CBL Blacklisting continues to happen

On Sunday 10/6/2013 at 4:00 p.m. CST our IP was blacklisted by CBL and they indicated we were infected with the ZeroAccess bot.

I ran the basic scans and found nothing.

I delisted our IP address and all was fine until today at 12:00 p.m. CST.  Again we were blacklisted (1 day, 23 hours later) and again we were told it was the ZeroAccess bot.

I went to each machine physically (there are only 9 machines including two servers).  I ran:

Norton Power Eraser
FixZeroAccess by Norton
Remove Rootkit by McAfee
Deep Scan by the installed VIPRE

Not one of them found ANY problem.

In addition I have a Cisco ASA firewall between the world and us and it is configured to ONLY allow SMTP port 25 traffic from the mail server - so no individual machine could be sending out mail by itself.

I can understand one false positive, but two?  I have delisted us again but if I keep doing this we will be permanently blacklisted.

I also cannot seem to find CBL's email address to contact them directly.

Thoughts?

Thanks.
Adam (DIT Solutions Developer) asked:

R--R commented:
Enable the SMTP log and check the IP which is consistently hitting the server.
Block port 25 for the machines/servers except the Exchange server. Only the Exchange server should have access to 25 on the firewall.

If you have exchange 2007/2010 then enable receive connector log and send connector log and check the IP.
Simon Butler (Sembee), Consultant, commented:
This one seems to be getting on the blacklist because the bot has been detected, not because it has sent spam.
I found it by watching the firewall traffic for hits to odd IP addresses.

Simon.
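One way to do that kind of watching in bulk, as an added example that is not from any of the posters: parse ASA syslog (message 302013 for built outbound connections, 106023 for packets denied by an access-group) and list every inside host other than the mail server that reached for TCP/25 outbound. The log lines are constructed samples; the mail server address, interface names and destination IPs are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample ASA syslog lines (not from the thread). 302013 is logged
# when a connection is built; 106023 when an ACL drops the packet.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/25 (203.0.113.10/25) to inside:192.168.168.2/49152 (198.51.100.5/49152)
%ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.20/25 (203.0.113.20/25) to inside:192.168.168.2/49153 (198.51.100.5/49153)
%ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.30/25 (203.0.113.30/25) to inside:192.168.168.57/52000 (198.51.100.5/52000)
%ASA-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.40/25 (203.0.113.40/25) to inside:192.168.168.57/52001 (198.51.100.5/52001)
%ASA-6-302013: Built outbound TCP connection 1005 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:192.168.168.57/52002 (198.51.100.5/52002)
%ASA-4-106023: Deny tcp src inside:192.168.168.88/53000 dst outside:203.0.113.60/25 by access-group "acl_Outbound" [0x0, 0x0]
"""

# For an outbound connection the ASA logs the outside (destination) endpoint
# first and the inside (source) endpoint after "to".
BUILT_RE = re.compile(
    r"Built outbound TCP connection \d+ for outside:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\([\d.]+/\d+\) to inside:(?P<src>[\d.]+)/\d+")
DENY_RE = re.compile(
    r"Deny tcp src inside:(?P<src>[\d.]+)/\d+ dst outside:(?P<dst>[\d.]+)/(?P<dport>\d+)")


def smtp_talkers(log_text, mail_server, port="25"):
    """Return {inside_ip: {"allowed": set(dst), "denied": set(dst)}} for every
    inside host other than mail_server that tried to reach `port`/tcp outbound."""
    result = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        bucket = "allowed"
        if not m:
            m = DENY_RE.search(line)
            bucket = "denied"
        if not m or m.group("dport") != port or m.group("src") == mail_server:
            continue
        result[m.group("src")][bucket].add(m.group("dst"))
    return dict(result)


if __name__ == "__main__":
    # Any host listed here is talking SMTP to the outside world on its own.
    for host, hits in smtp_talkers(SAMPLE_LOG, "192.168.168.2").items():
        print(host, "allowed ->", sorted(hits["allowed"]), "denied ->", sorted(hits["denied"]))
```

Message 302013 is severity 6 (informational), so the ASA must be logging at that level to a syslog server for the allowed connections to show up at all; the 106023 denies are severity 4 and are kept at the usual warning level.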
TMekeel commented:
Just went through nearly the exact same situation yesterday and today.
My differences are I used ESET's tool to find it, and there were other malware found using Malwarebytes.

Have you tried telnetting out to another server on 25 from a non-mailserver to verify that the ASA is configured correctly?  It should time out from any other internal machine, but work from your mail server.

Run TDSSKiller from Kaspersky and ESET's sirefef removal tool on each machine (both are quick to download and also quick to scan.)  Do this on all machines, not just clients, but servers too!

ZeroAccess isn't going to use your mail server to go out, it has its own, so Exchange logs aren't going to be terribly helpful.

Do you have more than 1 IP?  If so direct all mail traffic out the other IP while you sort out the issue.

Do you have wifi and are there laptops on site that come and go?  Any guest wireless?  Standalone office or shared building space?

Adam (DIT Solutions Developer), Author, commented:
Thank you for your replies.

There are laptops that come and go, but no guest wireless, so it could be a private employee machine. I had not tried telnetting from another machine previously, and I found out the ACL I created was apparently incorrect because I was able to telnet.

This is an ASA 5505 and here is my current ACL. Please advise on the proper command to block anyone but the Exchange server IP, which is 192.168.168.2. Unfortunately the ACL I just created blocks EVERYONE, so I am missing something.

=====================================
x.x.x.x = outside public ip

access-list 101 extended permit tcp any host x.x.x.x eq www
access-list 101 extended permit tcp any host x.x.x.x eq smtp
access-list 101 extended permit tcp any host x.x.x.x eq pop3
access-list 101 extended permit tcp any host x.x.x.x eq 14238
access-list 101 extended permit tcp any host x.x.x.x eq 50000
access-list 101 extended permit tcp any any eq ftp
access-list acl_Outbound extended permit tcp host 192.168.168.2 eq smtp any eq smtp
access-list acl_Outbound extended deny tcp any eq smtp any eq smtp

access-group acl_Outbound out interface inside
access-group 101 in interface outside
access-group acl_Outbound out interface outside
=====================================

As for the TDSS and ESET I will run those as well.

Thanks.
Adam (DIT Solutions Developer), Author, commented:
Any comments?
TMekeel commented:
You would want to allow both smtp and 587 to the Exchange server.  And also, block 25 on the "in" side of the inside interface.  It's the local clients you do not want going out.  Unless they need to go through ASA to get to your Exchange server.

https://supportforums.cisco.com/thread/2196114
Adam (DIT Solutions Developer), Author, commented:
Thanks TMekeel. I modified my acl_Outbound to the following

=======================
access-list acl_Outbound line 1 extended permit tcp host <allowed IP> eq smtp any eq smtp
access-list acl_Outbound line 2 extended deny tcp any eq smtp any eq smtp
access-list acl_Outbound line 3 extended permit ip any any

access-group acl_Outbound in interface inside

=======================

If I run "packet-tracer" on the firewall it shows the packet being dropped if not from the allowed IP and allowed from the allowed IP.

But if I run a command prompt on a non-authorized machine and enter:  

telnet <outside smtp machine> 25

the outside smtp machine will answer.

So, is the rule working and if so why does the outside smtp machine answer my query on port 25?

Thanks.
TMekeel commented:
You are blocking smtp not port 25. So tcp over 25 works.
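A version of the outbound rule that matches on the destination port only, as an added example rather than anything posted in the thread. It assumes the same Exchange server address (192.168.168.2) and inside interface name as the posted config; the source-side `eq smtp` of the posted lines is dropped, because an outbound client connection comes from an ephemeral high source port and never matches a rule that also requires source port 25, which is why the posted deny line let the telnet test through and the `permit ip any any` line then allowed it.

```cisco
! Added example, not the original poster's config. Assumes the Exchange server
! is 192.168.168.2 and that the LAN-facing interface is named "inside".
! Each line names only the destination port: no "eq smtp" on the source side.
access-list acl_Outbound extended permit tcp host 192.168.168.2 any eq smtp
access-list acl_Outbound extended permit tcp host 192.168.168.2 any eq 587
access-list acl_Outbound extended deny tcp any any eq smtp
access-list acl_Outbound extended deny tcp any any eq 587
access-list acl_Outbound extended permit ip any any
! Filter traffic as it enters the ASA from the LAN, i.e. the clients' outbound traffic.
access-group acl_Outbound in interface inside
```

Packets dropped by the deny lines are logged as ASA message 106023 with the access-group name, which gives a direct list of inside hosts attempting their own outbound SMTP; a `telnet <outside smtp host> 25` from a workstation should now hang or time out instead of getting a banner.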