botnet drops vs. scanning results

lcaruso
Level 6

Hi,

We are running the botnet filter for a few of our clients and have it set to the recommended level of dropping moderate to very high threats.

One server was sending unsolicited packets to CHINANET Fujian province network, so we were concerned about that and fairly certain this server was infected. After performing complete, deep, heuristic scanning with a couple of products, we came up with nothing found on that server.

So my question is: is the scanning a false negative or the botnet filter a false positive? Is the botnet filter reliable? How do we reconcile these results?

Our clients are wondering if they wasted their money on this.

2 Replies

Maykol Rojas
Cisco Employee

Hi,

Please check questions inline:

Where did you see the logs?

It was a botnet filter log message?

Is the site blacklisted at this point?

What is that website?

What kind of packets is the server sending?

If the site is not malicious, it might be a false positive and in that case you should open a TAC service request.

Let me know.

Mike

Mike

Yes, it was a botnet filter log message. Port 53. See attached.

I saw the drops under the "infected hosts" page and then expanding the "+" under that host to show which addresses/sites had drops.

It was an IP address, not a DNS name. I don't know if it is blacklisted. How do I find out?

GeekTools Whois Proxy v5.0.5 Ready.
Checking access for 75.100.24.158... ok.
Final results obtained from whois.apnic.net.
Results:
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      218.85.0.0 - 218.86.127.255
netname:      CHINANET-FJ
descr:        CHINANET Fujian province network
descr:        Data Communication Division
descr:        China Telecom
country:      CN
admin-c:      CH93-AP
tech-c:       CA67-AP
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-CHINANET-FJ
changed:      hostmaster@ns.chinanet.cn.net 20020422
status:       ALLOCATED NON-PORTABLE
source:       APNIC

role:         CHINANETFJ IP ADMIN
address:      7,East Street,Fuzhou,Fujian,PRC
country:      CN
phone:        +86-591-83309761
fax-no:       +86-591-83371954
e-mail:       fjnic@fjdcb.fz.fj.cn
trouble:      send spam reports  and abuse reports
trouble:      to abuse@fjdcb.fz.fj.cn
trouble:      Please include detailed information and
trouble:      times in UTC
admin-c:      FH71-AP
tech-c:       FH71-AP
nic-hdl:      CA67-AP
remarks:      www.fjtelecom.com
notify:       fjnic@fjdcb.fz.fj.cn
mnt-by:       MAINT-CHINANET-FJ
changed:      fjnic@fjdcb.fz.fj.cn 20100108
source:       APNIC

person:       Chinanet Hostmaster
nic-hdl:      CH93-AP
e-mail:       anti-spam@ns.chinanet.cn.net
address:      No.31 ,jingrong street,beijing
address:      100032
phone:        +86-10-58501724
fax-no:       +86-10-58501724
country:      CN
changed:      dingsy@cndata.com 20070416
mnt-by:       MAINT-CHINANET
source:       APNIC

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (75.100.24.158) has visited 1 times today.
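As an added example (not from the thread or from Cisco), one way to reconcile drops like these before trusting either the filter or the host scan: check whether each dropped flow is DNS to a resolver the server is actually configured to use, and whether the destination falls inside the allocation reported by whois. The record format, the internal addresses and the approved-resolver list are constructed for this example; the address range is the inetnum from the whois output above.

```python
import ipaddress
import re

# Constructed sample drop records (not the firewall's real log format). The
# "infected hosts" view in the thread listed, per drop, an internal host,
# a destination address and a destination port.
SAMPLE_DROPS = [
    "src=10.20.30.40 dst=218.85.157.99 dport=53 proto=udp",
    "src=10.20.30.40 dst=8.8.8.8 dport=53 proto=udp",
    "src=10.20.30.41 dst=218.86.100.5 dport=443 proto=tcp",
]

# Resolvers the servers are configured to use (assumed for this example).
APPROVED_RESOLVERS = {"8.8.8.8"}

def inetnum_to_networks(start, end):
    """Turn a whois inetnum range into CIDR blocks. The CHINANET-FJ range is
    not a single prefix: it is 218.85.0.0/16 plus 218.86.0.0/17."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))

CHINANET_FJ = inetnum_to_networks("218.85.0.0", "218.86.127.255")

RECORD_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")

def in_networks(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def classify(record):
    """Return (src, dst, reason) for a drop that warrants host investigation,
    or None when the drop is explainable (DNS to an approved resolver)."""
    m = RECORD_RE.match(record)
    if not m:
        return None
    src, dst, dport = m.group(1), m.group(2), int(m.group(3))
    if dport == 53 and dst in APPROVED_RESOLVERS:
        return None  # expected DNS traffic; a drop here points at the filter
    reasons = []
    if dport == 53:
        reasons.append("DNS to non-approved resolver")
    if in_networks(dst, CHINANET_FJ):
        reasons.append("destination in CHINANET-FJ allocation")
    if not reasons:
        reasons.append("unexplained blocked flow")
    return (src, dst, "; ".join(reasons))

def triage(records):
    """Keep only the drops that need follow-up on the source host."""
    return [c for c in (classify(r) for r in records) if c]
```

A server resolving names through an unapproved resolver in another country is a network-side finding that a clean AV scan does not by itself explain away; the flagged hosts are where to look at running processes and resolver configuration next.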
