
12/08/2013

Category SUSPICIOUS IP: 17.158.8.111 - HELOs as 17.158.8.111 for 185.5.99.21 - RFC 2821, section 4.1.1.1

The latest CBL statement for this malicious-IP posting gives the following analysis:

It was last detected at 2013-12-08 03:00 GMT (+/- 30 minutes), approximately 3 hours, 30 minutes ago. 
The listing of this IP is because it HELLOs as (IP) 17.158.8.111. Not only is this a violation of RFC2821/5321 section 4.1.1.1, it's even more frequently a sign of infection. (RFC 2821, section 4.1.1.1 Extended HELLO (EHLO) or HELLO (HELO))
These listings are often a sign of a compromised SSH account. If you are running a SSH service (especially on Linux), please check your ssh server logs (often /var/log/auth.log) for logins from this IP. If you find any, secure the associated account. This usually means changing the password or disabling the account. 
If it's a mail server, see naming problems for details on how to diagnose and fix the problem. 
If IP address 17.158.8.111 is or is NATing for a Symantec Protection Center instance, this appears to be a known issue. See this Knowledge Base item. We are attempting to work through this issue with them. Their KB item was updated October 18, 2010 to indicate that they now understand the issue. 
The KB item indicates that the problem will be resolved in a "future build", but no ETA is provided. If you have SPC's email notification feature turned on, we recommend turning it off before delisting your IP address as a temporary workaround. 
This IP is infected (or NATting for a computer that is infected) with a spam-sending infection. In other words, it's participating in a botnet. If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.
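The two checks the CBL statement describes, a HELO/EHLO argument that is a bare IP address instead of a domain name or bracketed address literal, and a search of the SSH auth log for logins from the listed IP, can both be scripted. The Python below is an added example written for this post; it is not code from CBL or from the blog author. It assumes RFC 5321 section 4.1.1.1 grammar for the HELO argument (FQDN, `[IPv4]` or `[IPv6:...]`) and Debian/Ubuntu-style OpenSSH syslog lines in auth.log; the sample log lines are constructed for the example and do not come from any real host.

```python
import ipaddress
import re

# --- Check 1: classify a HELO/EHLO argument per RFC 5321 section 4.1.1.1 ---
# Allowed: a fully qualified domain name, or an address literal in square
# brackets ([192.0.2.1] or [IPv6:2001:db8::1]). A bare address such as
# "17.158.8.111" is exactly the pattern the CBL listing above flags.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")  # at least two labels


def classify_helo(arg: str) -> str:
    """Return 'fqdn', 'address-literal', 'bare-ip' or 'invalid'."""
    arg = arg.strip()
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        if inner.upper().startswith("IPV6:"):
            try:
                ipaddress.IPv6Address(inner[5:])
                return "address-literal"
            except ValueError:
                return "invalid"
        try:
            ipaddress.IPv4Address(inner)
            return "address-literal"
        except ValueError:
            return "invalid"
    try:
        ipaddress.ip_address(arg)
        return "bare-ip"  # parses as an IP with no brackets: RFC violation
    except ValueError:
        pass
    # Single-label names (e.g. "localhost") are not fully qualified.
    return "fqdn" if FQDN_RE.match(arg) else "invalid"


# --- Check 2: accepted sshd logins from a given IP in auth.log ---
# Matches OpenSSH's "Accepted <method> for <user> from <ip> port <n>" lines.
SSH_ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def ssh_logins_from(log_lines, ip):
    """Return (user, method) pairs for every accepted sshd login from ip."""
    hits = []
    for line in log_lines:
        m = SSH_ACCEPT_RE.search(line)
        if m and m.group("ip") == ip:
            hits.append((m.group("user"), m.group("method")))
    return hits


# Constructed sample auth.log lines (not from a real system).
SAMPLE_AUTH_LOG = [
    "Dec  8 02:41:07 mail sshd[2231]: Accepted password for backup "
    "from 17.158.8.111 port 51522 ssh2",
    "Dec  8 02:41:09 mail sshd[2231]: pam_unix(sshd:session): session "
    "opened for user backup by (uid=0)",
    "Dec  8 02:45:13 mail sshd[2298]: Failed password for root "
    "from 17.158.8.111 port 51601 ssh2",
    "Dec  8 02:50:02 mail sshd[2350]: Accepted publickey for alice "
    "from 192.0.2.10 port 40000 ssh2",
]

if __name__ == "__main__":
    for helo in ("17.158.8.111", "[17.158.8.111]", "mail.example.com"):
        print(f"HELO {helo!r}: {classify_helo(helo)}")
    # Any hit here is an account to secure (password change / disable).
    print("accepted logins:", ssh_logins_from(SAMPLE_AUTH_LOG, "17.158.8.111"))
```

Running the script classifies the bare address from the listing as `bare-ip` while the bracketed form passes as an address literal, and the log scan reports the one accepted login (user `backup`, password auth) from the listed IP, ignoring the failed attempt. To run the second check against a live host, replace `SAMPLE_AUTH_LOG` with the lines of `/var/log/auth.log`; the regex only covers the OpenSSH syslog format, so journald-only systems need `journalctl -u ssh` output fed in instead.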

CBL-LINK:  http://cbl.abuseat.org/lookup.cgi?ip=185.5.99.21

Network Owner on this IP: Apple
