robertdavidgraham/masscan

Some idiot is using your tool to mass scan our network

vsecades opened this issue · 93 comments

Some idiot is using your tool to mass scan our network

@vsecades you can close this now, thx

ditto

146.185.142.70 - - [05/Apr/2020:00:01:06 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:01:26 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:01:29 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
173.212.218.126 - - [05/Apr/2020:00:01:44 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
5.189.176.208 - - [05/Apr/2020:00:02:15 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
103.83.5.41 - - [05/Apr/2020:00:02:39 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
103.83.5.41 - - [05/Apr/2020:00:02:39 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
5.189.176.208 - - [05/Apr/2020:00:02:45 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:02:47 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
173.212.218.126 - - [05/Apr/2020:00:03:20 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:03:48 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
5.189.176.208 - - [05/Apr/2020:00:04:08 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:04:08 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:04:31 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
159.89.16.121 - - [05/Apr/2020:00:04:33 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
103.83.5.41 - - [05/Apr/2020:00:04:38 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
159.65.11.106 - - [05/Apr/2020:00:04:54 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
159.89.16.121 - - [05/Apr/2020:00:05:14 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
103.83.5.41 - - [05/Apr/2020:00:05:16 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
159.89.16.121 - - [05/Apr/2020:00:05:17 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
159.89.16.121 - - [05/Apr/2020:00:05:21 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
51.68.70.66 - - [05/Apr/2020:00:05:23 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
51.68.70.66 - - [05/Apr/2020:00:05:26 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:05:29 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
173.212.218.126 - - [05/Apr/2020:00:05:37 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
173.212.218.126 - - [05/Apr/2020:00:05:41 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
5.189.176.208 - - [05/Apr/2020:00:05:46 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
5.189.176.208 - - [05/Apr/2020:00:06:26 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
5.189.176.208 - - [05/Apr/2020:00:06:47 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
173.212.218.126 - - [05/Apr/2020:00:07:29 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:07:30 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:07:50 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
159.65.11.106 - - [05/Apr/2020:00:08:05 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
173.212.218.126 - - [05/Apr/2020:00:08:20 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"

I'm willing to bet most of the traffic this repo gets is from people looking through their access logs

Edit: Those commenting on this issue worried about security should really audit their environment over adding their IP to an exclusion list.

@TehVulpes you have no idea. These tools are unfortunately created without any regard for their misuse.

ditto

2020-04-14T07:50:24.481022498Z 5.196.65.217 - - [14/Apr/2020:07:50:24 +0000] "GET / HTTP/1.0" 301 185 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"

Wait so I don't understand people... are connecting to this tool and are able to scan networks I'm connected to?

Wait so I don't understand people... are connecting to this tool and are able to scan networks I'm connected to?

No, people are just too lazy to mind their networks security so they simply decide to blame random things on earth for that.

OP is able to create the issues with the same subject name as well on nmap, zmap, patator and many other tools repos. It just doesn't matter for them that this tool has zero relevance to their own security issues.

138.197.212.58 - - [06/Jun/2020:12:38:49 +0200] "GET / HTTP/1.0" 301 564 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"

the user of this IP is starting to piss me off nicely.

I don't know how to make a PR to https://github.com/robertdavidgraham/masscan/blob/master/data/exclude.conf
and what is a PR?

You realize that 'exclude.conf' isn't even called, right? Pissing into an ocean of piss.

@joseph-giron yes, configuration files are specified on the command-line and not hard-coded, so only those performing legitimate surveys of the Internet (possibly wanting to be responsible or respectful of those NOCs who still live in the world of generating abuse complaints when snort tells them to) would be likely to use them. Maybe there are a few script kids out there who are intelligent enough to avoid hitting the small collection of networks on this list to avoid their scans generating abuse complaints that may get their boxes killed, but I guess it's probably a near-zero population

We can all stop pissing. I've finally learned my lesson about answering these sort of issues in hope of them being closed by the individual entering them. They don't seem to be headed towards a conclusion (by Rob or by the initial creator of the issue) so I'll give up

"Some idiot" is using his time to spam this repo

based

Sent a field team to neutralize the suspect, so the vulnerability is fixed! This can be closed now

Some idiot is using his celebrity to spam this repo

It's called HN ;)

@TehVulpes you have no idea. These tools are unfortunately created without any regard for their misuse.

So why don't we close the Internet as it was created without any regard for their misuse?

@TehVulpes you have no idea. These tools are unfortunately created without any regard for their misuse.

Roads are built without any regard for their misuse. What are you thinking of targeting next? nmap?

These are the kind of people who, when someone tries to break into their house, their first thought is apparently "I'm gonna call the crowbar company and give them a piece of my mind!" 🙃

I had no idea GitHub comments could be this active.

File this under PEBKAC.

After security by obscurity, and zero-trust, hails a new paradigm: Security by cease and desist. Wonderful.

To all the people that raise an issue like this, the problem is the IP address that is using masscan, not the tool.

So "dig -x IP address" will tell you who owns that IP address. Complain to them.

eg "dig -x 146.185.142.70" returns that IP address with a nameserver at Digital Ocean. So someone has a server hosted there that is scanning. Complain to them.

@rswail How dare you be reasonable ! It's because of people developing Linux that hackers use their TCP stack to attack our networks !

@TehVulpes you have no idea. These tools are unfortunately created without any regard for their misuse.

yes, the creator of hammer also should have thought better

This tool is coded in C, which was unfortunately created without any regard for its misuse. OP should open the bug upstream.

After security by obscurity, and zero-trust, hails a new paradigm: Security by cease and desist. Wonderful.

We'll threaten the criminals with legal action, that'll stop them!

That should be broken up into three steps:

  1. Shore up your network defense
  2. Call legal
  3. Close this issue as WONTFIX

After security by obscurity, and zero-trust, hails a new paradigm: Security by cease and desist. Wonderful.

"I demand to speak to your manager!" ~ @vsecades (aka Karen)

This tool is coded in C, which was unfortunately created without any regard for its misuse. OP should open the bug upstream.

It should be rewritten in Rust, which is impossible to misuse.

This project might be a useful solution: https://github.com/chrissound/GitChapter you would be able to write technical documentation around the fix.

To all the people that raise an issue like this, the problem is the IP address that is using masscan, not the tool.

So "dig -x IP address" will tell you who owns that IP address. Complain to them.

eg "dig -x 146.185.142.70" returns that IP address with a nameserver at Digital Ocean. So someone has a server hosted there that is scanning. Complain to them.

For Digital Ocean I don't know, but OVH doesn't care about what people do with their servers, so they will answer you: "we are not responsible for what people are doing with their server". Moreover, international instances never answer reports. Maybe the best answer is to blacklist IPs as much as possible (maybe countries too).

This project might be a useful solution: chrissound/GitChapter you would be able to write technical documentation around the fix.

Please don't use GitHub issues as an advertising platform.

I am in love with this repo! So much fun, reading the issues!

I think this project should be banned, people keep misusing it.
I think we should also ban knives, killers keep using them to stab people!

Reminds me the attack of the repo men, https://acme.com/software/thttpd/repo.html.
Almost 20 years, and they're still around.

I like the one guy in the exclude.conf pulling out his defense contractor epeen. You can just smell the federal standard violations they are covering up by having a guy staring at access logs of their swiss cheese perimeter firewall.

This issue has been receiving a lot of attention on Hacker News, hence the sudden influx of comments.

You can't ban the inevitable, build the defence.

@TehVulpes you have no idea. These tools are unfortunately created without any regard for their misuse.

oh, hello there friend, welcome to the internet. You must be new here. It is a wonderful and exciting place full of wonder (and horror if you go looking for it).

Please, in the future refrain from opening frivolously ridiculous tickets on repos of hardworking individuals who use their own time, sweat and labor to give back to the community.

If you're upset about your network being scanned, may I suggest learning how your firewall works.

Well, this is interesting (as long as something this stupid can be interesting).

Somebody stated what we all already know: That there are a lot of stupid people using available tools for stupid purposes.

But the person that stated this doesn't seem to be any less stupid than any other stupid involved.

Real recognizes real. Stupid people recognize stupid people.
Err, never mind

That should be broken up into three steps:

  1. Shore up your network defense
  2. Call legal
  3. Close this issue as WONTFIX

Ah yes, the versatile lawyered-up nofix.

"some idiot is trying to blame poor network security on a random tool, on GitHub, since why the f**k not"

should go after nmap m8. they're super bad

if (idiot) return -1;

Fixed it.

@vsecades
[image]

Nice. Someone with a sense of humor at least.

Thanks, you can close this issue now

@vsecades close the issue lmao

Not my project. If so inclined close the issue.

@vsecades

Hi,

I ran masscan to find your brain but I haven't been able to find it. I might need to create another issue since the tool isn't working, or is it maybe something else?

@vsecades How did you determine that masscan was being used to do the scanning? What were the key indicators?

@vsecades How did you determine that masscan was being used to do the scanning? What were the key indicators?

We were tracking outages on a Web server, and found your tool on our server logs.

We were tracking outages on a Web server, and found your tool on our server logs.

@vsecades the person you're replying to has no relation to the masscan project, masscan is not "his tool".
I would highly recommend closing this issue. At least this tool is polite enough to identify itself in its user-agent string, all the other more malicious scanners that are currently scanning your network aren't.
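The point above about the self-identifying user-agent, as an added example (not code from the masscan project or from any commenter): a small triage script that tallies requests carrying the `masscan/` user-agent per source IP, in the log shapes quoted in this thread, and also counts everything that did not announce itself. The sample lines are constructed and use documentation-range addresses; the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample lines in the log shapes quoted in this thread. Addresses
# are from the RFC 5737 documentation ranges, not real scanner IPs.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Apr/2020:00:01:06 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
198.51.100.7 - - [05/Apr/2020:00:01:26 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
2020-04-14T07:50:24.481022498Z 203.0.113.9 - - [14/Apr/2020:07:50:24 +0000] "GET / HTTP/1.0" 301 185 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
192.0.2.44 - - [06/Jun/2020:12:38:49 +0200] "GET / HTTP/1.0" 301 564 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
192.0.2.80 - - [06/Jun/2020:12:39:02 +0200] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
truncated line with no fields
"""

# Optional container-timestamp prefix, then combined-log fields up to the UA.
LINE_RE = re.compile(
    r'^(?:\S+\s+)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def triage(lines):
    """Return (hits, other, unparsed): per-IP masscan stats and two counters."""
    hits, other, unparsed = {}, 0, 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1          # keep a count: silent drops hide log damage
            continue
        if not m["ua"].lower().startswith("masscan/"):
            other += 1             # everything that did not announce itself
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = hits.setdefault(m["ip"], {"count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return hits, other, unparsed

def report(hits):
    """One line per source, busiest first, for an abuse report or blocklist review."""
    rows = sorted(hits.items(), key=lambda kv: -kv[1]["count"])
    return [f'{ip} {r["count"]} {r["first"].isoformat()} {r["last"].isoformat()}'
            for ip, r in rows]

if __name__ == "__main__":
    hits, other, unparsed = triage(SAMPLE_LOG.splitlines())
    print("\n".join(report(hits)))
    print(f"non-masscan UA: {other}, unparsed: {unparsed}")
```

The `other` counter is the part to watch: a user-agent match only sees scanners that choose to identify themselves.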

some idiot closed the issue

Possibly that should provide visibility into the collateral damage these tools cause other folks.

idk the internet also does a lot of harmful things.

Pain.

A number of attempts have been made to draft code that allows for resolving idiots, however most of them appear to get rejected with a status of "CANTFIX/HUMANRIGHTS" ... I'm sure progress towards implementation will be made just as soon as someone finds a work around for users refusing to run their system security software set to enforcing=pain

I just came to read the comments

I see the issue Karen

I can't believe this is an actual thread in 2020.

In a big network security system, masscan was showing up in the logs like every hour, but no one ever batted an eye for years. Appointed IT personnel only cared about abnormal traffic, not about scans in the style of "masscan". So maybe all this fuss is just because you don't want to see masscan-related traffic in your logs (to keep the logs less crowded)?

Possibly that should provide visibility into the collateral damage these tools cause other folks.
@vsecades

You don't realize how lucky you are. Seriously. You just found that there are massive scan on internet (they have always been there). And you just found that tools that attackers have, they can be used by you to check your defenses, for free.

I suggest you to collect some of these tools, build up some knowledge (or find someone who has it) and run these tools against your own system to check if there is any vulnerability.

This is the right way to use this tool. And this can save you from the next hacker attack.

Have you tried calling the internet police?

Wow, never figured this would go viral. Keep at it then.

Wow, never figured this would go viral. Keep at it then.

Buddy, the Internet will never forget now that you don't understand how the Internet functions, what goes on or network security in general. Going viral isn't something you should be proud of in this instance.

Wow, never figured this would go viral. Keep at it then.

Buddy, the Internet will never forget now that you don't understand how the Internet functions, what goes on or network security in general. Going viral isn't something you should be proud of in this instance.

you mean 'forget that you're learning..' I mean damn man why so rough? I have been at this 30 years, I don't put random down like that, they could end up your boss. OS is learn and grow together.. that is github

damn this died

@vsecades you can close this now, thx

I thought I did; unfortunately these folks love to keep on trolling.

@vsecades you can close this now, thx

I thought I did; unfortunately these folks love to keep on trolling.

That's on you for making an unnecessary issue like this in the first place 😳

Exposed one of my web servers to the internet (gasp) and within an hour I am seeing traffic from this tool appear. So good job on developing this 😉

Thanks @Zenexer my comment was meant as a joke: I am fully expecting random traffic to hit my server the moment I exposed it to the internet. Was fun to see a github url pass by in the access logs. All good

This was really fun lmao

Is this for real? hahahah

nope.

Don't these dullards know the "block list" isn't actually called anywhere in the code / program? I guess placing their IP's in a text file is one way of placating them, or maybe it might make them a target. After all, there's the IP's right there and the people reporting them are whining about it.

lol. the thread. the ignorance is overflowing. Port scanning is very essential in protecting the whole internet. It helps in conducting an internet census that helps orgs managing their portion of the internet plan accordingly. It helps cyber security professionals to find vulnerable machines that they can protect by alerting owners to patch the machines before they are victimized. Long live Masscan!

if i blow my brains out in front of this bot, would it change its ways forever?

hm.

no.

Might be a good time to brush up on firewall administration, just sayin’.

Came to read comments

Came to read comments

Lol That's why I follow this thread...

Please.. Please Stop... I have had Enough Of This Necro Bumping..... Thanks, Brandan Delafuente @.***

Up at the top of your screen you should have a button labeled [Unsubscribe].

Please.. Please Stop... I have had Enough Of This Necro Bumping..... Thanks, Brandan Delafuente @.***

Up at the top of your screen you should have a button labeled [Unsubscribe].

I blindly subscribe to threads and don't expect them to be dredged back into my inbox by someone who read a Hacker News thread from a few years ago

I respect the help but it is not appropriate with the preceding context

Please.. Please Stop... I have had Enough Of This Necro Bumping..... Thanks, Brandan Delafuente @.***

Up at the top of your screen you should have a button labeled [Unsubscribe].

I blindly subscribe to threads and don't expect them to be dredged back into my inbox by someone who read a Hacker News thread from a few years ago

I respect the help but it is not appropriate with the preceding context

ok.

@dfault-user is the weather getting warmer where you are yet? We've just had our first few sunny days! I'm enjoying it.

@dfault-user is the weather getting warmer where you are yet? We've just had our first few sunny days! I'm enjoying it.

it isn't too bad

i also additionally apologize for my previous conduct. not sure where that came from other than a place of disgruntlement