US-CERT Received a report from a trusted third party of a possible malicious activity involving one or more host under your control. 
US-CERT would greatly appreciate your assistance in investigating this matter.  The following information is provided to help resolve this issue: 

Host information under your control: 

***CENSORED***	Leaseweb USA [ARIN,US,,]								
***CENSORED***	Leaseweb USA [ARIN,US,,]								
***CENSORED***	Leaseweb USA [ARIN,US,,ISP]								
***CENSORED***	Leaseweb USA [ARIN,US,,ISP]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US, VA,]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US, VA,]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US, VA,]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US, VA,]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US, VA,]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US,,]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US,,]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US,,]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US,,]	Leaseweb USA, Manassas Va [ARIN,US,,]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US,,]								
***CENSORED***	Leaseweb USA, manassas Va [ARIN,US,VA,]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US,VA,ISP]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US,VA,ISP]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US,VA,ISP]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US,VA,ISP]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US,VA,ISP]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US,VA,ISP]								
***CENSORED***	Leaseweb USA, Manassas Va [ARIN,US,VA,ISP]								
The potential malicious activty took place between December 4, 2015 through December 16, 2015. There are 12 destination IPs tied to the potential malicious activity found below.

National Cyber Awareness System: 
Technical advisory:   TA15-337A: Dorkbot 
Technical advisory URL location:   <hxxps//www[dot]> 

Dorkbot is a botnet used to steal online payment, participate in distributed denial-of-service (DDoS) attacks, and deliver other types of malware to victims’ computers. According to Microsoft, the family of malware used in this botnet “has infected more than one million personal computers in over 190 countries over the course of the past year.” The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and Microsoft, is releasing this Technical Alert to provide further information about Dorkbot. 

Dorkbot-infected systems are used by cyber criminals to steal sensitive information (such as user account credentials), launch denial-of-service (DoS) attacks, disable security protection, and distribute several malware variants to victims’ computers. Dorkbot is commonly spread via malicious links sent through social networks instant message programs or through infected USB devices. 
In addition, Dorkbot’s backdoor functionality allows a remote attacker to exploit infected system. According to Microsoft’s analysis, a remote attacker may be able to: 
*       Download and run a file from a specified URL; 
*       Collect logon information and passwords through form grabbing, FTP, POP3, or Internet Explorer and Firefox cached login details; or 
*       Block or redirect certain domains and websites (e.g., security sites). 

A system infected with Dorkbot may be used to send spam, participate in DDoS attacks, or harvest users' credentials for online services, including banking services. 

Users are advised to take the following actions to remediate Dorkbot infections: 

*       Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. Even though Dorkbot is designed to evade detection, security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your anti-virus software up-to-date. If you suspect you may be a victim of Dorkbot, update your anti-virus software definitions and run a full-system scan. (See Understanding Anti-Virus Software <hxxp//www[dot]>  for more information.) 
*       Change your passwords – Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords <hxxp//www[dot]>  for more information.) 
*       Keep your operating system and application software up-to-date – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches <hxxp//www[dot]>  for more information.) 
*       Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (see example below) to help remove Dorkbot from their systems. 
*       Disable Autorun­ – Dorkbot tries to use the Windows Autorun function to propagate via removable drives (e.g., USB flash drive). You can disable Autorun to stop the threat from spreading. 
The above example does not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor. 
If your investigation confirms this activity, US-CERT would greatly appreciate your assistance in suspending this host until corrective measures are taken. 

The US-CERT incident number above has been assigned for future reference. Please refer to this number in the subject line of any email correspondences to ensure proper tracking.  We greatly appreciate your assistance in resolving this matter and look forward to your continued cooperation. 

If you need assistance in this matter or have any questions please contact US-CERT at 888-282-0870 or at  US-CERT can assist with log analysis, digital media analysis, mitigation and recovery strategy development. To submit samples of malicious code for analysis, visit hxxp// Our information sharing portal for trusted partners is available at hxxps// 


US-CERT Security Operations Center (US-CERT SOC) National Cybersecurity & Communications Integration Center (NCCIC) Department of Homeland Security 
703-235-8832 / 888-282-0870 
Twitter: @USCERT_gov 

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

Added new firewall rules to detect and drop the abusive behavior.

Also Read

Brute Force Attempt
Dear Client, We have received the below abuse message regarding your services. Please deal with...
UK SPAM Complaints
Received: from [] (HELO (CommuniGate Pro...
NJ Port Scanning
We have blocked someone from your IP space for abuse. Reason: Port Scanning. Log lines are below....
NJ Hacking - 09/Oct/2014
A site was recently compromised from an IP in your allocation. Here is the log...
Attack on Mod Security
The IP address (DE/Germany/) was found attacking mod_security on 10 times in the...

Powered by WHMCompleteSolution