Educause Security Discussion mailing list archives

Re: Not so Nice Net


From: Brian Helman <bhelman () SALEMSTATE EDU>
Date: Fri, 10 Feb 2012 15:50:04 +0000

Funny you should bring this up.  I've blocked several /24's in the 91.x.x.x range over the last couple weeks, including 1 this morning, because of comprehensive network scanning... mostly looking for FTP hosts.

-Brian

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Heath Barnhart
Sent: Thursday, February 09, 2012 12:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Not so Nice Net

Same here, a year ago I was seeing torpig traffic from a few 91.x.x.x networks after getting numerous alerts from REN-ISAC. We tracked down the hosts and fixed the problems, haven't seen issues in a while. I think I might check again.



On 2/8/2012 10:18 AM, Jeff Moore wrote:
Hi all - Got a weird one here... Has anyone else noticed that almost all traffic from 91.x.x.x is of a "not so good" nature? We created a custom snort sig a while back to track the 91.x.x.x range because we saw that a majority of TORPIG's control servers were in that range and our institution rarely if ever gets traffic from that net.
What we found interesting was that over the last year or more we have found that every single hit on that signature traced back to be "Not so Nice" hosts. For example: http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=91.43.140.23 (one from this morning, just mail rep on this one). We have also traced each of these down on our side and have found that the only traffic (initiated from our net) that was not virus/malware related was traffic from "Panda Download Manager", which we also didn't want and is a shady-ish MP3 download engine. It astounds me that day in, day out, if we see traffic from this net it is always "Not so Nice"!

I was just curious if you all have been seeing this as well and if not can ya take a peek to see if it rings true with your systems as well?

Maybe I have just gotten lucky. Just a strange little oddity that I was curious if you all have seen.

Thanks All!

--
Jeff Moore
Chemeketa Community College
Desk (503) 877-4707
Cell (503) 910-0756
Jeff.Moore () chemeketa edu


--
Heath Barnhart, CCNA
Network Administrator
Information Systems Services
Washburn University
Topeka, KS
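
The per-/24 blocking and range tracking described in this thread can be backed by a quick tally of connection logs before a block goes in. The following is an added example, not part of the original messages: the log format (`src_ip dst_ip dst_port`), the function name `scanning_slash24s`, the threshold and all sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

WATCHED = ipaddress.ip_network("91.0.0.0/8")  # the range discussed in the thread
FTP_PORT = 21

# Constructed sample records in an assumed "src_ip dst_ip dst_port" format.
# These are not real traffic observations.
SAMPLE_LOG = """\
91.10.20.5 192.0.2.10 21
91.10.20.5 192.0.2.11 21
91.10.20.77 192.0.2.12 21
91.10.20.77 192.0.2.13 21
91.200.1.9 192.0.2.10 80
198.51.100.4 192.0.2.10 21
not a log line
"""

def scanning_slash24s(log_text, min_targets=4):
    """Map each watched source /24 to its count of distinct FTP targets,
    keeping only /24s that probed at least min_targets local hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records instead of failing the run
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except ValueError:
            continue
        if src not in WATCHED or port != FTP_PORT:
            continue
        # Collapse the source host to its enclosing /24, the unit being blocked.
        block = ipaddress.ip_network(f"{src}/24", strict=False)
        targets[str(block)].add(str(dst))
    return {b: len(t) for b, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    for block, count in scanning_slash24s(SAMPLE_LOG).items():
        print(f"{block}: {count} distinct FTP targets")
```

Counting distinct destinations rather than raw connections separates a sweep across many hosts from one source repeatedly contacting a single server.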
