Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Bot infected according to CBL, cant find infection.

  • Please log in to reply
No replies to this topic

#1 mbasha


  • Members
  • 1 posts
  • Local time:01:01 PM

Posted 18 August 2017 - 10:00 AM

Hi everyone, We recently discovered one of our windows 2012 servers was showing up on some blacklists and when checking the IP on the CBL found reports that the server is sending Bot commands to a honeypot. We checked the server with malwarebytes, Microsoft Windows malicious software removal tools, Microsoft safety scanner, and zbot killer. All of which show no infections. Rebuilding this machine would be a nightmare so im wondering if there are any other options or possible solutions for finding the issue and disinfecting this machine. Any help with this issue would be greatly appreciated. Pasted below is the report from the CBL detailing the malicious behavior seen coming from the server.
Results of Lookup

redacted.ip is listed

This IP address was detected and listed 4 times in the past 28 days, and 1 times in the past 24 hours. The most recent detection was at Thu Aug 17 18:55:00 2017 UTC +/- 5 minutes

This IP address is infected with, or is NATting for a machine infected with the ZeuS trojan, also known as "Zbot" and "WSNPoem".

ZeuS is a malicious software (malware) used by cyber-criminals to commit e-banking fraud and steal sensitive personal data, such as credentials (username, password) for online services (email, webmail, etc.).

The infection was detected by observing this IP address attempting to make contact to a ZeuS Command and Control server (C&C), a central server used by the criminals to control with ZeuS infected computers (bots).

More information about the ZeuS Trojan can be found here:


You can try Kaspersky's Zbot killer to get this infection detected/removed. However, we strongly recommend you to completely re-install your operating system to get this infection removed permanently.

This was detected by a TCP connection from "redacted.ip" on port "n/a" going to IP address "" (the sinkhole) on port "80".

The botnet command and control domain for this connection was "b65951f4c254.net".

This detection corresponds to a connection at Thu Aug 17 18:54:13 2017 UTC (this timestamp is believed accurate to within one second).

Detection Information Summary Destination IP Destination port 80 Source IP redacted.ip Source port n/a C&C name/domain b65951f4c254.net Protocol TCP Time Thu Aug 17 18:54:13 2017 UTC


BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users