you brought a known-infected laptop into your office and plugged it into your LAN? uhhh... okay.....
http://www.dban.org/

the port 443 connection is probably command and control for some variety of rootkit/APT.

On Tue, Feb 9, 2016 at 10:00 AM, Glen Waldrop <gwl...@cngwireless.net> wrote:
> I’ve got a customer with a bugged laptop. No biggie, sending spam.
>
> I haven’t quite tracked that down yet, looks like it is logging into a
> remote server on 443, nothing obvious.
>
> What I’ve noticed that brought me to bring this to the list is that it is
> currently 192.168.0.50 on my office network, probing 192.168.1.4 through 6
> on SNMP (doesn’t exist on my network, only on my sandbox that this laptop
> can’t see at all, nothing has been on my sandbox in weeks), also pinging my
> edge, though not my local edge, my network edge on its internal IP of
> 10.0.11.1.
>
> The customer’s IP address is on the 10.0.22.0/24 subnet, two hops to
> 10.0.11.0/24. At my office it is two hops from 192.168.0.0/24 to
> 10.0.11.1.
>
> If it was some form of a hack you’d figure they’d go by my public IP,
> though I suppose they’re looking for the possibility of not being secured
> on the inside.
>
> Just throwing this out there, looked interesting and weird to me.
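A defender-side check for the pattern Glen describes (a LAN host sweeping SNMP on a neighbouring private subnet, pinging another private gateway, and holding an outbound 443 session), written as an added example that is not part of this thread or any tool mentioned in it. The flow records, the external address 203.0.113.10 and the function names are constructed for illustration.

```python
"""Flag LAN hosts that probe SNMP across foreign RFC1918 subnets and beacon on 443."""
import ipaddress
from collections import defaultdict

# Constructed sample flow records (src, dst, proto, dport); not from the thread.
FLOWS = [
    ("192.168.0.50", "203.0.113.10", "tcp", 443),   # outbound 443, possible C2
    ("192.168.0.50", "192.168.1.4", "udp", 161),    # SNMP probes to a subnet
    ("192.168.0.50", "192.168.1.5", "udp", 161),    # that is not the local LAN
    ("192.168.0.50", "192.168.1.6", "udp", 161),
    ("192.168.0.50", "10.0.11.1", "icmp", 0),       # ping to a remote edge router
    ("192.168.0.20", "192.168.0.1", "udp", 53),     # normal local traffic
    ("192.168.0.20", "192.168.0.1", "udp", 161),    # legitimate local SNMP poll
]

LOCAL_LAN = ipaddress.ip_network("192.168.0.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def find_suspicious_hosts(flows, lan=LOCAL_LAN, min_snmp_targets=3):
    """Return {src: details} for LAN hosts probing SNMP on >= min_snmp_targets
    addresses in private subnets other than their own LAN."""
    snmp_targets = defaultdict(set)   # src -> foreign private SNMP destinations
    icmp_targets = defaultdict(set)   # src -> foreign private ping destinations
    outbound_443 = set()              # srcs with TCP/443 to non-RFC1918 space
    for src, dst, proto, dport in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in lan:
            continue
        foreign_private = is_rfc1918(dst_ip) and dst_ip not in lan
        if proto == "udp" and dport == 161 and foreign_private:
            snmp_targets[src].add(dst)
        elif proto == "icmp" and foreign_private:
            icmp_targets[src].add(dst)
        elif proto == "tcp" and dport == 443 and not is_rfc1918(dst_ip):
            outbound_443.add(src)
    findings = {}
    for src, targets in snmp_targets.items():
        if len(targets) >= min_snmp_targets:
            findings[src] = {
                "snmp_targets": sorted(targets, key=ipaddress.ip_address),
                "icmp_targets": sorted(icmp_targets[src], key=ipaddress.ip_address),
                "outbound_443": src in outbound_443,
            }
    return findings
```

Feeding real NetFlow or firewall logs into `find_suspicious_hosts` would surface the 192.168.0.50 behaviour without relying on the sandbox hosts ever answering.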