IP Prob
<blockquote data-quote="hjlbx" data-source="post: 397468">
<p>IP Address 203.115.71.150 <strong>is listed</strong> in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.</p>
<p>It was last detected at 2015-06-12 12:00 GMT (+/- 30 minutes), approximately 1 day, 10 hours, 30 minutes ago.</p>
<p>This IP is infected (or NATting for a computer that is infected) with the <strong>Conficker</strong> botnet.</p>
<p>More information about Conficker can be obtained from <a href="http://en.wikipedia.org/wiki/Conficker" target="_blank"><u>Wikipedia</u></a>.</p>
<p>Please <strong>follow</strong> these instructions.</p>
<p><a href="http://www.dshield.org/diary/Third+party+information+on+conficker/5860" target="_blank"><u>Dshield</u></a> has a diary item containing many third party resources, especially removal tools such as Norton Power Eraser, Stinger, MSRT etc.</p>
<p>One of the most critical items is to make sure that all of your computers have the MS08-067 patch installed. But even with the patch installed, machines can get reinfected.</p>
<p>There are several ways to identify Conficker infections remotely. For a fairly complete approach, see <a href="http://www.sophos.com/en-us/support/knowledgebase/61259.aspx" target="_blank"><u>Sophos</u></a>.</p>
<p>If you have full firewall logs turned on at the time of detection, this may be sufficient to find the infection on a NAT:</p>
<p>Your IP was observed making connections to TCP/IP IP address 216.66.15.114 (a Conficker <a href="http://cbl.abuseat.org/sinkhole.html" target="_blank"><u>sinkhole</u></a>) with a destination port 80, source port (for this detection) of 51518 at exactly 2015-06-12 12:09:13 (UTC). All of our detection systems use NTP for time synchronization, so the timestamp should be accurate within one second.</p>
<p>If you don't have full firewall logging, perhaps you can set up a firewall block/log of all access (any port) to IP address 216.66.15.114 and keep watch for hits.</p>
<p><strong>WARNING: DO NOT</strong> simply block access to 216.66.15.114 and expect to not get listed again. There are many Conficker sinkholes - some move around and even we don't know where they all are. Blocking access to just one sinkhole does not mean that you have blocked all sinkholes, so relistings are possible. You have to monitor your firewall logs, identify the infected machine, and repair it if you wish to remain delisted.</p>
<p>Recent versions of <a href="http://insecure.org/" target="_blank"><u>Nmap</u></a> can detect Conficker, but it's not 100% reliable at finding every infection. Nmap is available for Linux, xxxBSD, Windows and Mac. Nessus can also find Conficker infections remotely. Several other scanners are available <a href="http://net.cs.uni-bonn.de/wg/cs/applications/containing-conficker/" target="_blank"><u>here</u></a>.</p>
<p><a href="http://www.enigmasoftware.com/a1/download/cfremover.exe" target="_blank"><u>Enigma Software's scanner</u></a> is apparently good at finding Conficker A.</p>
<p><a href="http://net.cs.uni-bonn.de/wg/cs/applications/containing-conficker/" target="_blank"><u>University of Bonn</u></a> has a number of scan/removal tools.</p>
<p>If you're unable to find the infection, consider:</p>
<ul>
<li data-xf-list-type="ul">If you used a network scanner, make sure that the network specification you used to check your network was right, and you understand how to interpret a Conficker detection.</li>
<li data-xf-list-type="ul">Some network Conficker scanners only detect some varieties of Conficker. For example, nmap misses some. If you can't find it with nmap, try other scanners like <a href="http://www.mcafee.com/ca/threat-center/confickertest.aspx" target="_blank"><u>McAfee's</u></a>. In other words, try at least two.</li>
<li data-xf-list-type="ul">Are you sure you have found <em>all</em> computers in your network? Sometimes there are machines quietly sitting in back rooms somewhere that got forgotten about. It would be a good idea to run<br /><code>nmap -sP &lt;ALL of your network specifications&gt;</code><br />which should list all your computers, printers and other network devices. Did you see all the computers you expected to see?</li>
<li data-xf-list-type="ul">The infected computer may be turned off at the time you ran the scan or not on the network. Double-check everything was turned on during the scan.</li>
<li data-xf-list-type="ul">If you have wireless, make sure it's secured with WPA or WPA2, and that "strangers" can't connect. WEP security is <strong>NOT</strong> good enough.</li>
<li data-xf-list-type="ul">Many versions of Conficker propagate via infected thumbdrives/USB keys. When an infected machine is found, ALL such devices associated with the machine should be considered suspect, and either destroyed or completely reformatted.</li>
<li data-xf-list-type="ul">Conficker also propagates by file and printer shares.</li>
</ul>
<p>If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.</p>
</blockquote>
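<p>As an added example (not part of the quoted post or of CBL's own tooling), here is a small Python script that does the firewall-log hunt the notice describes: it scans constructed, iptables-style log lines for any flow to the sinkhole address on any port, then uses the quoted timestamp and source port to pin the single host behind the NAT. The log layout, the internal addresses and the SRC/DST/PROTO/SPT/DPT field names are assumptions; only the sinkhole address, timestamp and source port come from the notice.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Values quoted in the CBL notice above.
SINKHOLE_IP = "216.66.15.114"
DETECTION_UTC = datetime(2015, 6, 12, 12, 9, 13, tzinfo=timezone.utc)
DETECTION_SPORT = 51518

# Constructed sample log in an assumed iptables-style key=value layout (UTC timestamps);
# the internal addresses are invented, only the sinkhole address comes from the notice.
SAMPLE_LOG = """\
2015-06-12T12:09:12Z SRC=192.168.1.23 DST=216.66.15.114 PROTO=TCP SPT=51518 DPT=80
2015-06-12T12:09:13Z SRC=192.168.1.40 DST=93.184.216.34 PROTO=TCP SPT=44321 DPT=443
2015-06-12T12:30:05Z SRC=192.168.1.23 DST=216.66.15.114 PROTO=TCP SPT=51522 DPT=80
2015-06-12T13:02:40Z SRC=192.168.1.55 DST=216.66.15.114 PROTO=UDP SPT=60010 DPT=53
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)

def parse_line(line):
    """One log line -> dict, or None when the line does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec

def sinkhole_contacts(log_text, sinkhole_ip=SINKHOLE_IP):
    """Every parsed flow to the sinkhole on any port, as the notice advises watching for."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and r["dst"] == sinkhole_ip]

def match_detection(contacts, when=DETECTION_UTC, sport=DETECTION_SPORT, tolerance_s=120):
    """Pin the internal host whose flow matches the CBL timestamp and source port.
    The firewall clock may drift from CBL's NTP-synced time, so a tolerance is allowed."""
    window = timedelta(seconds=tolerance_s)
    for r in contacts:
        if r["spt"] == sport and abs(r["ts"] - when) <= window:
            return r["src"]
    return None

def suspect_hosts(contacts):
    """Distinct internal hosts that reached the sinkhole; each needs cleaning, not just a block."""
    return sorted({r["src"] for r in contacts})
```

<p>Run it against your own export by replacing SAMPLE_LOG with the file contents and adjusting LINE_RE to your firewall's format; every host returned by suspect_hosts is a cleanup candidate even if only one matched the CBL detection.</p>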