what ports do I block to stop spam/virus sending out over my network

Posted on 2008-10-22
Last Modified: 2012-05-05
Hi guys,

I have a VoIP Trixbox server on its own internet connection, recently it's connection was blocked from the ISP for distributing Spam/Virus, I know that I must find the source of this and remove it, but every time the connection is unblocked it is quickly blocked again for spam/virus.

I was wondering if there are any outgoing ports other than SMTP that should be blocked on the firewall.

I just need the connection to be up while I find the source of the spam.

any ideas on locating the source of the spam on a linux box would be a great help too, I only have a fairly basic linux knowledge.  I have run chkrootkit on it and this didnt solve the problem, I tried to install an anti virus program through the command line but could not get it to function.

any help would be great
Question by:SM17CH

Accepted Solution

emce earned 125 total points
Comment Utility
try blocking all outgoing ports except the ones you need to use while dealing wih the problem

Author Comment

Comment Utility
because it is a phone server I can't block all outgoing ports, would ruin their phone system.

I'm more looking for the main ports that could be used to transfer anything an ISP could perceive as a virus or spam
LVL 30

Assisted Solution

by:Kerem ERSOY
Kerem ERSOY earned 125 total points
Comment Utility
My opinion is also to block all ports and then open the required ports after controlling. You should consult your software to see what ports it needs. Generally the ports you need to keep open are originating form inside but not the other way around. So you need only a limited number of ports to listen if somebody connects to the VoIP server. You may further limit the access to these ports so that people only reach them form specific IP addresses. If you cant you might consider placing the VoIP server accessible via a  VPN server. Failure to ensure secure communication to your VoIP server causes hackers to gain unauthorized access to it and make thousands of dollars worth of VoIP communication and harming you a great deal. This has actually has happened to a client of mine which is a Global Company.

LVL 20

Expert Comment

Comment Utility

1. Pull your self off the internet
2. Block firewall for incoming and outgoing except for known ports.
    by over secure... you can always open them up later
3. Run virus / malware scans on botht he phone system and all other pcs.
4. Check for open proxies that would allow spammers to just off this system
5. clean it
6. check it all again
7. put yourself back on internet

Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!


Assisted Solution

yurisk earned 125 total points
Comment Utility
It is hard to find something when you don't know what you are looking for.
So first I'd recommend finding out what is going on on the Linux box -
1) #netstat -an - To see open connections
2) #lsof -i -n | grep LIST   - to see open and listening ports
3) #lsof -i -n | grep EST  - to see established connections
4) more elaborate set up a IPtables on the box allowing everything but using accounting as well so most used ports.IPs etc.
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
If your sure it's coming from a linux box, try to install ClamAv, download the latest as of today 0.94.1RC1, (very similar to the instructions I give, only they automate commenting two files)
tar -xzf clamav-0.94.1rc1.tar.gz  
cd clamav-0.94.1rc1
make install
useradd clamav
   comment out the word example in /usr/local/etc/clamd.conf and in the same dir freshclam.conf
then run
freshclam -v

clamscan /* -r --detect-pua --infected
or you list all the dirs you want to scan, because you will get errors scanning /sys/bus... and others
clamscan -r /root /usr /var /home /tmp --detect-pua --infected  should be good enough
That will scan the entire filesystem for potentially unwanted applications (pua) and only list files that are infected that it detects. Failing that, you need to begin to sniff traffic using wireshark or tcpdump to find the suspected traffic. You should also ask for more information about what virus/spam they are seeing...

Assisted Solution

DevMatrix earned 125 total points
Comment Utility
If all else fails, it might be worth it to call your ISP to see if you can determine the criteria by which they are flagging your traffic. Some viruses use 'common' ports to transmit data, for example (albeit an old one), MyDoom.B and later variants had a tendency to use port 1080, which is widely used for SOCKS proxies. The opposite could be true in your case. Perhaps the port range(s) that your VOIP software is using is being incorrectly flagged, due to port number(s) and traffic volumes.
LVL 30

Expert Comment

by:Kerem ERSOY
Comment Utility

If you suspect that they might already hacked your system, nnetstat would not do if they have hid their processes using a rootkit. A virus scanning might not be appropriate either because ClamAV only scans for PC viruses.

The best thing to do is:
- Remove the PC from the net
- Place it in an internal network
- Check for a rootkit you can find one of the good ones here:
- I2ll suggest you to scan your sytem from outside and see if they've planted any remotee access programs like rootsheel from another host. Because if you have rootkit you can't see hacker's processes or their listening ports through netstat.
- I also suggest that don't reeneable the system before you're sure there are no backdoors installed over your system.
- Also try to use one of the server platforms offering SELinux
- Keep their IPTables firewall running all the time.
- Use a firewall on the border of your network and start with closing down all ports and openeing only the necessary ports.


LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
It could also be that your server is simply own'd, through exploit or poor administration, they gained access and if you can determine that it's actually sending mail/spam out using a netstat or tcpdump, you'll want to back up your data, and reinstall. Linux hardly ever get viri, but they do get "hacked" albeit far less than M$ typically, and these days it's typically through a web app like PHPbb forums and their ilk.

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now