Re: [AFMUG] Odd situation

[David]

Sounds like a typical compromised email account with a trojan running 
the whole thing.
Secure email account
then disinfect machine with lysol and should be good LOL

On 02/10/2016 10:31 AM, Glen Waldrop wrote:
Rural customer. Just about the only neighbor that could have gotten on 
their WIFI just died in their early 90s.
No idea.

I think it is just a 100% misdiagnosis by non-IT guys. I’m trying to 
get the info myself.
From what I’ve been able to put together it sounds like someone has 
their login and password to their email accounts.
Still need all of the info.
I guess that 90+ year old could have been taking in side money as a 
spammer, but...
*From:* That One Guy /sarcasm <mailto:thatoneguyst...@gmail.com>
*Sent:* Tuesday, February 09, 2016 10:01 PM
*To:* af@afmug.com <mailto:af@afmug.com>
*Subject:* Re: [AFMUG] Odd situation
dish probably connected some smart tv/roku/wifi extender in an 
unsecured fashion to their network and never told the customer about 
it, and it has since been hijacked and is relaying spam
On Tue, Feb 9, 2016 at 9:38 PM, Glen Waldrop <gwl...@cngwireless.net 
<mailto:gwl...@cngwireless.net>> wrote:

    First and foremost my office is a computer service, so bugged
    computers come through here 24/7. It is my job.

    The whole point of that was to monitor what it was doing.

    Digging in to the IP’s it was communicating with, the secure
    connection was to Microsoft. Windows 8 and 10 have to call home to
    big brother constantly. Not a fan.
    Looks like yet another “the sky is falling, fix it, it is pwned
    beyond belief” was sent to my office with pretty much nothing
    wrong with it. I went through it multiple times, all I found was
    the Inbox toolbar. Watched it on torch for 5 hours, nothing but
    Microsoft and the SNMP traffic, no emails, nada.
    The SNMP queries coming from it still puzzle me, though it is
    likely the laptop is trying to monitor his home security system or
    something.
    Long story short, the laptop was sent to me because supposedly
    they’re sending 17k spam a day from their IP. Problem is they’re
    on my Internet and the IP in question belongs to Dish network,
    which they do have as a backup, but wasn’t even connected at the time.

    Looks like a whole lot of misdiagnosis by non-IT guys.
    *From:* Eric Kuhnke <mailto:eric.kuh...@gmail.com>
    *Sent:* Tuesday, February 09, 2016 4:37 PM
    *To:* af@afmug.com <mailto:af@afmug.com>
    *Subject:* Re: [AFMUG] Odd situation
    only the second most preposterous part of the movie, after the
    part where javier bardem escapes and detonates the floor of a
    london tube tunnel at precisely the right time, causing the train
    to chase bond...

    Q is supposed to be a genius level intellect and network
    security/blackhat, yet he plugs the device into their secure network?

    nevermind all the fancy eye candy GUI hacking crap which is
    required because it's hollywood...
    On Tue, Feb 9, 2016 at 2:35 PM, Cameron Crum <cc...@wispmon.com
    <mailto:cc...@wispmon.com>> wrote:

        Didn't this happen in Skyfall?
        On Tue, Feb 9, 2016 at 4:33 PM, Josh Luthman
        <j...@imaginenetworksllc.com
        <mailto:j...@imaginenetworksllc.com>> wrote:

            +1

            Josh Luthman
            Office: 937-552-2340 <tel:937-552-2340>
            Direct: 937-552-2343 <tel:937-552-2343>
            1100 Wayne St
            Suite 1337
            Troy, OH 45373

            On Feb 9, 2016 5:29 PM, "Eric Kuhnke"
            <eric.kuh...@gmail.com <mailto:eric.kuh...@gmail.com>> wrote:

                you brought a known-infected laptop into your office
                and plugged it into your LAN? uhhh... okay.....

                http://www.dban.org/

                the port 443 connection is probably command and
                control for some variety of rootkit/APT.


                On Tue, Feb 9, 2016 at 10:00 AM, Glen Waldrop
                <gwl...@cngwireless.net
                <mailto:gwl...@cngwireless.net>> wrote:

                    I’ve got a customer with a bugged laptop. Not
                    biggie, sending spam.

                    I haven’t quite tracked that down yet, looks like
                    it is logging into a remote server on 443, nothing
                    obvious.
                    What I’ve noticed that brought me to bring this to
                    the list is that it is currently 192.168.0.50 on
                    my office network, probing 192.168.1.4 through 6
                    on SNMP (doesn’t exist on my network, only on my
                    sandbox that this laptop can’t see at all, nothing
                    has been on my sandbox in weeks), also pinging my
                    edge, though not my local edge, my network edge on
                    it’s internal IP of 10.0.11.1.

                    The customer’s IP address is on the 10.0.22.0/24
                    <http://10.0.22.0/24> subnet, two hops to
                    10.0.11.0/24 <http://10.0.11.0/24>. At my office
                    it is two hops from 192.168.0.0/24
                    <http://192.168.0.0/24> to 10.0.11.1.

                    If it was some form of a hack you’d figured they’d
                    go by my public IP, though I suppose they’re
                    looking for the possibility of not being secured
                    on the inside.

                    Just throwing this out there, looked interesting
                    and weird to me.



--
If you only see yourself as part of the team but you don't see your 
team as part of yourself you have already failed as part of the team.