Kerio Connect forum: problems with CBL

Pavel1984
Messages: 13
Karma: -1
Recently my domain was listed in the CBL blacklist. I cannot get it delisted. I have not found any viruses on the server or on the clients.

Help

  • Attachment: kerio_2.jpg
  • Attachment: kerio_1.jpg

freakinvibe
Messages: 1542
Karma: 62
Your IP address can get listed in CBL when one of your clients or one of your servers that use this IP address for outgoing traffic is infected and sending botnet traffic to one of the CBL's sinkholes.

When you do an IP address lookup on CBL, you normally see detailed instructions on how to cure the problem. Have you done all this? (This might include sniffing your network traffic).

You can also send me your IP address/domain name in a PM and I can have a quick look.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
Pavel1984
Messages: 13
Karma: -1
The CBL writes:
Quote:
Your IP was observed making connections to TCP/IP IP address 216.66.15.109 (the conficker command and control server address) with a destination port 80, source port (for this detection) of 47559 at exactly 2014-06-17 08:40:22 (UTC). All of our detection systems use NTP for time synchronization, so the timestamp should be accurate within one second.

If you don't have full firewall logging, perhaps you can set up a firewall block/log of access to IP address 216.66.15.109 and keep watch for hits.

216.66.15.109 - this is not my IP

[Updated on: Tue, 17 June 2014 12:36]

freakinvibe
Messages: 1542
Karma: 62
This says that one of your servers or clients is making a connection to

216.66.15.109

which indicates that you have Conficker on one of your machines. You have to follow the exact instructions given on abuse.at to get rid of Conficker:

Quote:
This IP is infected (or NATting for a computer that is infected) with the Conficker A or Conficker B botnet.

More information about Conficker can be obtained from Wikipedia

Remember: Conficker is not a spam sending botnet. It does not send email or spam. It does not use port 25.

Please follow these instructions.

Dshield has a diary item containing many third party resources, especially removal tools such as Norton Power Eraser, Stinger, MSRT etc.

One of the most critical items is to make sure that all of your computers have the MS08-067 patch installed. But even with the patch installed, machines can get reinfected.

There are several ways to identify Conficker infections remotely. For a fairly complete approach, see Sophos.

If you have full firewall logs turned on at the time of detection, this may be sufficient to find the infection on a NAT:

Your IP was observed making connections to TCP/IP IP address 216.66.15.109 (the conficker command and control server address) with a destination port 80, source port (for this detection) of 47559 at exactly 2014-06-17 08:40:22 (UTC). All of our detection systems use NTP for time synchronization, so the timestamp should be accurate within one second.

If you don't have full firewall logging, perhaps you can set up a firewall block/log of access to IP address 216.66.15.109 and keep watch for hits.

Recent versions of NMap can detect Conficker, but it's not 100% reliable at finding every infection. Nmap is available for Linux, xxxBSD, Windows and Mac. Nessus can also find Conficker infections remotely. Several other scanners are available here.

Enigma Software's scanner is apparently good at finding Conficker A.

University of Bonn has a number of scan/removal tools.

If you're unable to find the infection, consider:

If you used a network scanner, make sure that the network specification you used to check your network was right, and you understand how to interpret a conficker detection.
Some network conficker scanners only detect some varieties of conficker. For example, nmap misses some. If you can't find it with nmap, try other scanners like McAfee's. In other words, try at least two.
Are you sure you have found _all_ computers in your network? Sometimes there are machines quietly sitting in back rooms somewhere that got forgotten about. It would be a good idea to run

nmap -sP <ALL of your network specifications>

which should list all your computers, printers and other network devices. Did you see all the computers you expected to see?
The infected computer may be turned off at the time you ran the scan or not on the network. Double-check everything was turned on during the scan.
If you have wireless, make sure it's secured with WPA or WPA2, and that "strangers" can't connect. WEP security is NOT good enough.
Many versions of Conficker propagate via infected thumbdrives/USB keys. When an infected machine is found, ALL such devices associated with the machine should be considered suspect, and either destroyed or completely reformatted.
Conficker also propagates by file and printer shares.

If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.
How to resolve future problems and prevent relisting

Norton Power Eraser is a free tool and doesn't require installation. It just needs to be downloaded and run. One of our team has tested the tool with Zeus, Ice-X, Citadel, ZeroAccess and Cutwail. It was able to detect and clean up the system in each case. It probably works with many other infections.

Is this IP address a NAT gateway/firewall/router? In other words, is this IP address shared with other computers? See NAT for further information about NATs and how to secure them.

If this IP address is shared with other computers, only the administrator of this IP address can prevent this happening again by following the instructions in NAT to secure the NAT against future infections. In this way, no matter how badly infected the network behind the NAT is, the network can't spam the Internet. The administrator can also refer to Advanced BOT detection for hints and tips on how to find the infected computer behind a NAT.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
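The CBL text quoted above says that full firewall logs from the detection time are usually enough to find the infected host behind a NAT. The following is an added example (not from this thread, from CBL or from Kerio) that correlates the details CBL reports (destination 216.66.15.109:80, source port 47559, 2014-06-17 08:40:22 UTC) against NAT connection-log lines; the log format and the internal addresses are constructed for illustration, so the regular expression must be adapted to a real firewall export.

```python
import re
from datetime import datetime

# Constructed sample NAT connection-log lines (not real firewall output).
# Format: <UTC timestamp> NAT <internal ip>:<port> -> <dest ip>:<port>
SAMPLE_LOG = """\
2014-06-17 08:40:20 NAT 192.168.1.15:51002 -> 93.184.216.34:443
2014-06-17 08:40:22 NAT 192.168.1.23:47559 -> 216.66.15.109:80
2014-06-17 08:40:23 NAT 192.168.1.40:47559 -> 172.217.16.78:80
2014-06-17 09:12:05 NAT 192.168.1.77:49331 -> 216.66.15.109:80
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) NAT "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_ts(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS' UTC timestamp as CBL and the log write it."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_log(text):
    """Yield one dict per well-formed line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield {"ts": parse_ts(m["ts"]), "src": m["src"],
                   "sport": int(m["sport"]), "dst": m["dst"],
                   "dport": int(m["dport"])}


def find_cbl_source(log_text, dst_ip, dst_port, src_port, detected_at, tolerance_s=2):
    """Match a CBL report against NAT logs; returns (exact, other).

    exact: internal hosts whose connection matches destination ip/port, source
    port and timestamp within tolerance_s (CBL says its NTP-synced timestamps
    are accurate to about one second). other: hosts that reached the sinkhole
    IP at any other time, which points at reinfection or a second infected box.
    """
    exact, other = set(), set()
    when = parse_ts(detected_at)
    for e in parse_log(log_text):
        if e["dst"] != dst_ip or e["dport"] != dst_port:
            continue
        close = abs((e["ts"] - when).total_seconds()) <= tolerance_s
        if close and e["sport"] == src_port:
            exact.add(e["src"])
        else:
            other.add(e["src"])
    return sorted(exact), sorted(other)
```

Run as `find_cbl_source(SAMPLE_LOG, "216.66.15.109", 80, 47559, "2014-06-17 08:40:22")`; the "other" list is worth checking even after the exact match is cleaned, because any host that reaches the sinkhole later will relist the IP.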
Pavel1984
Messages: 13
Karma: -1
freakinvibe wrote on Tue, 17 June 2014 14:56
This says that one of your servers or clients is making a connection to

216.66.15.109

which indicates that you have Conficker on one of your machines. You have to follow the exact instructions given on abuse.at to get rid of Conficker:

Yes, I understand. I asked the users to check their PCs and they all reported that they are clean. How can I use Nmap to detect Conficker?

Pavel1984
Messages: 13
Karma: -1
Pavel1984 wrote on Tue, 17 June 2014 15:49
How can I use Nmap to detect Conficker?

nmap -sU -sS --script smb-check-vulns.nse -p U:137,T:139 host