wdes / security

https://security.wdes.eu
Mozilla Public License 2.0

New stretchoid.com IPs #239

Closed RickTorresJr closed 1 month ago

RickTorresJr commented 6 months ago

My IPS got tripped today by 2 IPs. Upon further inspection these IPs resolved to stretchoid.com domains but are not on the stretchoid.com lists. Both IPs look to belong to Microsoft, 1 of them being recently transferred. Thanks.

# azpdse2.stretchoid.com
4.151.218.179

# azpdcs36.stretchoid.com
172.168.40.233
whois 4.151.218.179

NetRange:       4.144.0.0 - 4.159.255.255
CIDR:           4.144.0.0/12
NetName:        MSFT
NetHandle:      NET-4-144-0-0-2
Parent:         NET4 (NET-4-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   Microsoft Corporation (MSFT)
RegDate:        2019-10-04
Updated:        2019-10-04
Ref:            https://rdap.arin.net/registry/ip/4.144.0.0

OrgName:        Microsoft Corporation
OrgId:          MSFT
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        1998-07-10
Updated:        2024-03-18
Comment:        To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
Comment:        * https://cert.microsoft.com.  
Comment:        
Comment:        For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
Comment:        * abuse@microsoft.com.  
Comment:        
Comment:        To report security vulnerabilities in Microsoft products and services, please contact:
Comment:        * secure@microsoft.com.  
Comment:        
Comment:        For legal and law enforcement-related requests, please contact:
Comment:        * msndcc@microsoft.com
Comment:        
Comment:        For routing, peering or DNS issues, please 
Comment:        contact:
Comment:        * IOC@microsoft.com
Ref:            https://rdap.arin.net/registry/entity/MSFT

OrgTechHandle: MRPD-ARIN
OrgTechName:   Microsoft Routing, Peering, and DNS
OrgTechPhone:  +1-425-882-8080 
OrgTechEmail:  IOC@microsoft.com
OrgTechRef:    https://rdap.arin.net/registry/entity/MRPD-ARIN
whois 172.168.40.233 

NetRange:       172.160.0.0 - 172.191.255.255
CIDR:           172.160.0.0/11
NetName:        RIPE
NetHandle:      NET-172-160-0-0-1
Parent:         NET172 (NET-172-0-0-0-0)
NetType:        Early Registrations, Transferred to RIPE NCC
OriginAS:       
Organization:   RIPE Network Coordination Centre (RIPE)
RegDate:        2022-06-22
Updated:        2022-06-22
Ref:            https://rdap.arin.net/registry/ip/172.160.0.0

ResourceLink:  https://apps.db.ripe.net/search/query.html
ResourceLink:  whois://whois.ripe.net

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:      
PostalCode:     1001EB
Country:        NL
RegDate:        
Updated:        2013-07-29
Ref:            https://rdap.arin.net/registry/entity/RIPE

ReferralServer:  whois://whois.ripe.net
ResourceLink:  https://apps.db.ripe.net/search/query.html

OrgTechHandle: RNO29-ARIN
OrgTechName:   RIPE NCC Operations
OrgTechPhone:  +31 20 535 4444 
OrgTechEmail:  hostmaster@ripe.net
OrgTechRef:    https://rdap.arin.net/registry/entity/RNO29-ARIN

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName:   Abuse Contact
OrgAbusePhone:  +31205354444 
OrgAbuseEmail:  abuse@ripe.net
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE3850-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#

Found a referral to whois.ripe.net.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://apps.db.ripe.net/docs/HTML-Terms-And-Conditions

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '172.128.0.0 - 172.215.255.255'

% Abuse contact for '172.128.0.0 - 172.215.255.255' is 'abuse@microsoft.com'

inetnum:        172.128.0.0 - 172.215.255.255
netname:        UK-MICROSOFT-20000324
country:        GB
org:            ORG-MA42-RIPE
admin-c:        DH5439-RIPE
tech-c:         MRPA3-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         MICROSOFT-MAINT
mnt-lower:      MICROSOFT-MAINT
mnt-domains:    MICROSOFT-MAINT
mnt-routes:     MICROSOFT-MAINT
created:        2024-05-16T09:38:13Z
last-modified:  2024-05-16T09:38:13Z
source:         RIPE

organisation:   ORG-MA42-RIPE
org-name:       Microsoft Limited
country:        GB
org-type:       LIR
descr:          Microsoft Corporation AS8075
descr:          To report suspected security issues specific to
descr:          traffic emanating from Microsoft online services,
descr:          including the distribution of malicious content
descr:          or other illicit or illegal material through a
descr:          Microsoft online service, please submit reports
descr:          to:
descr:          * https://cert.microsoft.com
descr:          For SPAM and other abuse issues, such as Microsoft
descr:          Accounts, please contact:
descr:          * abuse@microsoft.com
descr:          To report security vulnerabilities in Microsoft
descr:          products and services, please contact:
descr:          * secure@microsoft.com
descr:          For legal and law enforcement-related requests,
descr:          please contact:
descr:          * msndcc@microsoft.com
descr:          For routing, peering or DNS issues, please
descr:          contact:
descr:          * IOC@microsoft.com
address:        One Microsoft Way
address:        WA 98052
address:        Redmond
address:        UNITED STATES
phone:          +1 425 882 8080
fax-no:         +1 425 936 7329
abuse-c:        MAC274-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        MICROSOFT-MAINT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         MICROSOFT-MAINT
created:        2004-04-17T12:18:10Z
last-modified:  2022-03-08T18:20:31Z
source:         RIPE # Filtered

role:           Microsoft Routing, Peering, and DNS
address:        One Microsoft Way
address:        Redmond, WA 98052
nic-hdl:        MRPA3-RIPE
mnt-by:         MICROSOFT-MAINT
created:        2014-08-26T16:25:24Z
last-modified:  2014-08-26T16:25:24Z
source:         RIPE # Filtered

person:         Divya Quamara
address:        One Microsoft Way
address:        Redmond, WA 98052
phone:          +1-425-882-8080
nic-hdl:        DH5439-RIPE
mnt-by:         MICROSOFT-MAINT
created:        2014-08-26T16:24:14Z
last-modified:  2016-02-19T07:09:41Z
source:         RIPE

% Information related to '172.160.0.0/11AS8075'

route:          172.160.0.0/11
origin:         AS8075
descr:          Microsoft
mnt-by:         MICROSOFT-MAINT
created:        2022-07-08T19:10:28Z
last-modified:  2022-07-08T19:10:28Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.112 (DEXTER)

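A defender-side check of the kind this report describes (reverse-resolve the alerting IPs, see whether they are stretchoid.com hosts, and see whether the published ranges already cover them), added here as an example and not code from this repository. The PTR table is constructed so it runs offline, the hostnames mirror the ones reported in this thread, and the two ranges are the ones added as scan tasks later in the thread.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Ranges the thread ends up adding scan tasks for (4.144.0.0/12 and 172.160.0.0/11).
KNOWN_STRETCHOID_RANGES = [ipaddress.ip_network(n) for n in ("4.144.0.0/12", "172.160.0.0/11")]

# Constructed PTR table standing in for live reverse DNS so this runs offline.
# The stretchoid entries mirror the hosts reported in the thread; the last one is an unrelated host.
SAMPLE_PTR: Dict[str, str] = {
    "4.151.218.179": "azpdse2.stretchoid.com",
    "172.168.40.233": "azpdcs36.stretchoid.com",
    "52.183.224.78": "azpdssb25.stretchoid.com",
    "203.0.113.7": "mail.example.net",
}


def reverse_lookup(ip: str, table: Dict[str, str] = SAMPLE_PTR) -> Optional[str]:
    """Reverse name for ip from the constructed table (swap in socket.gethostbyaddr for a live check)."""
    return table.get(ip)


def is_stretchoid_host(ptr: Optional[str]) -> bool:
    """Label-aware suffix match: 'x.stretchoid.com' matches, 'notstretchoid.com' does not."""
    if not ptr:
        return False
    name = ptr.rstrip(".").lower()
    return name == "stretchoid.com" or name.endswith(".stretchoid.com")


def in_known_ranges(ip: str, ranges: List[ipaddress.IPv4Network] = KNOWN_STRETCHOID_RANGES) -> bool:
    """True when any known range contains ip (an IPv6 address is never inside an IPv4 network)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def triage(ips: List[str], ranges: List[ipaddress.IPv4Network] = KNOWN_STRETCHOID_RANGES,
           lookup: Callable[[str], Optional[str]] = reverse_lookup) -> Dict[str, List[str]]:
    """Sort alert source IPs into 'listed' (a known range already covers it), 'new_stretchoid'
    (rDNS says stretchoid.com but no known range covers it, so worth reporting upstream) and 'other'."""
    out: Dict[str, List[str]] = {"listed": [], "new_stretchoid": [], "other": []}
    for ip in ips:
        if in_known_ranges(ip, ranges):
            out["listed"].append(ip)
        elif is_stretchoid_host(lookup(ip)):
            out["new_stretchoid"].append(ip)
        else:
            out["other"].append(ip)
    return out


if __name__ == "__main__":
    print(triage(list(SAMPLE_PTR)))
```

Passing `ranges=[]` reproduces the situation in the original report, where both IPs were stretchoid hosts not yet covered by any published range.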
williamdes commented 5 months ago

One IP that hit me today: azpdssb25.stretchoid.com [52.183.224.78]

More discussion on https://github.com/datacenters-network/security/discussions/228

karolyi commented 5 months ago

Another stretchoid attack: https://www.abuseipdb.com/check/172.168.41.126

williamdes commented 5 months ago

I added a scan task for 172.160.0.0/11 on https://security.wdes.eu/scan/tasks

williamdes commented 5 months ago

And 4.144.0.0/12 for @RickTorresJr from the initial report

Xorlent commented 3 months ago

They moved their scanning infrastructure so an all new approach was needed to compile the IP list for Stretchoid.

https://github.com/Xorlent/Stretchoid

karolyi commented 3 months ago

@Xorlent no offense, but instead of releasing an IP list stored in a repo (which is already discussed here as to why it is a bad idea), you could disclose the script you use to fetch the IPs, so @williamdes could add the script for updating his artifacts.

Xorlent commented 3 months ago

> @Xorlent no offense, but instead of releasing an IP list stored in a repo (which is already discussed here as to why it is a bad idea), you could disclose the script you use to fetch the IPs, so @williamdes could add the script for updating his artifacts.

@karolyi - Absolutely I understand and agree, although I suspect publicly posting methods for generating these lists will make our jobs as defenders more difficult as they discover our methods and more easily develop circumventions. I would happily privately provide the information to someone I know will care for all the work I've put in to get the list to its current state.

williamdes commented 1 month ago

Hi everybody,

I have put countless days into refactoring my project, and I now announce that it works in a very basic mode for now. The worker is detached from the server and communicates via websocket.

The worker authenticates by giving a username it decided on, and then receives scan tasks. But if it knows better than the scan task, it can decide to run its own scripts and only report back the results.

If there is some interest in this new worker mode, I will add documentation. Let me know.

williamdes commented 1 month ago

Feel free to contribute to this repo and scanning methods. @Xorlent can I use your list to scan its contents and update my results?