Our IP keeps getting listed to CBL
Posted on 2011-09-23
Hello,

We are running an MS Windows SBS 2008 network with about 50 workstations, plus a few remote users. Some remote users RWW in to the network. Plus, we also had a separate Windows 2003 Terminal Server for other users. I say 'had' because recently I realized that we were hacked on the TS and security compromised by a program called 'Frae Raper'. Once it gained access, it installed a program called MASS SENDER (AMS) and started spamming. Once I found the program and saw the logs there of the hack attack, I immediately pulled the TS off the network and also ran the uninstall program on it. It's powered off and is in line to be rebuilt. I then removed our IP from the CBL list.

Next day, I came in and once again... we were on the CBL list. I thought that possibly messages were 'queued' and already sent, relisting us. But I continued to hunt. No sign of Mass Sender (or any hack on our SBS server/mail server), and I checked each machine on our network myself for it, plus ran TSVIEW on them all to see if I would see any weird traffic... I did not.

Day 3... we're listed again! I unlisted us and continued to hunt... running scans on the server with fresh copies of both MALWAREBYTES and SBS AVG... no malware found. We also changed firewall rules around (SonicWall TZ190) to lock down SMTP traffic and only allow it to pass with our domain.

Day 4 we were NOT listed... and so I thought we were out of the woods. But today (Day 5) I came in and we were once again listed. I'm not sure what to do with this thing... can't find it, to fix it.

Any help would be greatly appreciated!
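A CBL listing only identifies the NATed public IP, so the question behind this post is which internal host is opening outbound mail connections. The script below is an added example (not the poster's or SonicWall's code) that scans a constructed, simplified connection-log sample for internal sources talking to mail ports other than the legitimate mail server, counting allowed attempts, attempts blocked by a tightened firewall rule, and distinct destinations; the log format and the mail server address 192.168.1.10 are assumptions.

```python
import re
from collections import defaultdict

# Constructed NAT/firewall connection-log sample (a simplified format, not a
# real SonicWall export). 192.168.1.10 is assumed to be the SBS mail server.
SAMPLE_LOG = """\
2011-09-23 08:01:12 allow src=192.168.1.10:51234 dst=203.0.113.25:25 proto=tcp
2011-09-23 08:01:15 allow src=192.168.1.10:51240 dst=198.51.100.7:25 proto=tcp
2011-09-23 08:02:03 allow src=192.168.1.57:49201 dst=203.0.113.40:25 proto=tcp
2011-09-23 08:02:04 allow src=192.168.1.57:49202 dst=203.0.113.41:25 proto=tcp
2011-09-23 08:02:05 allow src=192.168.1.57:49203 dst=198.51.100.9:25 proto=tcp
2011-09-23 08:02:07 allow src=192.168.1.57:49204 dst=203.0.113.42:587 proto=tcp
2011-09-23 08:03:00 allow src=192.168.1.22:50111 dst=203.0.113.5:443 proto=tcp
2011-09-23 08:03:30 drop  src=192.168.1.57:49210 dst=203.0.113.43:25 proto=tcp
"""

LINE_RE = re.compile(
    r"^\S+ \S+\s+(?P<action>\w+)\s+src=(?P<src>[\d.]+):\d+"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)
MAIL_PORTS = {25, 465, 587}  # SMTP, SMTPS, submission


def outbound_mail_senders(log_text, mail_server_ip):
    """Per internal source IP, count outbound mail-port connections that did
    not originate from the legitimate mail server."""
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0, "dsts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) not in MAIL_PORTS:
            continue
        if m["src"] == mail_server_ip:
            continue  # the one host that is supposed to send mail outbound
        entry = stats[m["src"]]
        entry["allowed" if m["action"] == "allow" else "blocked"] += 1
        entry["dsts"].add(m["dst"])
    return {src: {"allowed": e["allowed"], "blocked": e["blocked"],
                  "distinct_dst": len(e["dsts"])} for src, e in stats.items()}


def suspects(log_text, mail_server_ip, min_attempts=3):
    """Sources with at least min_attempts mail-port connections, busiest first."""
    report = outbound_mail_senders(log_text, mail_server_ip)
    ranked = sorted(report.items(),
                    key=lambda kv: -(kv[1]["allowed"] + kv[1]["blocked"]))
    return [src for src, e in ranked if e["allowed"] + e["blocked"] >= min_attempts]


if __name__ == "__main__":
    for src, e in outbound_mail_senders(SAMPLE_LOG, "192.168.1.10").items():
        print(src, e)
    print("suspects:", suspects(SAMPLE_LOG, "192.168.1.10"))
```

Once outbound port 25 is restricted to the mail server, the "blocked" column is the useful signal: a workstation that keeps hitting the deny rule is the host to pull off the network next.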