what ports do I block to stop spam/virus sending out over my network

Hi guys,

I have a VoIP Trixbox server on its own internet connection; recently its connection was blocked by the ISP for distributing spam/viruses. I know that I must find the source of this and remove it, but every time the connection is unblocked it is quickly blocked again for spam/virus.

I was wondering if there are any outgoing ports other than SMTP that should be blocked on the firewall.

I just need the connection to be up while I find the source of the spam.

Any ideas on locating the source of the spam on a Linux box would be a great help too; I only have fairly basic Linux knowledge. I have run chkrootkit on it and this didn't solve the problem. I tried to install an antivirus program through the command line but could not get it to function.

Any help would be great.
Try blocking all outgoing ports except the ones you need to use while dealing with the problem.

SM17CH (Author) Commented:
Because it is a phone server I can't block all outgoing ports; it would ruin their phone system.

I'm more looking for the main ports that could be used to transfer anything an ISP could perceive as a virus or spam.
Kerem ERSOY (President) Commented:
My opinion is also to block all ports and then open the required ports after controlling. You should consult your software to see what ports it needs. Generally the ports you need to keep open are originating from inside but not the other way around. So you need only a limited number of ports to listen on if somebody connects to the VoIP server. You may further limit the access to these ports so that people only reach them from specific IP addresses. If you can't, you might consider placing the VoIP server accessible via a VPN server. Failure to ensure secure communication to your VoIP server causes hackers to gain unauthorized access to it and make thousands of dollars worth of VoIP communication, harming you a great deal. This has actually happened to a client of mine which is a Global Company.


1. Pull yourself off the internet
2. Block the firewall for incoming and outgoing except for known ports.
    (be over-secure... you can always open them up later)
3. Run virus / malware scans on both the phone system and all other PCs.
4. Check for open proxies that would allow spammers to jump off this system
5. Clean it
6. Check it all again
7. Put yourself back on the internet
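The two answers above both say "block everything outbound, then open only what the phone system needs". The script below is an added example of what that looks like on the Trixbox itself with iptables; it is not code posted in the thread. It prints the rules rather than applying them so they can be reviewed first. The SIP provider address, the ISP mail relay and the RTP port range are constructed placeholders (assumptions) that you would replace with the values from your own configuration.

```shell
#!/bin/sh
# Added example, not from the thread: build an egress whitelist for the VoIP box.
# Everything the phone system needs is allowed explicitly; everything else is
# logged and dropped, so the box can stay online while you hunt for the spammer.
# All addresses and the RTP range below are constructed placeholders (assumptions).
SIP_PROVIDER="203.0.113.10"     # assumed: your SIP trunk provider's signalling/media host
ISP_SMTP_RELAY="198.51.100.25"  # assumed: the ISP relay that voicemail notifications go through
RTP_RANGE="10000:20000"         # assumed: the rtpstart/rtpend range in Asterisk's rtp.conf

# Print the iptables commands instead of running them, so the policy can be
# reviewed (and tested) before it is applied with root privileges.
build_egress_rules() {
  cat <<EOF
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp -d $SIP_PROVIDER --dport 5060 -j ACCEPT
iptables -A OUTPUT -p udp -d $SIP_PROVIDER --dport $RTP_RANGE -j ACCEPT
iptables -A OUTPUT -p tcp -d $ISP_SMTP_RELAY --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -m limit --limit 10/min -j LOG --log-prefix "SMTP-EGRESS-DROP: " --log-uid
iptables -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DROP: " --log-uid
iptables -P OUTPUT DROP
EOF
}

# Apply the generated policy (needs root). Run it from the console rather than
# over SSH in case a rule is wrong: the default policy flips to DROP on the last line.
apply_egress_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_egress_rules: must run as root" >&2; return 1; }
  build_egress_rules | sh -e
}

# Running the script directly just prints the policy for review.
build_egress_rules
```

The SMTP rule pair is the useful part while you are still searching: direct-to-MX mail from the box is refused, and every refused attempt lands in the kernel log (/var/log/messages on a CentOS-based Trixbox) with the UID of the process that sent it thanks to --log-uid, so a web-server or unknown account sending to port 25 stands out immediately. Only the OUTPUT chain is touched here; inbound SIP/RTP rules on INPUT are left as they are.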

It is hard to find something when you don't know what you are looking for.
So first I'd recommend finding out what is going on on the Linux box:
1) netstat -an  - to see open connections
2) lsof -i -n | grep LIST  - to see open and listening ports
3) lsof -i -n | grep EST  - to see established connections
4) more elaborate: set up iptables on the box allowing everything but with accounting enabled as well, so you can see the most used ports, IPs etc.
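To turn the netstat output from step 1 into an answer to "which process is sending the spam", here is a small parser added as an example (it is not from any answer in the thread). It reads netstat -antp output (run as root so the PID/Program column is populated) and counts outbound TCP connections to remote port 25 per process. The netstat lines embedded in the script are a constructed sample: a hypothetical perl process fanning out to port 25 on several hosts next to the legitimate MTA talking to the ISP relay.

```shell
#!/bin/sh
# Added example, not from the thread: find which process on the box is opening
# outbound SMTP connections, the classic footprint of a spam bot. Feed it the
# output of "netstat -antp" (run as root so the PID/Program column is filled in).

# Constructed sample of "netstat -antp" output: a hypothetical perl process
# (PID 3310) fanning out to port 25 on several hosts, next to the legitimate
# MTA talking to the ISP relay. Addresses are documentation ranges, not real hosts.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5060            0.0.0.0:*               LISTEN      2211/asterisk
tcp        0      0 192.0.2.5:43112         198.51.100.9:25         ESTABLISHED 3310/perl
tcp        0      0 192.0.2.5:43113         203.0.113.44:25         SYN_SENT    3310/perl
tcp        0      0 192.0.2.5:43114         192.0.2.77:25           ESTABLISHED 3310/perl
tcp        0      0 192.0.2.5:22            198.51.100.2:51022      ESTABLISHED 1890/sshd
tcp        0      0 192.0.2.5:43115         198.51.100.25:25        ESTABLISHED 2050/sendmail
EOF
)

# smtp_talkers [MIN]: read netstat -antp lines on stdin and print
# "<connections> <pid/program>" for each process with at least MIN (default 1)
# non-listening TCP connections whose remote port is 25, busiest first.
# Only the foreign-address column is checked, so inbound mail arriving on the
# box's own port 25 is not counted; only connections the box initiated are.
smtp_talkers() {
  min=${1:-1}
  awk -v min="$min" '
    $1 ~ /^tcp/ && $5 ~ /:25$/ && $6 != "LISTEN" { n[$7]++ }
    END { for (p in n) if (n[p] >= min) print n[p], p }' | sort -rn
}

# Demonstration on the constructed sample; on the real box use:
#   netstat -antp | smtp_talkers 2
printf '%s\n' "$SAMPLE_NETSTAT" | smtp_talkers
```

A legitimate MTA delivering voicemail notifications through the ISP relay shows up with one or two connections; a bot shows up with dozens, often in SYN_SENT because the ISP is already blocking it. As Kerem points out further down, a rootkit can hide processes from netstat, so cross-check from the wire: tcpdump -ni eth0 'tcp dst port 25 and tcp[tcpflags] & tcp-syn != 0' on the box or on the upstream firewall will still show the outbound connection attempts even when the process is hidden.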
Rich Rumble (Security Samurai) Commented:
If you're sure it's coming from a Linux box, try to install ClamAV; download the latest as of today, 0.94.1RC1, http://linuxsagas.wordpress.com/2007/11/29/how-to-scan-a-hard-drive-with-fedora-8-live-cd/ (very similar to the instructions I give, only they automate commenting out the two files)
tar -xzf clamav-0.94.1rc1.tar.gz
cd clamav-0.94.1rc1
./configure   # configure and build the source before installing
make
make install
useradd clamav
   comment out the word "Example" in /usr/local/etc/clamd.conf and in the same dir freshclam.conf, e.g.:
sed -i 's/^Example/#Example/' /usr/local/etc/clamd.conf /usr/local/etc/freshclam.conf
then run
freshclam -v

clamscan /* -r --detect-pua --infected
or you list all the dirs you want to scan, because you will get errors scanning /sys/bus... and others
clamscan -r /root /usr /var /home /tmp --detect-pua --infected  should be good enough
That will scan the entire filesystem for potentially unwanted applications (pua) and only list files that are infected that it detects. Failing that, you need to begin to sniff traffic using wireshark or tcpdump to find the suspected traffic. You should also ask for more information about what virus/spam they are seeing...
If all else fails, it might be worth it to call your ISP to see if you can determine the criteria by which they are flagging your traffic. Some viruses use 'common' ports to transmit data, for example (albeit an old one), MyDoom.B and later variants had a tendency to use port 1080, which is widely used for SOCKS proxies. The opposite could be true in your case. Perhaps the port range(s) that your VOIP software is using is being incorrectly flagged, due to port number(s) and traffic volumes.
Kerem ERSOY (President) Commented:

If you suspect that they might have already hacked your system, netstat would not do if they have hidden their processes using a rootkit. Virus scanning might not be appropriate either because ClamAV only scans for PC viruses.

The best thing to do is:
- Remove the PC from the net
- Place it in an internal network
- Check for a rootkit you can find one of the good ones here:
- I'll suggest you scan your system from outside and see if they've planted any remote access programs like rootshell from another host. Because if you have a rootkit you can't see the hacker's processes or their listening ports through netstat.
- I also suggest that you don't re-enable the system before you're sure there are no backdoors installed on your system.
- Also try to use one of the server platforms offering SELinux
- Keep the iptables firewall running all the time.
- Use a firewall on the border of your network and start with closing down all ports and opening only the necessary ports.


Rich Rumble (Security Samurai) Commented:
It could also be that your server is simply own'd: through an exploit or poor administration they gained access. If you can determine that it's actually sending mail/spam out, using netstat or tcpdump, you'll want to back up your data and reinstall. Linux hardly ever gets viruses, but they do get "hacked", albeit far less than M$ typically, and these days it's typically through a web app like PHPbb forums and their ilk.