A reader, Greg, wrote in with a query on another internet scanning project. He checked out the IP address and it led to a web site, www[.]internetscanningproject.org, which states:

"We're computer security researchers performing periodic Internet-wide health assessments. If you reached this site because of activity you observed on your network: We apologize for any concern caused by our network activity. We are not specifically targeting your network. We have not attempted to unlawfully access or abuse your network in any way. We are exclusively accessing publicly available servers, we respect all authentication barriers, and (as you can see) we have made no attempt to hide our activity. This effort is part of a research project in which we are engaged in with view to possibly contributing to public Internet health datasets. We believe research of this sort is both legal and beneficial to the security of the Internet as a whole. However, if you wish to be excluded from our scanning efforts after reading the clarifying information below, please email us with IP addresses or CIDR blocks to be added to our blocklist."

It does not provide any information or assurances that this is a legitimate research project and I wouldn't want to send information to unknown people via an unattributable web site. The normal low level open source searching doesn't reveal anything of use or attribution either. It does, however, bring up a fair number of hits of people asking what these scans are and the best way to block them.

It appears this scanning has been running for a couple of weeks and has been using multiple IP addresses (see https://isc.sans.edu/topips.txt for some examples). A curious point, for a "legitimate" scan, is that they have started changing the User Agent frequently, in some cases to some very odd nonsensical strings. The core scans are against TCP ports 21, 22 and 443, and the 443 scans may trigger alerts for probing on the Heartbleed bug.

Chris Mohan --- Internet Storm Center Handler on Duty
Chris 105 Posts ISC Handler Jul 26th 2014 |
Jul 26th 2014 7 years ago |
The same landing page can be found on http://extranet.cwdriver.com/
C.W. Driver is a building company in the U.S. and nothing on their website suggests that they have branched out into internet security. |
Anonymous |
Jul 28th 2014 7 years ago |
We have not seen it on our network yet but will try to dig deeper and will update here.
|
makflwana 17 Posts |
Jul 28th 2014 7 years ago |
Been tracking this issue for three months. Finally reached out to provider and requested the process be discontinued. In the past it was background noise. Now lots of noise. Reviewing logs to verify activity has been stopped. Anyone else?
|
Butcher 2 Posts |
Jul 28th 2014 7 years ago |
Captured on honeybot this activity has been increasing since mid July.
    GET / HTTP/1.0
    User-Agent: research-scanner/1.0 (www.internetscanningproject.org)
    Accept: */*

Also have payloads from same sources on TCP 8443 referring to syndication.twimg.com
Butcher 1 Posts |
Jul 28th 2014 7 years ago |
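For triaging your own logs against what the diary and the capture above describe (the self-identifying User-Agent, probes to TCP 21, 22 and 443, and frequently changing User-Agent strings), here is an added example that is not part of the original thread. The log format, the rotation threshold and the sample records (documentation address ranges) are constructed assumptions.

```python
import re
from collections import defaultdict

CORE_PORTS = {21, 22, 443}      # ports named in the diary
UA_MARKER = re.compile(r"research-scanner/|internetscanningproject\.org", re.I)
UA_ROTATION_MIN = 3             # assumed threshold, tune for your traffic

# Constructed log format: "<iso-time> <src-ip> <dst-port> <user-agent or ->"
LINE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")

# Constructed sample records, not real observations.
SAMPLE = """\
2014-07-28T19:55:01 192.0.2.10 443 research-scanner/1.0 (www.internetscanningproject.org)
2014-07-28T19:55:03 192.0.2.10 21 -
2014-07-28T19:55:04 192.0.2.10 22 -
2014-07-28T20:10:11 198.51.100.7 443 Mozilla/5.0 (X11; Linux x86_64)
2014-07-28T20:10:12 198.51.100.7 443 xkq-zz/0.0
2014-07-28T20:10:13 198.51.100.7 443 qwerty
2014-07-28T20:30:00 203.0.113.5 443 Mozilla/5.0 (Windows NT 6.1)
not a log line
"""

def triage(lines):
    """Return {src_ip: sorted reasons} for sources worth a closer look."""
    ports = defaultdict(set)
    agents = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue            # skip malformed records instead of failing
        _, src, port, ua = m.groups()
        ports[src].add(int(port))
        if ua != "-":           # "-" means no User-Agent (non-HTTP probe)
            agents[src].add(ua)
    findings = {}
    for src in ports:
        reasons = set()
        if any(UA_MARKER.search(ua) for ua in agents[src]):
            reasons.add("self-identified-ua")
        if CORE_PORTS <= ports[src]:
            reasons.add("core-port-sweep")
        if len(agents[src]) >= UA_ROTATION_MIN:
            reasons.add("ua-rotation")
        if reasons:
            findings[src] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for src, reasons in sorted(triage(SAMPLE.splitlines()).items()):
        print(src, ", ".join(reasons))
```

The rotation check catches a source that has dropped the self-identifying string, which a User-Agent match alone would miss.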
It appears this domain was purchased mid-July:
    $> whois internetscanningproject.org
    Domain Name:INTERNETSCANNINGPROJECT.ORG
    Domain ID: D173360519-LROR
    Creation Date: 2014-07-19T23:06:53Z
    Updated Date: 2014-07-19T23:20:08Z
    Registry Expiry Date: 2015-07-19T23:06:53Z
    Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
    Sponsoring Registrar IANA ID: 146
Butcher 1 Posts |
Jul 28th 2014 7 years ago |
There might be more IP's associated with it, but these are the ones that reverse resolve.
Frank 24 Posts |
Jul 29th 2014 7 years ago |
Was able to find that it has a mail server also - internetscanningproject.org.mail.protection.outlook.com and IP is 65.19.178.10
It uses IPv6 and IPv4. 2600:3c01::f03c:91ff:fe73:54bc 50.116.1.197 50.116.1.0/24 50.116.0.0/16 50.0.0.0/8 |
makflwana 17 Posts |
Jul 29th 2014 7 years ago |
Dear internet scanning project, please blacklist my IP CIDR ranges 0.0.0.0/1 and 128.0.0.0/1
|
Mysid 146 Posts |
Jul 29th 2014 7 years ago |
We requested that they stop scanning us yesterday. Will post if we see any new scans.
|
Mysid 1 Posts |
Jul 29th 2014 7 years ago |
CWDriver is a legit construction company. They had a stale DNS entry from awhile ago. It's been removed. They've nothing to do with 'internetscanningproject.com'.
|
Mysid 2 Posts |
Jul 29th 2014 7 years ago |
Interesting. I see scans from some of those IPs listed in the replies above. I am curious now: in order for such a project to be legitimate, who needs to authorize such a project?
|
Anonymous |
Jul 30th 2014 7 years ago |
host lookups on all those ^^ IPs no longer return as *internetscanningproject*.
apparently Linode has terminated those hosts. afaict, there's no more scanning traffic from them. we'll see if/when/where they pop up again. |
Anonymous |
Jul 30th 2014 7 years ago |
This organization is becoming more aggressive. Have seen hundreds of scans bouncing off our systems. Using several different types of scans. We have not authorized nor seek their assistance. I have tried contacting the internet service provider to stop the traffic. This has not helped. At this point we are considering a notification to Federal teams about the scans. Today reached out to internetscanningproject.org directly in an attempt to stop the scanning activities. Anyone else saturated with their scans? Having issues getting the traffic and scans stopped? Is this a benevolent organization or just a front for malicious scans against public facing IP addresses and sites? Perhaps time for an aggressive response?
|
Butcher 2 Posts |
Sep 30th 2014 7 years ago |
Hate to revive a dead thread but I started seeing something similar from a few IPs.
    208.100.26.233 ip233.208-100-26.static.steadfastdns.net
    208.100.26.235 ip235.208-100-26.static.steadfastdns.net
    208.100.26.236 ip236.208-100-26.static.steadfastdns.net
    208.100.26.237 ip237.208-100-26.static.steadfastdns.net

Same home page:

Let us apologize for any inconvenience our scans may have caused you.

We can assure you the intent of our scans are in no way malicious or intended to cause harm to your systems. We are a company which specializes in security research and malware analysis.

We conduct internet wide scans on a monthly basis in order to evaluate the security posture of organizations world wide similar to project sonar and shodan. Our intentions are strictly for the public good.

If you do no wish to be scanned on a monthly basis our ops team can add your ranges to the opt out list using the form on the right.

Again we apologize for any confusions.

If you have further questions, feel free to email us at concerns@internet-research-project.com

not really keen on submitting our info, and it's been crickets from steadfast.
Dan 1 Posts |
Apr 24th 2017 5 years ago |