[dns-operations] honeypot : so many bees from Amazon

MAYER Hans Hans.Mayer at iiasa.ac.at
Tue Mar 5 09:24:16 UTC 2019


Dear All,

With the experience of these scans during the last months I was interested to know more about the intentions of these hackers. Therefore I created a subdomain, also with reverse lookup, for an IP range which is not used. As these lookups for my in-addr.arpa. range are still ongoing, it was not surprising that after a short time the dots in the geo-map were spread over the world. Looking up names in this subdomain is only possible if someone did a reverse lookup before. Assuming that the source IP addresses (or domains) for name lookups are identical to those for the reverse lookups is completely wrong. This is a list of all IP addresses which did a lookup for these honeypot names during the last 5 days:


So 7 of the total 64 IP addresses are not coming from amazonaws.com.


Kind regards
Hans

--

Ing. Dipl.-Ing. Hans Mayer
Systems Administrator
Information and Communication Technologies (ICT)

International Institute for Applied Systems Analysis (IIASA)
Schlossplatz 1
A-2361 Laxenburg, Austria
Phone: +43 2236 807 Ext 215
Mobile: +43 676 83 807 215
Web: http://www.iiasa.at
E-Mail: mayer at iiasa.ac.at

Note: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID.  You may ignore it.
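As an added example (not code from Hans's post or from IIASA), the correlation described in the message carried out over a constructed, simplified BIND-style query log: it separates clients that asked PTR questions for the unused range from clients that later asked for names under the honeypot zone, intersects the two sets, and classifies the forward-lookup sources by a constructed reverse-name table. The zone names `hp.example.net` and `100.51.198.in-addr.arpa`, the client addresses and the `PTR_TABLE` entries are all placeholders.

```python
import re
from collections import Counter

# Constructed, simplified BIND-style query log using RFC 5737 placeholder
# addresses (not data from the original post). Forward honeypot zone:
# hp.example.net; reverse zone of the unused range: 100.51.198.in-addr.arpa.
LOG = """\
client 192.0.2.10#53211: query: 57.100.51.198.in-addr.arpa IN PTR - (203.0.113.1)
client 192.0.2.11#40001: query: 58.100.51.198.in-addr.arpa IN PTR - (203.0.113.1)
client 203.0.113.77#55555: query: host57.hp.example.net IN A - (203.0.113.1)
client 192.0.2.10#53212: query: host58.hp.example.net IN A - (203.0.113.1)
client 203.0.113.78#55556: query: host57.hp.example.net IN AAAA - (203.0.113.1)
client 203.0.113.79#55557: query: www.example.net IN A - (203.0.113.1)
"""
FWD_ZONE = "hp.example.net"
PTR_ZONE = "100.51.198.in-addr.arpa"
# Constructed stand-in for reverse lookups of the querying addresses; a real
# run would resolve each address with the system resolver instead.
PTR_TABLE = {
    "203.0.113.77": "ec2-203-0-113-77.compute-1.amazonaws.com.",
    "203.0.113.78": "ec2-203-0-113-78.us-west-2.compute.amazonaws.com.",
    "192.0.2.10": "resolver.isp.example.",
}
QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")

def parse_queries(log):
    """Yield (client_ip, qname, qtype) for every matching log line."""
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower().rstrip("."), m.group(3)

def honeypot_sources(log):
    """Return (clients that asked PTR for the unused range,
    clients that asked for any name under the honeypot forward zone)."""
    ptr_clients, fwd_clients = set(), set()
    for client, qname, qtype in parse_queries(log):
        if qtype == "PTR" and qname.endswith("." + PTR_ZONE):
            ptr_clients.add(client)
        elif qname.endswith("." + FWD_ZONE):
            fwd_clients.add(client)
    return ptr_clients, fwd_clients

def summarize(fwd_clients, ptr_table):
    """Count forward-lookup sources whose reverse name is an EC2 host vs. not."""
    counts = Counter()
    for ip in fwd_clients:
        name = ptr_table.get(ip, "").rstrip(".")
        counts["amazonaws" if name.endswith("amazonaws.com") else "other"] += 1
    return counts
```

Call `honeypot_sources(LOG)` to get the two client sets; their intersection shows how few PTR sources reappear as forward-lookup sources, and `summarize(fwd, PTR_TABLE)` gives the amazonaws.com versus other split.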