
BlackList CBL

Hello Community

My question is this: I have a Sophos UTM 9, and one of our interfaces has the public IP 190.25.189.210, which is being listed on blacklists.

When I check, the CBL page shows the following message:

This IP address is infected with, or is NATting for a machine infected with Palevo (Microsoft).

Palevo (also known as Rimecud, Butterfly bot and Pilleuz) is a worm that spreads using instant messaging, P2P networks and removable drives (like USB sticks).

The CBL detection is being made using sinkholing techniques.

Further (technical) information about Palevo can be obtained here:

This was detected by a UDP connection from 190.25.189.210 on port 2963 going to IP address 192.42.116.41 (the sinkhole) on port 50000.

The botnet command and control domain for this connection was "".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 192.42.116.41 or host name on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to 192.42.116.41 or . See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

I have a rule that denies all traffic from that network segment, and yet I am still being listed. I've reviewed all the policies in our UTM and we are still trying to find where the gap is.

I need help.



This thread was automatically locked due to age.
  • Hi, Cristian, and welcome to the UTM Community!

    Do you have Advanced Threat Protection enabled?  You might want to enable 'Log unique DNS requests' on the 'Advanced' tab of 'Firewall'.  On the 'Bandwidth Usage' tab of 'Logging & Reporting >> Network Usage', check to see if 192.42.116.41 had any activity as a server (more probable) or a client.

    Cheers - Bob

  • Hi BAlfson

    I have found that, yes, there is a connection to this IP 192.42.116.41.


    I will verify that service.

  • Now, in the same place look at 'Top clients by service Protocol/Port: MRT' and you should have the IP of the guilty party!


    Cheers - Bob

  • Hi BAlfson

    Yes, I have a rule that blocks all services to that IP, but I still have some connections being recorded. How can I locate the gap in the UTM?

  • Hi BAlfson 

    Look what I get now.

    At the time of removal, this was the explanation for this listing:

    This IP is infected (or NATting for a computer that is infected) with the kelihos spambot. In other words, it's participating in a botnet.

    If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.

    How to resolve future problems and prevent relisting

    Norton Power Eraser is a free tool and doesn't require installation. It just needs to be downloaded and run. One of our team has tested the tool with Zeus, Ice-X, Citadel, ZeroAccess and Cutwail. It was able to detect and clean up the system in each case. It probably works with many other infections.

    It indicates that I have a botnet on my network, but the UTM tells me that it is blocking it.

    That could be happening.

  • Hi Cristian,

    I had exactly the same problem at a client two weeks ago. Blocking that IP address with firewall rules will have no effect, since Web Filtering has higher priority. In my case I resolved the problem by blocking the Malicious Sites category in the Filter Action, which had been allowed before. From the Web Filtering log file:

    2016:02:18-08:12:52 utm httpproxy[22183]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.171" dstip="192.42.116.41" user="*********" ad_domain="*****" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffSimplGenerFilte (General Filter)" size="0" request="0xe006b000" url="http://192.42.116.41/pages/link_outbound" referer="" error="" authtime="104" dnstime="436" cattime="58432" avscantime="0" fullreqtime="158616" device="1" auth="2" ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.3)" exceptions="" category="130" reputation="malicious" categoryname="Malicious Sites"
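The check vilic describes (look for passed requests to the sinkhole in the httpproxy log) and Bob's earlier advice (find the internal client behind the NAT that is talking to 192.42.116.41) can be done in one pass over the log. The script below is an added example, not code from the thread or from Sophos. The log lines in it are constructed to mirror the key="value" layout of the line vilic quoted; the user names, client addresses, ids and timestamps are placeholders. It groups every event whose dstip is the sinkhole by internal srcip and singles out the hosts that got action="pass", since a passed request is exactly the gap the OP is hunting.

```python
"""Find internal hosts that reached a known sinkhole IP in Sophos UTM httpproxy logs.

Added example. SAMPLE_LOG is constructed to mirror the field format vilic quoted;
it is not real log output, and the client IPs, users and ids are placeholders.
"""
import re
from collections import defaultdict

# Sinkhole address CBL named in the listing.
SINKHOLE_IPS = {"192.42.116.41"}

# Constructed sample lines (one passed, one unrelated, one blocked, one blocked from a
# second client). Field names follow the UTM httpproxy format shown in the thread.
SAMPLE_LOG = """\
2016:02:18-08:12:52 utm httpproxy[22183]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.171" dstip="192.42.116.41" user="client-a" statuscode="200" url="http://192.42.116.41/pages/link_outbound" categoryname="Malicious Sites" reputation="malicious"
2016:02:18-08:13:10 utm httpproxy[22183]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.50" dstip="203.0.113.10" user="client-b" statuscode="200" url="http://www.example.com/" categoryname="Information Technology" reputation="trusted"
2016:02:18-08:14:02 utm httpproxy[22183]: id="0001" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.0.171" dstip="192.42.116.41" user="client-a" statuscode="403" url="http://192.42.116.41/pages/link_outbound" categoryname="Malicious Sites" reputation="malicious"
2016:02:18-08:15:30 utm httpproxy[22183]: id="0001" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.0.99" dstip="192.42.116.41" user="client-c" statuscode="403" url="http://192.42.116.41/" categoryname="Malicious Sites" reputation="malicious"
"""

# key="value" pairs, then the leading "<timestamp> <host> <daemon[pid]>:" prefix.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PREFIX_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+):\s')


def parse_line(line):
    """Return {field: value} for one UTM log line, or None if the prefix is missing.

    The timestamp is stored under 'ts' and the daemon (e.g. httpproxy[22183]) under 'daemon'.
    """
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["ts"] = m.group(1)
    fields["daemon"] = m.group(3)
    return fields


def sinkhole_contacts(log_text, sinkholes=SINKHOLE_IPS):
    """Map each internal srcip to its (ts, action, url) events whose dstip is a sinkhole.

    Passed and blocked events are both kept: the blocked ones still identify the
    infected client behind the NAT, the passed ones show where the UTM let it through.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("dstip") not in sinkholes:
            continue
        hits[f.get("srcip", "?")].append((f["ts"], f.get("action", "?"), f.get("url", "")))
    return dict(hits)


def passed_through(log_text, sinkholes=SINKHOLE_IPS):
    """Sorted srcips that reached a sinkhole with action="pass" (the gap to close)."""
    contacts = sinkhole_contacts(log_text, sinkholes)
    return sorted(src for src, events in contacts.items()
                  if any(action == "pass" for _, action, _ in events))


if __name__ == "__main__":
    for src, events in sinkhole_contacts(SAMPLE_LOG).items():
        print(src)
        for ts, action, url in events:
            print(f"  {ts}  {action:5}  {url}")
    print("passed through the proxy:", passed_through(SAMPLE_LOG))
```

Two caveats from the listing itself. The CBL text gives an empty command and control domain and says the observed traffic was UDP to 192.42.116.41 on port 50000, so the bot contacts the sinkhole by IP; 'Log unique DNS requests' will not show it, which is why the script matches on dstip rather than on a host name. That UDP flow also never touches the web proxy, so the httpproxy log only catches the HTTP side of the infection; the firewall log (filtered on the same dstip) is the place to look for the port 50000 traffic and to confirm whether the deny rule is actually matching it.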

  • Hi vilic

    I have the following categories, and this blocks all malicious sites.

    What else do I have to block?

  • Check whether you have passed traffic to this IP address, like in my example:

  • Yes, this shows me that it is blocking the IP, but the CBL message indicates that I now have a botnet on my network and it is going through my UTM without any block.