Nymaim botnet - ISP Alerts

Dear Team,

Since last week we receive some notifications from our ISP for two public IP addresses which are used to access two openwrt systems under lab and dev environment we have and their are black listed as a spam addresses. Openwrt devices are NATed both for incoming and outgoing traffic on the respective public and they are using private IPs since they are in a lan network and not facing the internet directly.

Openwrt systems are hosted as VM in a ProxMox server since February.

From the SPAMHAUS Project both IPs are listed blocked and and they are related to "nymaim botnet" and " matsnu botnet" which are both affecting Windows operating systems. The last packages which were installed in April were "libcurl4 - 7.82.0-2" and "php7-mod-curl - 7.4.28-1".

I am now sure what has been changed suddenly last two weeks and we receive such notifications from our ISP. Can you please point me to something because I am completely lost right now.

Thank you,


what's the actual question ?

frollic you are right. The question was about coaching because I had no such incident related to openwrt before and I couldn't find something suspicious related to a package or on our dev files.

However, I found the root cause. A default password that has never changed was brute forced or dictionary attacked giving access on some IPs in Netherlands and both hosts were used as relay to attack other systems.

Since I change the passwords I receive so many bad login attempts and our ISP has no logs from pointing the same issue, so I am sure now that was the issue however I am not sure on which level those hosts has been affected or infected with something that I cannot recognize.

In any case that is minor because the hosts are in independent lab environment and we can have a clean installation.

One question that arise from this incident is : Is there any way to permit the failed login attempts with a timer?

permit, or ban, with a timer ?
there's the fail2ban package.

1 Like

well not ban the ip for ever just disable the login for that source IP for 5 minutes lets say.

I need to do that for web access mostly and sshd. I am using lighttpd for web server.

5 mins won't cut it, you remove the ban, and they'll be right back again.
Some IPs only make one attempt every hour, to avoid discovery.
My F2B was set to 1 day discovery time, to catch those, and banned
them for 120 days.

block everything, and create a white list instead.

there's also https://www.blocklist.de/en/export.html and others.

1 Like

Thank you frollic. You really helped me a lot. I will close the topic.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.