IP Address 203.115.71.150
is listed in the CBL. It shows signs of being infected with a spam-sending trojan, malicious link or some other form of botnet.
It was last detected at 2015-06-12 12:00 GMT (+/- 30 minutes), approximately 1 day, 10 hours, 30 minutes ago.
This IP is infected (or NATting for a computer that is infected) with the Conficker botnet.
More information about Conficker can be obtained from Wikipedia.
Please follow these instructions.
DShield has a diary item containing many third-party resources, especially removal tools such as Norton Power Eraser, Stinger, MSRT etc.
One of the most critical items is to make sure that all of your computers have the MS08-067 patch installed. But even with the patch installed, machines can get reinfected.
There are several ways to identify Conficker infections remotely. For a fairly complete approach, see Sophos.
If you have full firewall logs turned on at the time of detection, this may be sufficient to find the infection on a NAT:
Your IP was observed making connections to TCP/IP IP address 216.66.15.114 (a Conficker sinkhole) with a destination port 80, source port (for this detection) of 51518 at exactly 2015-06-12 12:09:13 (UTC). All of our detection systems use NTP for time synchronization, so the timestamp should be accurate within one second.
If you don't have full firewall logging, perhaps you can set up a firewall block/log of all access (any port) to IP address 216.66.15.114 and keep watch for hits.
WARNING: DO NOT simply block access to 216.66.15.114 and expect to not get listed again. There are many Conficker sinkholes - some move around and even we don't know where they all are. Blocking access to just one sinkhole does not mean that you have blocked all sinkholes, so relistings are possible. You have to monitor your firewall logs, identify the infected machine, and repair it if you wish to remain delisted.
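The firewall-log search described above, as an added example (not part of the CBL listing): it scans iptables-style gateway log lines for TCP connections to the sinkhole on port 80, flags the ones that fall within a small clock-skew window of the detection timestamp, and ranks the internal hosts to check first. The log lines are constructed sample data; the log timestamps are assumed to be UTC, and the source-port match is only a tiebreaker because the port the CBL saw is the post-NAT port.

```python
import re
from datetime import datetime, timedelta, timezone

# Values from the listing above: sinkhole, port and timestamp of the observed connection.
SINKHOLE_IP, SINKHOLE_PORT, SEEN_SOURCE_PORT = "216.66.15.114", 80, 51518
DETECTED_AT = datetime(2015, 6, 12, 12, 9, 13, tzinfo=timezone.utc)

# Constructed iptables-style log lines from a hypothetical NAT gateway (sample data).
SAMPLE_LOGS = """\
Jun 12 12:05:41 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=93.184.216.34 PROTO=TCP SPT=49152 DPT=443
Jun 12 12:09:13 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=216.66.15.114 PROTO=TCP SPT=51518 DPT=80
Jun 12 12:09:20 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=216.66.15.114 PROTO=TCP SPT=50001 DPT=80
Jun 12 13:40:02 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=216.66.15.114 PROTO=TCP SPT=51600 DPT=80
"""

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def find_sinkhole_hits(log_text, sinkhole_ip, sinkhole_port, detected_at, source_port=None,
                       skew=timedelta(seconds=60)):
    """Every logged TCP connection to the sinkhole, annotated with how well it matches the
    CBL detection. Syslog omits the year, so it is taken from detected_at (assumed UTC)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "TCP":
            continue
        if m["dst"] != sinkhole_ip or int(m["dpt"]) != sinkhole_port:
            continue
        ts = datetime.strptime(f"{detected_at.year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        hits.append({
            "src": m["src"], "spt": int(m["spt"]), "time": ts,
            "in_window": abs(ts - detected_at) <= skew,
            # The CBL saw the post-NAT source port; it equals the pre-NAT port logged here
            # only when the gateway preserves source ports, so treat it as a hint.
            "exact_port": source_port is not None and int(m["spt"]) == source_port,
        })
    return hits

def rank_suspects(hits):
    """Internal hosts that touched the sinkhole at all, best match first. Every host
    listed is suspect; the order only says which one to examine first."""
    score = {}
    for h in hits:
        score[h["src"]] = max(score.get(h["src"], 0), 2 * h["in_window"] + h["exact_port"])
    return sorted(score, key=lambda ip: (-score[ip], ip))

if __name__ == "__main__":
    found = find_sinkhole_hits(SAMPLE_LOGS, SINKHOLE_IP, SINKHOLE_PORT, DETECTED_AT, SEEN_SOURCE_PORT)
    for h in found:
        print(h["time"].isoformat(), h["src"], h["spt"], h["in_window"], h["exact_port"])
    print("examine first:", rank_suspects(found))
```

Any host in the ranked list talked to the sinkhole and needs checking, not only the top entry; a host outside the time window may simply have been caught on a later beacon.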
Recent versions of Nmap can detect Conficker, but it's not 100% reliable at finding every infection. Nmap is available for Linux, xxxBSD, Windows and Mac. Nessus can also find Conficker infections remotely. Several other scanners are available here.
Enigma Software's scanner is apparently good at finding Conficker A.
University of Bonn has a number of scan/removal tools.
If you're unable to find the infection, consider:
- If you used a network scanner, make sure that the network specification you used to check your network was right, and that you understand how to interpret a Conficker detection.
- Some network Conficker scanners only detect some varieties of Conficker. For example, nmap misses some. If you can't find it with nmap, try other scanners like McAfee's. In other words, try at least two.
- Are you sure you have found _all_ computers in your network? Sometimes there are machines quietly sitting in back rooms somewhere that got forgotten about. It would be a good idea to run
  nmap -sP <ALL of your network specifications>
  which should list all your computers, printers and other network devices. Did you see all the computers you expected to see?
- The infected computer may be turned off at the time you ran the scan or not on the network. Double-check everything was turned on during the scan.
- If you have wireless, make sure it's secured with WPA or WPA2, and that "strangers" can't connect. WEP security is NOT good enough.
- Many versions of Conficker propagate via infected thumbdrives/USB keys. When an infected machine is found, ALL such devices associated with the machine should be considered suspect, and either destroyed or completely reformatted.
- Conficker also propagates by file and printer shares.
If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.