Re: Not so Nice Net

["Hanson, Mike" <mhanson () CSS EDU>]

Jeff,

I actually have several of the 91.x.x.x address range blocked on our
outgoing firewall because I had tracked down malware/bot infected student
computers trying to phone home to those address ranges.

Mike Hanson
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811


On Wed, Feb 8, 2012 at 10:18 AM, Jeff Moore <mail () jeffmoore com> wrote:

> Hi all - Got a weird one here... Has anyone else noticed that almost all
> traffic from 91.x.x.x is of a "not so good" nature? We created a custom
> snort sig a while back to track the 91.x.x.x range because we saw that a
> majority of TORPIGs control servers were in that range and our institution
> rarely if ever gets traffic from that net.
> What we found interesting was that over the last year or more we have
> found that every single hit on that signature traced back to be "Not so
> Nice" hosts. for example:
> http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=91.43.140.23
> (one from this morning. just mail rep on this one). We have also traced
> each of these down on our side and have found that the only
> traffic(initiated from our net) that was not virus/malware related was
> traffic from "Panda Download Manager" Which we also didn't want and is a
> shady-ish MP3 download engine. It astounds me that day in day out if we see
> traffic from this net it is always "Not so Nice"!
>
> I was just curious if you all have been seeing this as well and if not can
> ya take a peek to see if it rings true with your systems as well?
>
> Maybe I have just gotten lucky. Just a strange little oddity that I was
> curious if you all have seen.
>
> Thanks All!
>
> --
> Jeff Moore
> Chemeketa Community College
> Desk (503) 877-4707 <https://www.google.com/voice?pli=1#phones>
> Cell (503) 9 <https://www.google.com/voice?pli=1#phones>10-0756
> Jeff.Moore () chemeketa edu