Enterprise Software Thread, My IP Address Blacklisted (External Exchange) in Technical (page 1 of 2, posts 1 to 15 of 23)
#1

    My IP Address Blacklisted (EXternal Exchange)

    Hi

    Just about to jump off a cliff!

    With all the flooding in the server room, which destroyed DPM and Exchange... got it all going for a few days, and today started getting email delay problems. The new Exchange server was rebuilt with Setup /m:RecoverServer, so the settings should be the same.

    We use smart host for SMTP and we were never blacklisted before...

    Just did a look up and got this:

    (attached screenshot: Untitled.jpg)

    Help would be greatly appreciated; haven't had much sleep with the flood in the server room, stitching things back together, and my brain is mush...

    Thank you

#2

    oh bugger...

    IP Address 109.204.98.18 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

    It was last detected at 2013-11-04 09:00 GMT (+/- 30 minutes), approximately 4 days, 9 hours ago.

    This IP address is infected with, or is NATting for a machine infected with the ZeuS trojan, also known as "Zbot" and "WSNPoem".

    ZeuS is malicious software (malware) used by cybercriminals to commit ebanking fraud and steal sensitive personal data, such as credentials (username, password) for online services (email, webmail, etc.).

    The infection was detected by observing this IP address attempting to make contact with a ZeuS Command and Control server (C&C), a central server used by the criminals to control ZeuS-infected computers (bots).

    More information about the ZeuS Trojan can be found here:


    Microsoft Malware Protection Center: Win32/Zbot
    Symantec: Trojan.Zbot
    McAfee Labs Threat Advisory: PWS-Zbot

    You can try Kaspersky's Zbot killer to get this infection detected/removed. However, we strongly recommend that you completely re-install your operating system to get this infection removed permanently.

    This was detected by a TCP/IP connection from 109.204.98.18 on port 55750 going to IP address 87.255.51.229 (the sinkhole) on port 80.

    The botnet command and control domain for this connection was "eayempjnqkbursljflgalbvs.info".

    Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 87.255.51.229 or host name eayempjnqkbursljflgalbvs.info on any port with a network sniffer such as Wireshark. Equivalently, you can examine your DNS server or proxy server logs for references to 87.255.51.229 or eayempjnqkbursljflgalbvs.info. See Advanced Techniques for more detail on how to use Wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

    This detection corresponds to a connection at 2013-11-04 08:50:10 (GMT - this timestamp is believed accurate to within one second).

    These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.

    You will need to find and eradicate the infection before delisting the IP address.

    Norton Power Eraser is a free tool and doesn't require installation. It just needs to be downloaded and run. One of our team has tested the tool with Zeus, Ice-X, Citadel, ZeroAccess and Cutwail. It was able to detect and clean up the system in each case. It probably works with many other infections.

    We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" it's a command and control server run by the spambot operators, but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, and they will STILL be delivering your users'/customers' personal information, including banking information, to the criminal bot operators.

    If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.

    We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.

    Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.

    This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn't working.

    The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives. NOTE: the Advanced Techniques link focuses on finding port 25(SMTP) traffic. With "sinkhole malware" detections such as this listing, we aren't detecting port 25 traffic, we're detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP.

    Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total.

    Thus: having your anti-virus software doesn't find anything doesn't prove that you're not infected.

    While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine - meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources.


    --------------------------------------------------------------------------------
    WARNING: If you continually delist 109.204.98.18 without fixing the problem, the CBL will eventually stop allowing the delisting of 109.204.98.18.
    If you have resolved the problem shown above and delisted the IP yourself, there is no need to contact us.

    Click on this link to delist 109.204.98.18.

#3

    Had this with a customer recently who had a couple of infected PCs.

    Firstly, you have the best clue at your disposal:

    The botnet command and control domain for this connection was "eayempjnqkbursljflgalbvs.info".
    Get onto your filtering and see who has accessed that domain, and that'll tell you who is infected. (Recently managed to nail this in a few minutes using a LightSpeed Rocket report, though I'm sure Smoothwall et al. will be just as easy.)

    Do not request removal until you are confident you are clean as per the warning at the bottom, they'll stop listening to you if it keeps happening.

    Also, you really should have your Exchange using its own outbound IP to stop this happening; if a PC (or PCs) is infected, it shouldn't stuff your email service.

  4. Thanks to kmount from:

    MrWu (8th November 2013)
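One way to do the log check that the CBL text (post #2) and kmount's reply (post #3) both describe, as an added example that is not from this thread or from the CBL: a Python script that matches the sinkhole address and C&C domain quoted in the listing against DNS and proxy logs and reports which internal client produced the hits. The log line layouts, the internal addresses and the sample lines are constructed for the example; adjust the two regular expressions to the layout of your own DNS or proxy logs.

```python
"""Find the infected host behind a NAT by matching CBL indicators against
DNS and proxy logs (added example; not from the thread or the CBL)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Indicators quoted in the CBL listing in the thread.
SINKHOLE_IPS = {"87.255.51.229"}
C2_DOMAINS = {"eayempjnqkbursljflgalbvs.info"}


def domain_matches(name, indicators):
    """True if name equals an indicator domain or is a subdomain of it."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in indicators)


def ip_matches(addr, indicators):
    """True if addr is a valid IP address that appears in the indicator set."""
    try:
        return str(ipaddress.ip_address(addr)) in indicators
    except ValueError:
        return False


# Log line layouts assumed here (constructed for the example; adapt the
# regexes to your own DNS server or proxy log format):
#   dns:   "<timestamp> <client_ip> query <qname>"
#   proxy: "<timestamp> <client_ip> CONNECT|GET <host_or_ip>:<port> <status>"
DNS_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)")
PROXY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(?:CONNECT|GET)\s+([^:\s]+):(\d+)")


def scan_logs(lines):
    """Return {client_ip: Counter(indicator -> hits)} for every client that
    resolved a C&C domain or connected to a sinkhole address."""
    hits = defaultdict(Counter)
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            _, client, qname = m.groups()
            if domain_matches(qname, C2_DOMAINS):
                hits[client][qname.lower().rstrip(".")] += 1
            continue
        m = PROXY_RE.match(line)
        if m:
            _, client, target, _port = m.groups()
            if ip_matches(target, SINKHOLE_IPS) or domain_matches(target, C2_DOMAINS):
                hits[client][target.lower()] += 1
    return dict(hits)


def rank_suspects(hits):
    """Client addresses ordered by total indicator hits, most suspicious first."""
    return sorted(hits, key=lambda c: sum(hits[c].values()), reverse=True)


# Constructed sample lines: one workstation resolving the C&C domain and
# reaching the sinkhole, another doing ordinary browsing.
SAMPLE_LOG = """\
2013-11-04T08:49:58Z 10.1.20.37 query eayempjnqkbursljflgalbvs.info.
2013-11-04T08:50:02Z 10.1.20.37 CONNECT 87.255.51.229:80 200
2013-11-04T08:50:30Z 10.1.20.12 query www.example.com.
2013-11-04T08:50:31Z 10.1.20.12 GET www.example.com:80 200
2013-11-04T09:05:10Z 10.1.20.37 query eayempjnqkbursljflgalbvs.info.
""".splitlines()

if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOG)
    for client in rank_suspects(results):
        print(client, dict(results[client]))
```

Run it against a day's worth of DNS debug or proxy logs around the timestamp the CBL gives; the client that resolved the domain is the machine to pull off the network. Note that the listing explicitly says the beaconing is not on port 25, so the proxy pattern here deliberately matches any port.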

#4

    Many thanks kmount

    I suppose when I saw that log the good thing is the timestamp was Monday and I did not sort the Exchange server till Wednesday, so eliminated Exchange

    I did nail a PC infection after Monday with a Trojan, so might have nipped it in the bud (since last contact was 4/11/2013 - would have thought the PC would have contacted again since then).

    But taking no chances, early Monday morning will get ISP to look at any logs for me (it could be the teacher with the infected PC hasn't turned the thing on yet).

    How do I go about putting Exchange in its own outbound IP? Our ISP looks after our firewall and as far as I know Exchange is just mapped to that IP

    Incidentally I use Forefront; what do you recommend as an anti-malware for PCs? Is there an edu licence for those?

    Thank you for putting my mushed brain in some form of order...now going for a beer....

#5 (Jamman960)

    Had this on our network a few weeks ago. I temporarily blocked the IP mentioned to get us delisted and monitored connections via our ISA server. Turned out to be a single workstation. Not sure why VIPRE let it through though.

  7. Thanks to Jamman960 from:

    MrWu (8th November 2013)

#6

    Hi MrWu,

    If you nailed an infected PC it may well be worth requesting a delisting (I did this with my customer to make sure it was a 'current' infection too) and once it clears keep an eye on it daily though you do want to make sure you have your ISP/filtering ready to provide you logs when needed.

    If your ISP looks after your firewall, it would be worth asking them if all of your outbound internet traffic is sharing one IP or whether your Exchange could possibly be moved off onto its own (or more likely, everything else moved and leave Exchange on it to save reconfigurations!).

    Enjoy your beer, sounds like you've had a hell of a week and a good break is due.

    Cheers,

    Kim

  9. Thanks to kmount from:

    MrWu (8th November 2013)

#7

    Many thanks again Kim,

    Weeks like this really test your skills and how quick you have to learn.

    Today a chunk of ceiling collapsed a few feet from myself and a music technician with all the water weight; it really has been an extraordinary working day....

#8

    Add more beer!

  12. Thanks to kmount from:

    MrWu (8th November 2013)

#9

    Unfortunately I'm a lightweight, so probably be 2 pints :-)!

#10

    hi guys,

    Good night, and now sobering up!

    I managed to look at the logs on Exchange in Security yesterday and noticed a lot of failed logins from one user. I disabled her, but it still seems to show up as audit failed with a source address of my external IP; looks like it's still around then? And that PC must be on over the weekend? Initial thoughts: it is my Exchange server, but since it was rebuilt on 6/11/2013 and the CBL blacklisting was detected on 4/11/2013, then it must be something else?

    Will invoke Impero this weekend and scan all turned-on PCs using Norton Power Eraser as a first step...



    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 09/11/2013 08:01:05
    Event ID: 4625
    Task Category: Logon
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: SRV-EXCHANGE.hinchleyw.sch
    Description:
    An account failed to log on.

    Subject:
    Security ID: SYSTEM
    Account Name: SRV-EXCHANGE$
    Account Domain: HINCHLEYW
    Logon ID: 0x3e7

    Logon Type: 8

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: yolanipekun
    Account Domain: hinchleyw

    Failure Information:
    Failure Reason: Account currently disabled.
    Status: 0xc000006e
    Sub Status: 0xc0000072

    Process Information:
    Caller Process ID: 0x1750
    Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe

    Network Information:
    Workstation Name: SRV-EXCHANGE
    Source Network Address: 109.204.98.19
    Source Port: 25591

    Detailed Authentication Information:
    Logon Process: Advapi
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2013-11-09T08:01:05.852Z" />
    <EventRecordID>214019</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="6332" />
    <Channel>Security</Channel>
    <Computer>SRV-EXCHANGE.hinchleyw.sch</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SRV-EXCHANGE$</Data>
    <Data Name="SubjectDomainName">HINCHLEYW</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">yolanipekun</Data>
    <Data Name="TargetDomainName">hinchleyw</Data>
    <Data Name="Status">0xc000006e</Data>
    <Data Name="FailureReason">%%2310</Data>
    <Data Name="SubStatus">0xc0000072</Data>
    <Data Name="LogonType">8</Data>
    <Data Name="LogonProcessName">Advapi </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">SRV-EXCHANGE</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x1750</Data>
    <Data Name="ProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data>
    <Data Name="IpAddress">109.204.98.19</Data>
    <Data Name="IpPort">25591</Data>
    </EventData>
    </Event>
    Last edited by MrWu; 9th November 2013 at 09:25 AM.

  15. Thanks to MrWu from:

    russdev (11th November 2013)

#11

    Odd however that checking the Blacklist check with the CBL directly it seems to have cleared this morning without asking for a delist...so will carry on with mass malware check this weekend..

    edit: scrap that, it depends on which site you check your blacklist... still there...
    Last edited by MrWu; 9th November 2013 at 09:57 AM.

#12 (dhicks)

    Quote Originally Posted by MrWu:
        edit: scrap that, it depends on which site you check your blacklist... still there...
    You're probably off the actual blacklists, but the various checking utilities might only update every so often - it sounds like you should be okay by the end of the weekend.
    @sukh is the chap to ask about this kind of thing, he's given us very useful advice in the past with Exchange problems.

    If you are planning to switch to sending emails directly from your own Exchange server rather than via a smarthost, don't forget to set up SPF records for your domain before you make the switch (24-48 hours to allow for DNS propagation). Especially if you've been on a blacklist before, you'll find you need correct SPF details set up or Yahoo, Hotmail and so on will bounce your emails. They also might not update their blacklists at the same rate as other services - Yahoo has many servers in their email service infrastructure, and blacklist updates seem to take a while to work their way through.

  18. Thanks to dhicks from:

    MrWu (10th November 2013)
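To make dhicks's SPF point concrete, an added example that is not from this thread: a small SPF evaluator in Python that parses a domain's TXT record and says whether a given sending address is authorised by it. It evaluates the ip4, ip6 and all mechanisms locally and reports needs-dns when it reaches a mechanism (a, mx, include, ptr, exists) that a full checker would resolve over DNS. The record, the placeholder 192.0.2.0/24 range and the test addresses are constructed for the example; 109.204.98.18 is the outbound address from the thread.

```python
"""Evaluate an SPF record against a sending IP for the mechanisms that need
no DNS lookups (added example; not from the thread)."""
import ipaddress

# Qualifier prefix -> SPF result when that mechanism matches.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "include", "ptr", "exists"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) tuples.
    Returns None if the record is not an SPF record at all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifiers (redirect=, exp=) skipped here
            continue
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral for sender_ip, 'none' if there is no
    SPF record, 'permerror' for a malformed term, or 'needs-dns' when the
    first unresolved mechanism would require a DNS lookup."""
    terms = parse_spf(record)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in terms:
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
        elif name == "all":
            return RESULT[qualifier]
        elif name in NEEDS_DNS:
            return "needs-dns"
        else:
            return "permerror"               # unknown mechanism
    return "neutral"                         # RFC 7208 default when nothing matches


# Constructed record for a placeholder domain: the school's Exchange address
# plus an assumed ISP smarthost range, everything else hard-failed.
EXAMPLE_RECORD = "v=spf1 ip4:109.204.98.18 ip4:192.0.2.0/24 -all"

if __name__ == "__main__":
    for addr in ("109.204.98.18", "109.204.98.19", "192.0.2.77"):
        print(addr, check_spf(EXAMPLE_RECORD, addr))
```

The point for a school switching away from a smarthost is the order of the terms: the Exchange server's outbound address must appear in an ip4 mechanism before the -all, and if the ISP smarthost stays in use as a fallback, its range has to be listed too, or mail relayed through it fails SPF at the receivers dhicks names.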

#13

    Exchange will use the firewall IP which is provided, unless your ISP can allocate another, which they can do but will obviously charge for.

    You can have Exchange going out bypassing the firewall using a public IP address, same for incoming.

    Depending on which blacklist you're on, either you will get removed automatically or you will have to request removal.

    Had a quick scan through the post... were they using Exchange as a relay? Did a user name and password get compromised?

  20. Thanks to sukh from:

    MrWu (10th November 2013)

#14 (SYNACK)

    We have the firewall setup so that only the exchange server can access port 25 as you can't trust teachers as far as you can throw them with tech. This cuts down on stacks of issues and given how useless the 'good guys' at sorbs.net can be a smarthost can be much easier as some of them (SORBS) would rather scuttle the whole internet than follow their own policies.

  22. Thanks to SYNACK from:

    MrWu (10th November 2013)

#15

    Hi sukh

    No relay to new Exchange server as far as I know, best practice analyser and SMTP were ok
    CBL blacklist site indicated that the last connection from infected machine was 4/11/13 (day when we came back from half term)
    New Exchange Server came online 6/11/13 ..check all external emails then all ok
    8/11/13 I zapped a PC that had malware
    8/11/13 had email delays to Yahoo and Gmail, although this could be the smart host from the ISP; we have had trouble before
    I check Exchange security logs that indicated:

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 09/11/2013 08:01:05
    Event ID: 4625
    Task Category: Logon
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: SRV-EXCHANGE.hinchleyw.sch
    Description:
    An account failed to log on.

    Subject:
    Security ID: SYSTEM
    Account Name: SRV-EXCHANGE$
    Account Domain: HINCHLEYW
    Logon ID: 0x3e7

    Logon Type: 8

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: yolanipekun
    Account Domain: hinchleyw

    Failure Information:
    Failure Reason: Account currently disabled.
    Status: 0xc000006e
    Sub Status: 0xc0000072

    That user was legit; she left after summer but we did not disable her before (my bad). She did have ActiveSync set up on an Android tablet before. I have disabled her account but those event entries still come in (however, this could have appeared on the dead Exchange server also). The source IP machine in that event viewer entry is the IP address that we have been blacklisted with.

    Checked external emails Saturday and external mail is being sent out straight away, so could have been a smart host issue instead

    I will still need to check any PC with spyware and get firewall access logs from my ISP.
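Reading the failed-logon events quoted in posts #10 and #15 the way a defender would, as an added example that is not from this thread: a Python script that parses 4625 events exported as XML, translates the logon type and sub-status into words, and counts failures coming from non-private source addresses per account. The first sample event is the one quoted in post #10, trimmed to the fields the script uses; the second is constructed. Logon type 8 is NetworkCleartext, which is what IIS basic authentication (the Exchange ActiveSync and OWA virtual directories served by w3wp.exe) produces, and sub-status 0xC0000072 is the "account disabled" code the event text itself reports.

```python
"""Summarise Windows 4625 (failed logon) events exported as XML, grouping by
target account, source address and logon type (added example; not from the thread)."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sub-status codes from Microsoft's documentation for event 4625.
SUBSTATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "wrong password",
    "0xc0000071": "password expired",
    "0xc0000072": "account disabled",
    "0xc0000193": "account expired",
    "0xc0000234": "account locked out",
}
LOGON_TYPE = {"2": "Interactive", "3": "Network", "8": "NetworkCleartext",
              "10": "RemoteInteractive"}


def parse_4625(xml_text):
    """Parse one <Event> element (the Event Viewer 'Event Xml' view) into a dict;
    returns None for any other event ID."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system.find("e:EventID", NS).text != "4625":
        return None
    data = {d.get("Name"): (d.text or "").strip() for d in root.find("e:EventData", NS)}
    return {
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "user": data.get("TargetUserName", "").lower(),
        "domain": data.get("TargetDomainName", ""),
        "src_ip": data.get("IpAddress", "-"),
        "logon_type": LOGON_TYPE.get(data.get("LogonType"), data.get("LogonType")),
        "reason": SUBSTATUS.get(data.get("SubStatus", "").lower(), data.get("SubStatus")),
        "process": data.get("ProcessName", ""),
    }


def is_external(addr):
    """True for a routable (non-private, non-reserved) address; '-' and junk are False."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def summarise(events):
    """Count failures per (user, src_ip, logon_type, reason), external sources only."""
    counts = Counter()
    for ev in events:
        if ev and is_external(ev["src_ip"]):
            counts[(ev["user"], ev["src_ip"], ev["logon_type"], ev["reason"])] += 1
    return counts


# Sample events: the one quoted in the thread (trimmed to the fields used)
# and a constructed failure from an internal address, which the summary skips.
SAMPLE_EVENTS = [r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
<TimeCreated SystemTime="2013-11-09T08:01:05.852Z"/><Computer>SRV-EXCHANGE.hinchleyw.sch</Computer></System>
<EventData><Data Name="TargetUserName">yolanipekun</Data><Data Name="TargetDomainName">hinchleyw</Data>
<Data Name="Status">0xc000006e</Data><Data Name="SubStatus">0xc0000072</Data><Data Name="LogonType">8</Data>
<Data Name="ProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data>
<Data Name="IpAddress">109.204.98.19</Data><Data Name="IpPort">25591</Data></EventData></Event>""",
r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
<TimeCreated SystemTime="2013-11-09T08:02:11.000Z"/><Computer>SRV-EXCHANGE.hinchleyw.sch</Computer></System>
<EventData><Data Name="TargetUserName">jbloggs</Data><Data Name="TargetDomainName">hinchleyw</Data>
<Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data><Data Name="LogonType">3</Data>
<Data Name="ProcessName">-</Data><Data Name="IpAddress">10.1.20.12</Data><Data Name="IpPort">49152</Data></EventData></Event>"""]

if __name__ == "__main__":
    for key, n in summarise(parse_4625(x) for x in SAMPLE_EVENTS).most_common():
        print(n, *key)
```

Export the events with `wevtutil qe Security /q:"*[System[(EventID=4625)]]" /f:xml`, which emits one `<Event>` element per match; split them before passing each to `parse_4625`. One disabled account failing repeatedly from a single external address through w3wp.exe, as in the quoted event, points to a device still presenting old ActiveSync credentials, which matches the reading in post #15. A spread of different accounts from the same address with "wrong password" or "user name does not exist" is the pattern worth escalating, and the page notes the source shown is the NAT address, so the internal client still has to be identified from the firewall or ISP logs.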


