(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog



160.1.30.97: Multi-protocol scanning activity from Amazon GovCloud

Posted September 15, 2019 by shaun

In early September, I noticed a new web robot performing a number of rudimentary scans from 160.1.30.97. While hundreds of different bots are making the rounds on any given day, this one was unusual in that the IP is part of Amazon GovCloud's 160.1/16 allocation. GovCloud is an AWS product that's segmented from the public Amazon cloud, and, as its name suggests, is reserved for use by US government entities.

The HTTP traffic from 160.1.30.97 was clearly automated; the User-Agent header was left empty, and the robot requested only index pages with no supplemental content. The timing of observed activity suggests the bot was spidering a predefined list of domains in alphabetical order. Here, for example, is the robot's first visit to this site:

160.1.30.97 - - [04/Sep/2019:15:21:58 -0500] "GET / HTTP/1.1" 301 227 - "-" "-"
160.1.30.97 - - [04/Sep/2019:15:21:58 -0500] "GET / HTTP/1.1" 302 - on "-" "-"
160.1.30.97 - - [04/Sep/2019:15:21:58 -0500] "GET /blog/ HTTP/1.1" 200 30146 on "-" "-"

A couple of days (almost exactly 48 hours) later, on September 6th, the same IP had moved on to scanning a new protocol. 160.1.30.97 made two successive connections to my mail server prior to tripping the firewall:

Sep  6 15:24:05 mailman postfix/smtpd[20781]: connect from ec2-160-1-30-97.us-gov-west-1.compute.amazonaws.com[160.1.30.97]
Sep  6 15:24:05 mailman postfix/smtpd[20781]: lost connection after UNKNOWN from ec2-160-1-30-97.us-gov-west-1.compute.amazonaws.com[160.1.30.97]
Sep  6 15:24:05 mailman postfix/smtpd[20781]: connect from ec2-160-1-30-97.us-gov-west-1.compute.amazonaws.com[160.1.30.97]
Sep  6 15:24:06 mailman postfix/smtpd[20781]: lost connection after UNKNOWN from ec2-160-1-30-97.us-gov-west-1.compute.amazonaws.com[160.1.30.97]

The content of the incoming probes wasn't captured, but whatever was sent didn't consist of valid SMTP commands: Postfix issued a "command not recognized" response to both connections.

Similar SMTP probes appear to have continued across the internet for several days, but at some point they shifted from innocuous port scans to malicious activity. According to one report on AbuseIPDB, by September 8th, the mystery GovCloud bot had escalated to performing SMTP login attempts:

Sep 8 06:57:39 delaware postfix/smtpd[48018]: warning: em3-160-1-30-97.us-gov-west-1.compute.amazonaws.com[160.1.30.97]: SASL LOGIN authentication failed: authentication failure

In contrast to web spidering and port scans, which are relatively benign, attempts to access accounts without authorization are abusive and hostile activity. It's not clear whether the probes originating from 160.1.30.97 were part of an authorized US government project or the result of a compromised GovCloud instance, but neither scenario is particularly reassuring...
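As an added illustration (not the author's code), here is a short Python script that correlates the three kinds of log entries quoted above by source IP and rates what it finds. The log lines it reads are constructed copies of the ones in this post plus a documentation-range visitor (203.0.113.5) to show what is not flagged; the severity scale and the labels are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the post's quoted logs; 203.0.113.5 is a
# documentation-range address standing in for an ordinary browser visitor.
HTTP_LOG = """\
160.1.30.97 - - [04/Sep/2019:15:21:58 -0500] "GET / HTTP/1.1" 301 227 "-" "-"
160.1.30.97 - - [04/Sep/2019:15:21:58 -0500] "GET /blog/ HTTP/1.1" 200 30146 "-" "-"
203.0.113.5 - - [04/Sep/2019:15:30:00 -0500] "GET /blog/style.css HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""
SMTP_LOG = """\
Sep  6 15:24:05 mailman postfix/smtpd[20781]: connect from ec2-160-1-30-97.us-gov-west-1.compute.amazonaws.com[160.1.30.97]
Sep  6 15:24:05 mailman postfix/smtpd[20781]: lost connection after UNKNOWN from ec2-160-1-30-97.us-gov-west-1.compute.amazonaws.com[160.1.30.97]
Sep  8 06:57:39 delaware postfix/smtpd[48018]: warning: ec2-160-1-30-97.us-gov-west-1.compute.amazonaws.com[160.1.30.97]: SASL LOGIN authentication failed: authentication failure
"""

HTTP_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
SMTP_RE = re.compile(r'postfix/smtpd\[\d+\]: (?P<msg>.*\[(?P<ip>\d+(?:\.\d+){3})\].*)$')

# Findings are (protocol, label, severity): 1 = reconnaissance, 3 = unauthorized
# access attempt, i.e. the escalation the post describes (assumed scale).
def classify_http(line):
    m = HTTP_RE.match(line)
    if m and m.group("ua") == "-" and m.group("path").endswith("/"):
        return m.group("ip"), ("http", "empty User-Agent, index page only", 1)
    return None  # requests with a UA or for supplemental content are not flagged

def classify_smtp(line):
    m = SMTP_RE.search(line)
    if not m:
        return None
    if "SASL LOGIN authentication failed" in m.group("msg"):
        return m.group("ip"), ("smtp", "SASL login failure", 3)
    if "lost connection after UNKNOWN" in m.group("msg"):
        return m.group("ip"), ("smtp", "non-SMTP data sent, command not recognized", 1)
    return None  # bare connect/disconnect lines carry no signal on their own

def correlate(http_log, smtp_log):
    """Group findings per source IP across both protocols."""
    events = defaultdict(list)
    for classify, log in ((classify_http, http_log), (classify_smtp, smtp_log)):
        for line in log.splitlines():
            r = classify(line)
            if r:
                events[r[0]].append(r[1])
    return dict(events)

def assess(findings):
    """'hostile' on any access attempt; recon spanning protocols is a multi-protocol scan."""
    if any(sev >= 3 for _, _, sev in findings):
        return "hostile"
    return "multi-protocol scan" if len({p for p, _, _ in findings}) > 1 else "recon"
```

Calling `correlate(HTTP_LOG, SMTP_LOG)` yields a single entry for 160.1.30.97 whose findings `assess()` rates as "hostile" once the SASL failure is included, and as "multi-protocol scan" on the earlier entries alone.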
