
SANS ISC: "Internet scanning project" scans - Internet Security | DShield SANS ISC InfoSec Forums

"Internet scanning project" scans

A reader, Greg, wrote in with a query on another internet scanning project. He checked out the IP address and it led to a web site, www[.]internetscanningproject.org, which states:


"Hello! You've reached the Internet Scanning Project.

We're computer security researchers performing periodic Internet-wide health assessments.

If you reached this site because of activity you observed on your network:

We apologize for any concern caused by our network activity. We are not specifically targeting your network.

We have not attempted to unlawfully access or abuse your network in any way. We are exclusively accessing publicly available servers, we respect all authentication barriers, and (as you can see) we have made no attempt to hide our activity.

This effort is part of a research project in which we are engaged, with a view to possibly contributing to public Internet health datasets. We believe research of this sort is both legal and beneficial to the security of the Internet as a whole.

However, if you wish to be excluded from our scanning efforts after reading the clarifying information below, please email us with IP addresses or CIDR blocks to be added to our blacklist."

It does not provide any information or assurances that this is a legitimate research project, and I wouldn't want to be sending information to unknown people via an unattributable web site. The normal low-level open source searching doesn't reveal anything of use or attribution either. It does, however, bring up a fair number of hits from people asking what these scans are and the best way to block them.

It appears this scanning has been running for a couple of weeks and has been using multiple IP addresses (see https://isc.sans.edu/topips.txt for some examples). A curious point, for a "legitimate" scan, is that they have started changing the User-Agent frequently, and in some cases to some very odd, nonsensical strings. The core scans are against TCP ports 21, 22 and 443, and the 443 scans may trigger alerts for probing on the Heartbleed bug.

Chris Mohan --- Internet Storm Center Handler on Duty

Chris

105 Posts
ISC Handler
The same landing page can be found on http://extranet.cwdriver.com/

C.W. Driver is a building company in the U.S. and nothing on their website suggests that they have branched out into internet security.
Anonymous
We have not seen on our network yet but will try to dig deeper and will update here.
makflwana

17 Posts
Been tracking this issue for three months. Finally reached out to provider and requested the process be discontinued. In the past it was background noise. Now lots of noise. Reviewing logs to verify activity has been stopped. Anyone else?
Butcher

2 Posts
Captured on honeybot this activity has been increasing since mid July.

GET / HTTP/1.0
User-Agent: research-scanner/1.0 (www.internetscanningproject.org)
Accept: */*

Also have payloads from same sources on TCP 8443 referring to syndication.twimg.com
Butcher
1 Posts
It appears this domain was purchased mid-July:

$> whois internetscanningproject.org
Domain Name:INTERNETSCANNINGPROJECT.ORG
Domain ID: D173360519-LROR
Creation Date: 2014-07-19T23:06:53Z
Updated Date: 2014-07-19T23:20:08Z
Registry Expiry Date: 2015-07-19T23:06:53Z
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Sponsoring Registrar IANA ID: 146
Butcher
1 Posts
There might be more IP's associated with it, but these are the ones that reverse resolve.

ip | hostname | last_seen
-----------------+-------------------------------------------------------+-------------------------------
173.230.155.62 | research-scanner-24bbbd14.internetscanningproject.org | 2014-07-28 19:55:01.818701-05
173.230.156.31 | research-scanner-142c5a17.internetscanningproject.org | 2014-07-25 15:42:02.798173-05
173.230.157.41 | research-scanner-72293de2.internetscanningproject.org | 2014-07-28 20:52:00.845565-05
173.255.212.158 | research-scanner-42ed2812.internetscanningproject.org | 2014-07-28 20:58:00.699605-05
173.255.215.249 | research-scanner-781aa1b3.internetscanningproject.org | 2014-07-28 20:36:01.872817-05
173.255.216.111 | research-scanner-32a2f717.internetscanningproject.org | 2014-07-28 16:54:01.422038-05
173.255.218.186 | research-scanner-eebf1d7e.internetscanningproject.org | 2014-07-25 14:45:02.054302-05
173.255.223.118 | research-scanner-792f48cb.internetscanningproject.org | 2014-07-25 02:46:01.643971-05
173.255.244.30 | research-scanner-7b15a479.internetscanningproject.org | 2014-07-28 20:50:01.842861-05
173.255.246.52 | research-scanner-32fbd1ba.internetscanningproject.org | 2014-07-28 18:18:01.603766-05
173.255.254.115 | research-scanner-7cbfba81.internetscanningproject.org | 2014-07-28 20:30:01.948203-05
192.155.82.223 | research-scanner-4f0a6fc8.internetscanningproject.org | 2014-07-28 19:19:01.908154-05
192.155.84.120 | research-scanner-56e70800.internetscanningproject.org | 2014-07-28 20:56:01.175267-05
192.81.130.219 | research-scanner-12117663.internetscanningproject.org | 2014-07-28 19:49:01.428791-05
192.81.130.26 | research-scanner-3f821e5c.internetscanningproject.org | 2014-07-27 19:04:03.510175-05
192.81.131.15 | research-scanner-388c8368.internetscanningproject.org | 2014-07-25 15:04:02.606994-05
198.74.51.88 | research-scanner-4751ac6f.internetscanningproject.org | 2014-07-28 18:41:01.880492-05
23.239.7.135 | research-scanner-115c30bb.internetscanningproject.org | 2014-07-28 19:50:01.895319-05
50.116.1.32 | research-scanner-5fd0afaf.internetscanningproject.org | 2014-07-26 12:40:02.273331-05
50.116.10.162 | research-scanner-626a7484.internetscanningproject.org | 2014-07-25 13:28:54.776485-05
50.116.11.215 | research-scanner-4faed9b5.internetscanningproject.org | 2014-07-28 20:31:02.160961-05
50.116.12.175 | research-scanner-5af5641d.internetscanningproject.org | 2014-07-28 15:45:01.588531-05
50.116.15.188 | research-scanner-5661c4ee.internetscanningproject.org | 2014-07-28 20:10:01.500932-05
50.116.3.246 | research-scanner-794ef2a0.internetscanningproject.org | 2014-07-25 14:10:03.116174-05
66.175.218.106 | research-scanner-5b861793.internetscanningproject.org | 2014-07-28 19:58:01.669066-05
74.207.244.187 | research-scanner-16886a88.internetscanningproject.org | 2014-07-28 16:02:01.824553-05
74.207.246.143 | research-scanner-c81e151d.internetscanningproject.org | 2014-07-28 18:25:01.351594-05
74.207.252.212 | research-scanner-48139945.internetscanningproject.org | 2014-07-25 18:27:02.424728-05
96.126.102.57 | research-scanner-72ccbf15.internetscanningproject.org | 2014-07-25 14:10:03.119172-05
96.126.103.181 | research-scanner-573be186.internetscanningproject.org | 2014-07-28 18:24:01.376803-05
96.126.96.249 | research-scanner-68b27fa1.internetscanningproject.org | 2014-07-28 20:36:01.881438-05
Frank

24 Posts
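The honeypot capture and the reverse-DNS table above give two independent indicators of this scanner: the User-Agent string and the PTR naming pattern research-scanner-<8 hex digits>.internetscanningproject.org. The following Python script is an added example, not code from this thread or from the ISC, showing how a defender can triage web-server logs on both indicators and collapse the hits into /24 blocks for a firewall rule. The log lines, the odd User-Agent on the third line, the 192.0.2.x/198.51.100.x addresses and the PTR_RECORDS table are constructed stand-ins for real logs and a real resolver.

```python
import re
from ipaddress import ip_network

# Constructed sample lines in Apache/nginx "combined" log format (not real captures).
# Line 1 and 4 carry the User-Agent seen on the honeypot; line 3 comes from an IP in the
# reverse-DNS table but with a nonsensical User-Agent, mimicking the diary's observation.
SAMPLE_LOG = """\
173.230.155.62 - - [28/Jul/2014:19:55:01 -0500] "GET / HTTP/1.0" 200 612 "-" "research-scanner/1.0 (www.internetscanningproject.org)"
192.0.2.10 - - [28/Jul/2014:19:55:07 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"
50.116.10.162 - - [28/Jul/2014:19:56:12 -0500] "GET / HTTP/1.0" 200 612 "-" "xq7 vvv/0.0"
198.51.100.7 - - [28/Jul/2014:19:57:00 -0500] "GET / HTTP/1.0" 404 0 "-" "research-scanner/1.0 (www.internetscanningproject.org)"
"""

# Constructed PTR table standing in for a DNS resolver. The first two names are taken
# from the table posted in the thread; the third address has no PTR at all.
PTR_RECORDS = {
    "173.230.155.62": "research-scanner-24bbbd14.internetscanningproject.org",
    "50.116.10.162": "research-scanner-626a7484.internetscanningproject.org",
    "198.51.100.7": None,
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PTR naming pattern observed in the thread: research-scanner-<8 hex>.internetscanningproject.org
SCANNER_PTR_RE = re.compile(
    r"^research-scanner-[0-9a-f]{8}\.internetscanningproject\.org\.?$", re.IGNORECASE
)


def parse_combined(line):
    """Parse one combined-format log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry, ptr_lookup):
    """Return why a request looks like this scanner ("user-agent" or "rdns"), or None.

    ptr_lookup is any callable mapping an IP string to its PTR name (or None). Here it is
    fed by the constructed PTR_RECORDS table; in production it would wrap a resolver and
    forward-confirm the returned name before trusting it."""
    if "internetscanningproject.org" in entry["ua"].lower():
        return "user-agent"
    ptr = ptr_lookup(entry["ip"])
    if ptr and SCANNER_PTR_RE.match(ptr):
        return "rdns"
    return None


def triage(log_text, ptr_lookup):
    """Walk a log, returning (ip, reason, user_agent) for every line attributed to the scanner."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if entry is None:
            continue  # skip lines that are not combined-format records
        reason = classify(entry, ptr_lookup)
        if reason:
            flagged.append((entry["ip"], reason, entry["ua"]))
    return flagged


def summarize_blocks(ips, prefixlen=24):
    """Collapse flagged IPs into their enclosing /prefixlen networks, as sorted strings."""
    return sorted({str(ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in ips})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, PTR_RECORDS.get)
    for ip, reason, ua in hits:
        print(f"{ip:16} {reason:10} {ua}")
    print("candidate block list:", summarize_blocks(ip for ip, _, _ in hits))
```

To use it against real data, feed a log file's contents to triage() and replace PTR_RECORDS.get with a function that calls socket.gethostbyaddr() and checks that the returned name resolves back to the same address. The two indicators fail in different ways: the User-Agent is trivially changed (the diary notes it already varies), while the PTR names depend on the hosting provider and, as a later reply in the thread reports, can disappear once the hosts are taken down, so keep timestamps on any lookup you record. Aggregating at /24 keeps the block list narrow; widening to a /8 would cut off a great deal of unrelated traffic.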
Was able to find that it has a mail server also - internetscanningproject.org.mail.protection.outlook.com and IP is 65.19.178.10

It uses IPv6 and IPv4.
2600:3c01::f03c:91ff:fe73:54bc
50.116.1.197
50.116.1.0/24
50.116.0.0/16
50.0.0.0/8
makflwana

17 Posts
Dear internet scanning project, please blacklist my IP CIDR ranges 0.0.0.0/1 and 128.0.0.0/1
Mysid

146 Posts
We requested that they stop scanning us yesterday. Will post if we see any new scans.
Mysid
1 Posts
CWDriver is a legit construction company. They had a stale DNS entry from awhile ago. It's been removed. They've nothing to do with 'internetscanningproject.com'.
Mysid
2 Posts
Interesting. I see scans from some of those IPs listed in one of the replies above. I am curious now: in order for such a project to be legitimate, who needs to authorize such a project?
Anonymous
host lookups on all those ^^ IPs no longer return as *internetscanningproject*.

apparently Linode has terminated those hosts. afaict, there's no more scanning traffic from them.

we'll see if/when/where they pop up again.
Anonymous
This organization is becoming more aggressive. Have seen hundreds of scans bouncing off our systems, using several different types of scans. We have not authorized nor sought their assistance. I have tried contacting the internet service provider to stop the traffic. This has not helped. At this point we are considering a notification to Federal teams about the scans. Today reached out to internetscanningproject.org directly in an attempt to stop the scanning activities. Anyone else saturated with their scans? Having issues getting the traffic and scans stopped? Is this a benevolent organization or just a front for malicious scans against public-facing IP addresses and sites? Perhaps time for an aggressive response?
Butcher

2 Posts
Hate to revive a dead thread but I started seeing something similar from a few IPs.
208.100.26.233 ip233.208-100-26.static.steadfastdns.net
208.100.26.235 ip235.208-100-26.static.steadfastdns.net
208.100.26.236 ip236.208-100-26.static.steadfastdns.net
208.100.26.237 ip237.208-100-26.static.steadfastdns.net

Same home page:
"Let us apologize for any inconvenience our scans may have caused you.

We can assure you the intent of our scans is in no way malicious or intended to cause harm to your systems. We are a company which specializes in security research and malware analysis.

We conduct internet-wide scans on a monthly basis in order to evaluate the security posture of organizations worldwide, similar to Project Sonar and Shodan. Our intentions are strictly for the public good.

If you do not wish to be scanned on a monthly basis, our ops team can add your ranges to the opt-out list using the form on the right.

Again we apologize for any confusion.

If you have further questions, feel free to email us at concerns@internet-research-project.com"
not really keen on submitting our info, and it's been crickets from steadfast.
Dan

1 Posts
