REPUTATION PORTAL

18.207.160.97 has 1 listing

eXploits Blocklist (XBL) - Why was this IP address listed?

The machine using this IP is infected with malware that is emitting spam, or is sharing a connection with an infected device.

As a result, this IP address is listed in the eXploits Blocklist (XBL)

Why was this IP listed?

A machine using 18.207.160.97 is infected with malware associated with the avalanche/andromeda family.

18.207.160.97 initiated contact with a nymaim command and control server, using contents unique to nymaim C&C command protocols.

Technical details of the nymaim detection

18.207.160.97 initiated a tcp connection from 18.207.160.97 using source port 55232, to the sinkhole IP address 216.218.185.162 on destination port 80.

The most recent detection was on: December 9 2023, 13:31:45 UTC.

Information about the nymaim botnet

The Andromeda/Avalanche botnet was associated with 80 different malware families: Andromeda, Win3/Dofoil, Gamarue, Smoke Loader, W32/Zurgop.BK!tr.dldr, and many others. The Avalanche network also provided the Command & Control communications for these other botnets: TeslaCrypt, Nymaim, Corebot, GetTiny, Matsnu, Rovnix, Urlzone, QakBot, etc. This botnet was taken down in 2016 but malware associated with it remains active.

Additional information on nymaim can be found on Wikipedia.

What should be done about it?

If this is a shared server, please call your hosting company or ISP!

This listing is the result of what we believe to be a security issue. Your machine is still infected, and it is probable that there is more than one type of malware present. To stop ongoing listings and to secure your network, websites, devices and data we recommend both prevention and remediation of the issue.

Prevention

Spamhaus has an FAQ about general security best practices that should be followed.

Remediation

  • If this is a server, please set up logging to find the source of the problem. Check for compromised websites and follow the directions on our FAQ
  • If you have a Windows machine; To find and remove the malware please see the Microsoft website and run Microsoft Defender to catch any other related malware that may be present.

Removal from XBL

XBL listings expire automatically some time after the last detection. If necessary, once the security issue is solved, you can request removal.