Blacklist for worm infected machines
I’m just curious. Is there a blacklist for worm infected machines? Wouldn’t that be helpful?
I’ve seen some probes in my logs, trying to probe these ports in sequence:
5554
1023
9898
Most of the machines I’ve seen lately have been from Asia. China and Hong Kong. Hmm, come to think of it, those might be bad guys looking for infected machines… Maybe I should include their IP addresses?
It would have been interesting to have a blacklist where you could submit based on unsolicited probes. The problem is probably differentiating between bad guys and infected computers?
June 9th, 2005 at 12:44 pm
I remember seeing something like this somewhere. I think it may have been one of the blocklists that B.I.S.S. (Bluetack Internet Security Solutions) hosts.
I was thinking that it was one of those blocklists that included known trojaned/wormed boxes that were trying to spread themselves to others. But I can’t be sure, wouldn’t hurt to check it out.
June 9th, 2005 at 1:07 pm
I was thinking more of a blacklist with some clout, but the BISS site is excellent in its own right. Thanks! It’s sort of a blacklist for personal use. They provide a HOSTS file that includes spyware and ads servers, routing them to localhost so you won’t see their crap.
June 9th, 2005 at 1:23 pm
On my home server, I use a wonderful tool called Portsentry. If someone tries to connect to a closed port more than a couple of times, they get blocked in iptables or ipchains or /etc/hosts.deny.
http://sourceforge.net/projects/sentrytools
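The Portsentry-style threshold described above, combined with the three-port probe order from the opening post, can be expressed as a small log triage script. This is an added example, not code from Portsentry or from anyone in this thread; the log lines are constructed in a simplified iptables LOG format, the open-port set and threshold are assumptions, and the DNSBL zone name is a parameter you would replace with the list you actually submit to or query.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified iptables LOG format (not from the post).
SAMPLE_LOG = """\
Jun  9 11:02:10 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.5 PROTO=TCP SPT=3501 DPT=5554 SYN
Jun  9 11:02:11 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.5 PROTO=TCP SPT=3502 DPT=1023 SYN
Jun  9 11:02:12 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.5 PROTO=TCP SPT=3503 DPT=9898 SYN
Jun  9 11:05:40 gw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.5 PROTO=TCP SPT=40001 DPT=22 SYN
Jun  9 11:05:41 gw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.5 PROTO=TCP SPT=40002 DPT=23 SYN
Jun  9 11:05:42 gw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.5 PROTO=TCP SPT=40003 DPT=25 SYN
Jun  9 11:05:43 gw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.5 PROTO=TCP SPT=40004 DPT=80 SYN
Jun  9 11:07:00 gw kernel: IN=eth0 SRC=192.0.2.44 DST=192.0.2.5 PROTO=TCP SPT=51000 DPT=80 SYN
"""

LINE_RE = re.compile(r"SRC=(\S+) .*?DPT=(\d+)")
WORM_SEQUENCE = (5554, 1023, 9898)   # the probe order reported in the opening post
OPEN_PORTS = {80}                     # assumption: services legitimately listening here
THRESHOLD = 3                         # Portsentry-like trigger: distinct closed ports per source

def parse(log):
    """Map each source IP to the list of destination ports it touched, in log order."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[m.group(1)].append(int(m.group(2)))
    return hits

def contains_sequence(ports, seq):
    """True if `seq` appears as a contiguous run inside `ports`."""
    n = len(seq)
    return any(tuple(ports[i:i + n]) == seq for i in range(len(ports) - n + 1))

def classify(log):
    """Label each source: worm-signature, scanner (threshold hit), or benign."""
    verdicts = {}
    for src, ports in parse(log).items():
        closed = [p for p in ports if p not in OPEN_PORTS]
        if contains_sequence(ports, WORM_SEQUENCE):
            verdicts[src] = "worm-signature"
        elif len(set(closed)) >= THRESHOLD:
            verdicts[src] = "scanner"
        else:
            verdicts[src] = "benign"
    return verdicts

def dnsbl_query_name(ip, zone):
    """DNSBL lookups reverse the octets: 203.0.113.7 -> 7.113.0.203.<zone> (zone is a parameter)."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

The "scanner" verdict is the part that mirrors Portsentry; the "worm-signature" verdict is what you would hand to a list such as the AHBL, while "scanner" hosts are the ambiguous bad-guy-or-infected case the opening post raises.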
June 9th, 2005 at 3:26 pm
It seems like I did run across a reference to a blacklist like that a couple of weeks ago. I’m about to shut my computer down, but I’ll try to see if I can find it again later…
June 9th, 2005 at 3:56 pm
My DNSbl (the AHBL, http://www.ahbl.org) does accept submissions like this.
Contact me if you have lists of infected machines, and I’ll tell you what I need to get them added to the dnsbl and ircbl.
June 9th, 2005 at 3:58 pm
I can collect info like that, possibly. It depends what criteria you need fulfilled to include them. I’ll contact you.
June 10th, 2005 at 5:45 pm
AFAIK, Spamhaus XBL includes this. http://www.spamhaus.org/xbl/index.lasso
Other services like DShield or MyNetWatchMan may be helpful too.