Is IP testing Access to, (Sat, Dec 5th)

Scanning by IP (first reported in DShield at the end of September) began early this morning. It appears to be testing access to site [2], and there is currently little information available for this host. The scan alternates between ports TCP/81 and TCP/8088. Domaintools [7] shows the root domain was last updated yesterday.

The only information currently available for this site is “Welcome to nginx!”

Log Examples

20201204-225750: data 'GET HTTP/1.1\r\nHost: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n'
20201204-235739: data 'GET HTTP/1.1\r\nHost: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n'
20201205-023633: data 'CONNECT HTTP/1.1\r\nHost: Go-http-client/1.1\r\n\r\n'
20201205-033442: data 'CONNECT HTTP/1.1\r\nHost: Go-http-client/1.1\r\n\r\n'
20201205-095707: data 'CONNECT HTTP/1.1\r\nHost: Go-http-client/1.1\r\n\r\n'
20201205-105705: data 'CONNECT HTTP/1.1\r\nHost: Go-http-client/1.1\r\n\r\n'
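
One way to flag this kind of request in honeypot logs, as an added example that is not code from the diary or from DShield: CONNECT requests and GET requests with an absolute URL are proxy-style requests, so on a plain web listener they suggest a client checking whether it can reach another site through the host. The log lines are constructed in the layout shown above; the target example.test, the User-Agent header name and all function names are assumptions, since the request target is not visible in the page's own log lines.

```python
import re
from collections import Counter

# Constructed sample lines in the diary's log layout. The target example.test
# and the User-Agent header name are assumptions, not values from the page.
SAMPLE_LOG = r"""
20201204-225750: data 'GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n'
20201205-023633: data 'CONNECT example.test:443 HTTP/1.1\r\nHost: example.test:443\r\nUser-Agent: Go-http-client/1.1\r\n\r\n'
20201205-031500: data 'GET /index.html HTTP/1.1\r\nHost: honeypot.test\r\nUser-Agent: curl/7.68.0\r\n\r\n'
20201205-040000: data 'not an http request'
"""

LINE_RE = re.compile(r"^(\d{8}-\d{6}): data '(.*)'$")
REQUEST_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")

def parse_line(line):
    """Return (timestamp, method, target, headers), or None if not HTTP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, raw = m.groups()
    parts = raw.split(r"\r\n")  # the log stores CRLF as a literal \r\n
    req = REQUEST_RE.match(parts[0])
    if not req:
        return None
    headers = {}
    for h in parts[1:]:
        if ": " in h:
            k, v = h.split(": ", 1)
            headers[k.lower()] = v
    return ts, req.group(1), req.group(2), headers

def is_proxy_probe(method, target):
    """CONNECT, or a target in absolute form, is a request meant for a proxy."""
    return method == "CONNECT" or re.match(r"^https?://", target, re.I) is not None

def find_proxy_probes(log_text):
    """Return (timestamp, method, target, user_agent) for each proxy-style request."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_proxy_probe(parsed[1], parsed[2]):
            ts, method, target, headers = parsed
            hits.append((ts, method, target, headers.get("user-agent", "")))
    return hits

def summarize(hits):
    """Count hits per (method, user agent) to make a repeating scanner stand out."""
    return Counter((method, ua) for _, method, _, ua in hits)
```

Ordinary origin-form requests such as `GET /index.html` are parsed but not reported, so normal browsing of the listener does not raise hits.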

Indicators with ASN
2606:4700:3031::6812:35a7 -> AS13335
2606:4700:3037::ac43:b70a -> AS13335
2606:4700:3036::6812:34a7 -> AS13335 -> AS42861 -> AS13335 -> AS62240


Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.