First and foremost my office is a computer service, so bugged computers come 
through here 24/7. It is my job.

The whole point of that was to monitor what it was doing.

Digging into the IPs it was communicating with, the secure connection was to 
Microsoft. Windows 8 and 10 have to call home to big brother constantly. Not a 
fan.

Looks like yet another “the sky is falling, fix it, it is pwned beyond belief” 
was sent to my office with pretty much nothing wrong with it. I went through it 
multiple times, all I found was the Inbox toolbar. Watched it on torch for 5 
hours, nothing but Microsoft and the SNMP traffic, no emails, nada.

The SNMP queries coming from it still puzzle me, though it is likely the laptop 
is trying to monitor his home security system or something.

Long story short, the laptop was sent to me because supposedly they’re sending 
17k spam a day from their IP. Problem is they’re on my Internet and the IP in 
question belongs to Dish network, which they do have as a backup, but wasn’t 
even connected at the time.

Looks like a whole lot of misdiagnosis by non-IT guys.
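
The triage Glen describes in this thread (watching what the suspect host talks to for hours, then asking whether its SNMP and ICMP targets even exist on the network it is plugged into, and which public 443 endpoints it reaches) can be scripted. The following is an added example and is not code from the thread or from anyone on the list. It assumes a simple one-flow-per-line "proto src dst dport" listing rather than any particular tool's export, the sample flows are constructed to mirror the thread's description (SNMP to 192.168.1.4-6, pings to 10.0.11.1, TLS to two public addresses), and the public addresses are TEST-NET placeholders, not real Microsoft or C2 servers.

```python
"""Triage the outbound traffic of one suspect host from a flow listing.

Added example (not from the AFMUG thread). Input: one flow per line,
"proto src dst dport", with "-" as dport for ICMP. The sample below is
constructed, not a real capture; public addresses are TEST-NET placeholders.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample flows, modelled on what the thread describes.
SAMPLE_FLOWS = """\
udp  192.168.0.50 192.168.1.4    161
udp  192.168.0.50 192.168.1.5    161
udp  192.168.0.50 192.168.1.6    161
udp  192.168.0.50 192.168.1.4    161
icmp 192.168.0.50 10.0.11.1      -
icmp 192.168.0.50 10.0.11.1      -
tcp  192.168.0.50 203.0.113.10   443
tcp  192.168.0.50 203.0.113.10   443
tcp  192.168.0.50 198.51.100.7   443
udp  192.168.0.50 192.168.0.1    53
tcp  192.168.0.50 192.168.0.20   445
tcp  192.168.0.20 192.168.0.50   139
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    # Explicit check instead of ipaddress.is_private, which would also
    # classify the TEST-NET documentation ranges in the sample as non-global.
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int]  # None for ICMP


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed 'proto src dst dport' listing; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, dst, dport = line.split()
        flows.append(Flow(proto.lower(), ipaddress.ip_address(src),
                          ipaddress.ip_address(dst),
                          None if dport == "-" else int(dport)))
    return flows


def triage(flows: Iterable[Flow], host: str, local_net: str,
           live_hosts: Iterable[str]) -> dict:
    """Count where `host` sends traffic and flag the oddities from the thread.

    local_net:  the subnet the suspect host is plugged into.
    live_hosts: addresses that really exist on that LAN; SNMP toward private
                addresses not in this set is flagged (nothing there to poll).
    """
    host_ip = ipaddress.ip_address(host)
    net = ipaddress.ip_network(local_net)
    live = {ipaddress.ip_address(h) for h in live_hosts}
    result = {
        "by_dst": Counter(),                   # (proto, dst, dport) -> flow count
        "snmp_to_missing": Counter(),          # SNMP to private addrs nobody answers for
        "icmp_off_subnet_private": Counter(),  # pings to private addrs outside local_net
        "tls_public_dst": Counter(),           # 443 to public addrs, to look up offline
    }
    for f in flows:
        if f.src != host_ip:
            continue  # only the suspect host's own outbound traffic
        result["by_dst"][(f.proto, str(f.dst), f.dport)] += 1
        if f.proto == "udp" and f.dport == 161 and is_rfc1918(f.dst) and f.dst not in live:
            result["snmp_to_missing"][str(f.dst)] += 1
        if f.proto == "icmp" and is_rfc1918(f.dst) and f.dst not in net:
            result["icmp_off_subnet_private"][str(f.dst)] += 1
        if f.proto == "tcp" and f.dport == 443 and not is_rfc1918(f.dst):
            result["tls_public_dst"][str(f.dst)] += 1
    return result


def report(result: dict) -> List[str]:
    """One line per flagged destination, grouped by finding."""
    lines = []
    for key in ("snmp_to_missing", "icmp_off_subnet_private", "tls_public_dst"):
        for dst, n in sorted(result[key].items()):
            lines.append(f"{key}: {dst} x{n}")
    return lines


if __name__ == "__main__":
    r = triage(parse_flows(SAMPLE_FLOWS), "192.168.0.50", "192.168.0.0/24",
               live_hosts=["192.168.0.1", "192.168.0.20"])
    print("\n".join(report(r)))
```

The point of the two private-address checks is the one Glen raises: a host on 192.168.0.0/24 polling 192.168.1.4-6 and pinging 10.0.11.1 is acting on addresses it learned somewhere else (a previous network, or a home monitoring setup), which is a different question from whether the 443 traffic is hostile; the public 443 destinations are only counted here so they can be resolved and attributed separately, offline.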



From: Eric Kuhnke 
Sent: Tuesday, February 09, 2016 4:37 PM
To: [email protected] 
Subject: Re: [AFMUG] Odd situation

only the second most preposterous part of the movie, after the part where 
javier bardem escapes and detonates the floor of a london tube tunnel at 
precisely the right time, causing the train to chase bond...


Q is supposed to be a genius level intellect and network security/blackhat, yet 
he plugs the device into their secure network?


nevermind all the fancy eye candy GUI hacking crap which is required because 
it's hollywood...


On Tue, Feb 9, 2016 at 2:35 PM, Cameron Crum <[email protected]> wrote:

  Didn't this happen in Skyfall?

  On Tue, Feb 9, 2016 at 4:33 PM, Josh Luthman <[email protected]> 
wrote:

    +1

    Josh Luthman
    Office: 937-552-2340
    Direct: 937-552-2343
    1100 Wayne St
    Suite 1337
    Troy, OH 45373

    On Feb 9, 2016 5:29 PM, "Eric Kuhnke" <[email protected]> wrote:

      you brought a known-infected laptop into your office and plugged it into 
your LAN?  uhhh... okay.....

      http://www.dban.org/


      the port 443 connection is probably command and control for some variety 
of rootkit/APT.





      On Tue, Feb 9, 2016 at 10:00 AM, Glen Waldrop <[email protected]> 
wrote:

        I’ve got a customer with a bugged laptop. No biggie, sending spam.

        I haven’t quite tracked that down yet, looks like it is logging into a 
remote server on 443, nothing obvious.

        What I’ve noticed that brought me to bring this to the list is that it 
is currently 192.168.0.50 on my office network, probing 192.168.1.4 through 6 
on SNMP (doesn’t exist on my network, only on my sandbox, which this laptop can’t 
see at all, and nothing has been on my sandbox in weeks), also pinging my edge, 
though not my local edge, my network edge on its internal IP of 10.0.11.1.

        The customer’s IP address is on the 10.0.22.0/24 subnet, two hops to 
10.0.11.0/24. At my office it is two hops from 192.168.0.0/24 to 10.0.11.1.

        If it was some form of a hack you’d figure they’d go by my public IP, 
though I suppose they’re looking for the possibility of not being secured on 
the inside.

        Just throwing this out there, looked interesting and weird to me.



