
Anyone know about ShadowServer.org Is it legitimate?

8 replies to this topic

#1 Carpentry


Posted 29 December 2017 - 02:58 AM

I visited their website and it claims to be an anti-malware/cybercrime website. I also visited this site: http://216.218.206.66/ and it gives the following message :

The Shadowserver Foundation
If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at a service that you have running.
The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have services running that should not be exposed because they are trivial to exploit or abuse. The goal of this project is to identify hosts that have these types of services exposed and report them back to the network owners for remediation.
Further details on this scanning project can be found on our blog at: http://blog.shadowserver.org/2014/03/28/the-scannings-will-continue-until-the-internet-improves/
Statistics on these scans can be found at: http://blog.shadowserver.org/2014/08/22/of-scannings-and-statistics/
If you would like to sign up for reports on any data that we have collected on your network, you can request them from here: https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
All of the probes that are used in our tests are benign and do not ( and will never ) contain exploit code. Scans with these types of tools are off-limits for us.
All the data that we collect is visible to anyone who connects to a particular host with on the proper port using the proper commands.
If you have any more questions please feel free to send us an email at: gro [tod] revreswodahs [ta] nacssnd

The Shadowserver Foundation

 

I visited the blog link, which listed the different ports that they scan, and clicked on "https://isakmpscan.shadowserver.org", which was listed under the port they were attempting to connect to on my PC. They call it the "Vulnerable ISAKMP Scanning Project". They mentioned it had something to do with Cisco routers and software and linked here from that page: IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products

 

The only Cisco files I have are Cisco EAP-FAST Module, Cisco LEAP Module, and Cisco PEAP Module, so I don't know what to make of this. But they attempted a UDP connection on something running under svchost through port 500. I had other connection attempts from "Shadow Server" and some blacklisted domains, but "Shadow Server" was the first one logged on my firewall.


Edited by Carpentry, 29 December 2017 - 03:14 AM.
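Added example, not code from the thread, Shadowserver or BleepingComputer: a small Python triage of Windows Firewall log rows (the pfirewall.log W3C layout) that answers the question this post raises, namely which sources probed UDP 500/4500 and whether the host firewall dropped the probe or let it through to whatever is bound on that port. The log rows are constructed; the only scanner address it labels is the one quoted above.

```python
"""Triage Windows Firewall log (pfirewall.log) rows for IKE/ISAKMP probes on UDP 500/4500."""
from collections import Counter, defaultdict

# The only scanner address quoted in the thread; other labels would be assumptions.
KNOWN_SCANNERS = {"216.218.206.66": "Shadowserver (self-identified scanner host)"}

# Constructed sample rows in the W3C column layout Windows Firewall writes.
SAMPLE_LOG = """#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-12-29 02:40:12 DROP UDP 216.218.206.66 192.168.1.10 40105 500 64 - - - - - - - RECEIVE
2017-12-29 02:40:13 DROP UDP 216.218.206.66 192.168.1.10 40106 4500 64 - - - - - - - RECEIVE
2017-12-29 02:41:02 ALLOW UDP 198.51.100.7 192.168.1.10 500 500 236 - - - - - - - RECEIVE
2017-12-29 02:41:05 ALLOW TCP 192.168.1.10 93.184.216.34 51234 443 0 - 0 0 0 - - - SEND
"""

def parse_pfirewall(text):
    """Yield one dict per data row, naming columns from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed row: skip rather than misalign columns
        yield dict(zip(fields, parts))

def triage_isakmp(text, ports=("500", "4500")):
    """Per source IP, count inbound UDP probes on the IKE ports and flag any let through.

    DROP: the host firewall blocked the probe, so nothing on the port was reachable.
    ALLOW: the probe was passed to whatever is bound there (on Windows normally the
    IKEEXT service inside svchost, which matches what the poster saw in the log).
    """
    hits = defaultdict(Counter)
    for row in parse_pfirewall(text):
        if row["path"] == "RECEIVE" and row["protocol"] == "UDP" and row["dst-port"] in ports:
            hits[row["src-ip"]][row["action"]] += 1
    return [{"src": src, "label": KNOWN_SCANNERS.get(src, "unknown source"),
             "drops": c["DROP"], "allows": c["ALLOW"], "reached_listener": c["ALLOW"] > 0}
            for src, c in hits.items()]

if __name__ == "__main__":
    for entry in triage_isakmp(SAMPLE_LOG):
        print(entry)
```

A source with only DROP counts never reached the service; a source with ALLOW counts did, and that is the case where it is worth checking what is listening on the port and whether it needs to be reachable from the internet at all.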



#2 Didier Stevens

Posted 29 December 2017 - 04:51 AM

Yes, they are legit, been around for at least 10 years, if I'm not mistaken.

 

Is this a corporate laptop with vpn connection?


Edited by Didier Stevens, 29 December 2017 - 04:53 AM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Carpentry

Posted 29 December 2017 - 04:51 PM

No, personal laptop. I am thinking about deleting the files since they don't appear to be essential.



#4 Didier Stevens

Posted 30 December 2017 - 08:48 AM

In what folder are these files located on your laptop?




#5 Carpentry

Posted 30 December 2017 - 01:30 PM

These three folders are in ProgramFiles(x86)/Cisco/

 

I read that I can re-install them using the driver for my laptop's wireless device and that they are probably not necessary.



#6 Didier Stevens

Posted 30 December 2017 - 03:11 PM

And what version of Windows is your laptop?




#7 Carpentry

Posted 30 December 2017 - 07:23 PM

I am running Windows 7 Home Premium. Are you thinking this could be something fishy or trying to determine whether the files are necessary?


Edited by Carpentry, 30 December 2017 - 07:25 PM.


#8 Didier Stevens

Posted 31 December 2017 - 03:23 AM

No, this is not fishy.

 

But just deleting the files can be difficult on Windows 10, and in general, just deleting files of unwanted software is not good practice. You are better off uninstalling the application (if you are 100% sure it is not needed).

 

Also, if the software is installed but you are 100% sure it is not running, then it does not increase your attack surface.


Edited by Didier Stevens, 31 December 2017 - 03:24 AM.



#9 Carpentry

Posted 02 January 2018 - 08:28 PM

Hmm, well I suspect it might have come with my Ethernet driver so I guess it might be running.

 

New Year's greetings
