I am positive tinba cannot run on the probes.

So either that IDS is brain damaged or some joker made a UDM that acts
like tinba or both. What Marc said: the 'CnC' appears to be at the root
name servers. Cue conspiracy theory .....

Daniel

On 5.07.16 14:15 , Hank Nussbacher wrote:
> I received a report from one of our security monitoring systems about
> one of our probes (#17846) - https://atlas.ripe.net/probes/17846/ which
> appears to be infected with Tinba:
>
>> Security incident #1 - Tinba infection
>>         Involved internal Hosts:
>>                 atlas-probe.cc.biu.ac.il 132.70.248.150 spotted since
>>                 2016-06-30 23:58:54 till 2016-07-01 05:01:20
>>         Malicious activities found:
>>                 Tinba infection
>>                         related indication of compromise:
>>                                  Communication with CnC
>>                                          192.112.36.4
>>                                          192.203.230.10
>>                                          192.228.79.201
>>                                          192.33.4.12
>>                                          192.36.148.17
>>                                          193.0.14.129
>>                                          198.41.0.4
>>                                          198.97.190.53
>>                                          199.7.83.42
>>                                          199.7.91.13
>>                                          202.12.27.33
>
> Should we be worried?
>
> Thanks,
>
> Hank
>
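An added triage helper, not code from the thread or from RIPE Atlas, that does by script what Marc and Daniel did by eye: it checks whether the addresses an IDS labels "CnC" are in fact the DNS root name servers. The root-server map is the published 2016 IPv4 list, and the sample report text is constructed from the one quoted above.

```python
import re
from ipaddress import ip_address

# IPv4 addresses of the 13 DNS root name servers as published in 2016
# (B-root has since moved to 199.9.14.201). Eleven of these are exactly
# the "CnC" addresses in the quoted report.
ROOT_SERVERS_V4 = {
    "198.41.0.4": "a", "192.228.79.201": "b", "192.33.4.12": "c",
    "199.7.91.13": "d", "192.203.230.10": "e", "192.5.5.241": "f",
    "192.112.36.4": "g", "198.97.190.53": "h", "192.36.148.17": "i",
    "192.58.128.30": "j", "193.0.14.129": "k", "199.7.83.42": "l",
    "202.12.27.33": "m",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_cnc_ips(report_text):
    """Return the distinct, valid IPv4 addresses listed after the
    'Communication with CnC' marker (the whole text if the marker is absent)."""
    section = report_text.split("Communication with CnC", 1)[-1]
    found = []
    for candidate in IPV4_RE.findall(section):
        try:
            ip_address(candidate)  # reject 300.1.1.1-style near-misses
        except ValueError:
            continue
        if candidate not in found:
            found.append(candidate)
    return found

def triage_cnc_alert(cnc_ips):
    """Split alleged C2 peers into root servers and everything else.

    A host running a recursive resolver talks to the root servers as a
    matter of course, so a 'CnC' list made only of root servers is a
    signature problem, not an infection. Returns (verdict, root_hits, rest)."""
    root_hits = {ip: ROOT_SERVERS_V4[ip] + ".root-servers.net"
                 for ip in cnc_ips if ip in ROOT_SERVERS_V4}
    rest = [ip for ip in cnc_ips if ip not in ROOT_SERVERS_V4]
    if cnc_ips and not rest:
        verdict = "likely false positive: every 'CnC' peer is a DNS root server"
    elif root_hits:
        verdict = "mixed: root servers plus %d unexplained peer(s)" % len(rest)
    else:
        verdict = "no root-server overlap: investigate normally"
    return verdict, root_hits, rest

# Constructed sample, modelled on the report quoted in the thread
SAMPLE_REPORT = """Involved internal Hosts: atlas-probe.cc.biu.ac.il 132.70.248.150
Communication with CnC
192.112.36.4 192.203.230.10 192.228.79.201 192.33.4.12 192.36.148.17
193.0.14.129 198.41.0.4 198.97.190.53 199.7.83.42 199.7.91.13 202.12.27.33"""

if __name__ == "__main__":
    print(triage_cnc_alert(extract_cnc_ips(SAMPLE_REPORT))[0])
```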
