Educause Security Discussion mailing list archives
Re: Not so Nice Net
From: Brian Helman <bhelman () SALEMSTATE EDU>
Date: Fri, 10 Feb 2012 15:50:04 +0000
Funny you should bring this up. I've blocked several /24's in the 91.x.x.x range over the last couple weeks, including 1 this morning, because of comprehensive network scanning... mostly looking for FTP hosts. -Brian From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Heath Barnhart Sent: Thursday, February 09, 2012 12:19 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Not so Nice Net Same here, I year ago I was seeing torpig traffic from a few 91.x.x.x networks after getting numerous alerts from REN-ISAC. We tracked down the hosts and fixed the problems, haven't seen issues in a while. I think I might check again. On 2/8/2012 10:18 AM, Jeff Moore wrote: Hi all - Got a weird one here... Has anyone else noticed that almost all traffic from 91.x.x.x is of a "not so good" nature? We created a custom snort sig a while back to track the 91.x.x.x range because we saw that a majority of TORPIGs control servers were in that range and our institution rarely if ever gets traffic from that net. What we found interesting was that over the last year or more we have found that every single hit on that signature traced back to be "Not so Nice" hosts. for example: http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=91.43.140.23 (one from this morning. just mail rep on this one). We have also traced each of these down on our side and have found that the only traffic(initiated from our net) that was not virus/malware related was traffic from "Panda Download Manager" Which we also didn't want and is a shady-ish MP3 download engine. It astounds me that day in day out if we see traffic from this net it is always "Not so Nice"! I was just curious if you all have been seeing this as well and if not can ya take a peek to see if it rings true with your systems as well? Maybe I have just gotten lucky. Just a strange little oddity that I was curious if you all have seen. Thanks All! -- Jeff Moore Chemeketa Community College Desk (503) 877-4707<https://www.google.com/voice?pli=1#phones> Cell (503) 9<https://www.google.com/voice?pli=1#phones>10-0756 Jeff.Moore () chemeketa edu<mailto:Jeff.Moore () chemeketa edu> -- Heath Barnhart, CCNA Network Administrator Information Systems Services Washburn University Topeka, KS
Current thread:
- Not so Nice Net Jeff Moore (Feb 08)
- Re: Not so Nice Net Hanson, Mike (Feb 08)
- Re: Not so Nice Net Martin Manjak (Feb 08)
- Re: Not so Nice Net Jeff Moore (Feb 08)
- Re: Not so Nice Net David Gillett (Feb 08)
- Re: Not so Nice Net Heath Barnhart (Feb 09)
- Re: Not so Nice Net Brian Helman (Feb 10)
- Re: Not so Nice Net Michael Sinatra (Feb 10)
- Re: Not so Nice Net Jeff Moore (Feb 10)
- Re: Not so Nice Net Michael Sinatra (Feb 10)
- Message not available
- Not so Nice Net Jeff Moore (Feb 10)
- Re: Not so Nice Net Brian Helman (Feb 10)
- Re: Not so Nice Net Mike Lococo (Feb 10)
- <Possible follow-ups>
- Re: Not so Nice Net Joe St Sauver (Feb 10)