+1

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St Suite 1337
Troy, OH 45373

On Feb 9, 2016 5:29 PM, "Eric Kuhnke" <[email protected]> wrote:
> you brought a known-infected laptop into your office and plugged it into
> your LAN? uhhh... okay.....
>
> http://www.dban.org/
>
> the port 443 connection is probably command and control for some variety
> of rootkit/APT.
>
>
> On Tue, Feb 9, 2016 at 10:00 AM, Glen Waldrop <[email protected]>
> wrote:
>
>> I’ve got a customer with a bugged laptop. No biggie, sending spam.
>>
>> I haven’t quite tracked that down yet, looks like it is logging into a
>> remote server on 443, nothing obvious.
>>
>> What I’ve noticed that brought me to bring this to the list is that it is
>> currently 192.168.0.50 on my office network, probing 192.168.1.4 through 6
>> on SNMP (doesn’t exist on my network, only on my sandbox that this laptop
>> can’t see at all, nothing has been on my sandbox in weeks), also pinging my
>> edge, though not my local edge, my network edge on its internal IP of
>> 10.0.11.1.
>>
>> The customer’s IP address is on the 10.0.22.0/24 subnet, two hops to
>> 10.0.11.0/24. At my office it is two hops from 192.168.0.0/24 to
>> 10.0.11.1.
>>
>> If it was some form of a hack you’d figure they’d go by my public IP,
>> though I suppose they’re looking for the possibility of not being secured
>> on the inside.
>>
>> Just throwing this out there, looked interesting and weird to me.
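The pattern Glen describes (an SNMP sweep of a subnet the host has no business on, pings at the internal gateway address, and a persistent outbound 443 session that Eric reads as likely C2) is the kind of thing a defender would want to pull out of flow or firewall logs automatically. The script below is an added example, not code from anyone on the thread; it runs over constructed flow records that mirror the thread's addresses, and the office subnet 192.168.0.0/24, the RFC1918 definition of "internal", and the threshold of three SNMP targets are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, proto, dst_port) mirroring the thread's
# description; they are not logs from the thread.
FLOWS = [
    ("192.168.0.50", "192.168.1.4", "udp", 161),
    ("192.168.0.50", "192.168.1.5", "udp", 161),
    ("192.168.0.50", "192.168.1.6", "udp", 161),
    ("192.168.0.50", "10.0.11.1", "icmp", 0),
    ("192.168.0.50", "203.0.113.10", "tcp", 443),
    ("192.168.0.20", "203.0.113.20", "tcp", 443),  # ordinary browsing, no recon
]
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed office subnet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(addr in net for net in RFC1918)

def recon_summary(flows, lan=LAN):
    """Per source host: off-subnet SNMP targets, off-subnet internal ICMP
    targets, and external TCP/443 peers. Same-subnet traffic is skipped."""
    out = defaultdict(lambda: {"snmp": set(), "icmp": set(), "https": set()})
    for src, dst, proto, dport in flows:
        d = ipaddress.ip_address(dst)
        if d in lan:
            continue
        if proto == "udp" and dport == 161:
            out[src]["snmp"].add(dst)
        elif proto == "icmp" and is_internal(d):
            out[src]["icmp"].add(dst)
        elif proto == "tcp" and dport == 443 and not is_internal(d):
            out[src]["https"].add(dst)
    return out

def suspicious_hosts(flows, lan=LAN, min_snmp=3):
    """Flag hosts sweeping SNMP on another subnet or pinging internal gateways;
    external 443 peers are listed only for flagged hosts (HTTPS alone is normal)."""
    flagged = {}
    for src, rec in recon_summary(flows, lan).items():
        reasons = []
        if len(rec["snmp"]) >= min_snmp:
            reasons.append(f"snmp sweep of {len(rec['snmp'])} off-subnet hosts")
        if rec["icmp"]:
            reasons.append(f"icmp to internal addresses {sorted(rec['icmp'])}")
        if reasons and rec["https"]:
            reasons.append(f"review tcp/443 peers {sorted(rec['https'])} for C2")
        if reasons:
            flagged[src] = reasons
    return flagged
```

Run against the constructed flows, 192.168.0.50 is flagged with all three reasons while 192.168.0.20, which only browses HTTPS, is not; on real logs the 443 peer list is what you would hand to whoever is looking at the infected laptop.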
