I need your help because i'm lost.
We are currently blacklisted because of S_Gozi
The message from the SpamHaus organization says the following:
-
This IP is infected with, or is NATting for a machine infected with s_gozi
Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.
This was detected by observing this IP attempting to make contact to a s_gozi Command and Control server, with contents unique to s_gozi C&C command protocols.
This was detected by a TCP/IP connection from ***.***.***.254 on port 9674 going to IP address 52.4.170.36 (the sinkhole) on port 443.
The botnet command and control domain for this connection was "genfromthethemraising.com".
Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 52.4.170.36 or host name genfromthethemraising.com on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to 52.4.170.36 or genfromthethemraising.com. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.
This detection corresponds to a connection at 2015-07-20 16:08:18 (GMT - this timestamp is believed accurate to within one second).
What can I do ? I researched already all occurence for 52.4.170.36 + genfromthethemraising.com
Thanks already for your help !
This thread was automatically locked due to age.
