Wij hebben op de zaak een 6 tal computers en nu is het probleem dat we steeds op de blocklist komen van cbl.
We kunnen dan geen mail meer versturen.
Echter heb ik alles gescand met Norton anti virus, malwarebites en met Kaspersky's TDSSKiller Antirootkit Utility. ook heb ik overal ad awre op gedraaid.
Volgens cbl maakt de computer een verbinding met een bepaald ip adres misschien dat ik iets met een scanner kan vinden welke computer ene verbinding maakt met het ip adres wat in blacklist staat.
In windows firewall kan ik niet terug zien of er een pc daar verbinding mee maak. Ook heb ik het register gecontroleerd en kom nergens tegen wat er beschreven staat wat ik zou moeten vinden
En toch komen we elke keer op de blacklist als ik dan het ip scan krijg ik de volgende meldig :
IP Address xxx.xxx.xxx.xxx is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-09-07 13:00 GMT (+/- 30 minutes), approximately 3 hours ago.
It has been relisted following a previous removal at 2013-09-04 10:17 GMT (3 days, 5 hours, 58 minutes ago)
This IP address is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.
The infection was detected by observing this IP address attempting to make contact to a Torpig Command and Control server (C&C), a central server used by the criminals to control with Torpig infected computers (bots).
Torpig is a malicious software (malware) used by cybercriminals to commit ebanking fraud and steal sensitive personal data, such as credentials (username, password) for online services (email, webmail, etc.).
If you are running Windows XP, Torpig was likely dropped by Mebroot. Mebroot is a Rootkit that installs itself into the MBR (Master Boot Record). If you are running a newer Windows operating system, Torpig has been likely dropped by a second Trojan such as Andromeda/Gamarue or similar malware droppers.
With Mebroot or any other rootkit that installs itself into the MBR, you will either have to use a "MBR cleaner" or reformat the drive completely - even if you manage to remove Torpig, the MBR infection will cause it to be reinfected again.
The best way to find the machine responsible for this listing is to look for connections to the Torpig C&C sinkhole. This detection was made through a connection to "108.61.18.43" on port "80" TCP. This detection corresponds to a connection at 2013-09-07 13:14:14 (GMT - this timestamp is believed accurate to within one second).
You can try Kaspersky's TDSSKiller Antirootkit Utility to get this infection detected/removed. However, we strongly recommend you to do completely re-install your operation system to get this infection removed permanently.
These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.
You will need to find and eradicate the infection before delisting the IP address.
We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" its a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, and they will STILL be delivering your users/customers personal information, including banking information to the criminal bot operators.
If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.
We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.
Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.
This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn't working.
The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives. NOTE: the Advanced Techniques link focuses on finding port 25(SMTP) traffic. With "sinkhole malware" detections such as this listing, we aren't detecting port 25 traffic, we're detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP.
Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total.
Thus: having your anti-virus software doesn't find anything doesn't prove that you're not infected.
While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine - meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources.
We kunnen dan geen mail meer versturen.
Echter heb ik alles gescand met Norton anti virus, malwarebites en met Kaspersky's TDSSKiller Antirootkit Utility. ook heb ik overal ad awre op gedraaid.
Volgens cbl maakt de computer een verbinding met een bepaald ip adres misschien dat ik iets met een scanner kan vinden welke computer ene verbinding maakt met het ip adres wat in blacklist staat.
In windows firewall kan ik niet terug zien of er een pc daar verbinding mee maak. Ook heb ik het register gecontroleerd en kom nergens tegen wat er beschreven staat wat ik zou moeten vinden
En toch komen we elke keer op de blacklist als ik dan het ip scan krijg ik de volgende meldig :
IP Address xxx.xxx.xxx.xxx is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-09-07 13:00 GMT (+/- 30 minutes), approximately 3 hours ago.
It has been relisted following a previous removal at 2013-09-04 10:17 GMT (3 days, 5 hours, 58 minutes ago)
This IP address is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.
The infection was detected by observing this IP address attempting to make contact to a Torpig Command and Control server (C&C), a central server used by the criminals to control with Torpig infected computers (bots).
Torpig is a malicious software (malware) used by cybercriminals to commit ebanking fraud and steal sensitive personal data, such as credentials (username, password) for online services (email, webmail, etc.).
If you are running Windows XP, Torpig was likely dropped by Mebroot. Mebroot is a Rootkit that installs itself into the MBR (Master Boot Record). If you are running a newer Windows operating system, Torpig has been likely dropped by a second Trojan such as Andromeda/Gamarue or similar malware droppers.
With Mebroot or any other rootkit that installs itself into the MBR, you will either have to use a "MBR cleaner" or reformat the drive completely - even if you manage to remove Torpig, the MBR infection will cause it to be reinfected again.
The best way to find the machine responsible for this listing is to look for connections to the Torpig C&C sinkhole. This detection was made through a connection to "108.61.18.43" on port "80" TCP. This detection corresponds to a connection at 2013-09-07 13:14:14 (GMT - this timestamp is believed accurate to within one second).
You can try Kaspersky's TDSSKiller Antirootkit Utility to get this infection detected/removed. However, we strongly recommend you to do completely re-install your operation system to get this infection removed permanently.
These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.
You will need to find and eradicate the infection before delisting the IP address.
We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" its a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, and they will STILL be delivering your users/customers personal information, including banking information to the criminal bot operators.
If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.
We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.
Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.
This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn't working.
The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives. NOTE: the Advanced Techniques link focuses on finding port 25(SMTP) traffic. With "sinkhole malware" detections such as this listing, we aren't detecting port 25 traffic, we're detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP.
Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total.
Thus: having your anti-virus software doesn't find anything doesn't prove that you're not infected.
While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine - meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources.
/u/234056/stampedeicon.JPG?f=community)
/u/169878/crop60f2c3c12a642_cropped.png?f=community)