Educause Security Discussion mailing list archives

Re: Not so Nice Net


From: David Gillett <gillettdavid () FHDA EDU>
Date: Wed, 8 Feb 2012 09:30:57 -0800

  Traceroute on that address goes to a client of t-internet.de, which I
believe is part of the t-*.de cluster of services possibly affiliated with
T-Mobile.
 
  I recall that when I started doing network security, more than 15 years
ago, t-dialin.de was a recurring source of "bad" traffic, and their network
administrators were the most likely to promise to act on complaints -- to no
visible effect.
 
Technology evolves faster than people....
 
David Gillett, CISSP CCNP
 

  _____  

From: Jeff Moore [mailto:mail () JEFFMOORE COM] 
Sent: Wednesday, February 08, 2012 08:18
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Not so Nice Net


Hi all - Got a weird one here... Has anyone else noticed that almost all
traffic from 91.x.x.x is of a "not so good" nature? We created a custom
snort sig a while back to track the 91.x.x.x range because we saw that a
majority of TORPIG's control servers were in that range and our institution
rarely if ever gets traffic from that net. 
What we found interesting was that over the last year or more we have found
that every single hit on that signature traced back to be "Not so Nice"
hosts. For example:
http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=91.43.140.23
(one from this morning; just mail rep on this one). We have also traced each
of these down on our side and have found that the only traffic (initiated
from our net) that was not virus/malware related was traffic from "Panda
Download Manager", which we also didn't want and is a shady-ish MP3 download
engine. It astounds me that day in, day out, if we see traffic from this net
it is always "Not so Nice"!

I was just curious if you all have been seeing this as well and if not can
ya take a peek to see if it rings true with your systems as well? 

Maybe I have just gotten lucky. Just a strange little oddity that I was
curious if you all have seen.

Thanks All!

-- 
Jeff Moore
Chemeketa Community College

Desk (503) 877-4707
Cell (503) 910-0756
Jeff.Moore () chemeketa edu 

