#1 truebluesteve

    CBL Block

    Hi Folks

    We've had our external IP address added to the CBL blocklist and I am really struggling to find the source of the problem. The activity is fairly infrequent and seems to come from a different port each time. It appears the infection is a Gameover Zeus bot.

    The latest list from 1700 GMT yesterday shows the source port as 57770 to a destination port of 80. It gives no destination IP.

    I have searched the Smoothwall logs for activity on that port at that time plus or minus a couple of hours and there is nothing. There is also no activity to any of the sinkhole IP addresses that are listed.


    Does anyone have any suggestions on how to resolve this, particularly in relation to searching the Smoothwall logs or port blocking? Actually, any suggestions really!

    Cheers

    Steve

#2 plexer

    Thanks to plexer from: truebluesteve (7th June 2014)

#3 truebluesteve
    Quote Originally Posted by plexer
    Hi Ben

    Yes I did, and I may use that, although it doesn't help that I don't know the destination IP address.

    It hasn't appeared since yesterday, so I suspect the rogue PC is turned off. I am going to try and turn a few on and see what happens over the weekend, starting with the Bursar's office, who have previous for this sort of thing. With 800 PCs it might take a while, simply because the blocklist isn't updated that frequently.

    Steve

#4 synaesthesia
    Without wishing to join hands with the Daily Mail or BBC scaremongering brigade, for that particular infection I hope you've removed network access from every station until it's resolved?

#5
    Have you checked the CBL lookup page again? It has a list of IPs to look for now.

#6 truebluesteve
    Quote Originally Posted by synaesthesia
    Without wishing to join hands with the Daily Mail or BBC scaremongering brigade, for that particular infection I hope you've removed network access from every station until it's resolved?
    Yep, after all nobody really needs access to the network!

    I think I may have found the offending device now: a staff laptop, surprise surprise. It has been a real pain to find though, and some of the info supplied by the CBL page doesn't really help.

    Neither the IP address nor the port provided by them has been used by any devices on the network according to the Smoothwall logs. However, one piece of useful advice was to turn on DNS logging and look for requests to strange domains like "zlmfxgwgqdieahvsgtfylrcgufy.com".

    I did this and, bingo, I found this address "ZDEYMFMVJRTQCTNZGUUSPLWSNZ.BIZ", and doing a whois on it brought back an IP address identified as a C&C server for GameOver Zeus.

    The other things worth noting are that it doesn't do anything until someone logs onto the computer, and it has been estimated that even up-to-date AV is only 23% effective against it.

    Another learning curve completed
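
The DNS-log approach Steve describes above, as an added example that is not part of the thread and not Smoothwall's own code: a small Python script that parses constructed DNS query log lines, flags lookups whose registered label looks machine-generated (low vowel ratio, long consonant runs), and groups them by client IP so the querying host can be identified. The log line format, the two thresholds and the one-label TLD handling are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample DNS log lines, not from the thread. The line format
# "<date> <time> <client-ip> query: <name>" is an assumption; adapt LINE_RE to
# whatever your resolver or Smoothwall DNS log actually writes.
SAMPLE_DNS_LOG = """\
2014-06-06 16:58:01 10.0.5.23 query: www.bbc.co.uk
2014-06-06 16:58:04 10.0.5.23 query: zlmfxgwgqdieahvsgtfylrcgufy.com
2014-06-06 16:58:09 10.0.7.110 query: mail.google.com
2014-06-06 16:58:40 10.0.7.110 query: stackoverflow.com
2014-06-06 16:59:12 10.0.5.23 query: ZDEYMFMVJRTQCTNZGUUSPLWSNZ.BIZ
2014-06-06 16:59:30 10.0.9.4 query: update.microsoft.com
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) query: (\S+)$")

def registered_label(domain):
    """Label left of the TLD ('google' for mail.google.com); assumes a one-label suffix, so a real deployment should use the public suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_reasons(domain, min_len=10, max_vowel_ratio=0.25, max_consonant_run=5):
    """Heuristic reasons a name looks machine-generated; empty list means it looks normal. Thresholds are assumptions tuned by eye and will misfire on some CDN names."""
    label = registered_label(domain)
    if len(label) < min_len:
        return []
    reasons = []
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    if vowel_ratio < max_vowel_ratio:
        reasons.append(f"vowel ratio {vowel_ratio:.2f}")
    run = max((len(m) for m in re.findall(r"[^aeiou]+", label)), default=0)
    if run >= max_consonant_run:
        reasons.append(f"consonant run of {run}")
    return reasons

def suspicious_clients(log_text):
    """Map client IP -> [(timestamp, domain, reasons)] for DGA-looking lookups, so the host behind a blocklist listing can be found from the DNS log alone."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; count these in practice to notice format drift
        ts, client, name = m.groups()
        reasons = dga_reasons(name)
        if reasons:
            hits[client].append((ts, name.lower(), reasons))
    return dict(hits)
```

Run `suspicious_clients(SAMPLE_DNS_LOG)` and only 10.0.5.23 comes back, with both of the domains named in the thread and the reasons each tripped.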

#7 synaesthesia
    Indeed. However important you think network access is though, data security is 100% more important. I would not hesitate in shutting down everything on site to ensure a nasty of that type is isolated before anything's powered back up again.

#8 truebluesteve
    Yes I did but it seems that the infected PCs don't always use them directly as was proved when I found the infected machine!

#9 truebluesteve
    I agree; however, I knew the servers were unaffected and clean, otherwise I would certainly have considered that option. The nature of Zeus (from what I've read) is that it doesn't gather data from across a network, but rather personal data that would be used for banking and so on, from a single computer.

    Still a nasty piece of code though.


