Long Time Lurker, First Time Poster
Basically as above, we have been blacklisted by CBL due to this:
IP Address 220.127.116.11 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2015-04-22 09:00 GMT (+/- 30 minutes), approximately 1 days, 29 minutes ago.
It has been relisted following a previous removal at 2015-04-21 12:13 GMT (1 days, 20 hours, 43 minutes ago)
Perhaps the person who previously removed it didn't actually fix the problem.
This IP is infected with, or is NATting for a machine infected with s_gozi
Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.
This was detected by observing this IP attempting to make contact to a s_gozi Command and Control server, with contents unique to s_gozi C&C command protocols.
This was detected by a TCP/IP connection from 18.104.22.168 on port 33739 going to IP address 22.214.171.124 (the sinkhole) on port 80.
The botnet command and control domain for this connection was "agilkkccduh.com".
Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 126.96.36.199 or host name agilkkccduh.com on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to 188.8.131.52 or agilkkccduh.com. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.
The main problem is it's quite an open building and people come and go quite often. It's also a 3 hour round trip to drive there and there's no guarantee that everyone will be there, plus we have a lot of VPN users too.
I left Wireshark running all day yesterday and checked it today, but of course it hasn't reconnected since I started it. I'm also not 100% convinced it will catch the connection.
There are about 12 computers and a server (Windows SBS 2008); the server is also the DNS server, and it's a DrayTek router for the internet connection.
Can anyone help? This is not something we've had to deal with before.
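One way to act on the notice's advice to check the DNS server logs, added here as an example and not part of the original post: a Python script that parses Windows Server 2008 DNS debug-log packet lines (the log format is assumed from that server's Debug Logging option; the sample lines, client addresses and timestamps are constructed) and reports which LAN or VPN client asked the SBS server to resolve agilkkccduh.com.

```python
import re
from collections import defaultdict

# One packet line of a Windows Server 2008 DNS debug log (format assumed from
# the "Debug Logging" tab of the DNS server; adjust the regex if your build differs).
LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+\S+\s+PACKET\s+\S+\s+"
    r"(?:UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<peer>\S+)\s+\S+\s+"
    r"(?P<resp>R\s+)?Q\s+\[[^\]]*\]\s+\S+\s+(?P<name>\S+)"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_name(encoded):
    """Turn the log's (11)agilkkccduh(3)com(0) form into agilkkccduh.com."""
    return ".".join(lbl for _, lbl in LABEL_RE.findall(encoded) if lbl).lower()


def find_clients(lines, indicators):
    """Map client IP -> [(timestamp, name)] for queries received from LAN/VPN
    clients that ask for an indicator domain or any subdomain of it."""
    bad = {d.lower().strip(".") for d in indicators}
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        # Keep only queries arriving at the server; responses (R) and Snd lines are noise here.
        if not m or m["dir"] != "Rcv" or m["resp"]:
            continue
        name = decode_name(m["name"])
        if any(name == d or name.endswith("." + d) for d in bad):
            hits[m["peer"]].append((m["ts"], name))
    return dict(hits)


# Constructed sample log: two LAN hosts plus one VPN client (10.8.0.14).
SAMPLE_LOG = """\
4/22/2015 8:41:03 AM 0B8C PACKET  00000000028A0BA0 UDP Rcv 192.168.1.57    0002   Q [0001   D   NOERROR] A      (11)agilkkccduh(3)com(0)
4/22/2015 8:41:03 AM 0B8C PACKET  00000000028A0BA0 UDP Snd 192.168.1.57    0002 R Q [8081   DR  NOERROR] A      (11)agilkkccduh(3)com(0)
4/22/2015 8:41:10 AM 0B8C PACKET  0000000002B11F60 UDP Rcv 192.168.1.23    4a1c   Q [0001   D   NOERROR] A      (3)www(9)microsoft(3)com(0)
4/22/2015 8:56:47 AM 0B8C PACKET  00000000028A0BA0 UDP Rcv 192.168.1.57    0003   Q [0001   D   NOERROR] A      (11)agilkkccduh(3)com(0)
4/22/2015 9:02:15 AM 0B8C PACKET  0000000002C40120 UDP Rcv 10.8.0.14       7e21   Q [0001   D   NOERROR] A      (3)api(11)AGILKKCCDUH(3)com(0)
""".splitlines()

if __name__ == "__main__":
    for client, queries in find_clients(SAMPLE_LOG, ["agilkkccduh.com"]).items():
        print(f"{client}: {len(queries)} lookup(s), first at {queries[0][0]}")
```

Run it against the real dns.log with the file read into `lines`; a VPN address in the output points at a remote machine that the notice's on-site Wireshark advice would never see.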