I'm part of a BotNet? I doubt it.

Discussion in 'other security issues & news' started by Hungry Man, Apr 2, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    http://cbl.abuseat.org/lookup.cgi?ip=**.**.**

    I got blocked from a website saying that my IP was blacklisted.

    Waledac is a Windows worm thingy. I haven't even booted into Windows from my computer in at least a day. There's another Windows computer on the network but I also doubt that it's infected (automatically downloads the latest updates, running EMET.)

    Strange. Thoughts?

    edit: Perhaps this is linked to OpenDNS, which I switched to yesterday.
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Is your ISP giving you a fixed or dynamic IP? I guess dynamic, so .... just turn off the modem/router for some time to force the release of a new IP to you. A previous user of that IP got infected and that's the origin of the banning.
     
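    As an added illustration of the check behind the lookup link in the first post and of fax's point that a listing can be inherited from the address's previous holder, the following Python is example code written for this page, not code from the thread or from the CBL project. It assumes the standard DNSBL convention (query the reversed IPv4 octets under the list's zone; any 127.0.0.x answer means listed, NXDOMAIN means not listed), takes the zone name `cbl.abuseat.org` from the URL in the first post, and uses a constructed fake resolver and the constructed address 1.2.3.4 so it runs offline.

```python
"""Self-check of an IPv4 address against a DNSBL such as the CBL named in this thread.

Added example, not the forum's or the CBL's own code. Assumptions: the zone name
comes from the lookup URL in the first post, and the 127.0.0.x return-code
convention is the usual DNSBL one.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS name to query: the IPv4 octets reversed, under the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper only handles IPv4 addresses")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(answer: Optional[str]) -> str:
    """Turn a DNSBL A-record answer into a verdict.

    None stands for NXDOMAIN (not listed). Any 127.0.0.0/8 address means listed;
    the last octet is the list's return code. Anything else usually means the
    query never reached the blocklist (captive or wildcarding DNS), so it is
    reported as inconclusive rather than as a listing.
    """
    if answer is None:
        return "not listed"
    a = ipaddress.ip_address(answer)
    if a in ipaddress.ip_network("127.0.0.0/8"):
        return f"listed (return code {answer})"
    return f"inconclusive (unexpected answer {answer})"


def lookup(ip: str, zone: str,
           resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """Query one zone. `resolve` is injectable so the logic can be exercised offline."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer: Optional[str] = resolve(name)
    except socket.gaierror:
        # NXDOMAIN (or any other resolution failure) is treated as "not listed".
        answer = None
    return interpret_answer(answer)


def check_zones(ip: str, zones, resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Check the same address against several lists and return zone -> verdict."""
    return {zone: lookup(ip, zone, resolve=resolve) for zone in zones}


def _fake_resolver(name: str) -> str:
    """Constructed stand-in for DNS: only the constructed address 1.2.3.4 is listed."""
    if name == "4.3.2.1.cbl.abuseat.org":
        return "127.0.0.2"
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    # On a dynamic connection, a hit here may belong to whoever held the address
    # before you; compare the list's "last seen" time with how long you have had the IP.
    for zone, verdict in check_zones("1.2.3.4", ["cbl.abuseat.org"], resolve=_fake_resolver).items():
        print(f"{zone}: {verdict}")
    print(lookup("5.6.7.8", "cbl.abuseat.org", resolve=_fake_resolver))
```

    To check a real address, call `lookup(your_ip, zone)` without the `resolve` argument so the system resolver is used; the list's own web lookup (as in the first post) should still be consulted, because it reports when the activity was last seen, which is what decides whether a listing on a dynamic address was inherited.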
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I've been on this IP for a while. It says it last noticed the infection about ~1 day ago. I definitely had this IP a day ago.

    edit: My router shows that only my usual computers have been connected - no one's on my network that shouldn't be.
    edit2: And my Windows computer is fully patched + HMP/MBAM revealed nothing.

    Looks like a false positive. Weird though.
     
    Last edited: Apr 2, 2012
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    I mean external IP (not internal NAT related), I guess you understood that, right?
    If yes, then it's just a false positive from their side.... nothing to worry about unless it keeps popping up.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I think I understand at least. I mean, my router's IP is my external IP, yes? That's been the same for a while.
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Yeap, sorry you never know :D
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Good to make sure :p
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What's the website? Is it private? :D

    Anyway, it happens to me once in a while as well, because I'm on a dynamic IP address. It's actually infuriating. I need to reset the connection every time it happens.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The website is what I linked but instead of *'s it's my router's IP.

    I don't see how it can be a dynamic IP. I'm fairly certain that it hasn't changed.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Aha! You have been assimilated. I knew you were one of them!

    Seriously, don't limit your investigation to your PCs. Check the routers, modems, etc too. Hopefully it is a false positive.
    It doesn't appear to be linked to OpenDNS. I've used it for a while. The site shows my IP is OK, which is for all purposes static.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Scanned the Windows 7 laptop. It's fully patched (the botnet makes use of a Windows exploit that was patched a while ago) and it's running EMET + MSE + updates all the time.

    My other computer is ChromeOS, which is not infected.
    My other computer is Ubuntu 12.04, and I'll be very impressed if a Windows exploit managed to own this machine lol

    The router could be exploited. But why would it be showing as a Windows botnet? I can't find anything on Google about that and nothing on my router's logs suggests an infection.

    IDK. It's weird.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    All's good here as well.

    @ Hungry Man

    If the IP is static (you mentioned you've been using it for a while now), then as noone_particular mentioned, you should investigate further.

    If it was a dynamic IP, then it would most likely be just a coincidence that you're using that IP. Being static/"static"... you make sure all is OK.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It is dynamic. I haven't been thinking straight lol it could easily have been from someone else and I've only just noticed it now...
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It could be something that attacks other hardware via Windows. Remember the older UPnP exploit?

    Just to rule it out, have you run a Tor exit node or anything similar that would have you relaying someone else's traffic?
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Dude, you really should reconsider being a hungry man. We usually don't think straight when hungry. :D
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah, there's clearly something off with my head today lol

    Nope.

    I did consider that it was an infected Windows poisoning my router or some such thing. Checking my router logs and looking at what has connected to it this seems very unlikely.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Unless you want to proactively reflash your peripheral hardware and/or insert a known clean sniffer in between the devices, that pretty much leaves you with waiting to see if your IP gets flagged again. Is your modem an ISP supplied unit? If so, maybe they can check or verify it unless you have access to it.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    My cable box is ISP supplied. I could probably call them but I'm lazy. I'll see if I get flagged again. If I do I'll reflash my router.
     
  19. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    You are the Botnet master. :D Strange things happen with our lovely internet.
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    From what I've heard, the passwords for most ISP supplied equipment are available if you know where to look. Most of them have remote administration enabled by default. I haven't had cable internet, so I haven't checked out cable modems. That said, all of the ISP supplied DSL modems I've used have open ports. Every one of them has had an upper range (past 10,000) port open that I couldn't close, even with administrative access to the modem. It wouldn't surprise me one bit if the same is true of cable modems. I can't see any reason for such ports to be open except for an additional means of remote access. It would stand to reason that someone would know how to exploit it. At one time, I had a site bookmarked that could scan all ports 2500 at a time. Can't seem to find that particular scan any more.

    In this instance, I think all the equipment is fine. It's really Hungry that's been compromised. :p
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    There's no remote administration for the cable box or anything like that, it's just a box that routes the cable line to an ethernet line. No wireless parts.

    The router is fairly locked down.

    Losing my mind!
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The ISP most likely has remote access to that cable box. Most ISPs have a standard list of passwords they use with them. These password lists are available if you look hard enough. I'm not saying this is what's wrong. Just don't be too quick to dismiss the possibility.
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Looks under the keyboard.
    Not in the coffee cup.
    Uh oh. What is the cat playing with? Goes bouncing across the floor.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Possibly. I don't know much about that. I know they can access them because when I have issues/call them they can get some information from the box. I don't know how much though or what they can do with it or really much about any of it.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If only it were so simple!
     