So yesterday I get stopped in the hall and told “A few days ago my computer started giving me a message…”

No real details only a vague description. So I told her to call me the next time it was up on the screen so I could see it. A little while later she called. The error showed a certificate error going to google maps. I wasn’t too concerned, but I began poking around.

Malwarebytes found and removed 2 risks that seemed to be responsible.

Edit:

Turns out the IP is actually a small office of ours. Now it is possible that the computer routed through there as a legit “policy misfire” but … why did it fix when Malwarebytes finished its work?

Truly odd, but now less relevant. LOL

6 Spice ups

Sounds like that IP is a hacked machine being used as an open relay or something similar. A scan shows no open ports (top 1000 scanned).

Get that user’s machine cleaned (nuke preferred) and you should be good.

3 Spice ups

I would nuke that PC but be more concerned about how your user's device got hijacked.

How did the web filtering miss the compromised site, how did your AV heuristics not pick up the infection, etc.?

Check you haven’t got a user running with elevated privileges.

Also look at your outbound firewall rules for your client networks. Her PC should not be able to connect directly out to hosts except those you have whitelisted such as the proxy.

I would outbound filter that IP too.
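The egress policy the replies above recommend (client PCs may reach only the whitelisted proxy and resolver, and the suspicious remote IP is blocked outright) as an added example; this is not code from the thread. It generates an nftables ruleset on a Linux gateway, and every address in it is a constructed placeholder, not a value from the thread.

```shell
#!/bin/sh
# Added example: emit an nftables egress policy for a workstation subnet.
# All addresses are constructed placeholders (assumptions), not from the thread.
CLIENT_NET="10.10.0.0/24"      # assumed client/workstation subnet
PROXY="10.10.1.5"              # assumed whitelisted web proxy
RESOLVER="10.10.1.53"          # assumed internal DNS resolver
BLOCKED_HOST="203.0.113.7"     # placeholder for the suspicious remote IP

egress_ruleset() {
  # Order matters: replies to established flows first, then the explicit
  # block on the suspicious host (logged so it shows up in SIEM), then the
  # only two destinations a client may open directly, then log-and-drop
  # everything else from the client subnet.
  cat <<EOF
table inet egress {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip saddr $CLIENT_NET ip daddr $BLOCKED_HOST counter log prefix "egress-blocked-ioc " drop
    ip saddr $CLIENT_NET ip daddr $RESOLVER udp dport 53 accept
    ip saddr $CLIENT_NET ip daddr $RESOLVER tcp dport 53 accept
    ip saddr $CLIENT_NET ip daddr $PROXY tcp dport { 3128, 8080 } accept
    ip saddr $CLIENT_NET counter log prefix "egress-denied " drop
  }
}
EOF
}

# Sanity check before loading: returns 0 only if the client subnet has a
# catch-all logged drop and no blanket accept that would bypass the proxy.
ruleset_denies_direct_egress() {
  egress_ruleset | grep -q "ip saddr $CLIENT_NET counter log prefix \"egress-denied \" drop" || return 1
  egress_ruleset | grep -q "^ *ip saddr $CLIENT_NET accept" && return 1
  return 0
}

# Print the ruleset; load it with: egress_ruleset | nft -f -
egress_ruleset
```

Hits on the "egress-denied" prefix in the gateway log are the quickest way to spot a client that is trying to talk to the internet without going through the proxy, which is exactly the symptom that started this thread.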

Some poor sap in Chicago probably doesn’t even know he's running part of a botnet at his business.

Looks like some kind of botnet, the owner may not be aware of it.

You may be better off wiping that machine and rebuilding it.

Make sure to do a clean wipe; it may still be there undetected.