A picard moment for you (shodan.io)

Oh yes, it's our friendly scumbags from shodan (my blog) – over to you, captain

connect from cloud.census.shodan.io[94.102.49.193]

It's from our beachhut scanning outpost in the Seychelles (my blog) and a small /24 this time if you want to mass block this scammy isp and its lovely client.

So shields up, and I hope you never get this recycled ip address once shodan.io have fucked it up reputation wise. I never delist shodan.io ip addresses from whoever the isp is.

Enjoy your day.

Another shodan.io find once again co hosted with David Attenborough

The delights of being a shodan.io spotter (my blog) never disappoint.  Beats birdwatching

Come and meet

pirate.census.shodan.io does not resolve to address 71.6.146.185

Of whom that isp is remembered

But is actually

;; ANSWER SECTION:
pirate.census.shodan.io. 300    IN      A       216.117.2.180

Which may also be called burger (my blog). I make no comment about them as I know them already, other than hi once more shall suffice.

What was up with burger ?

Anyhow something well worth crimson firewalling. You should by all know my views on the scum at shodan.io.

Enjoy your day

a shodan.io spotting in the wild. (co hosted with David Attenborough)

Robert Stilwell judo criminal

Turn on your crimson forcefield, as shodan (my blog) have moved to fresh scanning pasture.

I was alerted by my cron job with a person pretending to be them

burger.census.shodan.io does not resolve to address 66.240.219.146

That’s cari.net (who ring a bell my blog) – perhaps their ex hosters now?

A dig of burger.census.shodan.io states.

; <<>> DiG 9.10.3-P4-Debian <<>> burger.census.shodan.io
;; ANSWER SECTION:
burger.census.shodan.io. 299    IN      A       216.117.2.180

I suggest a block of 216.117.2.180 too, which is a provider called abuse @cyrusone.com

I am not delisting cari.net from the zoo’s firewall; hosting shodan is shady to start with.

This has been a public information announcement, nobody wants to be scanned by these scum and villainy be they genuine shodan or fakes.

Have a happy wednesday.  If you work for cyrusone.com hello, hope to see you and block more of your ip ranges soon.

Shodan.io sighting in the wild

tube recycle those 1's and 0's

I smell scammers and crooks (my blog)  on the loose, one to block me thinks.

postfix/smtpd[*]: warning: hostname ninja.census.shodan.io does not resolve to address 71.6.158.166

Hello to complaints@cari.net

CustName:       CariNet, Inc.
Address:        8929 Complex Drive
City:           San Diego
StateProv:      CA
PostalCode:     92123
Country:        US

shodan.io my next thing to block at the zoo

Shodan is a list of things making up the internet (brands of router etc) and some of those can be exploited.

The zoo is fairly good at security and we are not running a crappy ancient intel pppoa modem supplied by British telecom, but whenever shodan.io turn up there’s a lot of probes afterwards that failtoban (my blog) have to deal with.

So the thinking is the less shodan can see or the more ancient the listings for our ranges then the harder it is for others. It's not a question of them stopping it, by all means do scan the zoo for problems but don't let me catch me doing it.

So the firewall got a new section, called shodan since I am boring, and if at some stage in the future I forget why then I know what it is supposed to be; after all, ranges do get cleaned up. It consists of

ip route add prohibit 188.138.9.0/24    # de plusserver.de
ip route add prohibit 162.159.245.38    # us cloudflare
ip route add prohibit 162.159.244.38    # us cloudflare
ip route add prohibit 66.240.192.138    # census8.shodan.io, us cari.net

The 162.159.24* ranges are nameservers and www; the 188.138 /24 subnet was my first range, when a probe from shodan was first seen, then after that is when 66.240 turned up.

I kind of do /24 blocking when I see problems from a subnet so there may be friendly fire from other legitimate things, which is somebody else's problem. So maybe I am indiscriminate, but I found a new range.

Maybe shodan has legitimate uses but I am not debating that, but its general use leaves something to be desired.

ip route add prohibit 71.6.135.131    # us cari.net

Also seems to identify as shodan in a grep of my logs, so I guess me and shodan are going to have a bit of fun while others on shodan’s ips have a few issues.

Hell, this is fun. I have a cron job* set up, when

188.138.1.218 [de]

comes to my attention next, which rings a few bells from above with 188.138 which I have mentioned. So I dig for the string census

census0.shodan.io. 208.180.20.97
census1 198.20.69.74
census2 198.20.69.98
census3 198.20.70.114
census4.shodan.io. 198.20.99.130
census5 93.120.27.62
census6 66.240.236.119
census7.shodan.io. 71.6.135.131
census8.shodan.io 66.240.192.138
census9.shodan.io 71.6.167.142
census10.shodan.io. 82.221.105.6
census11.shodan.io. 82.221.105.7 now 82.221.105.7
census12.shodan.io. 71.6.165.200
census13.shodan.io. 208.180.20.97
census14.shodan.io. 208.180.20.97 [duplicate]

There is a range of ISPs here and it seems complaining to cloudflare will achieve nothing, as cari.net and plusserver.de do the probing.

Anyhow, what you do with this information is up to you. It will probably change, but if you're aware of things that's not a huge problem.

updated November 2015

However, I would not want to be in those ipv4 ranges.
* grep shodan /var/log/mail.log /var/log/auth.log /var/log/daemon.log
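
The cron job grep from the footnote, carried one step further as an added example (not the author's own script): it pulls the client address out of shodan.io log lines in the two postfix formats quoted above and prints one ip route add prohibit rule per /24. The function names and the sample log lines are assumptions, constructed for illustration from hostnames and addresses quoted on this page.

```shell
#!/bin/sh
# Added example: print /24 block rules for shodan sightings found in logs.
# It only prints the commands for review; it never touches the routing table.

# Constructed sample lines in the two postfix formats quoted on this page.
sample_log() {
cat <<'EOF'
Nov  3 04:12:01 zoo postfix/smtpd[1201]: warning: hostname ninja.census.shodan.io does not resolve to address 71.6.158.166
Nov  3 09:40:17 zoo postfix/smtpd[1377]: connect from cloud.census.shodan.io[94.102.49.193]
Nov  3 09:41:02 zoo postfix/smtpd[1377]: connect from mail.example.org[192.0.2.25]
Nov  4 01:02:03 zoo postfix/smtpd[1502]: warning: hostname burger.census.shodan.io does not resolve to address 66.240.219.146
Nov  5 04:12:44 zoo postfix/smtpd[1733]: warning: hostname ninja.census.shodan.io does not resolve to address 71.6.158.166
EOF
}

# Pull the client address out of every line that names a shodan.io host.
# "does not resolve" lines are PTR claims the forward lookup did not confirm
# (genuine or fake); they are kept, since the post blocks both.
shodan_ips() {
    grep -i 'shodan\.io' |
    sed -n -E \
        -e 's/.*does not resolve to address ([0-9]{1,3}(\.[0-9]{1,3}){3}).*/\1/p' \
        -e 's/.*connect from [^ ]*\[([0-9]{1,3}(\.[0-9]{1,3}){3})\].*/\1/p' |
    sort -u
}

# Widen each valid IPv4 address to its /24, one line per subnet.
to_slash24() {
    awk -F. 'NF == 4 && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 {
        print $1 "." $2 "." $3 ".0/24"
    }' | sort -u
}

# Emit one rule per subnet in the form used in the firewall section above.
block_rules() {
    shodan_ips | to_slash24 | while read -r net; do
        echo "ip route add prohibit $net"
    done
}

# Stand-alone run on the sample; in cron, feed it the real log files instead.
sample_log | block_rules
```

Review the printed rules before applying them, since a /24 can take out unrelated neighbours in the same subnet.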