Mailing List Archive

Microsoft is hacking my Asterisk??? O_o
Hi All,

I have just seen a number of IPs trying to brute-force my VoIP server
from Microsoft network. For example, 13.90.148.133, 20.55.203.249,
40.76.244.210... Traceroute really goes to MSN. More than a half of all
usual attempts to hack my Asterisk I got today, came from MSN.

What is happening? Am I missed something?
Re: Microsoft is hacking my Asterisk??? O_o [ In reply to ]
Azure?




-----
Mike Hammett
Intelligent Computing Solutions

Midwest Internet Exchange

The Brothers WISP

----- Original Message -----

From: "Max Tulyev" <maxtul@netassist.ua>
To: nanog@nanog.org
Sent: Tuesday, November 3, 2020 1:55:45 PM
Subject: Microsoft is hacking my Asterisk??? O_o

Hi All,

I have just seen a number of IPs trying to brute-force my VoIP server
from Microsoft network. For example, 13.90.148.133, 20.55.203.249,
40.76.244.210... Traceroute really goes to MSN. More than a half of all
usual attempts to hack my Asterisk I got today, came from MSN.

What is happening? Am I missed something?
RE: Microsoft is hacking my Asterisk??? O_o [ In reply to ]
https://azure.microsoft.com/en-us/resources/knowledge-center/how-do-i-report-a-security-incident-or-abuse/

How do I report a security incident or abuse?
To report suspected security issues or abuse of Azure, please contact the cert.microsoft.com<https://portal.msrc.microsoft.com/engage/cars> team, which is available 24/7.


From: NANOG <nanog-bounces+chkuhtz=microsoft.com@nanog.org> On Behalf Of Mike Hammett
Sent: Tuesday, November 3, 2020 12:00 PM
To: Max Tulyev <maxtul@netassist.ua>
Cc: nanog@nanog.org
Subject: [EXTERNAL] Re: Microsoft is hacking my Asterisk??? O_o

Azure?


-----
Mike Hammett
Intelligent Computing Solutions<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.ics-il.com%2F&data=04%7C01%7Cchkuhtz%40microsoft.com%7C3a3d40dd12ef405010b508d880331f4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637400304348449036%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=PehbslJLV1QvoCFjaGcWmD8gx0st3Jt54u0CNhlXZfI%3D&reserved=0>
[http://www.ics-il.com/images/fbicon.png]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.facebook.com%2FICSIL&data=04%7C01%7Cchkuhtz%40microsoft.com%7C3a3d40dd12ef405010b508d880331f4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637400304348459032%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=NUTpWNYJIuFZatw4ZaMe8uxGV44JP%2FniICj7lndIdHc%3D&reserved=0>[http://www.ics-il.com/images/googleicon.png]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fplus.google.com%2F%2BIntelligentComputingSolutionsDeKalb&data=04%7C01%7Cchkuhtz%40microsoft.com%7C3a3d40dd12ef405010b508d880331f4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637400304348469032%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=pjnk46f1Kr6igjmDkAYxiO41EQoqwQ3Qi7kIFNAuj%2BU%3D&reserved=0>[http://www.ics-il.com/images/linkedinicon.png]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fintelligent-computing-solutions&data=04%7C01%7Cchkuhtz%40microsoft.com%7C3a3d40dd12ef405010b508d880331f4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637400304348469032%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=HvRDFSLR1FNb%2BF%2FhLV7MEs3pdo%2Fbcs9EBOxzciEE1ZM%3D&reserved=0>[http://www.ics-il.com/images/twittericon.png]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FICSIL&data=04%7C01%7Cchkuhtz%40microsoft.com%7C3a3d40dd12ef405010b508d880331f4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637400304348479024%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=IdsqBrq5mySWYXWY2PJCDEQx2uSfxnNS2krARMi8cX0%3D&reserved=0>
Midwest Internet Exchange<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.midwest-ix.com%2F&data=04%7C01%7Cchkuhtz%40microsoft.com%7C3a3d40dd12ef405010b508d880331f4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637400304348489036%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=zOxLFx7J2KciWAgUJeWsJrViINZ3kdAIuw0HybednwE%3D&reserved=0>
[http://www.ics-il.com/images/fbicon.png]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.facebook.com%2Fmdwestix&data=04%7C01%7Cchkuhtz%40microsoft.com%7C3a3d40dd12ef405010b508d880331f4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637400304348489036%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=hmOcqi2P%2BsLgTZkRk8sne37%2BrLFEBn9qeQ41DDTYWFU%3D&reserved=0>[http://www.ics-il.com/images/linkedinicon.png]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fmidwest-internet-exchange&data=04%7C01%7Cchkuhtz%40microsoft.com%7C3a3d40dd12ef405010b508d880331f4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637400304348499023%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Qxy89R1YH2YaaZSx2x2%2BKPcYTvxapCzvmmzZeq9RSlU%3D&reserved=0>[http://www.ics-il.com/images/twittericon.png]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fmdwestix&data=04%7C01%7Cchkuhtz%40microsoft.com%7C3a3d40dd12ef405010b508d880331f4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637400304348499023%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=klPXyp6TeXe%2FBGAtPwd%2B77zec2ws59ksDBCGwnhqvI4%3D&reserved=0>
The Brothers WISP<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.thebrotherswisp.com%2F&data=04%7C01%7Cchkuhtz%40microsoft.com%7C3a3d40dd12ef405010b508d880331f4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637400304348509023%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=7dQukUH7Fg3uaqhDsQybgJMExCoekPo7B57%2BVjK%2FYCU%3D&reserved=0>
[http://www.ics-il.com/images/fbicon.png]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.facebook.com%2Fthebrotherswisp&data=04%7C01%7Cchkuhtz%40microsoft.com%7C3a3d40dd12ef405010b508d880331f4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637400304348519019%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qXu0bFMKf3BsEDqWnObYo7t%2F13mqqPn9E%2BOT8MVfY5Q%3D&reserved=0>[http://www.ics-il.com/images/youtubeicon.png]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com%2Fchannel%2FUCXSdfxQv7SpoRQYNyLwntZg&data=04%7C01%7Cchkuhtz%40microsoft.com%7C3a3d40dd12ef405010b508d880331f4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637400304348519019%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qyRUtvkknUQQApqI%2BRmeQT%2FSm9QhEwOHmRdbX98YEMI%3D&reserved=0>
________________________________
From: "Max Tulyev" <maxtul@netassist.ua<mailto:maxtul@netassist.ua>>
To: nanog@nanog.org<mailto:nanog@nanog.org>
Sent: Tuesday, November 3, 2020 1:55:45 PM
Subject: Microsoft is hacking my Asterisk??? O_o

Hi All,

I have just seen a number of IPs trying to brute-force my VoIP server
from Microsoft network. For example, 13.90.148.133, 20.55.203.249,
40.76.244.210... Traceroute really goes to MSN. More than a half of all
usual attempts to hack my Asterisk I got today, came from MSN.

What is happening? Am I missed something?
Re: Microsoft is hacking my Asterisk??? O_o [ In reply to ]
I've seen that, a shared IP on Azure that hit my honeypot IP. Ended up
being an Xbox authentication IP address one day.

Josh Luthman
24/7 Help Desk: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Tue, Nov 3, 2020 at 2:59 PM Mike Hammett <nanog@ics-il.net> wrote:

> Azure?
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
> *From: *"Max Tulyev" <maxtul@netassist.ua>
> *To: *nanog@nanog.org
> *Sent: *Tuesday, November 3, 2020 1:55:45 PM
> *Subject: *Microsoft is hacking my Asterisk??? O_o
>
> Hi All,
>
> I have just seen a number of IPs trying to brute-force my VoIP server
> from Microsoft network. For example, 13.90.148.133, 20.55.203.249,
> 40.76.244.210... Traceroute really goes to MSN. More than a half of all
> usual attempts to hack my Asterisk I got today, came from MSN.
>
> What is happening? Am I missed something?
>
>
Re: Microsoft is hacking my Asterisk??? O_o [ In reply to ]
Yo Max!

On Tue, 3 Nov 2020 21:55:45 +0200
Max Tulyev <maxtul@netassist.ua> wrote:

> I have just seen a number of IPs trying to brute-force my VoIP server
> from Microsoft network. For example, 13.90.148.133, 20.55.203.249,
> 40.76.244.210... Traceroute really goes to MSN. More than a half of
> all usual attempts to hack my Asterisk I got today, came from MSN.

I have also been sing that for a few weeks.

My assumption is they let Azure customers hack all they want. They
ignore email complaints.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin
Re: Microsoft is hacking my Asterisk??? O_o [ In reply to ]
No it's not Microsoft. Welcome to the internet. It's probably someone on
Azure trying to find vulnerable systems. Have a look at some of the Videos
from Astricon explaining the pitfalls of voip fraud and security.

https://www.youtube.com/watch?v=9Wzzlo1kfTQ (disclaimer: that's my talk)
https://www.youtube.com/watch?v=CCDqpJc2aXQ
https://www.youtube.com/watch?v=h5Fw70KzAls
https://www.youtube.com/watch?v=hLFz8mlmKIY




On Tue, Nov 3, 2020 at 2:55 PM Max Tulyev <maxtul@netassist.ua> wrote:

> Hi All,
>
> I have just seen a number of IPs trying to brute-force my VoIP server
> from Microsoft network. For example, 13.90.148.133, 20.55.203.249,
> 40.76.244.210... Traceroute really goes to MSN. More than a half of all
> usual attempts to hack my Asterisk I got today, came from MSN.
>
> What is happening? Am I missed something?
>
Re: Microsoft is hacking my Asterisk??? O_o [ In reply to ]
Ah, so then potentially spoofed, trying to get people to honeypot blacklist XBox.




-----
Mike Hammett
Intelligent Computing Solutions

Midwest Internet Exchange

The Brothers WISP

----- Original Message -----

From: "Josh Luthman" <josh@imaginenetworksllc.com>
To: "Mike Hammett" <nanog@ics-il.net>
Cc: "Max Tulyev" <maxtul@netassist.ua>, "NANOG list" <nanog@nanog.org>
Sent: Tuesday, November 3, 2020 2:03:01 PM
Subject: Re: Microsoft is hacking my Asterisk??? O_o


I've seen that, a shared IP on Azure that hit my honeypot IP. Ended up being an Xbox authentication IP address one day.





Josh Luthman
24/7 Help Desk: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373



On Tue, Nov 3, 2020 at 2:59 PM Mike Hammett < nanog@ics-il.net > wrote:




Azure?




-----
Mike Hammett
Intelligent Computing Solutions

Midwest Internet Exchange

The Brothers WISP



From: "Max Tulyev" < maxtul@netassist.ua >
To: nanog@nanog.org
Sent: Tuesday, November 3, 2020 1:55:45 PM
Subject: Microsoft is hacking my Asterisk??? O_o

Hi All,

I have just seen a number of IPs trying to brute-force my VoIP server
from Microsoft network. For example, 13.90.148.133, 20.55.203.249,
40.76.244.210... Traceroute really goes to MSN. More than a half of all
usual attempts to hack my Asterisk I got today, came from MSN.

What is happening? Am I missed something?
Re: Microsoft is hacking my Asterisk??? O_o [ In reply to ]
Yo Christian!

On Tue, 3 Nov 2020 20:02:06 +0000
Christian Kuhtz via NANOG <nanog@nanog.org> wrote:

> To report suspected security issues or abuse of Azure, please contact
> the cert.microsoft.com<https://portal.msrc.microsoft.com/engage/cars>
> team, which is available 24/7.

Useless.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin
RE: [EXTERNAL] Re: Microsoft is hacking my Asterisk??? O_o [ In reply to ]
Sorry, why is this useless?


-----Original Message-----
From: NANOG <nanog-bounces+chkuhtz=microsoft.com@nanog.org> On Behalf Of Gary E. Miller
Sent: Tuesday, November 3, 2020 12:06 PM
To: Christian Kuhtz via NANOG <nanog@nanog.org>
Subject: [EXTERNAL] Re: Microsoft is hacking my Asterisk??? O_o

Yo Christian!

On Tue, 3 Nov 2020 20:02:06 +0000
Christian Kuhtz via NANOG <nanog@nanog.org> wrote:

> To report suspected security issues or abuse of Azure, please contact
> the cert.microsoft.com<https://portal.msrc.microsoft.com/engage/cars>
> team, which is available 24/7.

Useless.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin
Re: [EXTERNAL] Re: Microsoft is hacking my Asterisk??? O_o [ In reply to ]
Yo Christian!

On Tue, 3 Nov 2020 20:22:59 +0000
Christian Kuhtz <chkuhtz@microsoft.com> wrote:

> Sorry, why is this useless?

Because Azure never, ever, acts on my complaints. None of the
large number I have sent.

>
>
> -----Original Message-----
> From: NANOG <nanog-bounces+chkuhtz=microsoft.com@nanog.org> On Behalf
> Of Gary E. Miller Sent: Tuesday, November 3, 2020 12:06 PM
> To: Christian Kuhtz via NANOG <nanog@nanog.org>
> Subject: [EXTERNAL] Re: Microsoft is hacking my Asterisk??? O_o
>
> Yo Christian!
>
> On Tue, 3 Nov 2020 20:02:06 +0000
> Christian Kuhtz via NANOG <nanog@nanog.org> wrote:
>
> > To report suspected security issues or abuse of Azure, please
> > contact the
> > cert.microsoft.com<https://portal.msrc.microsoft.com/engage/cars>
> > team, which is available 24/7.
>
> Useless.
>
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
> gem@rellim.com Tel:+1 541 382 8588
>
> Veritas liberabit vos. -- Quid est veritas?
> "If you can't measure it, you can't improve it." - Lord Kelvin




RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin
Re: Microsoft is hacking my Asterisk??? O_o [ In reply to ]
we have seen 8.8.8.8 end up on some ban lists.


On Tue, Nov 3, 2020 at 3:17 PM Mike Hammett <nanog@ics-il.net> wrote:

> Ah, so then potentially spoofed, trying to get people to honeypot
> blacklist XBox.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
> *From: *"Josh Luthman" <josh@imaginenetworksllc.com>
> *To: *"Mike Hammett" <nanog@ics-il.net>
> *Cc: *"Max Tulyev" <maxtul@netassist.ua>, "NANOG list" <nanog@nanog.org>
> *Sent: *Tuesday, November 3, 2020 2:03:01 PM
> *Subject: *Re: Microsoft is hacking my Asterisk??? O_o
>
> I've seen that, a shared IP on Azure that hit my honeypot IP. Ended up
> being an Xbox authentication IP address one day.
>
> Josh Luthman
> 24/7 Help Desk: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
>
> On Tue, Nov 3, 2020 at 2:59 PM Mike Hammett <nanog@ics-il.net> wrote:
>
>> Azure?
>>
>>
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions <http://www.ics-il.com/>
>> <https://www.facebook.com/ICSIL>
>> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
>> <https://www.linkedin.com/company/intelligent-computing-solutions>
>> <https://twitter.com/ICSIL>
>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>> <https://www.facebook.com/mdwestix>
>> <https://www.linkedin.com/company/midwest-internet-exchange>
>> <https://twitter.com/mdwestix>
>> The Brothers WISP <http://www.thebrotherswisp.com/>
>> <https://www.facebook.com/thebrotherswisp>
>> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
>> ------------------------------
>> *From: *"Max Tulyev" <maxtul@netassist.ua>
>> *To: *nanog@nanog.org
>> *Sent: *Tuesday, November 3, 2020 1:55:45 PM
>> *Subject: *Microsoft is hacking my Asterisk??? O_o
>>
>> Hi All,
>>
>> I have just seen a number of IPs trying to brute-force my VoIP server
>> from Microsoft network. For example, 13.90.148.133, 20.55.203.249,
>> 40.76.244.210... Traceroute really goes to MSN. More than a half of all
>> usual attempts to hack my Asterisk I got today, came from MSN.
>>
>> What is happening? Am I missed something?
>>
>>
>
Re: Microsoft is hacking my Asterisk??? O_o [ In reply to ]
When I had honeypot blacklisting for my whole network, I ran across people spoofing the Google authoritative name servers.




-----
Mike Hammett
Intelligent Computing Solutions

Midwest Internet Exchange

The Brothers WISP

----- Original Message -----

From: "Dovid Bender" <dovid@telecurve.com>
To: "Mike Hammett" <nanog@ics-il.net>
Cc: "Josh Luthman" <josh@imaginenetworksllc.com>, "NANOG list" <nanog@nanog.org>
Sent: Tuesday, November 3, 2020 2:47:58 PM
Subject: Re: Microsoft is hacking my Asterisk??? O_o


we have seen 8.8.8.8 end up on some ban lists.




On Tue, Nov 3, 2020 at 3:17 PM Mike Hammett < nanog@ics-il.net > wrote:




Ah, so then potentially spoofed, trying to get people to honeypot blacklist XBox.




-----
Mike Hammett
Intelligent Computing Solutions

Midwest Internet Exchange

The Brothers WISP



From: "Josh Luthman" < josh@imaginenetworksllc.com >
To: "Mike Hammett" < nanog@ics-il.net >
Cc: "Max Tulyev" < maxtul@netassist.ua >, "NANOG list" < nanog@nanog.org >
Sent: Tuesday, November 3, 2020 2:03:01 PM
Subject: Re: Microsoft is hacking my Asterisk??? O_o


I've seen that, a shared IP on Azure that hit my honeypot IP. Ended up being an Xbox authentication IP address one day.





Josh Luthman
24/7 Help Desk: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373



On Tue, Nov 3, 2020 at 2:59 PM Mike Hammett < nanog@ics-il.net > wrote:

<blockquote>


Azure?




-----
Mike Hammett
Intelligent Computing Solutions

Midwest Internet Exchange

The Brothers WISP



From: "Max Tulyev" < maxtul@netassist.ua >
To: nanog@nanog.org
Sent: Tuesday, November 3, 2020 1:55:45 PM
Subject: Microsoft is hacking my Asterisk??? O_o

Hi All,

I have just seen a number of IPs trying to brute-force my VoIP server
from Microsoft network. For example, 13.90.148.133, 20.55.203.249,
40.76.244.210... Traceroute really goes to MSN. More than a half of all
usual attempts to hack my Asterisk I got today, came from MSN.

What is happening? Am I missed something?





</blockquote>