IP Blacklisted
Below is the reason my IP was blacklisted. I have blocked this IP "212.227.252.198" in the firewall. Moreover, I scanned all accounts with ClamAV. Kindly let me know any other preventive measures.
IP Address 167.114.118.103 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2015-04-10 14:00 GMT (+/- 30 minutes), approximately 30 minutes ago.
This IP is infected with, or is NATting for a machine infected with s_gozi
Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.
This was detected by observing this IP attempting to make contact to a s_gozi Command and Control server, with contents unique to s_gozi C&C command protocols.
This was detected by a TCP/IP connection from 167.114.118.103 on port 40182 going to IP address 212.227.252.198 (the sinkhole) on port 80.
The botnet command and control domain for this connection was "domain.com".
Blocking the IP will not help you; the IP is not malicious. Sinkhole IPs are used so that domains which used to host malware can be pointed to them, to identify infected machines. Blocking the IP will only prevent your server from being detected as infected; it will not fix or prevent any infections. ClamAV is a good start. Maldet would also be advisable. You should carefully review the output of "ps faux" as root to inspect all running processes. You could also do a recursive grep to look for the suspect domain "domain.com" in the code in any sites. Lastly, you should also review your mail queue, since if there is spam in there it might help you identify the hacked account which caused this CBL listing of your server.
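One way to carry out the checks recommended above, as an added example that is not part of this thread: a POSIX shell helper that pulls the C&C domain and sinkhole IP out of a saved copy of the CBL notice, greps site code for that domain, lists established connections to the sinkhole, and summarises senders in the Exim mail queue. The `exim -bp` output layout, the `ss` tool and the script's paths are assumptions; "domain.com" is the placeholder the notice itself uses.

```shell
#!/bin/sh
# Added triage helper for a CBL sinkhole listing (example code, not from this thread).
# Assumes: a saved copy of the CBL notice, site code under the directory given as $1,
# Exim as the MTA (as on cPanel) and Linux 'ss'. Run as root so -p can name processes.
set -u

# Constructed sample notice, copied from the two relevant lines of the listing above.
SAMPLE_NOTICE='This was detected by a TCP/IP connection from 167.114.118.103 on port 40182 going to IP address 212.227.252.198 (the sinkhole) on port 80.
The botnet command and control domain for this connection was "domain.com".'

# Sinkhole IP from a notice on stdin. Informational only: it is not the attacker, so do not block it.
cbl_sinkhole_ip() {
    sed -n 's/.*going to IP address \([0-9.]*\) (the sinkhole).*/\1/p' | head -n 1
}
# C&C domain from a notice on stdin; this is the string to hunt for in site code.
cbl_cnc_domain() {
    sed -n 's/.*control domain for this connection was "\([^"]*\)".*/\1/p' | head -n 1
}
# Recursive, fixed-string, text-only grep of site code ($1) for the domain ($2). Prints matching paths.
find_domain_refs() {
    grep -r -l -I -F -- "$2" "$1" 2>/dev/null
}
# Number of files under $1 that mention $2, as a bare integer for scripting.
count_domain_refs() {
    find_domain_refs "$1" "$2" | wc -l | tr -d ' '
}
# Established TCP connections to the sinkhole ($1) with the owning process: the infected
# account or process shows up here while it is calling home.
sinkhole_connections() {
    ss -tnp state established 2>/dev/null | grep -F -- "$1"
}
# Senders in the Exim queue, most frequent first; a flood from one account points at the
# compromised account. Assumes 'exim -bp' prints the sender as the 4th field inside <>.
queue_senders() {
    exim -bp 2>/dev/null | awk '$4 ~ /^<.*>$/ { gsub(/[<>]/, "", $4); print $4 }' \
        | sort | uniq -c | sort -rn
}

# Usage: ./cbl_triage.sh /home /root/cbl_notice.txt
if [ $# -ge 2 ]; then
    domain=$(cbl_cnc_domain < "$2")
    sinkhole=$(cbl_sinkhole_ip < "$2")
    echo "Sinkhole $sinkhole is not the attacker; searching $1 for \"$domain\""
    find_domain_refs "$1" "$domain"
    sinkhole_connections "$sinkhole"
    queue_senders
fi
```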
Hello, feel free to update this thread with the outcome after reviewing the previous post. Thank you.
My IP is delisted. I have just blocked his IP and scanned with ClamAV.
I am happy to see the issue is now addressed. Thank you for updating us with the outcome.