hack |ip

The Fixed Line Mystery...

riversiderocks

RiversideRocks

Posted on November 6, 2020


A few days ago I decided to open up my SSH to the internet. Possibly not the greatest idea, but I have a service set up to block brute force attempts and report unauthorized connections to AbuseIPDB. After a few days I started noticing some odd patterns.

Over the last few days, I have gotten a ton of break-in attempts from "Fixed Line" ISPs (IPs being used by people's homes and possibly businesses). A good deal of these requests appear to be coming from smaller ISPs (to this date no requests have come from one of the biggest ISPs in the United States, Comcast), mostly from CenturyLink Communications LLC.

At first I thought that most of these attacks were from exploited hosts - IPs that have been hacked. A bot (possibly a person) brute-forced a login page that was on the internet and uploaded malware that lets the IP scan for more login pages, and the cycle continues, creating a botnet. While some of the requests were likely just this, I noticed something odd. Most of the IPs had only 1 or 2 reports (one of them being mine). I was a bit confused about why I was one of the only reports, but then I came up with an interesting idea.

The Theory

Likely the malware inserted onto these IPs wasn't scanning the entire internet; instead it was scanning only residential CIDR blocks. My server's IP, which is a Comcast IP, likely fell under one of the CIDR blocks. Most people choose to use web hosts instead of self-hosting, which would explain the few reports.
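One way to test this observation against your own logs, as an added example that is not the author's code: it tallies failed SSH logins per source IP, groups the sources by usage type and prior report count, and checks whether a server address sits inside a given block. The log lines, the reputation records (the field names `usage` and `reports` are hypothetical) and the CIDR blocks are constructed for illustration from documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (documentation address ranges), not from the post.
AUTH_LOG = """\
Nov  3 02:11:09 host sshd[811]: Failed password for root from 198.51.100.23 port 40122 ssh2
Nov  3 02:11:12 host sshd[811]: Failed password for root from 198.51.100.23 port 40122 ssh2
Nov  3 04:40:51 host sshd[902]: Failed password for invalid user a from 10.9.9.9 port 1 ssh2 from 203.0.113.77 port 51514 ssh2
Nov  4 09:02:35 host sshd[955]: Failed password for invalid user pi from 192.0.2.14 port 33900 ssh2
Nov  4 11:15:00 host sshd[990]: Accepted publickey for river from 10.0.0.5 port 50000 ssh2
"""
# Constructed reputation records keyed by IP; field names are hypothetical.
REPUTATION = {
    "198.51.100.23": {"usage": "Fixed Line ISP", "reports": 1},
    "203.0.113.77": {"usage": "Data Center/Web Hosting/Transit", "reports": 412},
    "192.0.2.14": {"usage": "Fixed Line ISP", "reports": 2},
}
# Greedy ".*" binds to the LAST " from <ip>", so a username containing " from ..." cannot spoof the source.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?.* from (\S+) port \d+ ssh2$")

def failed_sources(log_text):
    """Count failed SSH password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            try:
                counts[str(ipaddress.ip_address(m.group(1)))] += 1
            except ValueError:
                pass  # not a valid IP literal: skip rather than trust the log text
    return counts

def summarize(counts, reputation, low_report_max=2):
    """Per usage type: distinct IPs, total attempts, and IPs with few prior reports."""
    summary = {}
    for ip, attempts in counts.items():
        rec = reputation.get(ip, {"usage": "Unknown", "reports": 0})
        row = summary.setdefault(rec["usage"], {"ips": 0, "attempts": 0, "low_report": 0})
        row["ips"] += 1
        row["attempts"] += attempts
        row["low_report"] += rec["reports"] <= low_report_max
    return summary

def in_block(server_ip, cidr):
    """True if server_ip lies inside the CIDR block (e.g. a residential allocation)."""
    return ipaddress.ip_address(server_ip) in ipaddress.ip_network(cidr)
```

A high `low_report` share among Fixed Line ISP sources is the pattern described above: hosts that few other reporters have seen.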

The Lesson

If it doesn't need to be on the internet, don't put it on the internet. If you are unsure if you have any router logins online, please do an Nmap scan of your IP.

For example (substitute your own public IP for 0.0.0.0):
nmap -sS 0.0.0.0

Stay safe!

AbuseIPDB - Riverside Rocks

My Website
