
IP Blacklisted for sending spam


  • This topic is locked
9 replies to this topic

#1 blenderman9000

  • Members
  • 3 posts

Posted 04 December 2014 - 11:52 PM

Hello!

 

Our IP was blacklisted for sending high amounts of spam to certain honeypots. Whenever one of us in our network visits a Cloudflare-protected website, we always get a captcha every 30 mins.

 

Here are some websites that have our IP detected as malicious: (it's fine for our IP to be shown because we'll definitely be changing it when we fix this)

http://www.projecthoneypot.org/ip_24.28.10.122 (for a month, I've frequently visited this and the number of emails kept going up)

http://cbl.abuseat.org/lookup.cgi?ip=24.28.10.122&.pubmit=Lookup

 

In the second website, it shows that we might have a possible Linux virus. But none of our computers have any distro of Linux installed EXCEPT for my machine, which has a clean dual-boot installation of Kali Linux (we all use Windows for our main OS). I haven't downloaded any software in Kali Linux, and I rarely even boot to Kali.

 

One note is that we all use Android phones, and they obviously use a proprietary distro of Linux. That /could/ be the reason why it's showing up as Linux on the site above, but I doubt it.

 

One person in my family uses Yahoo, while the other two of us use Gmail. I received a spam email from the Yahoo address, but looking closely, it was sent from an IP from Taiwan: 114.36.246.192

 

This was a week or so before all of this started happening: One of the machines using Gmail already had Malwarebytes installed and detected a Trojan.Ransom and quarantined it. (I will definitely sniff port 25 on that machine later).

 

Here is the header (partially censored):

 

From "**@yahoo.com" Thu Dec  4 10:26:11 2014

X-Apparently-To: **@yahoo.com; Thu, 04 Dec 2014 02:46:12 +0000
Return-Path: <turismo@dipcas.es>
X-YahooFilteredBulk: 114.36.246.192
Received-SPF: none (domain of dipcas.es does not designate permitted sender hosts)
X-Originating-IP: [114.36.246.192]
Authentication-Results: mta1022.mail.bf1.yahoo.com  from=dipcas.es; domainkeys=neutral (no sig);  from=dipcas.es; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO [114.36.246.192]) (114.36.246.192)
  by mta1022.mail.bf1.yahoo.com with SMTP; Thu, 04 Dec 2014 02:46:11 +0000
From: "**@yahoo.com" <turismo@dipcas.es>
To: <**@yahoo.com>
Subject: Ph@rmacy
Date: 4 Dec 2014 17:26:11 +0700
Message-ID: <005101d00faf$06e89e1e$970714ad$@dipcas.es>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acim2rcatsypmw5yim2rcatsypmw5y==
Content-Language: en
x-cr-hashedpuzzle: 2D4= 2rca tsyp mw5y im2r cats ypmw 5yim 2rca tsyp mw5y im2r cats ypmw 5yim 2rca;1;tsypmw5yim2rcatsypmw5yim2rcatsypmw5yim2rcatsypmw;Sosha1_v1;7;{52C76898-2AFD-37DA-4FE0-10A275BF52C7};ZQB3AGUAZg2rcatsypmw5yim2rcatsypmw5yim2rcatsypmw;4 Dec 2014 17:26:11 +0700;5yim2rcatsypmw5y
x-cr-puzzleid: {52C76898-2AFD-37DA-4FE0-10A275BF52C7}
Content-Length: 51

 

So we changed the Yahoo password immediately. But there was still email being sent.

 

We bought a 1 year copy of Malwarebytes and installed it on all three of our machines. The one I already mentioned most likely reinstalled Mbam. We did a full scan on all computers and nothing was to be found.

 

Soon, I'm going to try these:

* Opening Wireshark and packet sniffing port 25 on all machines overnight

* Scan the phones for viruses

* Change all email passwords

 

So... does anyone have an idea of what is going on? Thanks :)
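One way to check the poster's reading of that header, as an added example that is not from the thread: parse the header, take the originating IP the receiving MTA recorded (X-Originating-IP, else the earliest Received hop) and compare it with the network's own IP, then flag the mismatch between the yahoo.com display name and the dipcas.es address and the SPF result. The header text is trimmed from the post and 24.28.10.122 is the IP the post gives; both are used here as constructed sample input.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: trimmed from the header quoted in the post; the opaque X-YMailISG blob is left out.
SAMPLE_HEADER = """\
Return-Path: <turismo@dipcas.es>
Received-SPF: none (domain of dipcas.es does not designate permitted sender hosts)
X-Originating-IP: [114.36.246.192]
Received: from 127.0.0.1  (EHLO [114.36.246.192]) (114.36.246.192)
  by mta1022.mail.bf1.yahoo.com with SMTP; Thu, 04 Dec 2014 02:46:11 +0000
From: "**@yahoo.com" <turismo@dipcas.es>
To: <**@yahoo.com>
Subject: Ph@rmacy
Date: 4 Dec 2014 17:26:11 +0700

"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Loopback/RFC 1918 prefixes: a hop's own private address says nothing about the origin.
PRIVATE = ("10.", "127.", "192.168.") + tuple(f"172.{n}." for n in range(16, 32))

def origin_ip(msg):
    """Connecting IP as recorded by the first MTA that accepted the message.
    MTAs prepend Received headers, so the LAST one is the earliest hop; the IP
    the receiver itself logged in parentheses outranks the sender's EHLO claim."""
    xo = IPV4.findall(msg.get("X-Originating-IP", ""))
    if xo:
        return xo[0]
    hops = msg.get_all("Received", [])
    if not hops:
        return None
    public = [ip for ip in IPV4.findall(hops[-1]) if not ip.startswith(PRIVATE)]
    return public[-1] if public else None

def analyse(raw, our_ip):
    """Answer the question asked in the post: did this mail leave OUR network?"""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr_domain = addr.rsplit("@", 1)[-1].lower()
    disp_domain = display.rsplit("@", 1)[-1].lower() if "@" in display else addr_domain
    origin = origin_ip(msg)
    return {
        "origin_ip": origin,
        "sent_from_our_network": origin == our_ip,
        # Display name shows one domain, real address another: a forged From line.
        "from_spoofed": disp_domain != addr_domain,
        "spf": msg.get("Received-SPF", "").split(" ", 1)[0].lower(),
    }
```

The quoted Date header (17:26 +0700, i.e. 10:26 UTC) is also later than the time Yahoo's MTA accepted the message (02:46 UTC), which points to forged client-side headers rather than mail sent from the Yahoo account itself.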




#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,549 posts

Posted 09 December 2014 - 11:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/558720 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 The Pugilist

  • Members
  • 826 posts

Posted 19 December 2014 - 09:29 AM

blenderman9000, hello and welcome to Bleepingcomputer!

 

My name is Dave and I'll be helping you through the problems you're having. Before we get too far into this problem you're having, I'd like you to generate DDS logs for each one of the computers on your home network (for instructions, please see the above post). This will better allow me to hone in on the problem machine (assuming it is one of the Windows hosts). After making the DDS logs, please refrain from making additional changes to the machine as this can make it very difficult for me to assist you.


//Dave

#4 The Pugilist

  • Members
  • 826 posts

Posted 22 December 2014 - 09:31 AM

Blenderman9000,

 

Are you still in need of our assistance here?  Please post back here if you do (even if just to say that you need more time).  If this topic remains inactive, it will be closed.

 

Thanks, and happy holidays!


//Dave

#5 blenderman9000

  • Topic Starter
  • Members
  • 3 posts

Posted 22 December 2014 - 02:41 PM

Hi, sorry for the delay.

Time Warner told us that they were receiving not traffic from our computers.

I still need some more time and then I'll post the logs.
Thank you.

#6 The Pugilist

  • Members
  • 826 posts

Posted 23 December 2014 - 07:10 PM

Hi, sorry for the delay.

 

No worries!  Post when ready, or if you need more time, just let me know.


//Dave

#7 The Pugilist

  • Members
  • 826 posts

Posted 27 December 2014 - 01:46 PM

Blenderman9000,

 

Are you still in need of assistance or do you need more time? 

If you need more time, please give me your best time estimate for when you can post back here, so I can know when to expect your response.  If now is not a good time, we can close this topic for now then reopen it when you have the time to address the issue.

 

Thanks!


//Dave

#8 blenderman9000

  • Topic Starter
  • Members
  • 3 posts

Posted 27 December 2014 - 02:23 PM

Let's close it for now because I don't know when I can respond. How can I reopen when I have everything?

#9 The Pugilist

  • Members
  • 826 posts

Posted 27 December 2014 - 02:47 PM

Let's close it for now because I don't know when I can respond.

 

No problem, I'll go ahead and do that.

 

A moderator will now post here and lock this topic.  In the post, there will be instructions for how to have the topic reopened when you are ready. :)


//Dave

#10 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,015 posts
  • Location:The Arctic Circle

Posted 27 December 2014 - 03:16 PM

Hi blenderman9000,

 

When you want the topic re-opened, please PM me :)

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~




