Our public IP address is listed in a Spamhaus blacklist #850

Closed
amcewen opened this issue Jul 16, 2018 · 7 comments

Comments

@amcewen
Member

commented Jul 16, 2018

https://www.abuseat.org/lookup.cgi?ip=185.135.104.23

(Noticed because my email provider is refusing email from me due to the network being blacklisted).

From that blacklist URL it seems that there's a Windows machine somewhere on the network which is infected with the Conficker worm. Seems it was a machine that was most recently on the network yesterday.

I've run a scanning tool to look for infected machines (I had to change impacket.dcerpc to impacket.dcerpc.v5 at the top of scanner21.py to get it to work) and that doesn't report any hosts on 10.0.29.x, 10.0.30.x or 10.0.11.x, which makes it look more like it's someone's own laptop that's infected...

@ajlennon is running a different scan tool too, so we'll see if he finds anything.

@amcewen
Member Author

commented Jul 16, 2018

Having checked on the Tapestry WiFi, that routes me out via the same IP address, so it might not be a machine on our network. @mattwilsondotuk, do you have any way to spot which host is trying to connect out to 104.244.14.252 to narrow down which machine is infected, alongside our local checks...?

@skos-ninja

commented Jul 16, 2018

I have firewalled the IP that it was detected connecting to and enabled logging, so if it tries connecting again I can see it.
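The approach in the two comments above (a firewall rule that logs every attempt to reach the Conficker sinkhole IP, then checking which internal host generated the hits) is the part of this thread that is worth keeping as working code. The block below is an added example written for this page, not code from the issue, the scanner21.py tool, or anyone's firewall; it assumes a Linux gateway whose netfilter LOG target writes the usual `SRC=... DST=... PROTO=... DPT=...` key/value lines to syslog (a rule like `iptables -I FORWARD -d 104.244.14.252 -j LOG --log-prefix "SINKHOLE "`, followed by a matching REJECT). The log lines it processes are constructed samples, not real captures, and the `10.0.x.y` hosts in them are invented.

```python
"""Attribute firewall LOG hits for a watched (sinkhole) IP to internal hosts.

Added example, not from the issue thread. Assumes netfilter LOG lines in
syslog (KEY=VALUE pairs). Sample lines below are constructed, not captured.
"""
import re
from collections import Counter, defaultdict

# The destination the blacklist report said the infected host was contacting.
WATCHED_DST = {"104.244.14.252"}

# Netfilter LOG lines are KEY=VALUE pairs; pull out only the ones we need.
_KV = re.compile(r"\b(SRC|DST|PROTO|DPT|IN)=(\S+)")
_TS = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")


def parse_log_line(line):
    """Return a dict of fields from one netfilter LOG line, or None if the
    line is not a firewall LOG entry (no SRC/DST present)."""
    fields = dict(_KV.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    m = _TS.match(line)
    fields["ts"] = m.group(1) if m else ""
    return fields


def attribute_hits(lines, watched=WATCHED_DST):
    """Count connection attempts to watched destinations per source host.

    Returns (counts, detail): counts maps SRC -> number of attempts,
    detail maps SRC -> list of (timestamp, dst, proto, dport) tuples, so the
    noisiest host can be walked over to see when it was on the network.
    """
    counts = Counter()
    detail = defaultdict(list)
    for line in lines:
        f = parse_log_line(line)
        if not f or f["DST"] not in watched:
            continue  # unrelated traffic or a non-firewall syslog line
        counts[f["SRC"]] += 1
        detail[f["SRC"]].append(
            (f["ts"], f["DST"], f.get("PROTO", "?"), f.get("DPT", "?"))
        )
    return counts, dict(detail)


# Constructed sample syslog excerpt (hypothetical hosts): two hits from one
# laptop, one from another, one unrelated HTTPS connection, one sshd line.
SAMPLE_LOG = """\
Jul 17 19:47:02 gw kernel: SINKHOLE IN=eth1 OUT=eth0 SRC=10.0.30.41 DST=104.244.14.252 PROTO=TCP SPT=49211 DPT=80 SYN
Jul 17 19:47:05 gw kernel: SINKHOLE IN=eth1 OUT=eth0 SRC=10.0.30.41 DST=104.244.14.252 PROTO=TCP SPT=49212 DPT=80 SYN
Jul 17 19:48:10 gw kernel: SINKHOLE IN=eth1 OUT=eth0 SRC=10.0.29.7 DST=104.244.14.252 PROTO=TCP SPT=51000 DPT=80 SYN
Jul 17 19:48:11 gw kernel: SINKHOLE IN=eth1 OUT=eth0 SRC=10.0.11.3 DST=93.184.216.34 PROTO=TCP SPT=51001 DPT=443 SYN
Jul 17 19:49:00 gw sshd[123]: Accepted publickey for admin from 10.0.11.9
""".splitlines()


if __name__ == "__main__":
    counts, detail = attribute_hits(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src}: {n} attempt(s) to a watched destination")
        for ts, dst, proto, dport in detail[src]:
            print(f"    {ts} -> {dst} {proto}/{dport}")
```

Run it against the real syslog with `attribute_hits(open("/var/log/syslog"))`; the per-source counts are what narrow the search to one machine. Note the caveat the thread itself raises: if a guest network (the Tapestry WiFi here) shares the same egress IP but does not pass through this gateway, its hosts never appear in these logs, so an empty result clears only the segments the firewall actually sees.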

@ajlennon
Contributor

commented Jul 16, 2018

I have some Nessus scans running. Will upload when done

@ajlennon
Contributor

commented Jul 16, 2018

@amcewen
Member Author

commented Jul 19, 2018

The abuse alert page has continued reporting issues each day (generally at 19:45-19:55) and @skos-ninja hasn't seen any alerts on the firewall (apart from the one from my laptop just now when I tried connecting out to test it), so it looks like our network is in the clear.

I told @mattwilsondotuk about it when I bumped into him the other evening, so he's aware of it. I'm going to leave this open until we get our static IP (or the reported problem gets fixed) - we need to bug Jason about clearing the IX Liverpool server closet to get the static IP moved on.

@ajlennon
Contributor

commented Jul 20, 2018

If the static IP is going to take time could we get onto our own separate dynamic IP in the meantime?

@amcewen
Member Author

commented Aug 28, 2018

The original IP is still listed, although it hasn't been seen to be a problem since August 20th, but as reported on #893, we're now on a static IP and that is clear.

@amcewen amcewen closed this Aug 28, 2018
