Ways to determine if a remote IP is malicious

Posted on 2014-04-14
760 Views
Last Modified: 2014-04-16
For the last few days, our IPS detected that about 1 remote IP address per 1-2 days out there in the Internet that attempted to access our site are triggering Heartbeat signature alerts.  However, we & the IPS vendor can't be certain if these are false positives.

At 1-2 IP addresses, it may be manageable to block those IP & after say several months,
lift up the rules that block them but we're concerned that

Q1:
Is there any website, mailing list or any method out there that help determine if
the remote source IP addresses are known to be malicious?

Q2:
If I use our local ISP's DNS to do nslookup & it returned that the IP is of
'Non-existent domain', can I safely block it & assume it's malicious?  I'm
assuming a non-existent or non-registered IP has malicious intent

Q3:
Appreciate if anyone can take a look & tell me if the following IP are known
to be malicious or related to Heartbeat?
62.76.40.157     ==>  62-76-40-157.clodo.ru
180.153.198.13   ==>  Non-existent domain
165.124.184.128  ==>  hamsa.cs.northwestern.edu
180.153.195.117  ==>  Non-existent domain
180.153.196.193  ==>  Non-existent domain
10.251.87.209    ==>  Non-existent domain

Q4:
Can I take the approach to block first & when a genuine/non-malicious user
calls up to complain his access is blocked, then only unblock it?  So assume
malicious unless proven otherwise.  I suppose this is feasible if we're not
getting lots of IPs daily to block.
0
Comment
Question by:sunhux
15 Comments
 

Author Comment

by:sunhux
ID: 40000884
A few more:

54.234.94.143      ec2-54-234-94-143.10.251.87.209
54.81.153.80      ec2-54-81-153-80.compute-1.amazonaws.com
54.198.183.170      ec2-54-198-183-170.compute-1.amazonaws.com
54.82.249.111      ec2-54-82-249-111.compute-1.amazonaws.com
0
 

Author Comment

by:sunhux
ID: 40000977
Can I say that often those suspicious remote IPs are 'spoofed' by
the attacker, ie amended in the data packets so might as well
just block them.

If the attacker is using a constantly/frequently changing IP, then
this approach of block & after a few months, unblock will be
too tedious for us, right?
0
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 320 total points
ID: 40001012
Domains aren't the only things that have IP addresses.  All of the IP addresses above that start with 180 are from Shanghai China.  The 164 is from Northwestern University.

10.251.87.209 is a private non-routable address and should be on your own LAN!
0
 
LVL 25

Assisted Solution

by:Tony Giangreco
Tony Giangreco earned 960 total points
ID: 40001473
If you have a firewall, you should be able to setup a block of any IP.

You can run a reverse lookup on an IP address to see what domains are on it:
http://www.yougetsignal.com/tools/web-sites-on-web-server/

You can check a site's overall security from a malware standpoint with this link
http://www.unmaskparasites.com/

Here is a heartbleed checker
https://lastpass.com/heartbleed/

Here is a free web security scanner
http://websecuritytool.codeplex.com/
0
 

Author Comment

by:sunhux
ID: 40001589
http://www.unmaskparasites.com/
Suppose I don't have a website but just some Internet connections
that are outgoing, I suppose the above won't help.

is there any link that could assess if an Internet IP addr is malicious?
I would like to assess the remote IP, not my own site's IP
0
 
LVL 25

Assisted Solution

by:Tony Giangreco
Tony Giangreco earned 960 total points
ID: 40001600
You can track them down with this tool
http://www.geobytes.com/IpLocator.htm

That IP resolves to webcluster.oversun.clodo.ru

Take that address on MxToolbox and run some tests.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40001603
If you don't have a firewall, you can install ZoneAlarm and block the ip with that software firewall
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40001635
From the warning at the top of the screen, I would say yes.

It may be they don't have an SSL certificate or other security requirement installed to be considered safe, or they could have been reported as sending spam.
0
 
LVL 15

Accepted Solution

by:Giovanni Heward
Giovanni Heward earned 720 total points
ID: 40001933
Here are some additional references.  Modify the IP address in the URI accordingly.

http://sitecheck2.sucuri.net/results/62.76.40.157
https://www.virustotal.com/en/ip-address/62.76.40.157/information/
0
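The two answers above make two separate points that can be turned into a small triage step before any block rule is written: a private or otherwise non-routable source (Dave Baldwin's comment on 10.251.87.209) can never be a genuine Internet sender, so it indicates spoofing or an internal host rather than something a perimeter block would fix, and a public source should be checked against reputation services (the Sucuri and VirusTotal URLs in the accepted solution) rather than blocked because its reverse lookup returned "Non-existent domain", since many legitimate hosts simply have no PTR record. The script below is an added example, not code from the thread or from either service; it embeds the IP/PTR pairs posted in the question as constructed input so it runs offline, and the `ptr_consistency` heuristic (does the PTR name encode the address, as the clodo.ru and EC2 names do?) is an assumption of this example, not something the thread states.

```python
"""Triage IPS-flagged source IPs before deciding on a block.

Added example (not from the original thread). Classifies each address as
bogon/public/invalid with the standard-library ipaddress module, notes
whether its PTR name is absent, encodes the address, or is a plain name,
and builds the reputation lookup URLs from the accepted solution for the
public ones. A live check would obtain the PTR names via
socket.gethostbyaddr(); here they are the ones posted in the question.
"""
import ipaddress
import re

# URL templates copied from the accepted solution; {ip} is substituted.
LOOKUP_TEMPLATES = {
    "sucuri": "http://sitecheck2.sucuri.net/results/{ip}",
    "virustotal": "https://www.virustotal.com/en/ip-address/{ip}/information/",
}

# Constructed input: the IP ==> PTR pairs exactly as posted in the question.
CONSTRUCTED_IPS_LOG = """\
62.76.40.157     ==>  62-76-40-157.clodo.ru
180.153.198.13   ==>  Non-existent domain
165.124.184.128  ==>  hamsa.cs.northwestern.edu
180.153.195.117  ==>  Non-existent domain
180.153.196.193  ==>  Non-existent domain
10.251.87.209    ==>  Non-existent domain
"""

LINE_RE = re.compile(r"^\s*(\S+)\s+==>\s+(.+?)\s*$")


def parse_lookup_lines(text):
    """Return (ip, ptr_name) pairs from 'ip ==> name' lines; other lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def classify_source(ip_text):
    """'invalid' if not an IP, 'bogon' if it can never be an Internet source, else 'public'."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "invalid"
    # RFC 1918 / loopback / link-local / multicast / reserved / unspecified:
    # none of these can legitimately arrive from the Internet.
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return "bogon"
    return "public"


def ptr_consistency(ip_text, ptr_name):
    """'none' if no PTR record, 'embeds_ip' if the name encodes the address
    (e.g. 62-76-40-157.clodo.ru), otherwise 'named'. Heuristic, assumption of
    this example: a missing PTR is common for legitimate hosts and is not
    evidence of malice on its own."""
    if not ptr_name or ptr_name.lower().startswith("non-existent"):
        return "none"
    dashed = ip_text.replace(".", "-")
    return "embeds_ip" if dashed in ptr_name else "named"


def triage(ip_text, ptr_name):
    """Build one triage record: kind, PTR status, lookup URLs and a suggested action."""
    kind = classify_source(ip_text)
    record = {"ip": ip_text, "kind": kind, "lookups": []}
    record["ptr"] = ptr_consistency(ip_text, ptr_name) if kind != "invalid" else "n/a"
    if kind == "public":
        record["lookups"] = [t.format(ip=ip_text) for t in LOOKUP_TEMPLATES.values()]
        record["action"] = "check reputation before blocking"
    elif kind == "bogon":
        record["action"] = "never a valid Internet source: spoofed or internal, investigate the local network"
    else:
        record["action"] = "not an IP address: check the log export"
    return record


def triage_all(text):
    """Triage every IP ==> PTR line in the given text."""
    return [triage(ip, ptr) for ip, ptr in parse_lookup_lines(text)]


if __name__ == "__main__":
    for r in triage_all(CONSTRUCTED_IPS_LOG):
        print(f"{r['ip']:16} {r['kind']:8} ptr={r['ptr']:10} {r['action']}")
        for url in r["lookups"]:
            print("    ", url)
```

Run as-is it prints one line per address from the question: the five public ones get the two lookup URLs, while 10.251.87.209 is reported as a bogon with no lookups, because a reputation check or perimeter block is meaningless for an address that cannot have come from the Internet.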
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40002941
Have we answered your question?
0
 

Author Comment

by:sunhux
ID: 40003032
Yes.


http://sitecheck2.sucuri.net/results/62.76.40.157
In particular, I'm looking for URL like the above.  If there's
more (eg: by other Service Providers other than the 8
listed, say TrendMicro, Checkpoint etc, will be good to
add on to the list as well.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40003033
Ok, are you going to block it?
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40003043
Try zone alarm. They have different versions. You will see all alerts of IPs trying to access your network
0
 

Author Comment

by:sunhux
ID: 40003368
Wonderful;  I'll block only those that the sites

http://sitecheck2.sucuri.net/results/a.b.c.d
http://www.malwaredomainlist.com/

had listed as known malicious sources
0
