
CBL LOOKUP

IMPORTANT: Many CBL/XBL listings are caused by a vulnerability in Mikrotik routers. If you have a Mikrotik router, please check out the Mikrotik blog on this subject (https://blog.mikrotik.com/security/winbox-vulnerability.html) and follow the instructions before attempting to remove your CBL listing.

LOOKUP/REMOVE (/lookup.cgi) | PRIVACY POLICY (/PRIVACY.HTML) | TERMS AND CONDITIONS (/TANDC.HTML)
© 2018 CBL. A DIVISION OF SPAMHAUS. ALL RIGHTS RESERVED.

IP Address: 45.236.107.161 [LOOKUP]

RESULTS OF LOOKUP
45.236.107.161 is listed

This IP address was detected and listed 1 time in the past 28 days, and 0 times in the past 24 hours. The most recent detection was at Wed Jul 17 09:55:00 2019 UTC +/- 5 minutes.

This IP address is infected with, or is NATting for a machine infected with, a botnet usually associated with the Avalanche malware network. This infection will probably be the Dofoil or Gamarue malware (or one of the other anti-virus vendor aliases, such as Andromeda, Smoke Loader, Win32/Dofoil, W32/Zurgop.BK!tr.dldr, Gamarue and many others).

This is one of the most dangerous bot networks ever to be discovered: every node is fully capable of participating in identity theft, keystroke logging, disk erasure, camera capture, or encrypting files and holding them for ransom (for example the recent WannaCry debacle).

Gamarue is a downloader (also known as Smoke Loader/Dofoil) largely used in the Andromeda and Avalanche botnets.

Andromeda is a very large-scale malware delivery platform, using Gamarue (and other downloaders) to download malicious software to infected machines. At its peak (Nov/Dec 2017) it had more than 5 million infected machines.

Avalanche is a large-scale content and management platform also designed for the delivery of bullet-proof botnets, and used Andromeda to bootstrap. Avalanche's scale and scope spanned victims from 180 countries, over 800,000 domains in 60+ top-level domains (TLDs), more than one million phishing and spam e-mails, 500,000 infected machines worldwide, and 130TB of captured and analyzed data.

A coordinated effort from international law enforcement agencies, which included Germany's Public Prosecutor's Office Verden and the Lüneburg Police, the U.S. Attorney's Office for the Western District of Pennsylvania, the Department of Justice and the Federal Bureau of Investigation (FBI), Europol and Eurojust, as well as partners in ShadowServer, resulted in one of the most successful anti-cybercrime operations in recent years (late 2016).

An even more successful takedown of Andromeda took place on Nov 29, 2017.

WARNING: Despite the above, it MUST NOT be assumed that, because the network has been disabled, this listing no longer matters. As long as the malware remains present on your machine, there is a strong possibility that this infection may become re-enabled. Therefore, all effort should be made to find and eradicate it.

This was detected by a TCP connection from "45.236.107.161" on port "49188" going to IP address "184.105.192.2" (the sinkhole (sinkhole.html)) on port "443".

The botnet command and control domain for this connection was "j95sy8vyb.ru".

This detection corresponds to a connection at Wed Jul 17 09:53:41 2019 UTC (this timestamp is believed accurate to within one second).

Detection Information Summary

  Destination IP     184.105.192.2
  Destination port   443
  Source IP          45.236.107.161
  Source port        49188
  C&C name/domain    j95sy8vyb.ru
  Protocol           TCP
  Time               Wed Jul 17 09:53:41 2019 UTC

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address "184.105.192.2" or host name "j95sy8vyb.ru" on any port with a network sniffer such as Wireshark. Equivalently, you can examine your DNS server or proxy server logs for references to "184.105.192.2" or "j95sy8vyb.ru"; the internal client that asks your resolver for "j95sy8vyb.ru" (or that CONNECTs to it through your proxy) is the infected machine. See Advanced Techniques (advanced.html) for more detail on how to use Wireshark; ignore the references to port 25/SMTP traffic there, the identifying activity is NOT on port 25.

Please note that some of the above quoted information may be empty (""), "na" or "-". In those cases the feed has declined, or is unable, to give us that information. Hopefully enough information will be present to allow you to pinpoint the connections. If not, the destination ports to check are usually port 80, 8080, 443 or high ports (around 16000) outbound from your network. Most of these infections make very large numbers of connections; they should stand out.
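The two hunts described above, carried out over logs rather than by hand, as an added example that is not part of the CBL page or its tooling. The script searches a BIND-style DNS query log, a Squid-style proxy access log and a generic firewall connection log for the indicators in this detection record (the C&C domain and the sinkhole IP) and counts hits per internal host; when the feed gave no indicators, it falls back to counting outbound connections per host to the ports the page names. The three log formats are simplified assumptions, and every sample line is constructed for the example.

```python
"""Find the NATted machine behind a CBL sinkhole detection by hunting the
indicators (C&C domain, sinkhole IP) in the logs an admin already has.

Added example for this page, not CBL's own tooling. The three log formats
(BIND-style DNS query log, Squid-style proxy access log, a generic
firewall connection log) are simplified assumptions, and every sample
line below is constructed for the example.
"""
import ipaddress
import re
from collections import Counter

# Indicators taken from the CBL detection record on the page.
SINKHOLE_IP = "184.105.192.2"
CNC_DOMAIN = "j95sy8vyb.ru"

# Fallback when the feed gave no indicators: the page says to look for
# outbound connections to 80, 8080, 443 or high ports (around 16000).
FALLBACK_PORTS = {80, 8080, 443}
HIGH_PORT_MIN = 16000

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One regex per log source; each captures the internal client address.
LOG_PATTERNS = {
    # BIND query log: "... client 192.168.1.23#51234 (j95sy8vyb.ru): query: j95sy8vyb.ru IN A ..."
    "dns": re.compile(r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+ \([^)]+\): query:"),
    # Squid access.log: "<unix ts> <ms> <client> TCP_TUNNEL/200 <bytes> CONNECT host:port ..."
    "proxy": re.compile(r"^\d+\.\d+\s+\d+\s+(?P<client>\d+\.\d+\.\d+\.\d+)\s+\S+/\d{3}\s"),
    # Generic firewall log (assumed format): "... src=<ip>:<port> dst=<ip>:<port> proto=TCP"
    "fw": re.compile(r"src=(?P<client>\d+\.\d+\.\d+\.\d+):\d+ dst=(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"),
}


def is_internal(ip_str):
    """True for RFC 1918 addresses, i.e. hosts on the inside of the NAT."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in RFC1918)


def scan_for_indicators(lines):
    """Count, per internal host, the log lines that reference the C&C domain or sinkhole IP."""
    hits = Counter()
    for line in lines:
        if CNC_DOMAIN not in line and SINKHOLE_IP not in line:
            continue
        for pattern in LOG_PATTERNS.values():
            m = pattern.search(line)
            if m and is_internal(m.group("client")):
                hits[m.group("client")] += 1
                break  # a line belongs to exactly one log source
    return hits


def outbound_connection_counts(fw_lines, ports=FALLBACK_PORTS, high_port_min=HIGH_PORT_MIN):
    """Fallback: per-host count of outbound connections to the ports the page names.
    An infected host makes very many such connections and should top the list."""
    counts = Counter()
    for line in fw_lines:
        m = LOG_PATTERNS["fw"].search(line)
        if not m or is_internal(m.group("dst")):
            continue  # not a firewall line, or internal-to-internal traffic
        dport = int(m.group("dport"))
        if dport in ports or dport >= high_port_min:
            counts[m.group("client")] += 1
    return counts


# Constructed sample logs: 192.168.1.23 is the infected host, 192.168.1.40 is benign noise.
SAMPLE_DNS_LOG = [
    "17-Jul-2019 09:53:40.812 queries: info: client 192.168.1.23#51234 (j95sy8vyb.ru): query: j95sy8vyb.ru IN A + (10.0.0.53)",
    "17-Jul-2019 09:53:40.901 queries: info: client 192.168.1.40#40011 (www.example.com): query: www.example.com IN A + (10.0.0.53)",
]
SAMPLE_PROXY_LOG = [
    "1563357221.103    312 192.168.1.23 TCP_TUNNEL/200 3923 CONNECT j95sy8vyb.ru:443 - HIER_DIRECT/184.105.192.2 -",
    "1563357222.550     87 192.168.1.40 TCP_MISS/200 1204 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html",
]
SAMPLE_FW_LOG = [
    # NAT often keeps the internal source port (49188 here), but it need not.
    "2019-07-17T09:53:41Z fw: src=192.168.1.23:49188 dst=184.105.192.2:443 proto=TCP",
    "2019-07-17T09:53:42Z fw: src=192.168.1.23:49189 dst=184.105.192.2:443 proto=TCP",
    "2019-07-17T09:53:42Z fw: src=192.168.1.23:49190 dst=203.0.113.7:16001 proto=TCP",
    "2019-07-17T09:53:43Z fw: src=192.168.1.40:50001 dst=203.0.113.10:80 proto=TCP",
    "2019-07-17T09:53:44Z fw: src=192.168.1.40:50002 dst=192.168.1.5:445 proto=TCP",
]

if __name__ == "__main__":
    hits = scan_for_indicators(SAMPLE_DNS_LOG + SAMPLE_PROXY_LOG + SAMPLE_FW_LOG)
    for host, n in hits.most_common():
        print(f"{host}: {n} reference(s) to {CNC_DOMAIN} / {SINKHOLE_IP}")
    print("fallback, outbound to 80/8080/443/high ports:", outbound_connection_counts(SAMPLE_FW_LOG).most_common())
```

On real logs, feed each file's lines to scan_for_indicators first; only if the feed left the indicators empty is the per-host connection count worth reading, and even then it names a suspect to inspect, not a confirmed infection.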

These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.

You will need to find and eradicate the infection before delisting the IP address.

Norton Power Eraser (http://security.symantec.com/nbrt/npe.aspx) is a free tool and doesn't require installation. It just needs to be downloaded and run. One of our team has tested the tool with Zeus, Ice-X, Citadel, ZeroAccess and Cutwail. It was able to detect and clean up the system in each case. It probably works with many other infections.

If Microsoft Windows Defender (https://www.microsoft.com/en-us/safety/pc-security/windows-defender.aspx) is available to you, use it!

We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP address[es] given above. These IP address[es] are of sinkholes operated by malware researchers. In other words, they are "sensors" (only) run by "the good guys". The bot "thinks" it's a command and control server run by the spambot operators, but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, will still be able to connect to command and control servers under the botnet owner's control, and they will STILL be stealing your users'/customers' personal information, including banking information, and sending it to the criminal bot operators.

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them, so that you can identify the infected machine yourself and fix it.
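What that instrumentation yields, as an added example that is not part of the CBL page: the log lines of a firewall that records (rather than silently drops) traffic to the sinkhole, correlated with the detection record above so the internal address can be read off. It assumes a Linux netfilter LOG rule placed before NAT, so the internal source address is still visible, for instance `iptables -I FORWARD -p tcp -d 184.105.192.2 -j LOG --log-prefix "CBL-SINKHOLE "` (assumed rule; add a REJECT after it only if you really do want to block). The kernel log lines below are constructed samples of what such a rule emits. Matching is done on destination, destination port and time, not on the source port: the "49188" in the CBL record is the port as seen after NAT, which equals the internal SPT only if the NAT preserved it.

```python
"""Read the internal address of the host that hit the sinkhole off an
instrumented firewall's log and tie it to the CBL detection record.

Added example for this page, not CBL's own code. Assumed rule (netfilter,
before NAT so SRC= is the internal address):

    iptables -I FORWARD -p tcp -d 184.105.192.2 -j LOG --log-prefix "CBL-SINKHOLE "

The sample kernel lines below are constructed, not captured.
"""
import re
from datetime import datetime, timedelta, timezone

# The CBL detection record from the page.
DETECTION = {
    "dst": "184.105.192.2",
    "dport": 443,
    "time": datetime(2019, 7, 17, 9, 53, 41, tzinfo=timezone.utc),  # "accurate to within one second"
}

LOG_PREFIX = "CBL-SINKHOLE"

# "Jul 17 09:53:41 gw kernel: CBL-SINKHOLE IN=eth1 OUT=eth0 ... SRC=a DST=b ... PROTO=TCP SPT=n DPT=m ..."
KERN_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: " + re.escape(LOG_PREFIX)
    + r" .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_kernel_log(lines, year):
    """Parse netfilter LOG lines into dicts. Syslog stamps carry no year and are in
    the firewall's local time; this example assumes the firewall runs UTC (assumption)."""
    entries = []
    for line in lines:
        m = KERN_LINE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        entries.append({"time": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"],
                        "spt": int(m["spt"]), "dpt": int(m["dpt"])})
    return entries


def correlate(entries, detection, tolerance=timedelta(seconds=5)):
    """Entries to the CBL-reported destination within +/- tolerance of the detection time.
    The source port is deliberately not compared (it may have been rewritten by NAT)."""
    lo, hi = detection["time"] - tolerance, detection["time"] + tolerance
    return [e for e in entries
            if e["dst"] == detection["dst"] and e["dpt"] == detection["dport"] and lo <= e["time"] <= hi]


def hosts_hitting_sinkhole(entries, sinkhole_ip):
    """Every internal host seen talking to the sinkhole, whatever the time: each one
    needs cleaning, not only the one this particular CBL record happens to match."""
    return sorted({e["src"] for e in entries if e["dst"] == sinkhole_ip})


# Constructed sample: one hit that matches the CBL record, one earlier hit from a second
# host, and one unrelated line from another rule.
SAMPLE_KERN_LOG = [
    "Jul 17 09:53:41 gw kernel: CBL-SINKHOLE IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.168.1.23 DST=184.105.192.2 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4711 DF PROTO=TCP SPT=49188 DPT=443 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
    "Jul 17 08:12:05 gw kernel: CBL-SINKHOLE IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 "
    "SRC=192.168.1.40 DST=184.105.192.2 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1203 DF PROTO=TCP SPT=50100 DPT=443 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
    "Jul 17 09:53:42 gw kernel: OTHER-RULE IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.10 LEN=52 PROTO=TCP SPT=50001 DPT=80",
]

if __name__ == "__main__":
    entries = parse_kernel_log(SAMPLE_KERN_LOG, DETECTION["time"].year)
    for e in correlate(entries, DETECTION):
        print(f"CBL record matches internal host {e['src']} (internal SPT={e['spt']}) at {e['time']:%H:%M:%S} UTC")
    print("all hosts seen hitting the sinkhole:", hosts_hitting_sinkhole(entries, DETECTION["dst"]))
```

If the firewall's clock is not on UTC, convert the detection time into its zone before correlating; a clock that is off by more than the tolerance window is the usual reason a known hit fails to match.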

We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.

Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here: these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.

For more information on this botnet, and mitigation strategies, please see:

1. Andromeda Takedown (https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation)
2. Trend Micro on Gamarue (http://blog.trendmicro.com/trendlabs-security-intelligence/avalanche-thwarting-cybercriminal-hazards-with-law-enforcement)
3. Microsoft on Dofoil (https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fDofoil)
4. FortiGuard (https://fortiguard.com/encyclopedia/botnet/61)
5. Malwarebytes Labs, Smoke Loader still alive (https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/)
6. Microsoft on Gamarue (https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32%2FGamarue)
7. G DATA Security Blog on possible recurrence (https://blog.gdatasoftware.com/2015/03/24274-the-andromeda-gamarue-botnet-is-on-the-rise-again)

SELF REMOVAL:
Normally, you can remove the CBL listing yourself. If no removal
link is given below, follow the instructions, and come back and
do the lookup again, and the removal link will appear.

[ ] I have verified that all of my computers and services accessible from the Internet through this IP address (computers, such as external router admin interfaces, web servers, Internet of Things devices such as DVRs, webcams and baby cameras) all have inwards Internet access turned off, OR, have had their passwords changed from the default factory setting. [REMOVE]
