wdes / security

https://security.wdes.eu
Mozilla Public License 2.0
20 stars 9 forks

New stretchoid.com IPs #239

Open RickTorresJr opened 1 month ago

RickTorresJr commented 1 month ago

My IPS got tripped today by 2 IPs. Upon further inspection these IPs resolved to stretchoid.com domains but are not on the stretchoid.com lists. Both IPs look to belong to Microsoft, 1 of them being recently transferred. Thanks.

# azpdse2.stretchoid.com
4.151.218.179

# azpdcs36.stretchoid.com
172.168.40.233

whois 4.151.218.179

NetRange:       4.144.0.0 - 4.159.255.255
CIDR:           4.144.0.0/12
NetName:        MSFT
NetHandle:      NET-4-144-0-0-2
Parent:         NET4 (NET-4-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   Microsoft Corporation (MSFT)
RegDate:        2019-10-04
Updated:        2019-10-04
Ref:            https://rdap.arin.net/registry/ip/4.144.0.0

OrgName:        Microsoft Corporation
OrgId:          MSFT
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        1998-07-10
Updated:        2024-03-18
Comment:        To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
Comment:        * https://cert.microsoft.com.  
Comment:        
Comment:        For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
Comment:        * abuse@microsoft.com.  
Comment:        
Comment:        To report security vulnerabilities in Microsoft products and services, please contact:
Comment:        * secure@microsoft.com.  
Comment:        
Comment:        For legal and law enforcement-related requests, please contact:
Comment:        * msndcc@microsoft.com
Comment:        
Comment:        For routing, peering or DNS issues, please 
Comment:        contact:
Comment:        * IOC@microsoft.com
Ref:            https://rdap.arin.net/registry/entity/MSFT

OrgTechHandle: MRPD-ARIN
OrgTechName:   Microsoft Routing, Peering, and DNS
OrgTechPhone:  +1-425-882-8080 
OrgTechEmail:  IOC@microsoft.com
OrgTechRef:    https://rdap.arin.net/registry/entity/MRPD-ARIN

whois 172.168.40.233

NetRange:       172.160.0.0 - 172.191.255.255
CIDR:           172.160.0.0/11
NetName:        RIPE
NetHandle:      NET-172-160-0-0-1
Parent:         NET172 (NET-172-0-0-0-0)
NetType:        Early Registrations, Transferred to RIPE NCC
OriginAS:       
Organization:   RIPE Network Coordination Centre (RIPE)
RegDate:        2022-06-22
Updated:        2022-06-22
Ref:            https://rdap.arin.net/registry/ip/172.160.0.0

ResourceLink:  https://apps.db.ripe.net/search/query.html
ResourceLink:  whois://whois.ripe.net

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:      
PostalCode:     1001EB
Country:        NL
RegDate:        
Updated:        2013-07-29
Ref:            https://rdap.arin.net/registry/entity/RIPE

ReferralServer:  whois://whois.ripe.net
ResourceLink:  https://apps.db.ripe.net/search/query.html

OrgTechHandle: RNO29-ARIN
OrgTechName:   RIPE NCC Operations
OrgTechPhone:  +31 20 535 4444 
OrgTechEmail:  hostmaster@ripe.net
OrgTechRef:    https://rdap.arin.net/registry/entity/RNO29-ARIN

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName:   Abuse Contact
OrgAbusePhone:  +31205354444 
OrgAbuseEmail:  abuse@ripe.net
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE3850-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#

Found a referral to whois.ripe.net.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://apps.db.ripe.net/docs/HTML-Terms-And-Conditions

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '172.128.0.0 - 172.215.255.255'

% Abuse contact for '172.128.0.0 - 172.215.255.255' is 'abuse@microsoft.com'

inetnum:        172.128.0.0 - 172.215.255.255
netname:        UK-MICROSOFT-20000324
country:        GB
org:            ORG-MA42-RIPE
admin-c:        DH5439-RIPE
tech-c:         MRPA3-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         MICROSOFT-MAINT
mnt-lower:      MICROSOFT-MAINT
mnt-domains:    MICROSOFT-MAINT
mnt-routes:     MICROSOFT-MAINT
created:        2024-05-16T09:38:13Z
last-modified:  2024-05-16T09:38:13Z
source:         RIPE

organisation:   ORG-MA42-RIPE
org-name:       Microsoft Limited
country:        GB
org-type:       LIR
descr:          Microsoft Corporation AS8075
descr:          To report suspected security issues specific to
descr:          traffic emanating from Microsoft online services,
descr:          including the distribution of malicious content
descr:          or other illicit or illegal material through a
descr:          Microsoft online service, please submit reports
descr:          to:
descr:          * https://cert.microsoft.com
descr:          For SPAM and other abuse issues, such as Microsoft
descr:          Accounts, please contact:
descr:          * abuse@microsoft.com
descr:          To report security vulnerabilities in Microsoft
descr:          products and services, please contact:
descr:          * secure@microsoft.com
descr:          For legal and law enforcement-related requests,
descr:          please contact:
descr:          * msndcc@microsoft.com
descr:          For routing, peering or DNS issues, please
descr:          contact:
descr:          * IOC@microsoft.com
address:        One Microsoft Way
address:        WA 98052
address:        Redmond
address:        UNITED STATES
phone:          +1 425 882 8080
fax-no:         +1 425 936 7329
abuse-c:        MAC274-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        MICROSOFT-MAINT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         MICROSOFT-MAINT
created:        2004-04-17T12:18:10Z
last-modified:  2022-03-08T18:20:31Z
source:         RIPE # Filtered

role:           Microsoft Routing, Peering, and DNS
address:        One Microsoft Way
address:        Redmond, WA 98052
nic-hdl:        MRPA3-RIPE
mnt-by:         MICROSOFT-MAINT
created:        2014-08-26T16:25:24Z
last-modified:  2014-08-26T16:25:24Z
source:         RIPE # Filtered

person:         Divya Quamara
address:        One Microsoft Way
address:        Redmond, WA 98052
phone:          +1-425-882-8080
nic-hdl:        DH5439-RIPE
mnt-by:         MICROSOFT-MAINT
created:        2014-08-26T16:24:14Z
last-modified:  2016-02-19T07:09:41Z
source:         RIPE

% Information related to '172.160.0.0/11AS8075'

route:          172.160.0.0/11
origin:         AS8075
descr:          Microsoft
mnt-by:         MICROSOFT-MAINT
created:        2022-07-08T19:10:28Z
last-modified:  2022-07-08T19:10:28Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.112 (DEXTER)

williamdes commented 3 weeks ago

One IP that hit me today azpdssb25.stretchoid.com[52.183.224.78]

More discussion on https://github.com/datacenters-network/security/discussions/228

karolyi commented 1 week ago

Another stretchoid attack: https://www.abuseipdb.com/check/172.168.41.126

williamdes commented 1 week ago

I added a scan task for 172.160.0.0/11 on https://security.wdes.eu/scan/tasks

williamdes commented 1 week ago

And 4.144.0.0/12 for @RickTorresJr from the initial report
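The triage the reporter describes (reverse-resolve the offending IPs, check whether the PTR name is under stretchoid.com, then use whois to find the netblock) and the two ranges later added as scan tasks, combined into one script. This is an added example, not code from the wdes/security project or from anyone in this thread. The IPS log format and the PTR answers are constructed so it runs offline; the two CIDRs and the hostnames come from the whois output and comments above; `live_ptr()` is the drop-in replacement that uses the system resolver (`socket.gethostbyaddr`).

```python
"""Triage IPS hits for stretchoid.com scanner hosts (added example).

Given source IPs from an IPS log: (1) reverse-resolve each to a PTR name,
(2) flag names under stretchoid.com, (3) report which known netblock from
the thread's whois output contains the IP, so a hit from a range that is
not yet on the published stretchoid list still gets attributed.
"""
import ipaddress
import re
import socket
from typing import Callable, Optional

# Netblocks taken from the ARIN/RIPE whois output in this issue.
KNOWN_NETBLOCKS = {
    "4.144.0.0/12": "Microsoft Corporation (ARIN, MSFT)",
    "172.160.0.0/11": "Microsoft Limited, AS8075 (transferred to RIPE NCC)",
}
_NETWORKS = [(ipaddress.ip_network(c), who) for c, who in KNOWN_NETBLOCKS.items()]

# Domain suffixes that mark a scanner host; only stretchoid.com is from the thread.
SCANNER_SUFFIXES = ("stretchoid.com",)

# Constructed PTR answers mirroring the hostnames reported in the thread,
# so the example runs offline. Swap in live_ptr for real lookups.
CONSTRUCTED_PTR = {
    "4.151.218.179": "azpdse2.stretchoid.com",
    "172.168.40.233": "azpdcs36.stretchoid.com",
    "52.183.224.78": "azpdssb25.stretchoid.com",
    "172.168.41.126": None,  # assumption: no PTR record published
}

# Constructed IPS log lines; the format is an assumption, not any vendor's.
SAMPLE_LOG = """\
2024-06-01T03:12:44Z IPS DROP src=4.151.218.179 dst=203.0.113.10 dport=22
2024-06-01T03:12:51Z IPS DROP src=172.168.40.233 dst=203.0.113.10 dport=443
2024-06-01T04:00:02Z IPS DROP src=198.51.100.7 dst=203.0.113.10 dport=3389
2024-06-01T05:41:19Z IPS DROP src=172.168.41.126 dst=203.0.113.10 dport=8080
"""
_SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def constructed_ptr(ip: str) -> Optional[str]:
    """Offline resolver backed by the constructed table above."""
    return CONSTRUCTED_PTR.get(ip)


def live_ptr(ip: str) -> Optional[str]:
    """Real reverse lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def is_scanner_name(name: Optional[str]) -> bool:
    """True when the PTR name is a scanner suffix or a subdomain of one.

    Matching on the dot boundary avoids false positives like notstretchoid.com.
    """
    if not name:
        return False
    host = name.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in SCANNER_SUFFIXES)


def netblock_for(ip: str) -> Optional[str]:
    """Return the CIDR from KNOWN_NETBLOCKS that contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, _owner in _NETWORKS:
        if addr in net:
            return str(net)
    return None


def triage(log_text: str,
           resolver: Callable[[str], Optional[str]] = constructed_ptr) -> dict:
    """Map each distinct source IP in the log to its PTR, scanner flag and netblock."""
    result = {}
    # dict.fromkeys dedups while keeping first-seen order
    for ip in dict.fromkeys(_SRC_RE.findall(log_text)):
        ptr = resolver(ip)
        result[ip] = {
            "ptr": ptr,
            "scanner": is_scanner_name(ptr),
            "netblock": netblock_for(ip),
        }
    return result


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(f"{ip:16} ptr={(info['ptr'] or '-'):28} "
              f"scanner={info['scanner']!s:5} netblock={info['netblock'] or '-'}")
```

The useful signal is the combination: an IP with no PTR and no list entry (the 172.168.41.126 case) still lands in 172.160.0.0/11, which is exactly why a scan task over the whole netblock catches more than the published host list does. Run it with `triage(SAMPLE_LOG, resolver=live_ptr)` to use real DNS.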