robertdavidgraham / masscan

TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
GNU Affero General Public License v3.0

sysscan #293

Open mitchellkrogza opened 7 years ago

mitchellkrogza commented 7 years ago

Someone is using your tool and has modified the name.

- - [25/Sep/2017:19:10:13 +0200] "GET / HTTP/1.0" 444 1069 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"
- - [27/Sep/2017:05:50:29 +0200] "GET / HTTP/1.0" 444 0 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

gyje commented 7 years ago

Address: https://github.com/win-design/sysscan

mitchellkrogza commented 7 years ago

They've obviously fiddled with it to point their scan attempts back to @robertdavidgraham

Baskerville42 commented 7 years ago

155.94.88.58 - - [01/Oct/2017:07:02:29 +0300] "GET / HTTP/1.0" 200 867 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

mitchellkrogza commented 7 years ago

155.94.88.58 - - [08/Sep/2017:00:31:25 +0200] "GET / HTTP/1.0" 200 1069 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)" same IP on my servers too

donnykurnia commented 7 years ago

Just got this in docker logs

wordpress_1 | 155.94.88.58 - - [03/Oct/2017:14:25:10 +0700] "GET / HTTP/1.0" 401 683 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

fr33l commented 7 years ago

Same here 155.94.88.58 - - [05/Oct/2017:08:07:08 +0000] - "GET / HTTP/1.0" 404 14 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

lilmnm-kamikaze- commented 7 years ago

Same as me.

155.94.88.58 - - [28/Sep/2017:19:09:27 -0400] "GET / HTTP/1.0" 200 99 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

ninjachen commented 7 years ago

Same IP 155.94.88.58

155.94.88.58 - - [17/Oct/2017:13:16:02 +0800] "GET / HTTP/1.0" 200 11595 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

mitchellkrogza commented 7 years ago

I've just perma-banned that IP on all my servers.

lebagvondouche commented 7 years ago

Same issue here,

155.94.88.58 - - [02/Nov/2017:11:36:18 +0100] "GET / HTTP/1.0" 200 612 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

droberson commented 7 years ago

155.94.88.58 - - [05/Nov/2017:05:59:00 +0100] "GET / HTTP/1.0" 200 12 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

bringha1 commented 7 years ago

Same here 155.94.88.58 - - [05/Nov/2017:12:42:22 +0100] "GET / HTTP/1.0" 200 612 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

timvdalen commented 7 years ago

155.94.88.58 - - [10/Nov/2017:12:23:17 +0000] "GET / HTTP/1.0" 301 194 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

vcollette commented 7 years ago

155.94.88.58 - - [10/Nov/2017:12:18:21 +0100] "GET / HTTP/1.0" 401 195 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

JuanFontes commented 7 years ago

155.94.88.58 - - [09/Nov/2017:05:31:30 +0000] "GET / HTTP/1.0" 404 104 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)" "-"

chmelevskij commented 7 years ago

Guess what.... 155.94.88.58 - - [12/Nov/2017:08:13:51 +0000] "GET / HTTP/1.0" 503 213 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

mzpqnxow commented 7 years ago

What is the expected resolution of this issue? Why was it entered in the first place? Please withdraw it.

On Sun, Nov 12, 2017 at 03:19 Tomas Chmelevskij notifications@github.com wrote:

Guess what.... 155.94.88.58 - - [12/Nov/2017:08:13:51 +0000] "GET / HTTP/1.0" 503 213 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"


tknr commented 7 years ago

maybe better to

1) block 155.94.96.0/20, 155.94.64.0/19 with iptables, router, etc.

2) send mail or tel to Nodes Direct about it.

155.94.88.58 - - [23/Nov/2017:21:12:48 +0900] "GET / HTTP/1.0" 200 439 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

$ whois 155.94.88.58

...

NetRange:       155.94.64.0 - 155.94.111.255
CIDR:           155.94.96.0/20, 155.94.64.0/19
NetName:        NODESDIRECT
NetHandle:      NET-155-94-64-0-1
Parent:         NET155 (NET-155-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS19531
Organization:   Nodes Direct (SERVE-57)
RegDate:        2014-06-18
Updated:        2016-01-13
Comment:        ***************************************************
Comment:        Addresses in this block are statically assigned.
Comment:        Please send all abuse to abuse@nodesdirect.com
Comment:        ***************************************************
Ref:            https://whois.arin.net/rest/net/NET-155-94-64-0-1

OrgName:        Nodes Direct
OrgId:          SERVE-57
Address:        421 W Church St.
Address:        Suite 429
City:           Jacksonville
StateProv:      FL
PostalCode:     32202
Country:        US
RegDate:        2009-08-11
Updated:        2017-01-28
Comment:        Please send all abuse complaints to abuse@nodesdirect.com
Ref:            https://whois.arin.net/rest/org/SERVE-57

OrgTechHandle: NOC11057-ARIN
OrgTechName:   Network Operations Center
OrgTechPhone:  +1-904-999-1180 
OrgTechEmail:  noc@nodesdirect.com
OrgTechRef:    https://whois.arin.net/rest/poc/NOC11057-ARIN

OrgAbuseHandle: ABUSE2332-ARIN
OrgAbuseName:   Abuse Department
OrgAbusePhone:  +1-904-999-1180 
OrgAbuseEmail:  abuse@nodesdirect.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE2332-ARIN
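
The log entries posted in this thread vary in shape (no client address, a docker-compose service prefix, an extra "-" field), so a triage script has to tolerate all of them. The following is an added example, not part of the thread and not masscan code: it groups hits carrying the reported user agent by source address and checks each address against the CIDR blocks in the whois output above. The function names and the last sample line are constructed for illustration.

```python
import ipaddress
import re

UA_MARKER = "sysscan/1.0"  # user-agent token reported in the thread
# CIDR blocks from the whois output quoted in the thread
REPORTED_NETS = [ipaddress.ip_network(c) for c in ("155.94.96.0/20", "155.94.64.0/19")]

# Tolerates a service prefix, a missing client address, and an extra "-" field.
LINE_RE = re.compile(
    r'^(?:\S+\s+\|\s+)?'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})?\s*-\s+-\s+'
    r'\[(?P<ts>[^\]]+)\]\s+(?:-\s+)?'
    r'"(?P<req>[^"]*)"\s+(?P<status>\d{3})\s+(?P<size>\d+)\s+'
    r'"(?P<ref>[^"]*)"\s+"(?P<ua>[^"]*)"'
)

def in_reported_range(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed address
        return False
    return any(addr in net for net in REPORTED_NETS)

def summarize(lines):
    """Group sysscan hits by source address; return {ip: {...}}."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and UA_MARKER in m["ua"]:
            hits.setdefault(m["ip"] or "unknown", []).append(int(m["status"]))
    return {
        ip: {"count": len(s), "statuses": sorted(set(s)),
             "in_reported_range": in_reported_range(ip)}
        for ip, s in hits.items()
    }

UA = '"sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"'
SAMPLE = [  # first four follow the shapes posted in the thread; the last is constructed
    '- - [25/Sep/2017:19:10:13 +0200] "GET / HTTP/1.0" 444 1069 "-" ' + UA,
    'wordpress_1 | 155.94.88.58 - - [03/Oct/2017:14:25:10 +0700] "GET / HTTP/1.0" 401 683 "-" ' + UA,
    '155.94.88.58 - - [05/Oct/2017:08:07:08 +0000] - "GET / HTTP/1.0" 404 14 "-" ' + UA,
    '155.94.88.18 - - [18/Dec/2017:16:41:32 -0500] "GET / HTTP/1.0" 200 8100 "-" ' + UA,
    '203.0.113.7 - - [18/Dec/2017:16:42:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info)
```

The user-agent string is chosen by the client, so this match only finds requests that keep it; the address-range check is the part that still works if the string changes.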

b1naryxx commented 7 years ago

Same IP here, barely started the server for a couple of mins and got scanned by that tool

ki4rbc commented 6 years ago

155.94.88.18 - - [18/Dec/2017:16:41:32 -0500] "GET / HTTP/1.0" 200 8100 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

damned script kiddies

ghost commented 6 years ago

December 19, 2017, 12:01 pm 155.94.88.18 sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)
December 20, 2017, 4:19 pm 155.94.88.18 sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)
December 20, 2017, 8:14 pm 155.94.88.18 sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)
December 21, 2017, 1:51 am 155.94.88.18 sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)
December 21, 2017, 6:09 pm 155.94.88.18 sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)

Sosukodo commented 6 years ago

You could do a lot more good by reporting things like this to AbuseIPDB.

MicroSDA commented 6 years ago

Same: 155.94.88.138 had tried to connect to my local machine.