Gozi - CBL blacklisted - On a network, computer infected unknown


No replies to this topic

#1 dgparryuk

Posted 23 April 2015 - 04:07 AM

Hi

 

Long Time Lurker, First Time Poster

 

Basically as above, we have been blacklisted by CBL due to this:

 

IP Address 81.142.64.38 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2015-04-22 09:00 GMT (+/- 30 minutes), approximately 1 days, 29 minutes ago.

It has been relisted following a previous removal at 2015-04-21 12:13 GMT (1 days, 20 hours, 43 minutes ago)

Perhaps the person who previously removed it didn't actually fix the problem.

This IP is infected with, or is NATting for a machine infected with s_gozi

Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.

This was detected by observing this IP attempting to make contact to a s_gozi Command and Control server, with contents unique to s_gozi C&C command protocols.

This was detected by a TCP/IP connection from 81.142.64.38 on port 33739 going to IP address 192.42.119.41 (the sinkhole) on port 80.

The botnet command and control domain for this connection was "agilkkccduh.com".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 192.42.119.41 or host name agilkkccduh.com on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to 192.42.119.41 or agilkkccduh.com. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

 

 

The main problem is it's quite an open building and people come & go quite often. It's also a 3-hour round trip to drive there and there's no guarantee that everyone will be there, plus we have a lot of VPN users too.

 

I left Wireshark running all of yesterday and checked it today, but of course it hasn't reconnected since I started it. I'm also not 100% convinced it will catch the connection -

 

There are about 12 computers and a server (Windows SBS 2008); the server is also the DNS server, and it's a Draytek router for the internet connection.

 

Can anyone help? This is not something we've had to deal with before.
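As an added example (not from the original post or from CBL), here is the log-side check the CBL notice suggests, run over constructed sample lines: it decodes the Windows DNS debug-log name format to find which internal client (LAN or VPN) looked up agilkkccduh.com, and cross-checks a firewall/proxy export for connections to the sinkhole 192.42.119.41 on port 80. The DNS and firewall log layouts, and the 192.168.1.x / 10.8.0.x / 203.0.113.1 addresses, are assumptions.

```python
import re
# Indicators quoted in the CBL listing above.
SINKHOLE_IP = "192.42.119.41"
CNC_DOMAIN = "agilkkccduh.com"
# Constructed lines in the style of a Windows DNS server debug log (layout is an assumption).
# 192.168.1.x / 10.8.0.x are made-up LAN and VPN clients; 203.0.113.1 a made-up upstream forwarder.
DNS_LOG = """\
4/22/2015 8:58:02 AM 0E68 PACKET  000000000318A2C0 UDP Rcv 192.168.1.22    0001   Q [0001   D   NOERROR] A      (3)www(9)microsoft(3)com(0)
4/22/2015 9:00:41 AM 0E68 PACKET  000000000318A2C0 UDP Rcv 192.168.1.37    0002   Q [0001   D   NOERROR] A      (11)agilkkccduh(3)com(0)
4/22/2015 9:00:41 AM 0E68 PACKET  000000000318A2C0 UDP Rcv 203.0.113.1     0002 R Q [8081   DR  NOERROR] A      (11)agilkkccduh(3)com(0)
4/22/2015 9:00:41 AM 0E68 PACKET  000000000318A2C0 UDP Snd 192.168.1.37    0002 R Q [8081   DR  NOERROR] A      (11)agilkkccduh(3)com(0)
4/22/2015 9:31:07 AM 0E68 PACKET  000000000318A2C0 UDP Rcv 10.8.0.6        0004   Q [0001   D   NOERROR] A      (11)agilkkccduh(3)com(0)
"""
# Constructed firewall/proxy export as "date time src dst dport" (real format assumed).
CONN_LOG = """\
2015-04-22 09:00:42 192.168.1.37 192.42.119.41 80
2015-04-22 09:00:43 192.168.1.37 23.1.2.3 443
2015-04-22 09:31:08 10.8.0.6 192.42.119.41 80
"""
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")
DNS_LINE_RE = re.compile(r"\b(Rcv|Snd) (\d+\.\d+\.\d+\.\d+)\s+\w+ (R?)\s*Q \[.*?\] \S+\s+(\S+)$")
def decode_labels(wire):
    """Turn the log's '(11)agilkkccduh(3)com(0)' label form into 'agilkkccduh.com'."""
    return ".".join(label for _, label in LABEL_RE.findall(wire) if label)
def dns_clients_querying(log_text, domain):
    """Map client IP -> number of queries it sent for domain or any subdomain of it."""
    hits = {}
    for line in log_text.splitlines():
        m = DNS_LINE_RE.search(line)
        # Only Rcv lines without the R flag are client queries; skip our replies (Snd) and forwarder responses.
        if not m or m.group(1) != "Rcv" or m.group(3) == "R":
            continue
        name = decode_labels(m.group(4)).lower()
        if name == domain or name.endswith("." + domain):
            hits[m.group(2)] = hits.get(m.group(2), 0) + 1
    return hits
def hosts_contacting(log_text, dst_ip, dport=None):
    """Map source IP -> number of connections to dst_ip (optionally only on dport)."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3] == dst_ip and (dport is None or int(parts[4]) == dport):
            hits[parts[2]] = hits.get(parts[2], 0) + 1
    return hits
def suspects():
    """Per internal host, how many C&C lookups and sinkhole connections point at it."""
    dns = dns_clients_querying(DNS_LOG, CNC_DOMAIN)
    conn = hosts_contacting(CONN_LOG, SINKHOLE_IP, 80)
    return {h: {"dns": dns.get(h, 0), "conn": conn.get(h, 0)} for h in set(dns) | set(conn)}
```

A host that shows up under both columns is the one to isolate; a VPN client address appearing here is why the check should cover the VPN pool as well as the office LAN.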


