Community Forum

IP BLOCKLIST

Highlighted
New Poster

IP BLOCKLIST

Hi,

In my Comcast email inbox, this is the message I get. What on earth does this mean?Screen Shot 2019-12-13 at 11.04.08 AM.png

Highlighted
Gold Problem Solver

Re: IP BLOCKLIST

The image you posted isn't visible. It looks like this:

 

HfImgPlcHldr.gif

This is probably because you are a new poster and the image requires moderator approval. That could take a while. If you don't want to wait you could upload the image to a file sharing site and post a link to it here, or post text instead of an image.

Highlighted
Valued Contributor

Re: IP BLOCKLIST


@cjansson wrote:

Hi,

In my Comcast email inbox, this is the message I get. What on earth does this mean?Screen Shot 2019-12-13 at 11.04.08 AM.png


@cjansson 

 

Based on your picture it is telling you to go to a certain site to see why your IP is being blocked. Have you done this?

 

When I went to the site this is what I saw:

 

"RESULTS OF LOOKUP

193.36.224.51 is listed

This IP address was detected and listed 3 times in the past 28 days, and 0 times in the past 24 hours. The most recent detection was at Sun Dec 15 07:55:00 2019 UTC +/- 5 minutes

This IP address is infected with, or is NATting for a machine infected with the "nymaim" malicious botnet.

"nymaim" is also known as "Gamarue".

More information about Gamarue can be obtained from Proofpoint, and Microsoft.

Gamarue is involved with a variety of malicious things, including backdoor downloads, Banking Trojans and Ransomware.

This was detected by a TCP connection from "193.36.224.51" on port "8379" going to IP address "216.218.185.162" (the sinkhole) on port "443".

The botnet command and control domain for this connection was "jbietzyrb.net".

This detection corresponds to a connection at Sun Dec 15 07:52:59 2019 UTC (this timestamp is believed accurate to within one second).

Detection Information Summary
Destination IP 216.218.185.162
Destination port 443
Source IP 193.36.224.51
Source port 8379
C&C name/domain jbietzyrb.net
Protocol TCP
Time Sun Dec 15 07:52:59 2019 UTC

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address "216.218.185.162" or host name "jbietzyrb.net" on any port with a network sniffer such as Wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to "216.218.185.162" or "jbietzyrb.net". See Advanced Techniques for more detail on how to use Wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

Please note that some of the above quoted information may be empty ("") or "na" or "-". In those cases, the feed has declined or is unable to give us that information. Hopefully enough information will be present to allow you to pinpoint the connections. If not, the destination ports to check are usually port 80, 8080, 443 or high ports (around 16000) outbound from your network. Most of these infections make very large numbers of connections; they should stand out.

These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.

You will need to find and eradicate the infection before delisting the IP address."

 

I recommend that you do not use this IP as it appears to be infected and that is why you are being blocked. Comcast will never allow you to use an IP address that could be infected. You can read more about this IP address and what to do now here: https://www.abuseat.org/lookup.cgi?ip=193.36.224.51

Highlighted
New Poster

Re: IP BLOCKLIST

I restarted my computer and all went back to normal. I have never seen that before or after.