Skip to main content

RedIRIS Compromised?

For those not familiar with Spanish ISPs, RedIRIS is Spain's National Research and Education Network. They are part of Consorci de Serveis Universitaris de Catalunya and Forum of Incident Response and Security TeamsEssentially its an organization devoted to university networking projects and advanced R&D. They get their own nice big netblock to mess around with (in this case 193.144.0.0/14). Similar projects in the US would be CalREN, Internet2 and LambdaRail. 

I'm seeing what looks like malicious scanning from the RedIRIS netblock, like this:

**** - - [08/Sep/2014:18:54:34 -0400] "GET /muieblackcat HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:34 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:34 -0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:35 -0400] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:35 -0400] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:35 -0400] "GET //pma/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:36 -0400] "GET //mysql/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:36 -0400] "GET //scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:37 -0400] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:37 -0400] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:37 -0400] "GET //phpadmin/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:38 -0400] "GET //pma/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:38 -0400] "GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:39 -0400] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:39 -0400] "GET //web/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:39 -0400] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 15 "-" "-"
**** - - [08/Sep/2014:18:54:40 -0400] "GET //websql/scripts/setup.php HTTP/1.1" 404 15 "-" "-"

The traffic lacks the usual signs of IP spoofing. Spoofed scanning I come across tends to show multiple IPs attempting to make the same types of connections within a somewhat short period of time. With this, the access attempts are unique. If these connections are spoofed, they would be pointless - not enough connections to add any server load for a DoS attempt, and no way to route a reply. Days ago, and with another target host, I say an identical block of requests from a server in a California data center. This all points to a bot net looking to expand itself.

I've tried to contact RedIRIS, but they are a big organization and my Spanish is barely comprehensible. If anyone affiliated with RedIRIS, FIRST or CSUC reads this, please email me or leave a comment below with your email. I would be happy to provide additional data that would help to identify and remove the source of malicious traffic.

As many readers already know, the files this scan looks for should never be accessible to public traffic. Best practices indicate removing installation files once application install is completed. Keeping configuration files in uniquely named directories doesn't hurt, either.