what ports do I block to stop spam/virus sending out over my network

Posted on 2008-10-22
Medium Priority
Last Modified: 2012-05-05
Hi guys,

I have a VoIP Trixbox server on its own internet connection. Recently its connection was blocked by the ISP for distributing spam/viruses. I know that I must find the source of this and remove it, but every time the connection is unblocked it is quickly blocked again for spam/viruses.

I was wondering if there are any outgoing ports other than SMTP that should be blocked on the firewall.

I just need the connection to be up while I find the source of the spam.

Any ideas on locating the source of the spam on a Linux box would be a great help too; I only have fairly basic Linux knowledge. I have run chkrootkit on it and this didn't solve the problem. I tried to install an antivirus program through the command line but could not get it to function.

Any help would be great.
Question by:SM17CH

Accepted Solution

emce earned 500 total points
ID: 22782208
Try blocking all outgoing ports except the ones you need to use while dealing with the problem.

Author Comment

ID: 22782648
Because it is a phone server I can't block all outgoing ports; it would ruin their phone system.

I'm more looking for the main ports that could be used to transfer anything an ISP could perceive as a virus or spam.
LVL 30

Assisted Solution

by:Kerem ERSOY
Kerem ERSOY earned 500 total points
ID: 22783009
My opinion is also to block all ports and then open the required ports after controlling. You should consult your software to see what ports it needs. Generally the ports you need to keep open are originating from inside but not the other way around. So you need only a limited number of ports to listen if somebody connects to the VoIP server. You may further limit the access to these ports so that people only reach them from specific IP addresses. If you can't, you might consider placing the VoIP server accessible via a VPN server. Failure to ensure secure communication to your VoIP server causes hackers to gain unauthorized access to it and make thousands of dollars' worth of VoIP communication, harming you a great deal. This has actually happened to a client of mine which is a global company.


LVL 20

Expert Comment

ID: 22785214

1. Pull yourself off the internet
2. Block firewall for incoming and outgoing except for known ports.
    Be over secure... you can always open them up later
3. Run virus / malware scans on both the phone system and all other PCs.
4. Check for open proxies that would allow spammers to just off this system
5. Clean it
6. Check it all again
7. Put yourself back on internet
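Steps 2 and 7 above in concrete form, as an added example that is not from the thread: a generator for an iptables-restore ruleset that drops everything outbound except what the PBX needs, and logs what gets dropped so the spam source shows up in syslog. The SIP trunk provider address (203.0.113.10), the RTP range (Asterisk's default 10000-20000/udp) and the admin workstation (198.51.100.5) are assumptions; change them to match the site.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# implements "block everything outbound except what the phone system needs".
# Assumed (constructed) values, override via environment: SIP trunk provider,
# RTP port range (Asterisk default), and the admin workstation allowed to SSH in.
SIP_PROVIDER="${SIP_PROVIDER:-203.0.113.10}"
RTP_RANGE="${RTP_RANGE:-10000:20000}"
ADMIN_IP="${ADMIN_IP:-198.51.100.5}"

egress_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# keep replies to existing sessions flowing in both directions
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# inbound: SIP signalling and RTP media from the trunk provider, SSH from admin
-A INPUT -p udp -s $SIP_PROVIDER --dport 5060 -j ACCEPT
-A INPUT -p udp -s $SIP_PROVIDER --dport $RTP_RANGE -j ACCEPT
-A INPUT -p tcp -s $ADMIN_IP --dport 22 -j ACCEPT
# outbound: only what the PBX itself needs (DNS, NTP, SIP/RTP to the provider)
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p udp -d $SIP_PROVIDER --dport 5060 -j ACCEPT
-A OUTPUT -p udp -d $SIP_PROVIDER --dport $RTP_RANGE -j ACCEPT
# outbound SMTP is the spam vector: log it (rate limited), then drop it
-A OUTPUT -p tcp --dport 25 -m limit --limit 10/min -j LOG --log-prefix "SPAM-OUT: "
-A OUTPUT -p tcp --dport 25 -j DROP
# anything else leaving the box is unexpected: log, then fall to the DROP policy
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DROP: "
COMMIT
EOF
}

# Apply as root from the console (not over SSH from a non-admin address):
#   egress_ruleset | iptables-restore
# then place a test call and watch /var/log/messages for SPAM-OUT / EGRESS-DROP.
```

The logged source port of each SPAM-OUT line can be matched against `lsof -i -n` to find the process that opened it.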


Assisted Solution

yurisk earned 500 total points
ID: 22796332
It is hard to find something when you don't know what you are looking for.
So first I'd recommend finding out what is going on on the Linux box:
1) # netstat -an                 - to see open connections
2) # lsof -i -n | grep LIST      - to see open and listening ports
3) # lsof -i -n | grep EST       - to see established connections
4) More elaborate: set up iptables on the box allowing everything but with accounting as well, so you can see the most used ports, IPs etc.
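A way to make the netstat output from step 1 answer the actual question (is this box opening many outbound SMTP sessions?), as an added example that is not from the thread. The netstat sample is constructed with RFC 5737 addresses; on the real box feed it `netstat -ant` instead.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `netstat -ant` output so that
# spam-style behaviour (many outbound port-25 sessions to many different hosts)
# stands out. On the live box:  netstat -ant | outbound_by_port
# Note: netstat does not record direction; inbound sessions show up with a high
# remote port, outbound service connections with a well-known one (25, 80, ...).

# Sessions in progress (established or still connecting), grouped by remote
# port. Output lines are "count port", busiest first.
outbound_by_port() {
    awk '$1 == "tcp" && ($6 == "ESTABLISHED" || $6 == "SYN_SENT") {
             n = split($5, a, ":"); c[a[n]]++ }
         END { for (p in c) print c[p], p }' | sort -rn
}

# Distinct remote hosts this box is talking to on port 25. A PBX should have
# none, or at most its own smarthost; dozens means it is relaying spam.
smtp_peers() {
    awk '$1 == "tcp" && ($6 == "ESTABLISHED" || $6 == "SYN_SENT") {
             n = split($5, a, ":");
             if (a[n] == "25") { sub(":[0-9]+$", "", $5); print $5 } }' \
    | sort -u
}

# On the live box, map those sessions to the owning processes (needs root to
# see other users' sockets). Not exercised by the constructed sample below.
smtp_owners() {
    lsof -nP -i TCP:25 2>/dev/null
}

# Constructed sample: three ESTABLISHED and one SYN_SENT session to port 25 on
# three different hosts, plus one inbound SSH session from the admin box.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.7:40001         198.51.100.20:25        ESTABLISHED
tcp        0      0 192.0.2.7:40002         198.51.100.21:25        ESTABLISHED
tcp        0      0 192.0.2.7:40003         198.51.100.22:25        SYN_SENT
tcp        0      0 192.0.2.7:40004         198.51.100.21:25        ESTABLISHED
tcp        0      0 192.0.2.7:22            198.51.100.5:51234      ESTABLISHED'

# Usage on the sample:  printf '%s\n' "$SAMPLE" | outbound_by_port
```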
LVL 38

Expert Comment

by:Rich Rumble
ID: 22796693
If you're sure it's coming from a Linux box, try to install ClamAV. Download the latest as of today, 0.94.1RC1. http://linuxsagas.wordpress.com/2007/11/29/how-to-scan-a-hard-drive-with-fedora-8-live-cd/ (very similar to the instructions I give, only they automate commenting two files)
    useradd clamav                      # configure checks that this user exists
    tar -xzf clamav-0.94.1rc1.tar.gz
    cd clamav-0.94.1rc1
    ./configure && make                 # build before installing
    make install
Comment out the "Example" line in /usr/local/etc/clamd.conf and, in the same dir, freshclam.conf.
Then run
    freshclam -v                        # fetch current signatures

    clamscan /* -r --detect-pua --infected
or you list all the dirs you want to scan, because you will get errors scanning /sys/bus... and others:
    clamscan -r /root /usr /var /home /tmp --detect-pua --infected
should be good enough. That will scan the entire filesystem for potentially unwanted applications (pua) and only list the infected files that it detects. Failing that, you need to begin to sniff traffic using wireshark or tcpdump to find the suspected traffic. You should also ask for more information about what virus/spam they are seeing...

Assisted Solution

DevMatrix earned 500 total points
ID: 22800511
If all else fails, it might be worth it to call your ISP to see if you can determine the criteria by which they are flagging your traffic. Some viruses use 'common' ports to transmit data, for example (albeit an old one), MyDoom.B and later variants had a tendency to use port 1080, which is widely used for SOCKS proxies. The opposite could be true in your case. Perhaps the port range(s) that your VOIP software is using is being incorrectly flagged, due to port number(s) and traffic volumes.
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 22800851

If you suspect that they might have already hacked your system, netstat would not do if they have hidden their processes using a rootkit. A virus scan might not be appropriate either because ClamAV only scans for PC viruses.

The best thing to do is:
- Remove the PC from the net
- Place it in an internal network
- Check for a rootkit; you can find one of the good ones here:
- I'll suggest you scan your system from outside and see if they've planted any remote access programs like rootshell from another host, because if you have a rootkit you can't see the hacker's processes or their listening ports through netstat.
- I also suggest that you don't re-enable the system before you're sure there are no backdoors installed on your system.
- Also try to use one of the server platforms offering SELinux
- Keep the iptables firewall running all the time.
- Use a firewall on the border of your network and start with closing down all ports and opening only the necessary ports.


LVL 38

Expert Comment

by:Rich Rumble
ID: 22801061
It could also be that your server is simply own'd: through an exploit or poor administration they gained access, and if you can determine that it's actually sending mail/spam out using netstat or tcpdump, you'll want to back up your data and reinstall. Linux hardly ever gets viruses, but it does get "hacked", albeit far less than M$ typically, and these days it's typically through a web app like phpBB forums and their ilk.

