Re: Not so Nice Net

[Martin Manjak <mmanjak () ALBANY EDU>]

Jeff,

Just want to clarify: you are referring to 91.0.0.0/8?

That's an awful lot of addresses, and AS's.

All not nice?
Marty


On 2/8/2012 11:18 AM, Jeff Moore wrote:
> Hi all - Got a weird one here... Has anyone else noticed that almost all
> traffic from 91.x.x.x is of a "not so good" nature? We created a custom
> snort sig a while back to track the 91.x.x.x range because we saw that a
> majority of TORPIGs control servers were in that range and our institution
> rarely if ever gets traffic from that net.
> What we found interesting was that over the last year or more we have found
> that every single hit on that signature traced back to be "Not so Nice"
> hosts. for example:
> http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=91.43.140.23
> (one from this morning. just mail rep on this one). We have also traced
> each of these down on our side and have found that the only
> traffic(initiated from our net) that was not virus/malware related was
> traffic from "Panda Download Manager" Which we also didn't want and is a
> shady-ish MP3 download engine. It astounds me that day in day out if we see
> traffic from this net it is always "Not so Nice"!
>
> I was just curious if you all have been seeing this as well and if not can
> ya take a peek to see if it rings true with your systems as well?
>
> Maybe I have just gotten lucky. Just a strange little oddity that I was
> curious if you all have seen.
>
> Thanks All!


-- 

Martin Manjak
CISSP, GIAC GSEC-G
Information Security Officer
University at Albany
MSC 209 518/437-3813

The University at Albany will never ask you to reveal your password.
Please ignore all such requests.