
Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible?

Comments

9 comments

  • quizknows
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible
    Just because you have a port closed for inbound traffic does not mean traffic can't go out from that port. It's very "normal" for your connections to a webserver (on the server's port 80) to initiate from a high port number on your own machine. More than likely you do have a hacked website or user on your server.
    0
  • jols
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible
    Thanks, but I never stated we closed ports just for inbound traffic. Since the two servers in question were first put online, the ports mentioned in both CBL reports have been closed for outbound traffic: TCP_OUT, UDP_OUT, and TCP6_OUT. And again, these tests were run from WITHIN these servers, and were unable to connect, e.g.: telnet portquiz.net 51578 Also extensive netstat monitoring is showing no outbound activity on ports and port ranges outside of our firewall parameters. So..... false positive from CBL/Spamhaus, yes? This is the only conclusion that I can arrive at so far. Seems like either there is something seriously wrong at Spamhaus or some other system is spoofing our server IP. What would you assume this to be? Anyone?
    0
  • Tom Risager
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible
    "telnet portquiz.net 51578" would put "51578" in the IP destination port field. The message from Spamhaus just tells you that the offending connection came from source port 51578 on your server, something that would not be blocked by your firewall. So no reason to believe this is a false positive.
    0
  • jols
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible
    Thanks Tom, but with all due respect, this makes no sense. If we only allow a certain limited number of ports in our firewall, in TCP_OUT and UDP_OUT, and 51578 is outside of this range of allowed ports, then how is it that our firewall would not block an outbound connection on port 51578??? ----------------- P.S. Likewise, we do not allow inbound traffic on port 51578 as well, via TCP_IN or UDP_IN.
    0
  • Tom Risager
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible
    Assuming you allow outgoing connections to port 80, connecting to that port from inside your system with a source port of 51578 would not be stopped by your firewall settings. Linux typically uses source port numbers in the range 32768 to 61000. These are chosen automatically when a connection attempt is made.
    0
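The distinction Tom is drawing (the firewall's TCP_OUT list is matched against the destination port of a new connection, while the port in the CBL report is the kernel-chosen source port) is easy to see in code. The following is an added example, not code from the thread or from CSF: it models a CSF-style outbound allow list (the `TCP_OUT` value is an assumed example), reads the kernel's ephemeral port range, and opens a loopback connection in place of a real connection to a web server so the kernel-picked source port can be observed.

```python
"""Why a CBL report naming source port 51578 is not blocked by a
destination-port firewall.  Added example, not from the thread.

Assumed: a CSF-style allow list of outbound destination ports, and a
local loopback socket as a stand-in for a connection to a web server.
"""
import socket
import threading

# Constructed CSF-style allow list (csf.conf takes comma-separated ports,
# ranges written as lo:hi).  The value here is an assumed example.
TCP_OUT = "20,21,22,25,53,80,110,113,443"


def parse_port_list(spec):
    """Expand '20,21,30000:30002' into a set of integer ports."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            lo, hi = item.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def outbound_allowed(src_port, dst_port, allow=TCP_OUT):
    """A destination-port firewall decides on the *destination* port of a
    new outbound connection.  src_port is taken as an argument only to make
    the point explicit: it never influences the decision."""
    del src_port
    return dst_port in parse_port_list(allow)


def ephemeral_range():
    """Read the kernel's source-port range; fall back to a common default
    when /proc is not available (non-Linux hosts)."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = f.read().split()
            return int(lo), int(hi)
    except OSError:
        return 32768, 60999


def observe_source_port():
    """Open a loopback listener, connect to it, and return the client's
    kernel-chosen source port.  Stand-in for 'telnet webserver 80'."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept():
        conn, _ = srv.accept()
        conn.close()

    t = threading.Thread(target=accept)
    t.start()
    cli = socket.socket()
    cli.connect(srv.getsockname())
    t.join()
    src_port = cli.getsockname()[1]
    cli.close()
    srv.close()
    return src_port


if __name__ == "__main__":
    lo, hi = ephemeral_range()
    print(f"kernel picked source port {observe_source_port()}; "
          f"ephemeral range is {lo}-{hi}")
    # The CBL case: our host connects *to* port 80 *from* port 51578.
    print("src 51578 -> dst 80 allowed:", outbound_allowed(51578, 80))
    # What 'telnet portquiz.net 51578' tested: connecting *to* port 51578.
    print("src 40000 -> dst 51578 allowed:", outbound_allowed(40000, 51578))
```

The first call returns True and the second False with the same allow list, which is exactly the asymmetry the telnet test missed: it proved that port 51578 is closed as a destination, not that it cannot appear as a source.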
  • jols
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible
    Okay, I get it now, thanks! Question - Would such an outbound source port connection be recorded in /var/log/messages ?
    0
  • Tom Risager
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible
    I don't think there are any logs that would record this by default. Maybe try some of the suggestions from this thread:
    0
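Nothing records outbound connections by default, but a netfilter LOG rule on the OUTPUT chain does, and with `--log-uid` it also records which local account opened the socket, which is what you need to trace a CBL-reported source port back to a cPanel user. The following is an added example, not from the thread: it assumes a rule such as `iptables -I OUTPUT -p tcp --syn -j LOG --log-prefix "OUT_NEW: " --log-uid`, whose kernel messages syslog writes to /var/log/messages, and parses constructed log lines in that format (addresses are documentation ranges; the prefix and sample values are assumptions).

```python
"""Tracing a CBL-reported source port back to a local user from iptables
LOG lines.  Added example, not from the thread.

Assumed rule (run as root):
  iptables -I OUTPUT -p tcp --syn -j LOG --log-prefix "OUT_NEW: " --log-uid
The sample lines below are constructed to match the kernel's LOG format.
"""
import re

SAMPLE_LOG = """\
Mar  3 10:15:01 web1 kernel: OUT_NEW: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4121 DF PROTO=TCP SPT=51578 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Mar  3 10:15:01 web1 kernel: OUT_NEW: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4122 DF PROTO=TCP SPT=51579 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Mar  3 10:15:02 web1 kernel: OUT_NEW: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4123 DF PROTO=TCP SPT=51580 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Mar  3 10:15:07 web1 kernel: OUT_NEW: IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4124 DF PROTO=TCP SPT=40210 DPT=53 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
Mar  3 10:15:09 web1 kernel: OUT_NEW: IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4125 DF PROTO=TCP SPT=40211 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=47 GID=12
"""

LOG_PREFIX = "OUT_NEW:"           # must match --log-prefix above (assumed)
KV = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value tokens; flags like DF/SYN have no '='


def parse_log(text, prefix=LOG_PREFIX):
    """Turn kernel LOG lines into dicts; lines without our prefix are skipped."""
    records = []
    for line in text.splitlines():
        if prefix not in line:
            continue
        body = line.split(prefix, 1)[1]
        rec = dict(KV.findall(body))
        for key in ("SPT", "DPT", "UID", "GID", "LEN", "TTL", "ID"):
            if key in rec and rec[key].isdigit():
                rec[key] = int(rec[key])
        rec["ts"] = line[:15]        # syslog timestamp, e.g. "Mar  3 10:15:01"
        records.append(rec)
    return records


def find_by_source_port(records, sport):
    """CBL names the *source* port of the offending connection: look it up
    directly to get the destination and the owning UID."""
    return [r for r in records if r.get("SPT") == sport]


def distinct_destinations_per_uid(records, dport=80):
    """Count distinct remote hosts each UID connected to on dport.  One
    account opening connections to many different hosts on port 80 is the
    footprint of a compromised site running an outbound scanner."""
    by_uid = {}
    for r in records:
        if r.get("DPT") != dport:
            continue
        by_uid.setdefault(r.get("UID"), set()).add(r["DST"])
    return {uid: len(dsts) for uid, dsts in by_uid.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in find_by_source_port(recs, 51578):
        print(f"{r['ts']} src port 51578 -> {r['DST']}:{r['DPT']} opened by UID {r['UID']}")
    print("distinct port-80 destinations per UID:", distinct_destinations_per_uid(recs))
```

In practice you would grep /var/log/messages for the prefix and the SPT from the CBL report, then map the UID to an account with `getent passwd <uid>` and inspect that account's web root and cron jobs. Keep the rule temporary and rate-limited (the LOG target can be preceded by `-m limit`) on a busy server, since it logs every new outbound TCP connection.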
  • cPanelMichael
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible
    Hello :) You may also find this thread helpful: Outbound WordPress Brute Force Attack Thank you.
    0
  • jols
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible
    Good lead. Thanks much.
    0
