Solved

what ports do I block to stop spam/virus sending out over my network

Posted on 2008-10-22
12
938 Views
Last Modified: 2012-05-05
Hi guys,

I have a VoIP Trixbox server on its own internet connection, recently its connection was blocked from the ISP for distributing Spam/Virus, I know that I must find the source of this and remove it, but every time the connection is unblocked it is quickly blocked again for spam/virus.

I was wondering if there are any outgoing ports other than SMTP that should be blocked on the firewall.

I just need the connection to be up while I find the source of the spam.

any ideas on locating the source of the spam on a linux box would be a great help too, I only have a fairly basic linux knowledge. I have run chkrootkit on it and this didn't solve the problem, I tried to install an anti virus program through the command line but could not get it to function.

any help would be great
0
Question by:SM17CH
12 Comments
 
LVL 3

Accepted Solution

by:
emce earned 125 total points
ID: 22782208
Hi,
try blocking all outgoing ports except the ones you need to use while dealing with the problem
0
 
LVL 2

Author Comment

by:SM17CH
ID: 22782648
because it is a phone server I can't block all outgoing ports, would ruin their phone system.

I'm more looking for the main ports that could be used to transfer anything an ISP could perceive as a virus or spam
0
 
LVL 30

Assisted Solution

by:Kerem ERSOY
Kerem ERSOY earned 125 total points
ID: 22783009
My opinion is also to block all ports and then open the required ports after controlling. You should consult your software to see what ports it needs. Generally the ports you need to keep open are originating from inside but not the other way around. So you need only a limited number of ports to listen if somebody connects to the VoIP server. You may further limit the access to these ports so that people only reach them from specific IP addresses. If you can't you might consider placing the VoIP server accessible via a VPN server. Failure to ensure secure communication to your VoIP server causes hackers to gain unauthorized access to it and make thousands of dollars worth of VoIP communication and harming you a great deal. This has actually happened to a client of mine which is a Global Company.

Cheer,
K.
0
 
LVL 20

Expert Comment

by:edster9999
ID: 22785214
steps

1. Pull yourself off the internet
2. Block firewall for incoming and outgoing except for known ports.
    be over secure... you can always open them up later
3. Run virus / malware scans on both the phone system and all other pcs.
4. Check for open proxies that would allow spammers to just off this system
5. clean it
6. check it all again
7. put yourself back on internet

0
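A concrete version of what emce, Kerem ERSOY and edster9999 recommend above, added here as an example (it is not code from the thread, from Trixbox or from Asterisk): an iptables policy that drops everything by default and opens only what an Asterisk-based phone system needs. The SIP port (5060/udp), RTP range (10000:20000/udp), provider address and management network are assumptions; check what your software actually uses, as Kerem says, and substitute your own values. Outbound SMTP gets its own log prefix so that, on a host that should never send mail, a spam run shows up in syslog and names the process to hunt for.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny iptables policy for a VoIP host.
# Assumptions (not stated in the thread): SIP signalling on 5060/udp to one trunk
# provider, RTP media on 10000:20000/udp (Asterisk defaults), SSH management from
# one admin network, DNS and NTP allowed out. Addresses are RFC 5737 placeholders.
IPT="${IPT:-iptables}"
SIP_PROVIDER="${SIP_PROVIDER:-203.0.113.10}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"
RTP_RANGE="${RTP_RANGE:-10000:20000}"

ingress_rules() {
    "$IPT" -F INPUT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the trunk provider may reach SIP and RTP; only admins may reach SSH.
    "$IPT" -A INPUT -p udp -s "$SIP_PROVIDER" --dport 5060 -j ACCEPT
    "$IPT" -A INPUT -p udp -s "$SIP_PROVIDER" --dport "$RTP_RANGE" -j ACCEPT
    "$IPT" -A INPUT -p tcp -s "$MGMT_NET" --dport 22 -j ACCEPT
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INGRESS-DROP "
    "$IPT" -P INPUT DROP
}

egress_rules() {
    "$IPT" -F OUTPUT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # What the phone system itself has to originate.
    "$IPT" -A OUTPUT -p udp --dport 53 -j ACCEPT                        # DNS
    "$IPT" -A OUTPUT -p udp --dport 123 -j ACCEPT                       # NTP
    "$IPT" -A OUTPUT -p udp -d "$SIP_PROVIDER" --dport 5060 -j ACCEPT   # SIP
    # If the provider's media servers differ from its SIP server, list them here.
    "$IPT" -A OUTPUT -p udp -d "$SIP_PROVIDER" --dport "$RTP_RANGE" -j ACCEPT  # RTP
    # Outbound SMTP gets its own prefix so a spam run is easy to spot in syslog;
    # it is then dropped by the policy like everything else not listed above.
    "$IPT" -A OUTPUT -p tcp --dport 25 -m limit --limit 10/min -j LOG --log-prefix "EGRESS-SMTP "
    "$IPT" -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP "
    # Policy goes last so an existing admin session is not cut off half-way.
    "$IPT" -P OUTPUT DROP
}

# Print the rules instead of applying them (IPT is swapped for echo).
dry_run() { (IPT=echo; ingress_rules; egress_rules); }

case "${1:-}" in
    apply) ingress_rules; egress_rules ;;   # run as root: ./egress.sh apply
    *)     dry_run ;;                       # default: show what would be applied
esac
```

Run it without arguments first to read the rules, then with `apply` from a console session (not over SSH from outside the management network). Once the box is clean, a hit on the `EGRESS-SMTP` prefix in `/var/log/messages` is the quickest sign the problem is back.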
 
LVL 4

Assisted Solution

by:yurisk
yurisk earned 125 total points
ID: 22796332
It is hard to find something when you don't know what you are looking for.
So first I'd recommend finding out what is going on on the Linux box -
1) # netstat -an             - to see open connections
2) # lsof -i -n | grep LIST  - to see open and listening ports
3) # lsof -i -n | grep EST   - to see established connections
4) More elaborate: set up IPtables on the box allowing everything but using accounting as well, so you can see the most used ports, IPs etc.
0
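As an added example (not part of yurisk's post), the same `netstat -an` output summarised with awk so that an SMTP fan-out stands out at a glance. The input below is a constructed sample with RFC 5737 addresses, not a capture from a real system, and the rule "a connection whose local port is in the Linux ephemeral range is one this host opened" is a heuristic; on a real box pipe `netstat -an` into the functions instead.

```shell
#!/bin/sh
# Added example, not from the thread: which remote ports is this host talking to?
# A spam run shows up as many connections to port 25 on many different hosts.

# Heuristic (assumption): a local port >= 32768 (Linux ephemeral range) means the
# connection was opened by this host, i.e. it is outbound. Prints "port count".
outbound_by_port() {
    awk '
        $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "SYN_SENT") {
            lport = $4; sub(/.*:/, "", lport)
            rport = $5; sub(/.*:/, "", rport)
            if (lport + 0 >= 32768) count[rport]++
        }
        END { for (p in count) print p, count[p] }
    ' | sort -k2,2nr -k1,1n
}

# Number of distinct remote hosts with open or half-open (SYN_SENT) SMTP sessions.
# Half-open ones matter: a spam engine fires at many MXs that never answer.
smtp_fanout() {
    awk '
        $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "SYN_SENT") {
            host = $5; port = $5
            sub(/:[^:]*$/, "", host); sub(/.*:/, "", port)
            if (port == "25") hosts[host] = 1
        }
        END { n = 0; for (h in hosts) n++; print n }
    '
}

# Constructed sample in "netstat -an" layout (not captured from a real system).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5060            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.5:43120         198.51.100.23:25        ESTABLISHED
tcp        0      0 192.0.2.5:43121         198.51.100.77:25        SYN_SENT
tcp        0      0 192.0.2.5:43122         203.0.113.8:25          ESTABLISHED
tcp        0      0 192.0.2.5:43123         198.51.100.23:25        ESTABLISHED
tcp        0      0 192.0.2.5:43124         198.51.100.90:6667      ESTABLISHED
tcp        0      0 192.0.2.5:22            192.0.2.20:51000        ESTABLISHED
udp        0      0 192.0.2.5:5060          203.0.113.10:5060       ESTABLISHED'

echo "outbound connections by remote port:"
printf '%s\n' "$SAMPLE" | outbound_by_port
echo "distinct SMTP destinations: $(printf '%s\n' "$SAMPLE" | smtp_fanout)"
```

On a phone server the expected picture is UDP to the provider and little else; four outbound port-25 sessions to three different hosts, as in the sample, is what the ISP is complaining about. Once the port is confirmed, `lsof -i -n | grep :25` (yurisk's second command narrowed to that port) gives the owning process.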
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 22796693
If you're sure it's coming from a linux box, try to install ClamAv, download the latest as of today 0.94.1RC1, http://linuxsagas.wordpress.com/2007/11/29/how-to-scan-a-hard-drive-with-fedora-8-live-cd/ (very similar to the instructions I give, only they automate commenting two files)
tar -xzf clamav-0.94.1rc1.tar.gz  
cd clamav-0.94.1rc1
./configure
make
make install
ldconfig
useradd clamav
   comment out the word example in /usr/local/etc/clamd.conf and in the same dir freshclam.conf
then run
freshclam -v

clamscan /* -r --detect-pua --infected
or you list all the dirs you want to scan, because you will get errors scanning /sys/bus... and others
clamscan -r /root /usr /var /home /tmp --detect-pua --infected  should be good enough
That will scan the entire filesystem for potentially unwanted applications (pua) and only list files that are infected that it detects. Failing that, you need to begin to sniff traffic using wireshark or tcpdump to find the suspected traffic. You should also ask for more information about what virus/spam they are seeing...
-rich
0
 
LVL 1

Assisted Solution

by:DevMatrix
DevMatrix earned 125 total points
ID: 22800511
If all else fails, it might be worth it to call your ISP to see if you can determine the criteria by which they are flagging your traffic. Some viruses use 'common' ports to transmit data, for example (albeit an old one), MyDoom.B and later variants had a tendency to use port 1080, which is widely used for SOCKS proxies. The opposite could be true in your case. Perhaps the port range(s) that your VOIP software is using is being incorrectly flagged, due to port number(s) and traffic volumes.
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 22800851
Hi,

If you suspect that they might have already hacked your system, netstat would not do if they have hidden their processes using a rootkit. A virus scan might not be appropriate either because ClamAV only scans for PC viruses.

The best thing to do is:
- Remove the PC from the net
- Place it in an internal network
- Check for a rootkit; you can find one of the good ones here:
http://www.rootkit.nl/projects/rootkit_hunter.html
- I'll suggest you to scan your system from outside and see if they've planted any remote access programs like rootshell from another host. Because if you have a rootkit you can't see the hacker's processes or their listening ports through netstat.
- I also suggest that you don't re-enable the system before you're sure there are no backdoors installed over your system.
- Also try to use one of the server platforms offering SELinux
- Keep their IPTables firewall running all the time.
- Use a firewall on the border of your network and start with closing down all ports and opening only the necessary ports.

Cheers,
K.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 22801061
It could also be that your server is simply own'd, through exploit or poor administration, they gained access and if you can determine that it's actually sending mail/spam out using a netstat or tcpdump, you'll want to back up your data, and reinstall. Linux hardly ever gets viri, but they do get "hacked" albeit far less than M$ typically, and these days it's typically through a web app like PHPbb forums and their ilk.
-rich
0