and this IPv4
prefix: 202.91.160.0/20

This is hosted on a network called "AS17452 Bitstop Inc".

My connection runs Tor relays, but not exit relays. I doubt it's Tor
since when I had Google Fiber or CenturyLink even when running Tor
relays I never got those complaints. I use a MikroTik core router so
maybe it got malware, although I recently updated it from 7.15.3 to
7.16.1. I decided to filter the prefix.

Maybe a Windows PC on our network is infected. Maybe it's my Rocky Linux
servers. Should I probably get a Supermicro/Deciso box and run an
OPNsense firewall instead? But I never got complaints from Frontier or
Optimum when I put MikroTik routers on both ISPs too, and that for accounts
not in my name. Maybe it's a false positive and just TCP forgery
pretending to be me (I hope so).

Just letting you know.

-Neel

=== REDACTED COMPLAINT BELOW ===

Dear Verizon Online Customer,

On 10-30-2024, your account was reported to have been used in an attempt to gain unauthorized access to another system, or to transmit malicious
traffic to another Internet user.

It is possible that a device connected to your network may have been
infected by a virus or a botnet that is causing this action.

Report and/or Logs:

To assist you in understanding the situation, we have provided the
relevant log data below, with timestamps adjusted to our GMT +8
timezone:

    DateTime              Action   AttackClass      SourceIP        Srcport  Protocol  DestinationIP   DestPort
0   30-Oct-2024 13:37:21  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.24   22
1   30-Oct-2024 13:49:38  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.24   22
2   30-Oct-2024 14:00:01  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.24   22
3   30-Oct-2024 14:10:12  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.24   22
4   30-Oct-2024 15:17:15  DENIED                    108.30.XXX.XXX  32769    TCP       202.91.162.17   22
5   30-Oct-2024 15:18:29  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.39   22
6   30-Oct-2024 15:23:08  DENIED                    108.30.XXX.XXX  54688    TCP       202.91.163.179  22
7   30-Oct-2024 15:30:22  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.47   22
8   30-Oct-2024 15:47:32  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.24   22
9   30-Oct-2024 15:58:03  DENIED                    108.30.XXX.XXX  50405    TCP       202.91.163.143  22

Please immediately ensure your anti-virus and anti-malware software is
properly updated. Please perform full system scans on your device(s).
[Including - computers, tablets, cellular devices, network attached
storage, security camera recorders (DVR or NVR), and IOT devices, where
possible.]

Additional information and removal guidance of detected malware may be
found on the website of your scanner(s) manufacturer.

It is difficult to verify the presence of an exact virus or malware
infecting a device without a full system scan with up-to-date software.

Installing the most recent firmware and software updates can also assist
in securing your device(s). Please follow the device manufacturer's
processes for any updates.

If you are unable to take immediate action, it would be advisable to
remove the device(s), which may be infected, from your network and the
Internet connection until it has been properly cleaned. This may be
easily done by unplugging the network cable that connects the device to
the router. For wireless devices removing power from the device will
keep it off the network.

Note: this information is being provided as a courtesy; you are solely
responsible for any changes you make to your device(s) or network.

Verizon Policy:

If you do not take steps to resolve this issue, we may be forced to take
further action. Actions could include the suspension or termination of
your service until the issue is resolved, in order to ensure the safety
of our network, and the safety of other Internet users.

Please carefully review these agreements, which can be viewed at:
http://www.verizon.com/about/terms/

Any future violation will result in further action being taken, up to,
and including, the termination of your service.

Sincerely,

Verizon Global IP Abuse
http://www.verizon.com/about/terms/
http://www.verizon.com/securityinfo
ab...@verizon.com
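The practical question in this thread is whether the complaint describes packets that actually left Neel's network or SYNs that a third party sent with his address forged as the source. A forged-source SYN never traverses the victim's own uplink, so the router's own record of outbound flows is the discriminator: a reported event that matches a locally logged egress flow (same destination, same source port where the report gives one, close in time once the reporter's GMT+8 timestamps are converted) was really sent from the LAN; one with no such flow is consistent with spoofing. The script below is an added example written for this page, not code from Neel, Verizon or the delroth post. It parses rows in the complaint's layout (constructed sample lines copied from the table above, source octets left redacted), normalises the timestamps to UTC, and cross-checks them against a hypothetical egress log in a simple `time src:sport -> dst:dport proto` form, which stands in for whatever the real router exports; the log contents are constructed so that exactly one reported event is corroborated. A source port of 0 in the report means the reporter logged a detection event rather than a specific connection, so those rows can only be compared on destination and time.

```python
import re
from datetime import datetime, timedelta, timezone

# The complaint says its timestamps are in the reporter's "GMT +8" zone.
REPORTER_TZ = timezone(timedelta(hours=8))
UTC = timezone.utc

# Constructed sample rows in the complaint's layout: index, date, time, action,
# optional attack class, source IP, source port, optional protocol,
# destination IP, destination port. Source octets stay redacted as in the thread.
REPORT_LINES = """\
0 30-Oct-2024 13:37:21 BLOCKED attempted-recon 108.30.XXX.XXX 0 202.91.162.24 22
4 30-Oct-2024 15:17:15 DENIED 108.30.XXX.XXX 32769 TCP 202.91.162.17 22
6 30-Oct-2024 15:23:08 DENIED 108.30.XXX.XXX 54688 TCP 202.91.163.179 22
"""

# Constructed (hypothetical) egress log from the home router, one outbound flow
# per line, already in UTC: "<iso-time> <src>:<sport> -> <dst>:<dport> <proto>".
# Only the 15:23:08 (+08) event has a counterpart; the other reported flows
# never left the LAN, which is what spoofed-source traffic looks like from here.
EGRESS_LINES = """\
2024-10-30T07:22:40Z 108.30.XXX.XXX:54688 -> 202.91.163.179:22 TCP
2024-10-30T07:23:10Z 108.30.XXX.XXX:41022 -> 93.184.216.34:443 TCP
"""

# Matches dotted IPv4, including the redacted "XXX" octets used in the report.
IP_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.(?:\d{1,3}|XXX)\.(?:\d{1,3}|XXX)$")


def parse_report(text):
    """Parse complaint rows; the attack-class and protocol columns are optional."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        date, clock, action = f[1], f[2], f[3]
        rest = f[4:]
        attack_class = None if IP_RE.match(rest[0]) else rest.pop(0)
        src, sport = rest[0], int(rest[1])
        rest = rest[2:]
        proto = None if IP_RE.match(rest[0]) else rest.pop(0)
        dst, dport = rest[0], int(rest[1])
        local = datetime.strptime(f"{date} {clock}", "%d-%b-%Y %H:%M:%S")
        rows.append({
            "ts_utc": local.replace(tzinfo=REPORTER_TZ).astimezone(UTC),
            "action": action, "attack_class": attack_class,
            "src": src, "sport": sport, "proto": proto,
            "dst": dst, "dport": dport,
        })
    return rows


def parse_egress(text):
    """Parse the hypothetical egress log format described above."""
    flows = []
    for line in text.splitlines():
        ts, pair, _arrow, peer, proto = line.split()
        src, sport = pair.rsplit(":", 1)
        dst, dport = peer.rsplit(":", 1)
        flows.append({
            "ts_utc": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto,
        })
    return flows


def corroborate(report_rows, egress_flows, window=timedelta(seconds=60)):
    """For each reported event, look for a matching outbound flow in our own log.

    A reported source port of 0 is a detection event, not a connection, so only
    destination and time are compared for those rows.
    """
    verdicts = []
    for r in report_rows:
        hits = [
            e for e in egress_flows
            if e["dst"] == r["dst"] and e["dport"] == r["dport"]
            and (r["sport"] == 0 or e["sport"] == r["sport"])
            and abs(e["ts_utc"] - r["ts_utc"]) <= window
        ]
        verdicts.append({
            "ts_utc": r["ts_utc"].isoformat(),
            "dst": f'{r["dst"]}:{r["dport"]}',
            "seen_locally": bool(hits),
            "port_comparable": r["sport"] != 0,
        })
    return verdicts


def summarize(verdicts):
    seen = sum(v["seen_locally"] for v in verdicts)
    return {"reported": len(verdicts), "seen_locally": seen,
            "unseen": len(verdicts) - seen}


if __name__ == "__main__":
    verdicts = corroborate(parse_report(REPORT_LINES), parse_egress(EGRESS_LINES))
    for v in verdicts:
        flag = "corroborated" if v["seen_locally"] else "NOT in our egress log"
        print(f'{v["ts_utc"]} -> {v["dst"]}: {flag}')
    print(summarize(verdicts))
```

Events that the router never logged as leaving the LAN are the ones to push back on in the abuse reply; events that are corroborated point at a real host inside, and the matching source port identifies which connection to chase in the router's connection table. The match window is deliberately loose (60 s) because the reporter's sensor clock and the router's clock are unlikely to agree to the second.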
