• Status: Solved
  • Priority: Medium
  • Security: Public

Ways to determine if a remote IP is malicious

For the last few days, our IPS has detected about 1 remote IP address per 1-2 days out
there on the Internet attempting to access our site and triggering Heartbeat signature alerts.  However, we and the IPS vendor can't be certain whether these are false positives.

At 1-2 IP addresses, it may be manageable to block those IPs and, after say several months,
lift the rules that block them, but we're concerned that

Is there any website, mailing list or other method out there that helps determine whether
the remote source IP addresses are known to be malicious?

If I use our local ISP's DNS to do an nslookup and it returns that the IP is a
'Non-existent domain', can I safely block it and assume it's malicious?  I'm
assuming a non-existent or non-registered IP has malicious intent.

Appreciate it if anyone can take a look and tell me if the following IPs are known
to be malicious or related to Heartbeat?

  • ==> 62-76-40-157.clodo.ru
  • ==> Non-existent domain
  • ==> hamsa.cs.northwestern.edu
  • ==> Non-existent domain
  • ==> Non-existent domain
  • ==> Non-existent domain

Can I take the approach of blocking first and, when a genuine/non-malicious user
calls up to complain that his access is blocked, only then unblock it?  So assume
malicious unless proven otherwise.  I suppose this is feasible if we're not
getting lots of IPs daily to block.
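
The questions above (is a reverse lookup of 'Non-existent domain' evidence of malice, which addresses can simply be ignored, and how to block first without having to remember to unblock months later) can be scripted. The following is an added example, not code posted by anyone in this thread. The reputation feed, the DNS answers and the addresses are all constructed so the script runs offline; the TEST-NET ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for Internet addresses, which is why the bogon check enumerates RFC 1918 and similar ranges explicitly instead of using `ip_address.is_private` (that property also flags the TEST-NET ranges).

```python
"""Triage remote IPs from IPS alerts: bogon check, blocklist match,
forward-confirmed reverse DNS (FCrDNS), and a block entry with an expiry.

Added example for this thread, not code from any participant.  All feeds,
DNS answers and addresses below are constructed for illustration.
"""
import ipaddress
from datetime import date, timedelta

# Ranges that can never be a genuine Internet source address: either the
# packet was spoofed or it leaked from your own LAN.  Enumerated explicitly
# because ip_address.is_private would also flag the TEST-NET sample data.
NOT_FROM_INTERNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this net"
)]

# Hypothetical reputation feed entries (a real feed would be downloaded).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]

# Constructed DNS answers so the example runs offline.  For real lookups,
# replace these with socket.gethostbyaddr (PTR) and socket.gethostbyname_ex (A).
FAKE_PTR = {                                  # ip -> PTR name, None = NXDOMAIN
    "198.51.100.77": "webcluster.example.net",
    "203.0.113.10": "mail.example.org",
    "192.0.2.5": None,
    "192.0.2.9": "host9.example.com",
}
FAKE_A = {                                    # name -> set of A records
    "webcluster.example.net": {"198.51.100.77"},
    "mail.example.org": {"203.0.113.200"},    # PTR names a host that does not map back
    "host9.example.com": {"192.0.2.9"},
}


def fcrdns(ip, ptr=FAKE_PTR, a=FAKE_A):
    """Forward-confirmed reverse DNS.

    A PTR record is written by whoever controls the reverse zone for the
    address, so on its own it proves nothing; 'confirmed' means the name it
    gives also resolves back to the address.  A missing PTR ('Non-existent
    domain' in nslookup) is common for legitimate hosts and is not evidence
    of malice either.
    """
    name = ptr.get(ip)
    if name is None:
        return "no_ptr", None
    if ip in a.get(name, set()):
        return "confirmed", name
    return "unconfirmed", name


def triage(ip, today, block_days=90, blocklist=BLOCKLIST, ptr=FAKE_PTR, a=FAKE_A):
    """Return a verdict plus the evidence behind it.  `today` is an ISO date string."""
    addr = ipaddress.ip_address(ip)
    result = {"ip": ip, "listed": [], "dns": None, "expires": None}
    if any(addr in net for net in NOT_FROM_INTERNET):
        result["verdict"] = "local_or_spoofed"
        return result
    result["listed"] = [str(net) for net in blocklist if addr in net]
    status, name = fcrdns(ip, ptr, a)
    result["dns"] = {"status": status, "name": name}
    if result["listed"]:
        # Block on reputation evidence, but stamp an expiry so the
        # "unblock after a few months" step happens without anyone remembering.
        expires = date.fromisoformat(today) + timedelta(days=block_days)
        result["verdict"] = "block"
        result["expires"] = expires.isoformat()
    else:
        # No reputation hit: the IPS alert is the only evidence, so queue the
        # address for review instead of blocking on an NXDOMAIN reverse lookup.
        result["verdict"] = "review"
    return result


def triage_all(ips, today):
    return {ip: triage(ip, today) for ip in ips}


if __name__ == "__main__":
    sample = ["10.1.2.3", "198.51.100.77", "203.0.113.10", "192.0.2.5", "192.0.2.9"]
    for verdict in triage_all(sample, "2014-05-01").values():
        print(verdict)
```

The expiry date is the part that makes "block first, lift later" sustainable: feed the `expires` value into whatever applies the rules (for example an `ipset` with a timeout, or a scheduled job that removes expired entries) and the list stops growing without bound.
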
4 Solutions
sunhuxAuthor Commented:
A few more:

  • ec2-54-234-94-
  • ec2-54-81-153-80.compute-1.amazonaws.com
  • ec2-54-198-183-170.compute-1.amazonaws.com
  • ec2-54-82-249-111.compute-1.amazonaws.com
sunhuxAuthor Commented:
Can I say that often those suspicious remote IPs are 'spoofed' by
the attacker, i.e. amended in the data packets, so we might as well
just block them?

If the attacker is using a constantly/frequently changing IP, then
this approach of blocking and, after a few months, unblocking will be
too tedious for us, right?
Dave BaldwinFixer of ProblemsCommented:
Domains aren't the only things that have IP addresses.  All of the IP addresses above that start with 180 are from Shanghai, China.  The 164 one is from Northwestern University. is a private, non-routable address and should be on your own LAN!
Tony GiangrecoCommented:
If you have a firewall, you should be able to set up a block of any IP.

You can run a reverse lookup on an IP address to see what domains are on it:

You can check a site's overall security from a malware standpoint with this link

Here is a heartbleed checker

Here is a free web security scanner
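
The "heartbleed checker" above tests whether your own server leaks memory. The alerts in the question are the other direction: an IPS signature firing on a TLS heartbeat request whose declared payload length is larger than the record that carries it, which is the CVE-2014-0160 probe shape. The following is an added example, not a tool from this thread or from any vendor; the two records are built by hand rather than captured from traffic. It implements the length check from RFC 6520 that such a signature encodes, so you can run a suspect packet through it and see whether the alert was justified.

```python
"""Classify one TLS record as a well-formed or oversized heartbeat message.

Added example, not code from any participant in the thread.  The sample
records at the bottom are constructed, not captured traffic.
"""
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
MIN_PADDING = 16                # RFC 6520: padding_length MUST be at least 16


def parse_record(data):
    """Split one TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("TLS record body truncated")
    return ctype, version, body


def check_heartbeat(data):
    """Return a verdict for one TLS record.

    'not_heartbeat'  some other record type, nothing to say
    'ok'             heartbeat whose declared payload fits inside the record
    'oversized'      declared payload_length exceeds what the record carries:
                     the Heartbleed condition an IPS signature alerts on
    'malformed'      too short, or an unknown heartbeat message type
    """
    ctype, _version, body = parse_record(data)
    if ctype != TLS_HEARTBEAT:
        return "not_heartbeat"
    if len(body) < 3:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    # RFC 6520 section 4: discard the message if type(1) + length(2) +
    # payload_length + minimum padding(16) exceeds the record length.
    # Unpatched OpenSSL skipped this check and copied payload_len bytes
    # from its own memory into the response.
    if 3 + payload_len + MIN_PADDING > len(body):
        return "oversized"
    return "ok"


def build_heartbeat(payload, claimed_len=None, padding=b"\x00" * MIN_PADDING):
    """Build a heartbeat request record; claimed_len lets a sample lie about its size."""
    length = len(payload) if claimed_len is None else claimed_len
    body = struct.pack("!BH", HB_REQUEST, length) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed samples: a well-formed request, and one claiming 16 KiB of
# payload while carrying three bytes, the shape of the public probes.
GOOD = build_heartbeat(b"ping")
BAD = build_heartbeat(b"abc", claimed_len=0x4000)

if __name__ == "__main__":
    print("good record:", check_heartbeat(GOOD))
    print("bad record: ", check_heartbeat(BAD))
```

A record that comes back `oversized` is a deliberate probe: a normal client never declares a payload larger than the record it sends, so an alert on that condition is not a false positive regardless of who owns the source address. Whether your vendor's rule fires only on this length mismatch or on any heartbeat record is worth confirming with them, since that is the difference between a genuine scan and noise. Note also that the signature says nothing about whether the probe succeeded; for that you would compare the size of your server's heartbeat response against the request.
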
sunhuxAuthor Commented:
Suppose I don't have a website but just some outgoing Internet connections;
I suppose the above won't help.

Is there any link that could assess whether an Internet IP address is malicious?
I would like to assess the remote IP, not my own site's IP.
Tony GiangrecoCommented:
You can track them down with this tool

That IP resolves to webcluster.oversun.clodo.ru

Take that address on MxToolbox and run some tests.
Tony GiangrecoCommented:
If you don't have a firewall, you can install ZoneAlarm and block the IP with that software firewall.
Tony GiangrecoCommented:
From the warning at the top of the screen, I would say yes.

It may be they don't have an SSL certificate or other security requirement installed to be considered safe, or they could have been reported as sending spam.
Giovanni HewardCommented:
Here are some additional references.  Modify the IP address in the URI accordingly.

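The references above are web forms you paste one address into. The same kind of reputation check can be scripted against DNS-based blocklists (DNSBLs), which is how mail servers and IPS appliances consult these lists in bulk: reverse the octets, append the zone, and interpret the 127.0.0.x answer code the zone documents. The following is an added example, not from this thread; the zone names, answer codes and resolver replies are all constructed placeholders, so substitute the zones of the services you actually subscribe to and the codes from their documentation.

```python
"""Query DNS-based blocklists (DNSBLs) for an IPv4 address.

Added example, not code from the thread.  ZONES and FAKE_DNS are
constructed stand-ins: real zones publish their own answer codes, and
real lookups go through the resolver (see real_lookup below).
"""
import ipaddress
import socket

# Hypothetical DNSBL zones and the meaning each assigns to its answer codes.
ZONES = {
    "bl.example.net": {"127.0.0.2": "spam source", "127.0.0.4": "open proxy"},
    "attacks.example.org": {"127.0.0.1": "ssh/http brute force"},
}

# Constructed resolver answers (query name -> A records) so this runs offline.
FAKE_DNS = {
    "77.100.51.198.bl.example.net": ["127.0.0.2"],
    "77.100.51.198.attacks.example.org": ["127.0.0.1"],
    "5.2.0.192.attacks.example.org": ["127.0.0.9"],   # code the zone does not document
}

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_name(ip, zone):
    """'198.51.100.77' + 'bl.example.net' -> '77.100.51.198.bl.example.net'."""
    addr = ipaddress.IPv4Address(ip)          # rejects IPv6 and garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def fake_lookup(name, table=FAKE_DNS):
    """Offline resolver: A records for name, [] meaning NXDOMAIN (not listed)."""
    return table.get(name, [])


def real_lookup(name):
    """Live resolver using the system DNS; NXDOMAIN is reported as [] (not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip, zones=ZONES, lookup=fake_lookup):
    """Return {zone: reason} for every zone that lists the address."""
    hits = {}
    for zone, codes in zones.items():
        for answer in lookup(dnsbl_name(ip, zone)):
            # DNSBL listings are 127.0.0.x codes.  Anything else is usually a
            # resolver that rewrites NXDOMAIN into an ad page, not a listing.
            if ipaddress.IPv4Address(answer) not in LOOPBACK:
                continue
            hits[zone] = codes.get(answer, "listed, undocumented code " + answer)
    return hits


if __name__ == "__main__":
    for ip in ("198.51.100.77", "192.0.2.5", "203.0.113.1"):
        print(ip, check_ip(ip) or "not listed")
```

Two caveats when acting on the result: each zone lists for its own reason (spam, open proxy, brute force), so a hit tells you what the feed saw, not what the address is doing to you now; and "not listed" is not "clean", it only means none of the zones you queried have seen it. Treat the alert from your own IPS as the primary evidence and the DNSBL answer as corroboration.
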
Tony GiangrecoCommented:
Have we answered your question?
sunhuxAuthor Commented:

In particular, I'm looking for URL like the above.  If there's
more (eg: by other Service Providers other than the 8
listed, say TrendMicro, Checkpoint etc, will be good to
add on to the list as well.
Tony GiangrecoCommented:
OK, are you going to block it?
Tony GiangrecoCommented:
Try ZoneAlarm.  They have different versions.  You will see all alerts of IPs trying to access your network.
sunhuxAuthor Commented:
Wonderful;  I'll block only those that the sites had listed as known malicious sources.