BCM
Posted: 3/25/2015 2:27:00 PM EDT
91.220.131.66    We are a large network of 20k+ PCs.
We just loaded Malwarebytes Management Console and pushed the client to most of our computers.
A bunch of our systems are reaching out to this address, scanning for available ports. MBAM and other tools are not finding anything on them. Running Sophos' virus removal tool finds "vawmem-a" as a memory process and removes it. I am just not sure whether it is associated with this IP or not.

The PCs are reaching out to it so frequently that the log files are filling my SQL databases very quickly. I have been in contact with MBAM but it's got us scratching our heads. All I know is the IP is Russian from a whois search.

Any ideas?
Link Posted: 3/25/2015 4:17:00 PM EDT
[#1]
According to RIPE, that IP belongs to rivethost.com in Russia.
None of the major RBLs for spam have it listed.
Link Posted: 3/25/2015 4:18:25 PM EDT
[#2]
The way it reads to me, someone is using your network to hack Russians; you'd better put a stop to that quickly.
Link Posted: 3/25/2015 5:52:36 PM EDT
[#3]
Quoted:
The way it reads to me, someone is using your network to hack Russians; you'd better put a stop to that quickly.

I agree.
Link Posted: 3/25/2015 8:52:47 PM EDT
[#4]
A couple of questions:

1) Do you have a default route off of your network? I.e., can someone ping google.com (and get replies)? A networking guy worth his salt will NOT have a default route. It's in the routing table or it doesn't go anywhere.

2) Are people forced to use a proxy? This is the best way to monitor and control web traffic.
Link Posted: 3/26/2015 12:46:17 PM EDT
[#5]
First, log attempts to talk to those IPs at your firewall.  Tie the IP address back to specific machines.  Then use netstat and/or other common tools to find which program is making the attempt.

It sounds like you've got 20,000+ PCs.  If so, do you really not have any network guys that can track down the problem?
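A worked version of the first step above (log at the firewall, then tie the suspect IP back to specific machines), added here as an example and not taken from the thread or any poster. It parses a constructed syslog-style firewall log (the `src=/dst=/dport=` format is an assumption) and ranks internal hosts by how many times, and on how many distinct ports, they tried to reach 91.220.131.66; the hosts at the top are the ones to run netstat on.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original thread). The
# "src=... dst=... sport=... dport=..." layout is an assumed generic format.
SAMPLE_LOG = """\
Mar 25 14:01:02 fw1 kernel: DENY src=10.20.4.17 dst=91.220.131.66 proto=TCP sport=49211 dport=80
Mar 25 14:01:03 fw1 kernel: DENY src=10.20.4.17 dst=91.220.131.66 proto=TCP sport=49212 dport=443
Mar 25 14:01:03 fw1 kernel: DENY src=10.20.4.17 dst=91.220.131.66 proto=TCP sport=49213 dport=8080
Mar 25 14:01:05 fw1 kernel: DENY src=10.20.9.3 dst=91.220.131.66 proto=TCP sport=51000 dport=80
Mar 25 14:01:06 fw1 kernel: ALLOW src=10.20.9.3 dst=93.184.216.34 proto=TCP sport=51001 dport=443
Mar 25 14:01:07 fw1 kernel: DENY src=10.20.4.17 dst=91.220.131.66 proto=TCP sport=49214 dport=80
"""

# Pull source, destination and destination port out of one log line.
LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) .*?dport=(?P<dport>\d+)")


def attribute_beacons(log_text, suspect_ip):
    """Map each internal host that tried to reach suspect_ip to its number of
    attempts and the sorted set of destination ports it touched.
    Hosts are returned most active first, so the dict order is the triage order."""
    per_host = defaultdict(lambda: {"attempts": 0, "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dst") != suspect_ip:
            continue  # unparseable line or traffic to some other destination
        entry = per_host[m.group("src")]
        entry["attempts"] += 1
        entry["ports"].add(int(m.group("dport")))
    return {
        src: {"attempts": e["attempts"], "ports": sorted(e["ports"])}
        for src, e in sorted(per_host.items(), key=lambda kv: -kv[1]["attempts"])
    }


if __name__ == "__main__":
    # Many distinct ports from one host is the port-scan pattern the OP describes.
    for host, info in attribute_beacons(SAMPLE_LOG, "91.220.131.66").items():
        print(f"{host}: {info['attempts']} attempts, ports {info['ports']}")
```

On the ranked hosts, `netstat -ano` (or `Get-NetTCPConnection` on newer Windows) gives the owning PID for the connection to the suspect address, which is the "which program" step of the post above.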
Link Posted: 3/26/2015 12:58:23 PM EDT
[#6]
Quoted:
Quoted:
The way it reads to me, someone is using your network to hack Russians; you'd better put a stop to that quickly.

I agree.

Funny, I read it exactly the opposite: you've been hacked/infected by the Russians, and your computers are reporting something back... may just be "still part of your DDOS botnet, standing by, Comrade."

Personally I'd like a list of all the Class A networks assigned to Russia and China, so I can just packet drop those bastards.  I have no reason to have any network comms with them.
Link Posted: 3/26/2015 1:11:45 PM EDT
[#7]
Quoted:
Funny, I read it exactly the opposite: you've been hacked/infected by the Russians, and your computers are reporting something back... may just be "still part of your DDOS botnet, standing by, Comrade."

Personally I'd like a list of all the Class A networks assigned to Russia and China, so I can just packet drop those bastards.  I have no reason to have any network comms with them.

Well, here and here are two places where you can get such lists.  They're not perfect, but they are pretty good.

As for blocking China, it's initially tempting to block all of APNIC.  But, Japan, Australia, and NZ are part of APNIC, too.

The list can get quite long, so hopefully your firewall has more efficient mechanisms (like Linux's ipsets) than just looking sequentially through ACLs.   Null-routing the networks, instead of firewalling, may be an option for you.