Solved

Sonicwall : Find infected machine(s) causing us to be blacklisted

Posted on 2014-04-03
3,325 Views
Last Modified: 2014-04-23
We have started to get a lot of undelivered emails. I notice that we are blacklisted on a couple of blacklist servers.

We have a Sonicwall TZ210 at the edge of our network.

I am trying to get to the bottom of the problem by tracing which machines are sending out spam on the network. The blacklist website provided the following details to assist me.

Can someone explain how I can use the Sonicwall to find which machine(s) is infected?

Thanks

***********************************************************************
IP Address *.*.*.* is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-04-03 11:00 GMT (+/- 30 minutes), approximately 2 hours, 30 minutes ago.

This IP address is infected with, or is NATting for a machine infected with a Trojan called Win32/Zbot (Microsoft), also known as "ZeuS" or "WSNPoem".

In this particular case, this host is infected with ZeuSv3, one of the most recent versions of ZeuS that is using peer-to-peer (P2P) command and control mechanisms. This version of Zeus is also known as "P2P ZeuS" or "Gameover malware".

ZeuSv3 takes advantage of P2P techniques by communicating with other nodes (=infected computers) on high ports (UDP and TCP).

To find an infected computer on a NATted network you will have to search through your firewall logs for connections from/to UDP port 82.165.38.206. However, any process or host sending/receiving large numbers of UDP or TCP packets on high ports (10,000 and higher) should be looked at closely.
***********************************************************************
Question by:roy_batty

22 Comments
 
LVL 10

Assisted Solution

by:Korbus
Korbus earned 150 total points
You can examine a trace log, to see what IP addresses are attempting to send traffic on port 25- which is what email uses for SMTP communication between servers.

I would also suggest you use the sonicwall to close down all port 25 traffic from any local source other than your email server's IP address.

Note: regardless of all that crazy peer to peer stuff the trojan is doing, to get blacklisted, something on your network is sending out spam on port 25.
0
 
LVL 1

Author Comment

by:roy_batty
OK.

First, how do I examine the trace log? I can't see it under logs.
0
 
LVL 20

Expert Comment

by:carlmd
On the Sonicwall you can go to System -> Diagnostics and then under Diagnostic Tools select the Connections Monitor. Look for any IP that is sending a large amount of traffic.

You should also check the Sonicwall logs for a large amount of traffic on a high number UDP or TCP port as indicated in the advice you received.
0
 
LVL 15

Expert Comment

by:Perarduaadastra
To prevent the spam flowing while you investigate, block port 25 traffic for every device on the LAN except for your mail server.

This will also make it easier to find which machine has been compromised, as the Sonicwall logs will show which LAN IP is generating the traffic.
0
 
LVL 1

Author Comment

by:roy_batty
I thought that a firewall would deny any kind of traffic unless I specifically allow it.

Is that correct ?

Or do I need to add a deny all item at the bottom?
0
 
LVL 15

Expert Comment

by:Perarduaadastra
The default for most firewalls is to deny incoming traffic initiated from outside the LAN and to allow traffic out that's been initiated from inside the LAN.

What I suggested was to block outgoing SMTP traffic that comes from any device on the LAN except your mail server. I'm sorry I wasn't clearer.
0
 
LVL 20

Expert Comment

by:carlmd
Chances are you set up an SMTP service on the Sonicwall using the wizard. If so, and depending upon how you answered the questions, any PC on your network may be able to send email directly, and hence spam. If you have a mail server (like Exchange) then the PCs on your network should be directing email to it. If so, then you can add two rules to the Sonicwall. One is a permit rule for the IP address of the mail server to the SMTP service. The other is a deny rule for all traffic from anywhere on the LAN to the SMTP service. Make sure the permit rule appears above the deny rule in the rules list.

By doing this you will be preventing any system other than your mail server from directly sending email. Typically a virus sending spam will address its outgoing mail to port 25 on the default gateway, which is typically the firewall or a switch leading to it. Adding these rules will stop spam from being sent directly to your firewall, and out.
0
 
LVL 1

Author Comment

by:roy_batty
@Perarduaadastra - no you were very clear, just me getting things wrong.

Anyway I have configured the 2 rules as suggested and that should prevent us being re-blacklisted.

I now just need to find the problem machine now. Will give that a try tomorrow.
0
 
LVL 1

Author Comment

by:roy_batty
We still seem to be having a problem this morning.

I have configured the Connections monitor as per the attached screenshot.

Interface X1 is our Wan connected interface. 192.168.2.2 is our exchange server.

I see there is a line that says traffic with a source port of 32851 is going out. What is this?

I presume this filter would show any traffic on port 25 going out from any PC/server.

So if something shows up here it could be the infected device.
sonic-screenshot.docx
0
 
LVL 20

Expert Comment

by:carlmd
Please elaborate on what you mean by still having the problem?

It is normal to see traffic from 192.168.2.2 on port 25, as this is your mail server. You should not see traffic from anywhere else on port 25. Is there any such thing on the balance of the connections monitor? Any high number port is an ephemeral port. That is a port used by any service for a short period of time. If you are seeing a large amount of packet data from this connection, then it is suspect, otherwise you can ignore it.

Did you check the Sonicwall logs for any block messages?

Finally, if the fact that you may still appear on RBL lists is what you are using to determine that you are still having the problem, then you may not really still have one. Once you appear on a block list it may take days to be removed, and typically you must request removal and complete whatever procedure each RBL list site demands of you. There is no shortcut to this. If you previously requested to be removed, then continued to send spam, they may refuse to remove your domain.

Use this site to check your status.

http://mxtoolbox.com/blacklists.aspx
0
 
LVL 15

Expert Comment

by:Perarduaadastra
The information you're looking for will be in the logs, rather than on the diagnostics page.

Carlmd's points are well made; in particular, you must block the flow of spam before requesting the removal of your IP from the RBL hosts' lists that you currently appear in, as you'll get short shrift from them if spam continues to be generated from your address after applying for its removal.
0
 
LVL 1

Author Comment

by:roy_batty
OK, I think I have stopped the spam leaving the network onto the internet. I have scanned the mail server for malware and it came up clean.

I looked in the log and I can see outgoing smtp traffic being blocked from a PC on the LAN. Gonna get it removed tomorrow and see how things go.
0
 
LVL 1

Author Comment

by:roy_batty
Every time I request a delisting from the blacklists, sometime later we get added again. I presume that this suggests that we are still having an issue with something sending out emails on our network.

What am I missing here?
0
 
LVL 15

Accepted Solution

by:Perarduaadastra
Perarduaadastra earned 350 total points
Are your Exchange queues full of messages that can't be resent? You may be a victim of backscatter.

See this link for a full explanation of backscatter:

http://en.wikipedia.org/wiki/Backscatter_%28email%29

and an answered EE question on the problem here:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26888149.html

I mention this because if your mail server is sending out vast numbers of NDRs then that will guarantee your IP address's appearance on RBLs and won't show in the Sonicwall logs.
0
 
LVL 1

Author Comment

by:roy_batty
There is not a huge amount of messages in the queue. Some mail is getting sent but some is not and keeps retrying. Currently 10 messages retrying.

We do have Symantec mail security for exchange. We use the Premium Anti-spam function. I presume that this picks up mail before it reaches the exchange server.
0
 
LVL 20

Expert Comment

by:carlmd
I would look at the reasons the messages are not being sent. If they have been in the queue for a while I would delete them.

When you say you are being listed again on the RBL, do you mean after you added the rules to the Sonicwall and removed the infected pc? If so, again look at a rejected message for more details, just to be sure it is the same problem and not something else.

Be careful to note the times of rejections versus when you made the corrections. Please note that each time you request removal from an RBL, then get listed again, it gets harder to get removed.
0
 
LVL 10

Expert Comment

by:Korbus
Some of the blacklists provide additional information on WHY they added you to the list.

Once we found out that an email list a client purchased included an address that was a "honeypot": which is basically a fake address set up purely to detect spammers. There was no actual issue with spam going out, it was just a single bad recipient address that did it.

That's just an example, but the point is there are several reasons you may have been blacklisted again- see if you can find out more from the blacklists themselves.
0
 
LVL 1

Author Comment

by:roy_batty
I am getting a little lost now.

I have blocked port 25 LAN to WAN except for the exchange server.

The reason I think that our problems are being caused by blacklisting is that we do not have a load of emails stuck in the Exchange queue but there are messages to certain domains that are getting stuck.

I have checked on MXToolbox.com and I can see our domain being listed, then being removed as a result of my manual request. Later on it is blacklisted again.

A link on the mxtoolbox site took me to the blacklist sites (spamhaus and cbl). They provided the details of exactly what is causing the blacklisting which I mention in my original message. This suggests it is caused by malware sending out spam.

The fact that we continue to be re-listed to me suggests that problem traffic is going out on a port(s) other than 25.

Either that or it is the mailserver itself which is infected.

Am I making sense here?
0
 
LVL 15

Expert Comment

by:Perarduaadastra
Have you made sure that your mail server isn't acting as a relay?

Going back to your original post, the information given there suggests that malware is using P2P methods for its activities and that significant traffic on high ports should be viewed with suspicion. If the information you're getting now is essentially the same as it was at the outset, then perhaps attention has been so focused on email that other threats have been overlooked.

Check the logs for references to traffic to or from the IP addresses given by the RBL host in their response to your query, and see which of the computers on your network is sending to or receiving from those addresses. This will reveal which of them has been compromised.
0
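To make the two log checks in this thread concrete (LAN hosts sending SMTP that are not the Exchange server, per carlmd's rule pair, and hosts pushing large UDP volumes on high ports, per the CBL notice), here is an added Python example that is not from the thread or from SonicWall. It assumes the key=value line layout used by SonicWall syslog exports, with src/dst written as ip:port:interface, a LAN prefix of 192.168.2., and uses constructed sample lines rather than real logs.

```python
import re
from collections import defaultdict

MAIL_SERVER = "192.168.2.2"   # the Exchange server named in the thread
LAN_PREFIX = "192.168.2."     # assumption: the LAN behind interface X0
HIGH_PORT = 10000             # CBL advice: ports 10,000 and up are suspect
WAN_IF = "X1"                 # the WAN-connected interface named in the thread

# Constructed sample lines (not real logs) in the key=value layout assumed
# for SonicWall syslog exports: src/dst carry ip:port:interface.
SAMPLE_LOG = """\
id=firewall time="2014-04-03 10:55:01" pri=6 m=537 msg="Connection Closed" src=192.168.2.2:50210:X0 dst=198.51.100.25:25:X1 proto=tcp/smtp sent=4120 rcvd=890
id=firewall time="2014-04-03 10:55:04" pri=6 m=537 msg="Connection Closed" src=192.168.2.57:33012:X0 dst=198.51.100.77:25:X1 proto=tcp/smtp sent=2210 rcvd=120
id=firewall time="2014-04-03 10:55:05" pri=6 m=537 msg="Connection Closed" src=192.168.2.57:32851:X0 dst=192.0.2.200:19877:X1 proto=udp sent=91000 rcvd=84000
id=firewall time="2014-04-03 10:55:09" pri=6 m=537 msg="Connection Closed" src=192.168.2.14:49152:X0 dst=192.0.2.44:443:X1 proto=tcp/https sent=1800 rcvd=52000
"""

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value line into a dict and break src/dst into ip, port, interface."""
    rec = {k: v.strip('"') for k, v in TOKEN.findall(line)}
    for key in ("src", "dst"):
        parts = rec[key].split(":")
        rec[key + "_ip"] = parts[0]
        rec[key + "_port"] = int(parts[1])
        rec[key + "_if"] = parts[2] if len(parts) > 2 else ""
    return rec

def find_suspects(log_text):
    """Return (LAN hosts sending SMTP that are not the mail server,
    bytes per LAN host on high-port UDP flows to the WAN)."""
    rogue_smtp = set()
    udp_bytes = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src, dport = rec["src_ip"], rec["dst_port"]
        if not src.startswith(LAN_PREFIX) or rec["dst_if"] != WAN_IF:
            continue                      # only LAN -> WAN flows matter here
        if dport == 25 and src != MAIL_SERVER:
            rogue_smtp.add(src)           # the permit/deny rule pair should be catching these
        if rec["proto"].startswith("udp") and dport >= HIGH_PORT and rec["src_port"] >= HIGH_PORT:
            udp_bytes[src] += int(rec["sent"]) + int(rec["rcvd"])
    return rogue_smtp, dict(udp_bytes)

if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))
```

Feed it a real export instead of SAMPLE_LOG and sort udp_bytes by volume; a single LAN host that appears in both results is the first machine to pull off the network.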
 
LVL 20

Expert Comment

by:carlmd
Use the following to test your mail server for open relay and more...

http://mxtoolbox.com/diagnostic.aspx

Email can also be sent using port 587, so block this port as well on the Sonicwall if you think it is suspect.

Here is a complete list of ports for email....

Port       Properties
25       Standard. Support Insecure SMTP and SMTP over TLS
80       Open on most firewalls* because this port is used for talking to web servers to get web pages. Supports insecure SMTP and SMTP over TLS
465       Standard port for SMTP over SSL. (How is SSL different from TLS?)
587       Standard port open on most firewalls. Supports insecure SMTP and SMTP over TLS. Also performs sender IP address masking and outbound email processing (e.g. automatic email encryption and other services).
2025       Nonstandard port open on most firewalls. Supports insecure SMTP and SMTP over TLS
6025       Nonstandard port open on most firewalls. Supports insecure SMTP and SMTP over TLS. Also performs sender IP address masking and outbound email processing (e.g. automatic email encryption and other services).
6465       Nonstandard port open on most firewalls. Supports SMTP over SSL. Also performs sender IP address masking and outbound email processing.

Did you identify any virus or malware on any of your PCs that you have investigated? If so, looking up the specifics of that infection may provide help in identifying how it works.
0
 
LVL 10

Expert Comment

by:Korbus
Hmm, I think I would do a "sanity check" at this point:  probably want to do this test after hours-  request removal from the RBL, then disconnect your internet.  If you continue to get listed, we fail the sanity check and need to look at something else.  You can try some variations of this as well, slowly reconnect different parts of the network to the internet, waiting each time to see if you get re-added to the list.
Be careful though:  you don't want to request removal and get re-listed too often (varies per RBL), or they will stop de-listing you.
 
Alternatives:  There are companies out there in the cloud that provide email gateway services.  This usually comes in two parts, one: for inbound- it scans all your email and only forwards non-spam to your email server.  The second part is for outbound email:  it will scan all your outbound messages for viruses, and message with high spam scores, and only then send it out to the recipient.   It is up to THEM to prevent the sending address from being blacklisted, and that's what they do all day, so they are really good at it.  With this setup you would configure your firewall to only allow outbound SMTP to be sent to the provider's IP address.
0
 
LVL 1

Author Closing Comment

by:roy_batty
This was a tricky one to get to the bottom of. I think the issue was primarily related to backscatter as suggested. Once I had disabled the spam filter we stopped getting blacklisted.

I will now configure the spam filter in a way that prevents this occurring again.

There was one PC on the LAN that was sending out mail on port 25 but I don't think that was the main reason for continued re-blacklisting.

Thanks for the help guys.
0
