I'm part of a BotNet? I doubt it.

http://cbl.abuseat.org/lookup.cgi?ip=**.**.**

I got blocked from a website saying that my IP was blacklisted.

Waledac is a Windows worm thingy. I haven't even booted into Windows from my computer in at least a day. There's another Windows computer on the network but I also doubt that it's infected (automatically downloads the latest updates, running EMET.)

Strange. Thoughts?

edit: Perhaps this is linked to OpenDNS, which I switched to yesterday.

 

Is your ISP giving you a fix or dynamic IP? I guess dynamic, so .... just turn off the modem/router for sometime to force the release of a new IP to you. A previous user of that IP got infected and that's the origin of the banning.

 

I've been on this IP for a while. It says it last noticed the infection about ~1day ago. I definitely had this IP a day ago.

edit: My router shows that only my usual computers have been connected - no one's on my network that shouldn't be.
edit2: And my Windows computer is fully patched + HMP/MBAM revealed nothing.

Looks like a false positive. Weird though.

 

I mean external IP (not internal NAT related), I guess you understood that, right?
If yes, then just a false positive from their side.... nothing to worry about unless keeps popping up.

 

I think I understand at least. I mean, my router's IP is my external IP, yes? That's been the same for a while.

 

Yeap, sorry you never know

 

Good to make sure

 

What's the website? Is it private?

Anyway, it happens to me once in a while as well, because I'm on dynamic IP address. It's actually enfuriating. I need to reset the connection everytime it happens.

 

The website is what I linked but isntead of *'s it's my router's IP.

I don't see how it can by a dynamic IP. I'm fairly certain that it hasn't changed.

 

Aha! You have been assimilated. I knew you were one of them!

Seriously, don't limit your investigation to your PCs. Check the routers, modems, etc too. Hopefully it is a false positive.
It doesn't appear to be linked to Open DNS. I've used it for a while. The site shows my IP is OK, which is for all purposes static.

 

Scanned the Windows 7 laptop. It's fully patched (the botnet makes use of a Windows exploit that was patched a while ago) and it's running EMET + MSE + updates all the time.

My other computer is ChromeOS, which is not infected.
My other computer is Ubuntu 12.04, and I'll be very impressed if a Windows exploit managed to own this machine lol

The router could be exploited. But why would it be showing as a Windows botnet? I can't find anything on Google about that and nothing on my router's logs suggests an infection.

IDK. It's weird.

 

All's good here as well.

@ Hungry Man

If the IP is static (you mentioned you've been using it for a while now), then as noon_particular mentioned, you should investigate further.

If it was a dynamic IP, then it would most likely be just a coincidence that you're using that IP. Being static/"static"... you make sure all is OK.

 

It is dynamic. I haven't been thinking straight lol it could easily have been from someone else and I've only just noticed it now...

 

It could be something that attacks other hardware via Windows. Remember the older UPnP exploit?

Just to rule it out, have you run a Tor exit node or anything similar that would have you relaying someone elses traffic?

 

Dude, you really should reconsider being a hungry man. We usually don't think straight when hungry.

 

Yeah, there's clearly something off with my head today lol

Nope.

I did consider that it was an infected Windows poisoning my router or some such thing. Checking my router logs and looking at what has connected to it this seems very unlikely.

 

Unless you want to proactively reflash your peripheral hardware and/or insert a known clean sniffer in between the devices, that pretty much leaves you with waiting to see if your IP gets flagged again. Is your modem an ISP supplied unit? If so, maybe they can check or verify it unless you have access to it.

 

My cable box is ISP supplied. I could probably call them but I'm lazy. I'll see if I get flagged again. If I do I'll reflash my router.

 

You are the Botnet master. Strange things Happen with our lovely internet.

 

From what I've heard, the passwords for most ISP supplied equipment are available if you know where to look. Most of them have remote administration enabled by default. I haven't had cable internet, so I haven't checked out cable modems. That said, all of the ISP supplied DSL modems I've used have open ports. Every one of them has had an upper range (past 10,000) port open that I couldn't close, even with administrative access to the modem. It wouldn't surprise me one bit if the same is true of cable modems. I can't see any reason for such ports to be open except for an additional means of remote access. It would stand to reason that someone would know how to exploit it. At one time, I had a site bookmarked that could scan all ports 2500 at a time. Can't seem to find that particular scan any more.

In this instance, I think all the equipment is fine. It's really Hungry that's been compromised.

 

There's no remote administration for the cable box or anything like that, it's just a box that routes the cable line to an ethernet line. No wireless parts.

The router is fairly locked down.

Losing my mind!

 

The ISP most likely has remote access to that cablebox. Most ISPs have a standard list of passwords they use with them. These password lists are available if you look hard enough. I'm not saying this is what's wrong. Just don't be too quick to dismiss the possibility.

 

Looks under the keyboard.
Not in the coffee cup.
Uh oh. What is the cat playing with? Goes bouncing across the floor.

 

Possibly. I don't know much about that. I know they can access them because when I have issues/ call them they can get some information from the box. I don't know how much though or what they can do with it or really much about any of it.

 

If only it were so simple!