Usually it means one of their honeypot servers (shadow servers) got hit with an attack signature from the IP they listed… Usually that’s how they do the detection…

> On Sep 5, 2017, at 10:40 AM, Steve Jones <[email protected]> wrote:
>
> We get these reports, as of yet I haven't found any to be false positives, I
> notify customers of a detected risk once then leave it on them.
> However we now have one that's reporting Mirai botnet drone detection. We
> notified the customer, it went away for like a week and has resurfaced.
> He's got some ingenius gateway thing, looks like it's an IP
> camera/filesharing/gps location tracking deal.
>
> Before I shut this customer off, I just want to be able to verify this isn't a
> false positive. There are many scanners for this online but will only scan
> the IP that originates, we did send him a link
>
> The tools for scanning appear to limit to local subnet only.
>
> Shadowserver's report isn't all that clear on whether it's simply detected a
> vulnerability, or has detected a fingerprint of the infection. If it didn't
> specifically name the infection I would assume the former.
