
Thread: IP is infected with malware

  1. #1
    Join Date
    May 2016
    Beans
    4

    IP is infected with malware

    Hi,
    I was about to register a new email account when the email service showed a message saying that my IP address was blacklisted in Spamhaus. In the Spamhaus website the details say:
    Why was this IP listed?

    A device using 77.133.250.153 is infected with malware:
    77.133.250.153 initiated a connection to a apk.hydra command and control server, with contents unique to apk.hydra C&C command protocols.
    Technical details of the apk.hydra detection

    77.133.250.153 initiated a tcp connection from 77.133.250.153 using source port 58024, to the sinkhole IP address unknown on destination port 80.
    When I searched for apk.hydra on DuckDuckGo I got plenty of results related to Hydra software used for cracking passwords.
    Can you advise me on this? Could my laptop have been hacked? Could I have installed something that I shouldn't? How can I solve this issue before finding out how to remove my IP from the spamhaus list?

    Thanks in advance,
    Rodrigo

  2. #2
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: IP is infected with malware

    Do you have a static public IP?
    Are you running an email server?
    Did you specifically ask for this IP and forgot to check email blacklists before agreeing to use it?

    If so, tell your service provider and let them handle it. If they refuse, that's a good hint that they support spammers and if you want to use email on that subnet (77.128.0.0/13), it will be nearly impossible. Find a better provider. When I block email spam subnets, I block not just 1 IP, but the entire registered subnet for that company.

    Getting your IP off email blacklists if they are already on it before you start is nearly impossible, since you probably didn't do anything to get there. OTOH, if you just got the IP and installed the OS and the apk.hydra detection is only since you did this, then your system could easily be hacked. Running a server isn't for people new to Linux.

    OTOH, if you aren't running an email server on that IP, then it seems strange that any email service provider would block it. Blocks are only for the most abusive IPs (or highly abusive neighbor IPs).

  3. #3
    Join Date
    May 2016
    Beans
    4

    Re: IP is infected with malware

    I have no idea if it is a static or dynamic IP address. It is on my laptop and I use the internet shared by my smartphone.

    I am not running an email server. I didn't choose the IP address either.


    I ran ClamTk and did get a list of PUA.Win.Trojan or PUA.Win.Exploit files. Could it be the cause?

    UPDATE: After some research, those seem all false positives.


    Does apk.hydra ring a bell to anyone? How could I protect from this?
    Last edited by rodrigs; March 20th, 2024 at 05:59 PM.

  4. #4
    Join Date
    Jun 2006
    Location
    UK
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: IP is infected with malware

    Quote Originally Posted by rodrigs:
    I have no idea if it is a static or dynamic IP address.
    The forum software records the IP addresses used for all posts and for initial account registration. These records are not visible to anyone except forum staff. According to a whois, the IP you quote and which you checked on Spamhaus, and the IP you are posting from today are different but from the same service provider. Therefore it is logical to assume that you have a dynamic IP address.

  5. #5
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: IP is infected with malware

    Quote Originally Posted by rodrigs:
    …I use the internet shared by my smartphone.
    This means that your IP address will switch multiple times a day. When cell phones switch towers, the IP address will frequently switch as well if no data is being exchanged. This is just the way the cell system works and there's nothing that anyone can do about it.

    Cell IPs are a known reservoir for spammers. It is precisely because they are so dynamic and change so frequently that the scumbags exploit them. The IPs switch often enough to deter effective tracing. This will cause the sort of blacklisting that you experienced with Spamhaus. In your case, a previous user of that IP address may indeed have been infected with malware, acting as a bot or a C&C server. This is depressingly common these days, especially among the general population conditioned to practising poor computing hygiene. If you are certain that you are malware‑free (a big separate topic of its own), then unfortunately, it is likely that when you inherited the IP address, you also inherited the bad rep.

    If your IP is now a different one, the problem may have simply gone away. If so, you don't have any further problems (for now). If your IP is still the problematic one, try powering off your phone completely then rebooting it. If the IP has changed but you are still blocked, then Spamhaus may have blocked an entire address range. As an ordinary sinner like the rest of us, there's little that you can do to get off that list. You will have to contact your telecom and inform them of this problem. Then it will be up to them to straighten things out with Spamhaus.

    As TheFu advises, you may wish to either change ISPs or connect through something less flimsy than your cell phone (I know — easier said than done). Unfortunately, more and more IP addresses are now running into this same issue. When the world fully moves on to IPv6, things may improve, but until then, the continual recycling of the limited set of IPv4 addresses means that we are all increasingly getting smeared by the activities of society's predators and parasites.
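    A quick way to test the advice above (whether the IP the phone is handing out right now is still listed, and under which Spamhaus zone) is a DNSBL query: reverse the IPv4 octets, append zen.spamhaus.org, and decode the A record that comes back. This is an added example, not code from this thread; the return codes follow Spamhaus's published table and should be checked against their current documentation, and the resolver is injectable so the decoding can be exercised offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Return codes published by Spamhaus for the ZEN combined list (verify against
# current docs). A "device is infected with malware" listing like the one in
# post #1 is an XBL entry and comes back as 127.0.0.4.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL: spam source or spam operation",
    "127.0.0.3": "SBL CSS: low-reputation / snowshoe sender",
    "127.0.0.4": "XBL: exploited host (malware or botnet infection)",
    "127.0.0.9": "SBL DROP/EDROP: hijacked or criminal netblock",
    "127.0.0.10": "PBL (ISP-maintained): end-user space, should not send mail directly",
    "127.0.0.11": "PBL (Spamhaus-maintained): end-user space, should not send mail directly",
}
# 127.255.255.x answers are query errors, not listings.
ZEN_ERRORS: Dict[str, str] = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query sent via a public/open resolver; use your own resolver",
    "127.255.255.255": "excessive query volume from this resolver",
}


def dnsbl_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the lookup name: octets reversed, then the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolve(name: str) -> List[str]:
    """Real DNS lookup; an empty list means NXDOMAIN, i.e. not listed."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_ip(ip: str, resolve: Callable[[str], List[str]] = live_resolve) -> Dict[str, object]:
    """Return whether `ip` is listed in ZEN, the decoded reasons, and any query errors."""
    answers = resolve(dnsbl_name(ip))
    reasons = [ZEN_CODES.get(a, f"unknown listing code {a}")
               for a in answers if a.startswith("127.0.0.")]
    errors = [ZEN_ERRORS.get(a, f"unknown error code {a}")
              for a in answers if a.startswith("127.255.")]
    return {"ip": ip, "listed": bool(reasons), "reasons": reasons, "errors": errors}


if __name__ == "__main__":
    print(check_ip("77.133.250.153"))  # the address quoted in post #1
```

Run it once from the tethered connection and again after the phone has been rebooted; if the new IP still returns an XBL code, the listing is not tied to the laptop's earlier address alone.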

  6. #6
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: IP is infected with malware

    I know that cell phone providers have a way they can make an IP static on a per-user basis. This has been available at least since 2005. I've deployed it in a corporate environment on IPv4.

    However, it wasn't the default and I don't think it was available to any consumer plan.

    IPv6 has a built-in method of retaining a static IP, effectively, forever, but I have doubts that anyone would use or want that outside a corporate environment OR in a country that wants to track all internet use.

    Currently, I don't have a cell phone with any provider and I've never tethered a computer through a cell phone, so I don't have any more to share. Where I worked, we had cell plans connected to our laptops. These were data-only plans and they only connected into our corporate network and didn't have general internet access, unless we authenticated to the corporate web proxy server while connected.

    Alas, none of this is useful for solving the "spamlist" issue. My home static IP was on a spam list for a huge ISP in my country, but not on any other spam lists. I tried hard to get off that list, since lots of local people used that ISP and the email addresses it provided. About once a year, I'd try to send email to a friend there and it would bounce. After 5 years, it started working. I didn't do anything. I was running an email server, which is very different from connecting to an email server to send/receive emails. I'd never heard of client machines being banned before today. That is interesting.

  7. #7
    Join Date
    May 2016
    Beans
    4

    Re: IP is infected with malware

    Wow! Thank you so much for your explanations. It brought me much more clarity into all this.

    I rebooted my phone and found out that Spamhaus blocked the new IP also, so it may have blocked an entire address range, as DuckHook suggested.

    I guess the conclusion is that my laptop might not have been hacked or at risk of being in the future, more than it was last week. And it is good to know that I can do something about the incident of being listed in Spamhaus: a wired connection instead of a mobile connection. A fiber connection will arrive chez nous (French countryside) in about a month.

    Gratitude and cheers,
    Rod

  8. #8
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: IP is infected with malware

    If you want to sign up for an email provider, perhaps visiting a public library in your town would allow that? Public libraries here usually have both computers and free wifi for use by locals. I think the wifi is free to everyone, always, but the computers require a library card which is limited to people who actually live in the county and have signed up to get a card.

    Or perhaps take a laptop to a local cafe and sign up for the cost of a danish + coffee?

    You just need to appear to be from a different subnet during the sign up process, at least that's what I suspect.

  9. #9
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: IP is infected with malware

    There is one further exposure that you should look into:

    You've stated that you have checked out your laptop and are satisfied that it is clean, but what about your phone?

    It is unlikely that scumbags will use phones as C&C servers, but they're not particularly discriminating either. Before taking complete comfort in the assumption that the problem is at the ISP end, you should take steps to verify that your phone is clean. It is difficult to advise you on specifics. Due to the fragmentation in the market, every brand is different and, speaking only for myself, such expertise as I have is mostly restricted to Ubuntu/Linux. I can't advise you on phones. However, there are lots of videos and websites that show you how to protect your phone, or how to test whether you have been compromised.

    Since this is a public forum, here are some thoughts about basic phone hygiene. Please excuse my going over the obvious if you already know this stuff:

    Almost every month, security blogs report stories of proprietary app stores getting hit with malware. This is an ongoing danger that will never go away and is a consequence of the way proprietary software works. The proprietary business model is based on secret code. That's the whole point of their existence. Keep the source code secret so that the app/platform will remain proprietary to make money. The Achilles heel in this model is that it's easy for bad guys to leverage this secrecy to foist malware on such stores. No matter how big the army of testers these stores employ, they cannot keep out all malware because, without the transparency of open source code, these poor souls must hold back the barbarian hordes with both hands tied behind their backs.

    Most of my friends indiscriminately download apps from these proprietary stores as if they are free candy. They've been lulled into a false sense of security by the phony "protected silo" marketing garbage of those massive marketing machines. I have no doubt that many of them are hosting malware that they have no suspicion of.

    My workarounds for this danger are as follows:

    1. Install as few proprietary apps as possible. Restrict yourself to only the major ones like Firefox and Brave.
    2. Install the F-Droid repository and opt for FOSS apps whenever possible (Apple users are on their own here. I have no idea what FOSS repos are available on that platform).
    3. Install Aurora (available on F-Droid) and use it instead of the Google store app. Aurora shows you how many trackers proprietary apps have and what permissions they need. You can make informed choices instead of having to put up with the carefully calculated obscurity of the proprietary installers.
    4. Use ClassyShark (also available on F-Droid) to check all trackers and permissions on currently installed apps. I'll caution you now that the results will be scary and will motivate you to delete proprietary apps that you thought were okay.
    5. Most new phones come with their own anti-malware suites. Make sure yours has one. If it doesn't, then install one, but even here, it is tricky: in the mother of all ironies, anti‑malware suites are steadily being taken over by malware mills. The scumbags are leveraging their ill‑gotten gains to corrupt the anti‑malware ecosystem. Make sure that you do your research and aren't installing a suite that will make things worse.
    6. Use a good VPN. Public Wi-Fi is not safe, but advising people to never use it is unrealistic. Most people have no practical choice because they can't afford massive data plans. A reputable VPN is critical for protection in a public setting. But beware. VPN firms are going through the same takeover corruption as anti‑malware suites.

    There are a lot of other measures that one can take, but I consider the above to be the main ones. Hope this helps some lurkers out there.
