Normally I don't do much about it, but malicious activity I police when possible. I do not want us, as a company, to get involved in diagnosing or mitigating IoT malware; I told them (the company, not the customer) that's outside my work payscale, but on the side I will take care of it. You guys, how do you handle stuff like this from the ISP perspective? It's an AUP violation so we are covered, but it's also a dick move to shut a guy off for something they may not understand.

I read through the write-ups on their sites, but didn't find anything more specific to this; it shows some ports in the report. I'm just curious how to determine if this was a result of the daily scans they do or a honeypot hit.

On Tue, Sep 5, 2017 at 10:21 AM, Larry Smith <[email protected]> wrote:
> There is a pretty good writeup on the shadowserver site
> about each of the items they report. For the botnet related
> (search botnet) they give some documentation (separate link)
> but with many of these, too much information about what you
> are doing spoils the pot as it were...
>
> --
> Larry Smith
> [email protected]
>
> On Tue September 5 2017 09:40, Steve Jones wrote:
> > We get these reports; as of yet I haven't found any to be false positives. I
> > notify customers of a detected risk once, then leave it on them.
> > However, we now have one that's reporting Mirai botnet drone detection. We
> > notified the customer; it went away for like a week and has resurfaced.
> > He's got some ingenious gateway thing, looks like it's an IP
> > camera/filesharing/gps location tracking deal.
> >
> > Before I shut this customer off, I just want to be able to verify this isn't
> > a false positive. There are many scanners for this online but will only
> > scan the IP that originates; we did send him a link.
> >
> > The tools for scanning appear to limit to local subnet only.
> >
> > Shadowserver's report isn't all that clear on whether it's simply detected a
> > vulnerability, or has detected a fingerprint of the infection. If it didn't
> > specifically name the infection I would assume the former.
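An added example, not posted by anyone in this thread and not based on Shadowserver's actual report schema: one way an ISP can corroborate a drone report from its own side, using flow records rather than a remote scanner that can only probe the originating IP. The column names in the report snippet, the flow record fields, and the sample addresses are all constructed for this example. The idea is the distinction the thread is circling: a row that came from a daily scan only tells you a service answered, whereas a real drone shows up in your netflow as the source of wide bare-SYN probing toward TCP/23 and 2323 and as a client of the reported controller address. If neither is visible from the customer's side, treat the report as an exposed-service hit and not yet as evidence of infection.

```python
import csv
import io

# Constructed report rows in a simplified, Shadowserver-like layout. The column
# names are assumptions for this example, not the real report schema. Row one is
# the "drone" style entry naming an infection and controller; row two is the kind
# of entry a daily service scan produces (open port, no infection named).
REPORT_CSV = """timestamp,ip,port,infection,cc,cc_port
2017-09-05 08:12:44,198.51.100.23,49152,mirai,203.0.113.9,48101
2017-09-05 08:15:02,198.51.100.40,23,,,
"""

# Ports Mirai-family drones probe when looking for further telnet-exposed devices.
TELNET_PORTS = {23, 2323}


def _flow(src, sport, dst, dport, flags):
    # Constructed unidirectional flow record (fields are assumptions, not a
    # specific exporter's format).
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": "tcp", "flags": flags}


def sample_flows():
    """Constructed flow export covering both reported customer addresses."""
    flows = []
    # .23 sends bare SYNs to TCP/23 on 30 distinct addresses (wide-net probing)
    # and holds an established session to the reported controller address/port.
    for i in range(30):
        flows.append(_flow("198.51.100.23", 40000 + i, f"192.0.2.{i + 1}", 23, "S"))
    flows.append(_flow("198.51.100.23", 51000, "203.0.113.9", 48101, "SPA"))
    # .40 only answers an inbound probe on its telnet port and does DNS;
    # it never initiates anything unusual.
    flows.append(_flow("100.64.0.7", 4242, "198.51.100.40", 23, "S"))
    flows.append(_flow("198.51.100.40", 23, "100.64.0.7", 4242, "SA"))
    flows.append(_flow("198.51.100.40", 55123, "198.51.100.1", 53, "SPA"))
    return flows


def parse_report(text):
    return list(csv.DictReader(io.StringIO(text)))


def outbound_probe_targets(flows, ip, ports=TELNET_PORTS):
    """Distinct destinations that ip sent bare SYNs to on the given ports."""
    return {f["dst"] for f in flows
            if f["src"] == ip and f["dport"] in ports and f["flags"] == "S"}


def contacted_controller(flows, ip, cc, cc_port):
    """True if ip initiated traffic to the reported controller address and port."""
    if not cc or not cc_port:
        return False
    return any(f["src"] == ip and f["dst"] == cc and f["dport"] == int(cc_port)
               for f in flows)


def triage(report_text, flows, probe_threshold=20):
    """Classify each reported IP by what the ISP's own flow data corroborates."""
    verdicts = {}
    for row in parse_report(report_text):
        ip = row["ip"]
        probes = len(outbound_probe_targets(flows, ip))
        cc = contacted_controller(flows, ip, row["cc"], row["cc_port"])
        if cc and probes >= probe_threshold:
            verdict = "corroborated: outbound scanning and controller contact"
        elif cc:
            verdict = "corroborated: controller contact"
        elif probes >= probe_threshold:
            verdict = "suspicious: outbound scanning, no controller contact seen"
        else:
            verdict = ("uncorroborated: only inbound/ordinary traffic; "
                       "likely an exposed-service scan hit")
        verdicts[ip] = {"infection": row["infection"], "probe_targets": probes,
                        "cc_contact": cc, "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for ip, result in triage(REPORT_CSV, sample_flows()).items():
        print(ip, result)
```

The probe threshold is deliberately a parameter: a household NAT with a few devices will not produce dozens of distinct outbound telnet SYNs in a collection window, so the number is a knob for the operator, not a fixed signature. Fed real flow data instead of the constructed records, the same two checks (who initiates, and to where) are what separate a customer who is merely exposed from one whose device is actually being driven.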
