Tons of Stretchoid IP ranges missing? #251
Comments
|
Hi! Yes they are a real cancer, and more it goes more I think that I need to build bash reporters. Would you adhere to such a reporting system? |
|
FYI, I currently use AbuseIPDB and this is how I obtained my IP list so far. I just discovered your project and I had a look at your Stretchoid IP list and this is what made me post this thread, just to point out that there are a lot more Stretchoid IP address ranges than what you have gathered so far. Maybe we should merge our lists together. I also have a huge list of other Internet "cancers" such as 3xK Tech GmbH scanners, Digital Ocean scanners, Alibaba Cloud scanners and many, many more. |
|
I would be very glad to have your help! for vendors not changing too often you can add lists here https://github.com/wdes/security/tree/main/data/collections I have to push my recent work on modernizing the code for different detections |
|
This is what I have so far that is 100% labelled as Stretchoid, but I have a lot more from Microsoft IP addresses that I suspect are Stretchoid, but are not officially labelled Stretchoid just yet (but maybe they will over the next few weeks, not sure). 4.151.38.0/24 # 2024-12-29 - Microsoft (stretchoid.com) |
|
How do you suspect an IP? |
|
Seems like stretchoid was kicked out of Digital Ocean and lives in AS8075. You could get a list of stretchoid IP ranges from Alienvault. # Get API KEY from https://otx.alienvault.com/settings
curl -H "X-OTX-API-KEY: $API_KEY" "https://otx.alienvault.com/api/v1/indicators/domain/stretchoid.com/passive_dns" > stretchoid.json
cat stretchoid.json | jq -r '."passive_dns"[]."address" | select(test("^\\d{1,3}(\\.\\d{1,3}){3}$")) | (split(".") | .[0:3] + ["0"] | join("."))' | sort -Vu |
|
The way this botnet works is that it will send more probes (from new IP addresses) whenever it finds that you blocked the previous ones. It's a chain system where each probe is queued. They send them sparingly, little by little, in a trickling manner. But when you block an IP, they will send another probe from a new IP. The more you block Stretchoid, the more you will receive new IP addresses from it. All one has to do is to run a website or any public facing server and have some kind of cron job that reads the logs and blacklists Stretchoid's IP addresses in CSF firewall (or any other programmable firewall). Whenever you blacklist a Stretchoid IP, then over the course of 12 hours, you will receive another Stretchoid IP and then another one and then another one... After 5 IP from the same 24-bit subnet (0/24) I blacklist the whole subnet to increase the chances of getting probed by IP addresses from new subnets I've never seen before. I've been "collecting" Microsoft Stretchoid IP addresses for 6 months now. Before that, they were using Digital Ocean's datacentres, but since last year, Microsoft saw an opportunity to even further prostitute themselves by leasing their unsold Azure IP space to Stretchoid. That's why I marked them as Microsoft, because before, they were labelled as Digital Ocean. You can say a big thanks to Microsoft for letting this happen and cashing in on it too! If you think Microsoft is there to protect you or your interests, think again. The sole reason they're in business is to make money. I've stopped using Microsoft products and services years ago and would never trust them with my personal information either, especially given the horrific, disastrous security holes legacy that has followed in almost every version of Windows so far, but anyway, I digress. To answer your question, Stretchoid will generally scan for open ports and this is how I generally catch them. I suspect that it's reselling or sharing this information with a bunch of Azure servers, because vulnerability scanners often come from Azure shortly after (the same day or the day after) and they scan for THOUSANDS of known PHP filenames and try to inject SQL in various, often inexistent, URL on our server. Note that if you do not block Stretchoid IP addresses, they will try again to scan a new port number almost every day. They usually go very slowly (between 1 to 10 ports per day per IP) in the hope of not getting caught. Also to note: If your server uses multiple WAN facing addresses, Stretchoid will try all of them, not just IP addresses tied to a particular website or service on your server. Here's an example of 2 new Stretchoid IP addresses that did a port scan on our server this afternoon. I'm not showing our IP addresses, but each of those screenshot contain 3 of our 5 public IP addresses: 
Stretchoid will also very briefly scan Apache servers, but rarely more than 2 or 3 requests and then it will just go silent for a day or more and probably try again. I think that they mainly do that to see if port 443 is open and to see how your 404 errors look like so they can sniff what web platform your server is using (Apache, NGINX, etc...) but I usually block them before they can come back so I'm not sure to what extent they would scan. All their requests are always obvious 404 nonsense. Example of an Apache request made by a Stretchoid IP:
|
|
A couple more new ones for you guys. Stay safe out there. 20.15.163.0/24 # 2025-05-23 - Microsoft (stretchoid.com) For those interested, I also literally just stumbled upon the following list, which seems to actively be kept up to date and it looks like they already have all the IP addresses that I have ever been scanned from, so this is legit: https://github.com/MDMCK10/internet-scanners/blob/main/strechoid.nft |
Hi, just posting this to try to help the security community. You are missing lots of Stretchoid IP ranges in https://security.wdes.eu/scanners/stretchoid.txt
I stopped comparing with my list very early on at the 4.0.0.0/16 range, but here are a few examples of what you're missing and I'm sure there are thousands more...
4.236.187.0/24 # 2025-03-15 - Microsoft (stretchoid.com)
4.236.188.0/24 # 2025-03-15 - Microsoft (stretchoid.com)
4.236.189.0/24 # 2025-03-15 - Microsoft (stretchoid.com)
4.236.190.0/24 # 2025-03-05 - Microsoft (stretchoid.com)
4.236.191.0/24 # 2025-04-04 - Microsoft (stretchoid.com)
4.246.227.0/24 # 2025-03-15 - Microsoft (stretchoid.com)
4.246.228.0/24 # 2025-03-15 - Microsoft (stretchoid.com)
I'm not posting this to blame you. Stretchoid is a real Internet cancer and I hope that the more they get blocked, the more their mysterious and anonymous "research project" ends.
The text was updated successfully, but these errors were encountered: