Internet mapping and research outfit Censys reveals state-based abuse, harassment

Censys Inc, vendor of the popular Censys internet-mapping tool, has revealed that state-based actors are trying to abuse its services by hiding behind academic researchers. Censys started life in 2015 as an academic project that aimed to scan the internet and provide data to the research community. In 2017 the project formed a …

  1. This post has been deleted by its author

    1. Goodwin Sands

      Re: How ironic!

      100% agree.

      Ydy for instance 1372 connection attempts from censys to my dual-homed mail server. 775 over one connection, 597 over the other.

      Connections (ydy) were from 6 /24's

      162.142.125.0

      167.94.138.0

      167.94.145.0

      167.94.146.0

      199.45.154.0

      206.168.34.0

      48% of attempts resolved to censys-scanner.com, 52% to nxd.

      And this goes on day after day, and has done for years.

      Connections attempts from censys total 7% of all connections attempts I see, and I imagine it'll be about same for everyone else not behind CGNAT.

      Censys (and others doing same) have a complete flippin' cheek doing it.

    2. HXO

      Re: How ironic!

      Not saying Censys is not bothering you, but I only see the below GETs from them in logs. Frequency about once a week.

      /

      /.well-known/security.txt

      /favicon.ico

      /icon.png

      /login

      /robots.txt

      /security.txt

      /sitemap.xml

      /wiki

      Maybe because I have no server info in response headers?

    3. Sp1z

      Re: How ironic!

      Oh cool another one for my block_ips_by_asn.sh script:

      AS398324

      162.142.125.0/24

      167.248.133.0/24

      167.94.138.0/24

      206.168.32.0/24

      206.168.33.0/24

      206.168.34.0/24

      206.168.35.0/24

      66.132.148.0/24

      66.132.153.0/24

      66.132.159.0/24

      1. Steve Foster

        Re: How ironic!

        You can cut that list by a few entries as the 206.138.x.x /24 blocks are contiguous and can be merged into a single /22 block.

        And Censys have two other ASNs [that I know of] - 398705 & 398722.
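The merge suggested in the reply above, worked through on the two prefix lists posted in this thread, as an added example that is not part of any comment. It assumes the bare addresses in the first list are /24s, as their poster describes them, and the set name `scanner_block` is a made-up placeholder.

```python
import ipaddress

# Prefixes as posted in the thread. The first list was given as bare
# network addresses described as /24s, so the mask is added here.
LIST_A = ["162.142.125.0", "167.94.138.0", "167.94.145.0",
          "167.94.146.0", "199.45.154.0", "206.168.34.0"]
LIST_B = ["162.142.125.0/24", "167.248.133.0/24", "167.94.138.0/24",
          "206.168.32.0/24", "206.168.33.0/24", "206.168.34.0/24",
          "206.168.35.0/24", "66.132.148.0/24", "66.132.153.0/24",
          "66.132.159.0/24"]


def parse(entries, default_len=24):
    """Turn strings into networks; strict=True rejects host bits set."""
    nets = set()
    for e in entries:
        cidr = e if "/" in e else f"{e}/{default_len}"
        nets.add(ipaddress.ip_network(cidr, strict=True))
    return nets


def aggregate(nets):
    """Fewest CIDRs covering exactly the same addresses, sorted."""
    return sorted(ipaddress.collapse_addresses(nets))


def coverage(nets):
    """Number of addresses covered; input must be non-overlapping."""
    return sum(n.num_addresses for n in nets)


def ipset_restore(nets, set_name="scanner_block"):
    """Lines for `ipset restore`; the set name is a made-up placeholder."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {n}" for n in nets]
    return "\n".join(lines)


if __name__ == "__main__":
    before = parse(LIST_A) | parse(LIST_B)
    after = aggregate(before)
    # Aggregation must never widen a block list beyond what was listed.
    assert coverage(before) == coverage(after)
    print(f"{len(before)} prefixes -> {len(after)}")
    print(ipset_restore(after))
```

The four contiguous 206.168.x.0/24 entries collapse into 206.168.32.0/22, while 167.94.145.0/24 and 167.94.146.0/24 stay separate because they are adjacent but do not share an aligned /23.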

    4. Anonymous Coward

      Re: How ironic!

      Good to know where these scans come from, and their utility (from the paper PDF for SIGCOMM):

      "in October 2024, Censys identified SCADA user interfaces (HMIs) for water distribution networks belonging to 268 U.S. towns and cities that allowed unauthenticated manipulation; the U.S. Environmental Protection Agency (EPA), with assistance from state water administrators, worked with utilities to remove over 97% of these HMIs"

      (Another example: 8,000+ Asus routers mystery botnet identified by Censys search, iiuc, ...)

  2. amanfromMars 1 Silver badge

    Even the slowest of slow horses have bolted from that draughty old rotten stable

    ‘Universities are being used to proxy offensive government operations, turning research access decisions political’

    Such is long ago well known to be both the destiny and fate of any illuminating research, and thus be why nowadays is access to sensitive and top secret research/information/intelligence a closed private affair for exclusive global executive administration being diligently denied by all means possible and imaginable to offensive government officers/bellicose political puppets and pathetic public muppets.

    And that is not a question shared for future verification. It is a current and presently difficult unverifiable fact and poses any perverse elite and corrupted political office systems a dire straits existential threat if not treated and afforded with every necessary courtesy acknowledging the radical fundamental and revolutionary change of state in universal circumstances.

    1. Anonymous Coward

      Re: Even the slowest of slow horses have bolted from that draughty old rotten stable

      Machine translation? Try new software, doesn't read well in English.

      1. amanfromMars 1 Silver badge

        Re: Re: Even the slowest of slow horses have bolted from that draughty old rotten stable

        Machine translation? Try new software, doesn't read well in English. .... Anonymous Coward

        The English is easily read, AC, therefore the difficulty you have is probably private and certainly personal and shared as you are apparently displaying a deficit of comprehensive understanding. Tackle it in smaller bits and/or byte size pieces and that can be helpful.

        Would it be easier for you if Google Translated into Chinese (traditional) ‽ .....

        眾所周知,任何啟發性的研究都注定要經歷這樣的命運。正因如此,如今獲取敏感且絕密的研究/資訊/情報,已成為全球行政部門專屬的私人事務,並被竭盡所能地拒絕讓那些咄咄逼人的政府官員/好戰的政治傀儡和可悲的公眾傀儡獲取。

        而這個問題並非為了將來的驗證而公開。這是一個當下難以驗證的事實,如果不以一切必要的禮遇來對待和承認普遍情況下國家發生的根本性和革命性變革,它將對任何腐敗的精英和腐敗的政治辦公系統構成可怕的生存威脅。

        .... or how about a DeepL leap with a translation into Russian ....

        Давно известно, что это судьба и рок любого просветительского исследования, и именно поэтому в настоящее время доступ к конфиденциальной и строго секретной информации/разведданным является закрытым частным делом, доступным исключительно для глобальной исполнительной власти, который всеми возможными и мыслимыми средствами тщательно скрывают от агрессивных правительственных чиновников/воинственных политических марионеток и жалких публичных марионеток.

        И это не вопрос, который можно проверить в будущем. Это актуальный и в настоящее время труднопроверяемый факт, который представляет собой серьезную угрозу существованию любой извращенной элиты и коррумпированной политической системы, если к нему не отнестись с должным уважением и не признать радикальные фундаментальные и революционные изменения в государстве в универсальных обстоятельствах.

        Переведено с помощью DeepL.com (бесплатная версия)

        ...... or are those also somewhat too alien for you to make good and great use of?

        1. Anonymous Coward

          Re: Even the slowest of slow horses have bolted from that draughty old rotten stable

          The French version is definitely the most readable (yet as dubious):

          Tel est depuis longtemps bien connu le destin et le sort de toute recherche éclairante, et c'est pourquoi aujourd'hui l'accès à des recherches/informations/renseignements sensibles et top secrets est une affaire privée fermée réservée à l'administration exécutive mondiale exclusive, refusée avec diligence par tous les moyens possibles et imaginables aux agents gouvernementaux offensants/marionnettes politiques belliqueuses et aux marionnettes publiques pathétiques.

        2. Anonymous Coward

          Re: Even the slowest of slow horses have bolted from that draughty old rotten stable

          @amanfromMars 1

          In Trump dialect: Simple and direct speech good. Convoluted BS bad. You're bad man, a very bad man, we should do something about bad men.

    2. TimMaher Silver badge

      Re: “slow horses”

      New series starts on the 24th @AMFM.

      Brilliant.

    3. Philo T Farnsworth Silver badge

      Re: Even the slowest of slow horses have bolted from that draughty old rotten stable

      Why all the downvotes, folks? Dire Straits was a pretty decent band[1], though I admit I must've missed the release of "Existential Threat." I'll have to look that up in their back catalog.

      ___________

      [1] Per Douglas Adams, "Mark Knopfler has an extraordinary ability to make a Schechter Custom Stratocaster hoot and sing like the angels on a Saturday night, exhausted from being good all week and needing a stiff drink." And anything good enough for Douglas Adams is good enough for me.

      1. amanfromMars 1 Silver badge

        Tilting at Windmills has One Forever Achieving Nothing Positive and Worthwhile.

        Why all the downvotes, folks? .... Philo T Farnsworth

        One is fortunate indeed, Philo T Farnsworth, whenever unexplained negativity and its allied master and monster of unreasonable dislike can so readily render one extraordinarily further strengthened and undaunted and have one able to enjoy the wallows of truth which you yourself have also discovered whenever others may disagree with your views and opinions and find them, for whatever reasons held dark and secret and unshared, unworthy of their support and agreement.

        I revel in your downvotes but facts are facts. ...... https://forums.theregister.com/forum/all/2025/08/27/chatgpt_has_a_problem_with/#c_5134116

        PS ... To all of you Anonymous Cowards and serial silent downvoters of comments out there, El Reg provides you with a global platform easily able to effectively deliver all of the elements and levers of future practical and ethereal virtual change, so let's hear and see your voice rather than it being assumed, by virtue of its non-appearance, greater general humanity hasn't a clue about what to do about what is being done both either threatening and/or directly effecting the future available programmed paths and long programming marches of their existence ...... although quite whether humanity be ever able or enabled to lead and driver such as be akin to an Almighty Intervention is something to ponder on and wonder at.

        1. KnockKnock

          Re: Tilting at Windmills has One Forever Achieving Nothing Positive and Worthwhile.

          What the actual fuck are you babbling about? Enough already.

    4. Anonymous Coward

      Re: Even the slowest of slow horses have bolted from that draughty old rotten stable

      Why was this unintelligible comment upvoted?

  3. Reginald O.

    Build that Wall!

    The solution seems easy enough: Deny all requests from places like CHINA that abuse data privileges.

    I would use the one strike and you're out rule.

    In other words, if we catch you doing something shady, one time, you are OUT!

    Ditto for slop requests: Do it right, or don't do it at all!

    Do I have to think of everything for you guys?

    1. Gene Cash Silver badge

      Re: Build that Wall!

      I have .cn and .ru blocked by default. Attacks on my ssh port dropped dramatically.

      1. drankinatty

        Re: Build that Wall!

        Moving ssh to a high port takes care of 99% of the bad guys, and if you want to take care of the other 1%, you can implement port-knocking to enable ssh only after the proper sequence of knocks is received. I too am fairly strict on geographic blocking, but I tend to only do that by CIDR rather than top-level domain. Though no approach is perfect. The fragmentation and resale of IPv4 blocks has made it almost impossible to get a consistent listing of geographic origin anymore.

        Says a lot about humanity when you look at what the internet has become since the naive days when Mosaic was the only browser in town ... and what it says about humanity, isn't good.

  4. drankinatty

    These "Research" Companies are a Cancer

    Censys, Shodan, Digital Ocean and the lot are a research cancer that has grown on the internet that abuses and then catalogs your IP and public-facing services and makes that information available to the bad guys for free. I have near daily fail2ban bans of IPs similar to (among other services):

    "2025-08-31T01:11:13.452946-05:00 valkyrie postfix/smtpd[19354]: improper command pipelining after CONNECT from 216-131-108-38.zrh.as62651.net[216.131.108.38]: €€ü[WË8…z*)QáÙ©·85§Ž7°ÂÏÄ øµQC ıÃB¶’ºBx³¶2唾6쬡ÄÜv—K“Ô€>À,À0€ŸÌ©Ì¨ÌªÀ+À/"

    or

    "2025-08-31T09:10:49.166588-05:00 valkyrie postfix/smtpd[25479]: improper command pipelining after CONNECT from unknown[104.248.30.84]: ¥€¡fi.baßÞ!P _ эÐÀД¦Í²½K˜dwÂ} s7òöó£ãÕ“©—m§‘í[׿€3™t 怊€€gÀžÀ¢€ž€9€kÀŸÀ£€Ÿ"

    If you check the information collected, not only do they provide complete reports on the services, but also the software running behind them, version and patch-level (e.g. PHP, etc..). No wonder the bad actors flock to these "research" sites, they do most of the work for them.

    Further, very few of these "research" sites provide an "opt-out" by providing a list of IPs they operate on (I can think of one that does). I've literally got ipset lists with hundreds and hundreds of IPs from researcher's past IPs that have been blocked, but it is just a temporary game of whack-a-mole.

    There is a fine line between "research" and "hacking", and these sites fall further toward the latter.
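A way to tally postfix entries like the two quoted above by source /24 and by missing reverse name, the kind of per-block count given earlier in the thread, as an added example that is not part of any comment. The sample lines are constructed with documentation addresses and placeholder host names, the payload after the final colon is replaced by `<bytes>`, and the /24 and /64 grouping sizes are an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format of the postfix entries quoted
# above; hosts and addresses are RFC 5737 / example.net placeholders and
# the payload after the final colon is replaced by "<bytes>".
SAMPLE_LOG = """\
2025-08-31T01:11:13-05:00 mx postfix/smtpd[101]: improper command pipelining after CONNECT from scan1.example.net[192.0.2.38]: <bytes>
2025-08-31T01:12:02-05:00 mx postfix/smtpd[102]: connect from mail.example.org[198.51.100.7]
2025-08-31T09:10:49-05:00 mx postfix/smtpd[103]: improper command pipelining after CONNECT from unknown[192.0.2.84]: <bytes>
2025-08-31T09:11:30-05:00 mx postfix/smtpd[104]: improper command pipelining after CONNECT from unknown[203.0.113.9]: <bytes>
"""

LINE = re.compile(
    r"postfix/smtpd\[\d+\]: improper command pipelining after \S+ "
    r"from (?P<host>\S+?)\[(?P<ip>[0-9A-Fa-f:.]+)\]")


def offenders(log_text):
    """Yield (hostname, ip_address) for each pipelining-violation line."""
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        try:
            yield m["host"], ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # bracketed text was not an IP address; skip the line


def summarize(log_text):
    """Count violations per source block and how many had no verified name."""
    per_block, no_ptr, total = Counter(), 0, 0
    for host, ip in offenders(log_text):
        plen = 24 if ip.version == 4 else 64  # grouping size is a choice
        block = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        per_block[str(block)] += 1
        no_ptr += host == "unknown"  # postfix logs this without a verified name
        total += 1
    return per_block, no_ptr, total


if __name__ == "__main__":
    blocks, no_ptr, total = summarize(SAMPLE_LOG)
    for block, n in blocks.most_common():
        print(f"{block:20} {n:3}  {100 * n / total:.0f}%")
    print(f"no reverse DNS: {no_ptr}/{total}")
```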
