That's why the account should be secured first. Then worry about backlash.
Once the account is shut down the outgoing spam will stop. Use logs to
track all denied addresses and dump them into a DNS blackhole.


On 02/10/2016 12:21 PM, Ken Hohhof wrote:
“From their account” and “from their IP” are usually separate things. Probably need to determine if someone actually determined it was from their IP, or just assumed that. It used to be common to plant a spambot on a compromised computer, but so many ISPs block outbound traffic to port 25 that this method is much less common these days. The more common method now is to get hold of someone’s email credentials and use those to relay spam through the email host’s mail relay, often from a botnet, but not from the compromised customer’s computer or IP address. Once you have their credentials, you can relay spam from any IP address through the legitimate MX server which trusts those credentials, at least until the account gets suspended. So maybe the computer is infected with malware and part of a botnet, but likely it would be sending spam on port 587 using SMTP AUTH and a list of stolen usernames and passwords. All the time we get customers who assume their computer is infected because their email credentials are being used to send spam, they don’t understand once someone has their credentials the spam can come from anywhere.
*From:* David <mailto:[email protected]>
*Sent:* Wednesday, February 10, 2016 10:52 AM
*To:* [email protected] <mailto:[email protected]>
*Subject:* Re: [AFMUG] Odd situation
Sounds like a typical compromised email account with a trojan running the whole thing.
Secure email account
then disinfect machine with lysol and should be good LOL


On 02/10/2016 10:31 AM, Glen Waldrop wrote:
Rural customer. Just about the only neighbor that could have gotten on their WIFI just died in their early 90s.
No idea.

I think it is just a 100% misdiagnosis by non-IT guys. I’m trying to get the info myself. From what I’ve been able to put together it sounds like someone has their login and password to their email accounts.
Still need all of the info.
I guess that 90+ year old could have been taking in side money as a spammer, but...
*From:* That One Guy /sarcasm <mailto:[email protected]>
*Sent:* Tuesday, February 09, 2016 10:01 PM
*To:* [email protected] <mailto:[email protected]>
*Subject:* Re: [AFMUG] Odd situation
Dish probably connected some smart tv/roku/wifi extender in an unsecured fashion to their network and never told the customer about it, and it has since been hijacked and is relaying spam
On Tue, Feb 9, 2016 at 9:38 PM, Glen Waldrop <[email protected] <mailto:[email protected]>> wrote:

    First and foremost my office is a computer service, so bugged
    computers come through here 24/7. It is my job.

    The whole point of that was to monitor what it was doing.

    Digging into the IPs it was communicating with, the secure
    connection was to Microsoft. Windows 8 and 10 have to call home
    to big brother constantly. Not a fan.
    Looks like yet another “the sky is falling, fix it, it is pwned
    beyond belief” was sent to my office with pretty much nothing
    wrong with it. I went through it multiple times, all I found was
    the Inbox toolbar. Watched it on torch for 5 hours, nothing but
    Microsoft and the SNMP traffic, no emails, nada.
    The SNMP queries coming from it still puzzle me, though it is
    likely the laptop is trying to monitor his home security system
    or something.
    Long story short, the laptop was sent to me because supposedly
    they’re sending 17k spam a day from their IP. Problem is they’re
    on my Internet and the IP in question belongs to Dish network,
    which they do have as a backup, but wasn’t even connected at the
    time.

    Looks like a whole lot of misdiagnosis by non-IT guys.
    *From:* Eric Kuhnke <mailto:[email protected]>
    *Sent:* Tuesday, February 09, 2016 4:37 PM
    *To:* [email protected] <mailto:[email protected]>
    *Subject:* Re: [AFMUG] Odd situation
    only the second most preposterous part of the movie, after the
    part where javier bardem escapes and detonates the floor of a
    london tube tunnel at precisely the right time, causing the train
    to chase bond...

    Q is supposed to be a genius level intellect and network
    security/blackhat, yet he plugs the device into their secure network?

    nevermind all the fancy eye candy GUI hacking crap which is
    required because it's hollywood...
    On Tue, Feb 9, 2016 at 2:35 PM, Cameron Crum <[email protected]
    <mailto:[email protected]>> wrote:

        Didn't this happen in Skyfall?
        On Tue, Feb 9, 2016 at 4:33 PM, Josh Luthman
        <[email protected]
        <mailto:[email protected]>> wrote:

            +1

            Josh Luthman
            Office: 937-552-2340 <tel:937-552-2340>
            Direct: 937-552-2343 <tel:937-552-2343>
            1100 Wayne St
            Suite 1337
            Troy, OH 45373

            On Feb 9, 2016 5:29 PM, "Eric Kuhnke"
            <[email protected] <mailto:[email protected]>> wrote:

                you brought a known-infected laptop into your office
                and plugged it into your LAN?  uhhh... okay.....

                http://www.dban.org/

                the port 443 connection is probably command and
                control for some variety of rootkit/APT.


                On Tue, Feb 9, 2016 at 10:00 AM, Glen Waldrop
                <[email protected]
                <mailto:[email protected]>> wrote:

                    I’ve got a customer with a bugged laptop. No
                    biggie, sending spam.

                    I haven’t quite tracked that down yet, looks like
                    it is logging into a remote server on 443,
                    nothing obvious.
                    What I’ve noticed that brought me to bring this
                    to the list is that it is currently 192.168.0.50
                    on my office network, probing 192.168.1.4 through
                    6 on SNMP (doesn’t exist on my network, only on
                    my sandbox that this laptop can’t see at all,
                    nothing has been on my sandbox in weeks), also
                    pinging my edge, though not my local edge, my
                    network edge on its internal IP of 10.0.11.1.

                    The customer’s IP address is on the 10.0.22.0/24
                    <http://10.0.22.0/24> subnet, two hops to
                    10.0.11.0/24 <http://10.0.11.0/24>. At my office
                    it is two hops from 192.168.0.0/24
                    <http://192.168.0.0/24> to 10.0.11.1.

                    If it was some form of a hack you’d figure
                    they’d go by my public IP, though I suppose
                    they’re looking for the possibility of not being
                    secured on the inside.

                    Just throwing this out there, looked interesting
                    and weird to me.



--
If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
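Added example, not written by anyone on this thread: Ken Hohhof's point is that once credentials are stolen, spam is relayed over SMTP AUTH on 587 from any IP, so the customer's own address tells you little; the top of the thread suggests logging the offending addresses into a DNS blackhole. The script below does both on constructed Postfix submission-service log lines (the log format, account names and addresses are all assumptions): it flags an account that authenticates from more IPs than a real user plausibly would inside a short window, and turns those IPs into reversed-octet A records for a local blackhole zone.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix/SASL-style submission log (not from the thread).
# sasl_username is the customer account used for SMTP AUTH on port 587.
SAMPLE_LOG = """\
Feb 10 12:01:03 mx postfix/submission/smtpd[1201]: AB12: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=alice
Feb 10 12:01:09 mx postfix/submission/smtpd[1202]: AB13: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Feb 10 12:02:15 mx postfix/submission/smtpd[1203]: AB14: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice
Feb 10 12:02:40 mx postfix/submission/smtpd[1204]: AB15: client=unknown[203.0.113.99], sasl_method=PLAIN, sasl_username=alice
Feb 10 12:03:01 mx postfix/submission/smtpd[1205]: AB16: client=home.example[192.0.2.200], sasl_method=PLAIN, sasl_username=bob
Feb 10 12:30:22 mx postfix/submission/smtpd[1206]: AB17: client=home.example[192.0.2.200], sasl_method=PLAIN, sasl_username=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?client=\S+\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)"
)

def parse_auth_log(text, year=2016):
    """Yield (timestamp, username, client_ip) for each SMTP AUTH line; syslog has no year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_abused_accounts(events, window_minutes=10, max_ips=3):
    """Return {username: sorted client IPs} for accounts that authenticated from
    more than max_ips distinct addresses within any window_minutes span.
    A real user moving between home and phone stays under the threshold;
    a botnet relaying through one stolen login from many hosts does not."""
    per_user = defaultdict(list)
    for ts, user, ip in events:
        per_user[user].append((ts, ip))
    flagged = {}
    for user, seq in per_user.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            ips = {ip for ts, ip in seq[i:] if (ts - start).total_seconds() <= window_minutes * 60}
            if len(ips) > max_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

def dnsbl_zone_entries(ips, zone="bl.example.invalid"):
    """BIND-style A records in the reversed-octet form DNSBL zones use."""
    return [f"{'.'.join(reversed(ip.split('.')))}.{zone}. IN A 127.0.0.2" for ip in sorted(ips)]
```

Blocking the relaying IPs only buys time; the account's password still has to be changed, since the next batch of spam will simply come from different addresses.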

