
Showing posts with the label RFC 2821.

4/18/2014

Category MALICIOUS IP: 203.153.100.82

Infected with a spam sending trojan, proxy or some other form of botnet.
It HELOs as a bare IP address
(INDONESIA)

The IP address 203.153.100.82 is listed in the CBL (Composite Blocking List). It appears to be infected with a spam-sending trojan, proxy or some other form of botnet. It was last detected at 2014-04-18 18:00 GMT (+/- 30 minutes), approximately 1 hour ago.

It has been relisted following a previous removal at 2014-04-09 01:07 GMT (9 days, 17 hours, 55 minutes ago).

The listing of this IP is because it HELOs as a bare IP address (a bare IP address looks like: "54.33.33.5"). It is not HELO'ing as itself ("203.153.100.82"). Not only is this a violation of RFC 2821/5321 section 4.1.1.1, it's even more frequently a sign of infection.

These listings are often a sign of a compromised SSH account. If you are running an SSH service (especially on Linux), please check your SSH server logs (often /var/log/auth.log) for logins from unusual IP addresses not normally associated with that login id. If you find any, secure the associated account. This usually means changing the password or disabling the account.

If it's a mail server, see naming problems for details on how to diagnose and fix the problem. If you are running Symantec Protection Center, this appeared to be a known issue in the past. See this Knowledge Base item. Their KB item was updated October 18, 2010 to indicate that they now understand the issue. The KB item indicates that the problem will be resolved in a "future build", but no ETA was provided. If you have SPC's email notification feature turned on, we recommend checking through the Knowledge Base item to see if your version has this issue fixed. If not, we recommend turning SPC's notification feature off before delisting your IP address as a temporary workaround.

--------------------------------------------------------------------------------------------------------------------------------------------

MALICIOUS IP:
Heuristic.LooksLike.HTML.Suspicious-URL.K
SPAMBOTSERVER, COMMENT SPAMMER, DICTIONARY ATTACKER, MALWARE
http://203.153.100.82/
  • https://www.virustotal.com/de/url/4d0bf7e41c8dceaebbafa1bf0c70c8b1560a49ce397a92df5a1913a979f70f37/analysis/1397848027/
  • https://www.virustotal.com/de/ip-address/203.153.100.82/information/
Heuristic.LooksLike.HTML.Suspicious-URL.K
  • https://www.virustotal.com/de/file/8822bad3d62e9fbc8dc272644c42f81e4fec540ef7f05c9fd7bcaa26aee7a61b/analysis/
HOSTNAME:
http://ip-82-100-static.velo.net.id/
  • https://www.virustotal.com/de/url/85f9e6aa401e85da826c0d9590b8b671a24afac3000580f79754982b0f9ffadf/analysis/1397850756/

IP BLACKLISTED AT:
1) SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/ip/203.153.100.82
2) COMPOSITE BLOCKING LIST:
  • http://cbl.abuseat.org/lookup.cgi?ip=203.153.100.82
3) SPAMCOP:
  • http://www.spamcop.net/w3m?action=checkblock&ip=203.153.100.82
4) CISCO SENDERBASE:
  • http://www.senderbase.org/lookup/?search_string=203.153.100.82
5) BLOCKLIST.DE:
  • http://www.blocklist.de/en/view.html?ip=203.153.100.82
6) PSBL.ORG:
  • http://psbl.org/listing?ip=203.153.100.82
7) WPBL.INFO:
  • http://www.wpbl.info/cgi-bin/detail.cgi?ip=203.153.100.82
8) PROJECT HONEYPOT:
  • https://www.projecthoneypot.org/ip_203.153.100.82
9) SORBS:
  • http://www.au.sorbs.net/lookup.shtml
10) NiX SPAM:
  • http://www.dnsbl.manitu.net/lookup.php?language=en&value=203.153.100.82
------------------------------------------

SEE ALSO:
  • https://urlquery.net/report.php?id=1397848399616
  • http://zulu.zscaler.com/submission/show/0d60892bc9e925ace8bf7a1c422b7358-1397848147
http://203.153.100.82/winbox/winbox.exe
  • https://www.virustotal.com/de/url/2e48031a59a5f99f23b91508988285232203405cb8640f3c8c40c24e1a702284/analysis/1397848218/
  • https://www.virustotal.com/de/file/eabfa1fd55a53367b901364486f5a5607b9ab04ad94403b7d0fc12509ad85321/analysis/

12/08/2013

Category SUSPICIOUS IP: 17.158.8.111 - HELOs as 17.158.8.111 for 185.5.99.21 - RFC 2821, section 4.1.1.1

The latest CBL statement on this IP (relating to this MALICIOUS IP posting) reads as follows:

It was last detected at 2013-12-08 03:00 GMT (+/- 30 minutes), approximately 3 hours, 30 minutes ago. 
The listing of this IP is because it HELOs as (IP) 17.158.8.111. Not only is this a violation of RFC 2821/5321 section 4.1.1.1, it's even more frequently a sign of infection. (RFC 2821, section 4.1.1.1: Extended HELLO (EHLO) or HELLO (HELO))
These listings are often a sign of a compromised SSH account. If you are running a SSH service (especially on Linux), please check your ssh server logs (often /var/log/auth.log) for logins from this IP. If you find any, secure the associated account. This usually means changing the password or disabling the account. 
If it's a mail server, see naming problems for details on how to diagnose and fix the problem. 
If IP address 17.158.8.111 is or is NATing for a Symantec Protection Center instance, this appears to be a known issue. See this Knowledge Base item. We are attempting to work through this issue with them. Their KB item was updated October 18, 2010 to indicate that they now understand the issue. 
The KB item indicates that the problem will be resolved in a "future build", but no ETA is provided. If you have SPC's email notification feature turned on, we recommend turning it off before delisting your IP address as a temporary workaround. 
This IP is infected (or NATting for a computer that is infected) with a spam-sending infection. In other words, it's participating in a botnet. If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.
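Both postings on this page (4/18/2014 and 12/08/2013) carry the same CBL reason: the client announces itself with a bare IP address instead of a host name, and the address it announces is not even the one it connects from. The Python below is an added example, not code from the blog or from the CBL, that applies the RFC 5321 section 4.1.1.1 rule to a HELO/EHLO argument and compares any address literal with the peer address. The (peer, HELO) pairs are constructed for this example; the two listed addresses come from the postings, the rest are documentation addresses.

```python
import ipaddress
import re

# Added example (not code from the blog or from the CBL): classify what a client
# sent as its HELO/EHLO argument, judged against RFC 5321 section 4.1.1.1 and
# against the address it actually connected from.
#
# RFC 5321: EHLO/HELO takes either a fully qualified domain name or an
# "address literal", which is the IP in square brackets, e.g. "[192.0.2.10]"
# or "[IPv6:2001:db8::1]". A dotted quad without brackets is neither, and is
# what the CBL calls a "bare IP address".

# (peer address, HELO argument) pairs. Constructed for this example; the two
# listed addresses come from the postings above, the rest are RFC 5737/3849
# documentation addresses.
SAMPLE_SESSIONS = [
    ("203.153.100.82", "54.33.33.5"),        # bare IP that is not even its own address
    ("185.5.99.21", "17.158.8.111"),         # bare IP belonging to someone else
    ("192.0.2.10", "[192.0.2.10]"),          # address literal naming the peer: allowed
    ("192.0.2.11", "[192.0.2.99]"),          # address literal naming a different host
    ("198.51.100.5", "mail.example.org"),    # FQDN: what a real MTA should send
    ("198.51.100.6", "localhost"),           # single label, not fully qualified
    ("2001:db8::1", "[IPv6:2001:db8::1]"),   # IPv6 address literal naming the peer
]

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def classify_helo(peer_ip: str, helo: str) -> str:
    """Return a verdict for one HELO/EHLO argument.

    "ok-fqdn"          syntactically valid multi-label host name
    "ok-literal"       bracketed address literal that names the connecting address
    "literal-mismatch" bracketed address literal that names some other address
    "bare-ip"          an IP address with no brackets (the CBL listing reason)
    "not-fqdn"         anything else (single label, bad label syntax, numeric TLD)
    """
    peer = ipaddress.ip_address(peer_ip)
    arg = helo.strip()

    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        if inner[:5].upper() == "IPV6:":
            inner = inner[5:]
        try:
            literal = ipaddress.ip_address(inner)
        except ValueError:
            return "not-fqdn"      # brackets around something that is not an address
        return "ok-literal" if literal == peer else "literal-mismatch"

    try:
        ipaddress.ip_address(arg)
        return "bare-ip"           # parses as an address, but without the brackets
    except ValueError:
        pass

    labels = arg.split(".")
    if len(labels) < 2 or not all(LDH_LABEL.match(label) for label in labels):
        return "not-fqdn"
    if not re.search(r"[A-Za-z]", labels[-1]):
        return "not-fqdn"          # all-numeric top label, e.g. "1.2.3"
    return "ok-fqdn"


def violations(sessions):
    """Sessions whose HELO would draw a listing or at least deserve a look."""
    return [(peer, helo, classify_helo(peer, helo))
            for peer, helo in sessions
            if not classify_helo(peer, helo).startswith("ok-")]


if __name__ == "__main__":
    for peer, helo, verdict in violations(SAMPLE_SESSIONS):
        print(f"{peer:<16} HELO {helo:<22} -> {verdict}")
```

The "bare-ip" verdict is the exact condition behind both listings; the CBL lists a bare address whether or not it happens to be the sender's own. For a legitimate mail server the fix is on the sending side, which is what the "naming problems" reference above is about: make the host announce its own fully qualified name (in Postfix, `smtp_helo_name` defaults to `$myhostname`, so setting `myhostname` to the real FQDN is usually enough). A bare IP from a host that is not a mail server at all is the infection case, and delisting without cleaning the machine just leads to a relist.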

CBL-LINK:  http://cbl.abuseat.org/lookup.cgi?ip=185.5.99.21

Network Owner on this IP: Apple
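Both CBL statements on this page also ask the administrator to check the SSH server log for logins from addresses not normally associated with a login id (the 4/18/2014 text) or from the listed IP itself (the 12/08/2013 text). The Python below is an added example, not code from the blog or from the CBL, that performs the broader of the two checks over an OpenSSH auth.log excerpt: it flags accepted logins from outside each account's usual source networks and counts the failed attempts that preceded them from the same address. The log lines, the host name mx1, the user names and the 10.0.0.0/24 internal range are all constructed for this example; the two outside addresses are the ones listed in the postings above.

```python
import ipaddress
import re
from collections import defaultdict

# Added example (not code from the blog or from the CBL): the check the CBL text
# asks for, run over an OpenSSH auth.log excerpt. The log lines are constructed
# for this example; the two outside addresses are the ones listed in the postings
# above. Host name, user names and the internal 10.0.0.0/24 range are assumptions.
AUTH_LOG = """\
Apr 18 09:12:01 mx1 sshd[4121]: Accepted publickey for deploy from 10.0.0.5 port 51122 ssh2: ED25519 SHA256:abc
Apr 18 09:40:17 mx1 sshd[4198]: Accepted password for deploy from 10.0.0.5 port 51200 ssh2
Apr 18 10:03:44 mx1 sshd[4233]: Failed password for root from 203.153.100.82 port 33010 ssh2
Apr 18 10:03:49 mx1 sshd[4233]: Failed password for root from 203.153.100.82 port 33010 ssh2
Apr 18 10:04:20 mx1 sshd[4237]: Failed password for deploy from 203.153.100.82 port 33380 ssh2
Apr 18 10:05:02 mx1 sshd[4240]: Accepted password for deploy from 203.153.100.82 port 33388 ssh2
Apr 18 11:15:30 mx1 sshd[4301]: Accepted publickey for alice from 10.0.0.7 port 40122 ssh2: RSA SHA256:def
Apr 18 11:16:01 mx1 sshd[4305]: Accepted password for alice from 185.5.99.21 port 40500 ssh2
Apr 18 11:16:05 mx1 sshd[4305]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# Where each login id is normally used from. An assumption here; in practice
# derive it from a known-clean period of the same log or from an inventory.
EXPECTED_SOURCES = {
    "deploy": ["10.0.0.0/24"],
    "alice": ["10.0.0.0/24"],
}

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def from_expected_source(user: str, ip: str) -> bool:
    """True if ip lies in one of the networks this login id normally uses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in EXPECTED_SOURCES.get(user, []))


def unusual_logins(log_text: str):
    """Accepted logins from sources not associated with that login id.

    Returns (user, ip, auth method, failures seen from that ip earlier in the log).
    The failure count separates a brute force that finally succeeded from a
    merely unlisted but possibly legitimate address; the method matters because
    a password success from a new address is the classic compromised-account sign.
    """
    failures_by_ip = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        failed = FAILED.search(line)
        if failed:
            failures_by_ip[failed["ip"]] += 1
            continue
        accepted = ACCEPTED.search(line)
        if accepted and not from_expected_source(accepted["user"], accepted["ip"]):
            hits.append((accepted["user"], accepted["ip"],
                         accepted["method"], failures_by_ip[accepted["ip"]]))
    return hits


def accounts_to_secure(log_text: str):
    """Distinct login ids that need a password change or disabling."""
    return sorted({user for user, _ip, _method, _failures in unusual_logins(log_text)})


if __name__ == "__main__":
    for user, ip, method, failures in unusual_logins(AUTH_LOG):
        print(f"{user}: accepted {method} from {ip} ({failures} prior failures from that address)")
    print("secure:", ", ".join(accounts_to_secure(AUTH_LOG)))
```

On the constructed excerpt the deploy account shows the pattern the CBL is warning about: three failed password attempts from 203.153.100.82 followed by an accepted password login, which is a guessed or leaked password rather than a roaming user. The alice login from 185.5.99.21 has no preceding failures and still needs to be confirmed with the user; either way the remedy the CBL text gives applies, change the password or disable the account, and prefer key-only authentication so a guessed password no longer grants a shell.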