Compare commits

11 Commits
hire ... main

5 changed files with 75 additions and 72 deletions

View File

@ -1,14 +0,0 @@
I've had a request to do some lunch-and-learns about the AniNIX, how we self-host, and how we manage some of our tools. We'll burn roughly the first 30-45 minutes talking through some concepts of how the AniNIX does what it does -- the rest of the time will be an open floor to ask anything you'd like.
We are going to use [Discord](https://discord.gg/2bmggfR), just for bandwidth reasons and ease of setup, to host the call.
* If you don't have a Discord account, it's pretty easy to sign up. Just swing by our Discord link and ask for the Lunch&Learn role after creating your account.
* We are taking questions by IRC for those folks looking for a little more anonymity.
Due to real-life obligations, the livestream portions are paused but we will be opening the floor for discussions each week with a commit and some discussion on its relevance. Hope to see you in the channel!
<!--
We are testing live-streaming to [Twitch](https://www.twitch.tv/darkfeather0664) and [YouTube](https://www.youtube.com/channel/UCe-WNM2mbI51xoVZp3K_wFQ). If you're interested but not ready to join the Discord community, those options are open to you.
-->
<!-- We hope to see you there! [Click this Google Calendar link](https://calendar.google.com/calendar/event?action=TEMPLATE&tmeid=bzk4YmplZWpvdW52NWNoZjZna2dtZTNlNWJfMjAyMzExMjNUMTgwMDAwWiBjeGZvcmRAbQ&tmsrc=cxford%40gmail.com&scp=ALL) to add it to your calendar -- we'll be meeting in the 1200-1300 [US Central](https://time.is/CT) block on Thursdays.
There's no listed schedule of topics right now -- request some on IRC or Discord!-->
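
Review bot: the commented-out Google Calendar link in this deleted block carries an account address in its `tmsrc` parameter, and deleting the file does not take that value out of the repository history or out of rendered compares like this one. If the address was not meant to be public, say so in the commit message and decide whether the history needs rewriting; otherwise the deletion is fine as it stands. The feed hunk later in this compare removes the matching "Lunch And Learns" entry, so also check the wiki for other inbound links to this article.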

View File

@ -1,3 +1,23 @@
These are cybersecurity and availability incidents that the AniNIX has had to remedy due to some failure in our detection and prevention systems within the last two years. These are cybersecurity and availability incidents that the AniNIX has had to remedy due to some failure in our detection and prevention systems within the last two years.
**Note**: We explicitly exclude routine incidents, such as IP's banned for SSH brute-force, files quarantined after virus scanning, and other routine housekeeping. We are also not including maintenance outages or short-term (<8 hours) ISP events. **Note**: We explicitly exclude routine incidents, such as IP's banned for SSH brute-force, files quarantined after virus scanning, and other routine housekeeping. We are also not including maintenance outages or short-term (<8 hours) ISP events.
# 2024MAY21 Major Local Power/Internet Outage
## Timeline
* 2024MAY21 20:29:47 -- Initial outage notification by FreshPing
* 2024MAY21 21:10:00 -- Outage notification by CloudNS
* 2024MAY22 06:55:00 -- Outage notification by Alliant Energy
* 2024MAY22 06:57:00 -- Outage notification by Spectrum ISP
* 2024MAY22 20:15:00 -- Power restoration notification from Alliant.
* 2024MAY22 22:11:00 -- Services restored.
## RCA
[Major storm](https://www.wisn.com/article/wisconsin-storm-aftermath-power-outages-damage/60865608) took out power and network across the region. Response teams from power & ISP were overwhelmed providing the response.
## Improvements
* Further business continuity design
* Generator installation at MSN0
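
Review bot: the entries under `## Timeline` carry no time zone, while the feed files in this compare use UTC (`Z`) timestamps; state the zone once under the heading so the nearly 26 hours between the first FreshPing alert and `Services restored` can be correlated with provider notices and log data. The two `## Improvements` bullets would also be easier to track with an owner or issue reference each, since `Further business continuity design` does not say what will change.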

View File

@ -61,15 +61,19 @@ GUI elements will generally be deployed by a Web page, as this is a cross-platfo
## Mobile Access Design ## Mobile Access Design
With the rise of the smartphone, remotely accessible services should offer a simple means via some app to reduce network traffic. The app interface should be intuitive and quick to use. With the rise of the smartphone, remotely accessible services should offer a simple means via some app to reduce network traffic. The app interface should be intuitive and quick to use.
## Accessibility
AniNIX will, within reason, attempt to make its pages as accessible as possible to those with disabilities. To this end, internally-written UI elements should attempt to [maintain ADA / WCAG compliance](https://www.ada.gov/resources/web-guidance/) -- audit tools [such as this one](https://www.accessibilitychecker.org/) can assist.
Additionally, our protocols-over-apps implementation preference with RSS, IRC, and Git should hopefully make the majority of our content accessible for anyone. This preference should allow designers to create tools to consume content irrespective of the method of perception or interaction for the user.
## Etymology ## Etymology
The AniNIX attaches a unique name, such as Sora for OpenLDAP or Yggdrasil for Emby, to packages and services it instantiates. The reason for this is that the name defines a scope of functionality the AniNIX expects to rely on -- should the underlying package change, such as replacing Plex Media Server with Emby, documentation and AniNIX packages will use the same name. The AniNIX attaches a unique name, such as Sora for OpenLDAP or Yggdrasil for Emby, to packages and services it instantiates. The reason for this is that the name defines a scope of functionality the AniNIX expects to rely on -- should the underlying package change, such as replacing Plex Media Server with Emby, documentation and AniNIX packages will use the same name. We also need a naming convention for unique code we are writing, like Uniglot & TheRaven
Names given should be chosen for relevance to the function being provided (Singularity being a pull service, Foundation being the basis on which we're built, etc.) and for ease of memory. Only the most basic services, such as IRC, WebServer, and SSH, will be left unnamed. These names are not intended to supersede the licensing or attribution of other packages -- applications, once installed, should only update the minimal allowable elements to be usable under AniNIX principles. Wherever possible, this should be done via the application's provided interface, such as enabling dark modes. We also should not remove any links that the application provides to its own documentation, licensing, or websites. This means that AniNIX etymology only applies to administrators and is otherwise invisible to end users. Where the AniNIX is deploying services created by others, we should only use the names in two places: DNS and Kapisi roles. This makes it possible for others to look up the service as we swap out tools without overriding the attribution once the service is accessed.
These names are not intended to supersede the licensing or attribution of other packages -- applications, once installed, should only update the minimal allowable elements to be usable under AniNIX principles. Wherever possible, this should be done via the application's provided interface, such as enabling dark modes. We also should not remove any links that the application provides to its own documentation, licensing, or websites. This means that AniNIX etymology only applies to administrators and is otherwise invisible to end users. Names given should be chosen for relevance to the function being provided (Singularity being a pull service, Foundation being the basis on which we're built, etc.) and for ease of memory. Only the most basic services, such as IRC, WebServer, and SSH, will be left unnamed. Additionally, these names should be selected from one of the following categories:
Additionally, these names should be selected from one of the following categories:
1. A natural phenomenon that describes the function, such as Singularity or Aether 1. A natural phenomenon that describes the function, such as Singularity or Aether
1. Mythological figures that provide wisdom (such as Odin for Yggdrasil, Raven, and Wolfpack), truth (like Wiccan Grimoire), and morality (such as Maat) 1. Mythological figures that provide wisdom (such as Odin for Yggdrasil, Raven, and Wolfpack), truth (like Wiccan Grimoire), and morality (such as Maat)
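
Review bot: in the reworked Etymology text, the added sentence `we should only use the names in two places: DNS and Kapisi roles` follows directly after `AniNIX etymology only applies to administrators and is otherwise invisible to end users`, but a DNS name is something end users see and type. Reword one of the two, for example by saying the names are not shown inside the applications themselves. The sentence added at the end of the first paragraph, `We also need a naming convention for unique code we are writing, like Uniglot & TheRaven`, is missing its period and reads as an open task rather than a rule; either state the convention or move it to an issue. In the new Accessibility section, naming the WCAG version and conformance level being targeted would make the audit repeatable.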

View File

@ -12,32 +12,33 @@
<id>https://aninix.net/</id> <id>https://aninix.net/</id>
<entry> <entry>
<title>Lunch-And-Learns Paused Until 2024FEB29</title> <title>Lunch-and-Learns Ended</title>
<link href="https://aninix.net/AniNIX/Wiki/commit/48e6e1b31adaf649d9f375570bd85109fa694d9b"></link> <link href="https://aninix.net/aninix.xml#lnl-ended"></link>
<updated>2023-10-23T04:09:00Z</updated> <updated>2024-04-25T17:21:00Z</updated>
<id>https://aninix.net/AniNIX/Wiki/commit/48e6e1b31adaf649d9f375570bd85109fa694d9b</id> <id>https://aninix.net/aninix.xml#lnl-ended</id>
<summary> <summary>
Lunch-and-learns are paused until February 29th -- I have real-life obligations that won't allow me to keep the streaming window. We will instead hold conversations in our Discord #tech channel. I'll post something there when I can and mention the Lunch&amp;Learn role with a commit of interest off the AniNIX projects. If you have questions you want to talk about, ask away! AniNIX will be ending the Lunch-and-Learn series for the time being -- we aren't seeing enough engagement, and admins will be otherwise tasked for the near future. Please still reach out on Discord or IRC if there are topics you want to talk about, or open an issue or merge request with your ideas.
</summary>
</entry>
<entry>
<title>Lunch-and-Learns Paused 20240502 through 20240627</title>
<link href="https://aninix.net/aninix.xml#lnl-pause-20240502"></link>
<updated>2024-04-25T17:21:00Z</updated>
<id>https://aninix.net/aninix.xml#lnl-pause-20240502</id>
<summary>
AniNIX will be pausing Lunch-and-Learns effective 20240502 through 20240627 for real-life training. We will merge AniNIX/Wiki#24 on our return.
</summary> </summary>
</entry> </entry>
<entry> <entry>
<title>Expanded Lunch-And-Learns</title> <title>CVE-2024-3094 Follow-up</title>
<link href="https://www.youtube.com/channel/UCe-WNM2mbI51xoVZp3K_wFQ#20231023"></link> <link href="https://aninix.net/aninix.xml#CVE-2024-3094"></link>
<updated>2023-10-23T04:09:00Z</updated> <updated>2024-04-17T20:15:00Z</updated>
<id>https://www.youtube.com/channel/UCe-WNM2mbI51xoVZp3K_wFQ#20231023</id> <id>https://aninix.net/aninix.xml#CVE-2024-3094</id>
<summary> <summary>
We are expanding our Lunch-and-Learns to both YouTube and Twitch in an attempt to reach more people. Lunch-and-learns will also move to Thursdays to try to better reach our existing contributors. AniNIX was informed of CVE-2024-3094 via our OSINT community on 2024-03-28 -- patching was completed in AniNIX/Maat on 2024-03-29 and in all systems the day after. Security review of our access logs in AniNIX/Sharingan do not indicate a compromise, using dork `"accepted" AND application_name:"sshd" AND NOT "Accepted publickey"` and others. We apologize for the delay in follow-up and transparency, but other considerations have required attention prior to this post.
</summary>
</entry>
<entry>
<title>Outage 2023-10-23</title>
<link href="https://aninix.net/AniNIX/Wiki/src/branch/main/Operation/Continuity.md#business-continuity"></link>
<updated>2023-10-23T04:09:00Z</updated>
<id>https://aninix.net/aninix.xml#20231024</id>
<summary>
We will have an extended outage 2023-10-24 0700 US Central until late in the evening, as our primary site is undergoing construction. Please watch #tech on Discord fo r tracking service recovery. During this time, please fall back on business continuity procedures to keep access to services provided by the AniNIX.
</summary> </summary>
</entry> </entry>
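
Review bot: the `CVE-2024-3094 Follow-up` summary rests its no-compromise conclusion on one named search for accepted sshd logins that are not `Accepted publickey`, plus unnamed `others`, and never says whether an affected package version was installed on any host before patching. Add that, together with the log window that was reviewed, so readers can judge the conclusion; `do not indicate` should also read `does not indicate`. The `Lunch-and-Learns Ended` and `Lunch-and-Learns Paused 20240502 through 20240627` entries share `<updated>2024-04-25T17:21:00Z</updated>` while announcing different outcomes, so give the later announcement a later timestamp or drop the superseded entry.
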
@ -51,36 +52,6 @@
</summary> </summary>
</entry> </entry>
<entry>
<title>How to Grow Your HomeLab</title>
<link href="https://foundation.aninix.net/AniNIX/Wiki/src/branch/main/Articles/Grow_Your_Homelab.md"></link>
<updated>2022-04-22T20:30:20Z</updated>
<id>https://foundation.aninix.net/AniNIX/Wiki/src/branch/main/Articles/Grow_Your_Homelab.md</id>
<summary>
For some folks who are just starting out, the initial cost of a complete HomeLab stack and the administration required is a bit much. This article is a growth plan for how to get started, what technologies and tools to buy/deploy first, etc.
</summary>
</entry>
<entry>
<title>Lunch And Learns</title>
<link href="https://foundation.aninix.net/AniNIX/Wiki/src/branch/main/Articles/Lunch-And-Learns.md"></link>
<updated>2022-04-14T20:30:20Z</updated>
<id>https://foundation.aninix.net/AniNIX/Wiki/src/branch/main/Articles/Lunch-And-Learns.md</id>
<summary>
I've had a request to do some lunch-and-learns about the AniNIX, how we self-host, and how we manage some of our tools. We'll burn roughly the first 30-45 minutes talking through some concepts of how the AniNIX does what it does -- the rest of the time will be an open floor to ask anything you'd like. If you're interested, swing by! Google Calendar link is on the article page.
</summary>
</entry>
<entry>
<title>The Complicated Cloud</title>
<link href="https://foundation.aninix.net/AniNIX/Wiki/src/branch/main/Articles/The_Complicated_Cloud.md"></link>
<updated>2022-02-17T16:30:20Z</updated>
<id>https://foundation.aninix.net/AniNIX/Wiki/src/branch/cloud/Articles/The_Complicated_Cloud.md</id>
<summary>
The AniNIX is a self-hosted system, as much as we can make it. However, because we don't operate in isolation, it's worth documenting how we use the cloud for what declassified information we replicate onto cloud stores and why we need some cloud services.
</summary>
</entry>
<entry> <entry>
<title>GPG Key Distribution</title> <title>GPG Key Distribution</title>
<link href="https://foundation.aninix.net/AniNIX/ShadowArch/src/branch/main/EtcFiles/aninix.gpg"></link> <link href="https://foundation.aninix.net/AniNIX/ShadowArch/src/branch/main/EtcFiles/aninix.gpg"></link>
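
Review bot: this hunk drops the `How to Grow Your HomeLab` and `The Complicated Cloud` entries together with `Lunch And Learns`, but the only article deletion visible in this compare matches the Lunch-and-Learns text. If the other two articles still exist, say in the commit message why they leave the feed; if they were removed as well, their deletion should be part of the same change so the feed and the tree stay in step.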

View File

@ -11,12 +11,34 @@
<id>https://aninix.net/</id> <id>https://aninix.net/</id>
<entry>
<title>200.28.54.71 and 186.107.199.1</title>
<link href="https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#200.28.54.71"></link>
<updated>2024-06-27T17:25:00Z</updated>
<id>https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#200.28.54.71</id>
<author><name>DarkFeather</name></author>
<summary>
Two Chilean IPs, 200.28.54.71 and 186.107.199.1, were observed using a wide spectrum of attacks, including network trojans, PHP file inclusion attempts, web shells, and Apache exploits, against our web front. Both showed a sophisticated and diverse exploit set, but neither were attempting to exploit toolchains used by our network. Both have been banned at edge. Total event count is 264.
</summary>
</entry>
<entry>
<title>84.239.54.49</title>
<link href="https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#84.239.54.49"></link>
<updated>2024-06-27T17:25:00Z</updated>
<id>https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#84.239.54.49</id>
<author><name>DarkFeather</name></author>
<summary>
A Romanian IP, 84.239.54.49, was detected pushing a variety of web application attacks and network trojan attempts against our web front. These were primarily Suricata/Snort signature 1:2016982:5 auto_prepend_file PHP config option in uri. We have no evidence that these attacks were successful. Total malicious attempts captured was 54.
</summary>
</entry>
<entry> <entry>
<title>2024MAR11 ACEVILLE PTELTD, Singapore</title> <title>2024MAR11 ACEVILLE PTELTD, Singapore</title>
<link href="https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#ACEVILLEPTELTD"></link> <link href="https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#ACEVILLEPTELTD"></link>
<updated>2024-03-11T07:52:00Z</updated> <updated>2024-03-11T07:52:00Z</updated>
<id>https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#ACEVILLEPTELTD</id> <id>https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#ACEVILLEPTELTD</id>
<author>DarkFeather</author> <author><name>DarkFeather</name></author>
<summary> <summary>
Provider "ACEVILLE PTELTD" from blocks 43.156.0.0/16, 43.134.0.0/15, 43.134.0.0/17 was detected trying to bruteforce our network with a distributed attack network. We are blocking these networks for malicious attempts in the hundreds. Provider "ACEVILLE PTELTD" from blocks 43.156.0.0/16, 43.134.0.0/15, 43.134.0.0/17 was detected trying to bruteforce our network with a distributed attack network. We are blocking these networks for malicious attempts in the hundreds.
</summary> </summary>
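
Review bot: the first new entry reports two addresses, 200.28.54.71 and 186.107.199.1, but its `<link>` and `<id>` fragment is `#200.28.54.71` only, so the second indicator cannot be referenced or deduplicated by consumers of the feed; split it into one entry per address or use a fragment that covers both. Neither new summary says when the activity was observed, and both entries share `<updated>2024-06-27T17:25:00Z</updated>`; an observation window would let readers match the stated counts (264 and 54) against their own logs. In the first summary, `neither were` should be `neither was`.
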
@ -27,7 +49,7 @@
<link href="https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#24.144.93.118"></link> <link href="https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#24.144.93.118"></link>
<updated>2023-11-17T03:30:00Z</updated> <updated>2023-11-17T03:30:00Z</updated>
<id>https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#24.144.93.118</id> <id>https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#24.144.93.118</id>
<author>DarkFeather</author> <author><name>DarkFeather</name></author>
<summary> <summary>
24.144.93.118/32 was detected using a network scanner against our external address. Total volume was 55 -- this action repeated on 2023-11-18 at 08:40Z. 24.144.93.118/32 was detected using a network scanner against our external address. Total volume was 55 -- this action repeated on 2023-11-18 at 08:40Z.
</summary> </summary>
@ -36,7 +58,7 @@
<entry> <entry>
<title>46.101.38.229/32</title> <title>46.101.38.229/32</title>
<link href="https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#46.101.38.229"></link> <link href="https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#46.101.38.229"></link>
<updated>2023-01-16T21:44:07Z</updated> <updated>2023-01-16T21:44:08Z</updated>
<id>https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#46.101.38.229</id> <id>https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml#46.101.38.229</id>
<summary> <summary>
46.101.38.229/32 was detected using a variety of attacks against our 80/tcp/http listener for AniNIX/WebServer. Suricata detection rules classified the incoming threats as a variety of SSH attacks -- total volume was 48. 46.101.38.229/32 was detected using a variety of attacks against our 80/tcp/http listener for AniNIX/WebServer. Suricata detection rules classified the incoming threats as a variety of SSH attacks -- total volume was 48.
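
Review bot: the only change in this hunk moves `<updated>` from `2023-01-16T21:44:07Z` to `2023-01-16T21:44:08Z` with no visible change to the entry content; if the one-second bump is there to make feed readers refetch the entry, say so in the commit message, otherwise revert it. As shown, the entry also has no `<author>` element between `<id>` and `<summary>`, unlike the entries in the two hunks above that gain `<author><name>DarkFeather</name></author>`.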