
BlackList CBL

Hello Community

My question is this: I have a Sophos UTM 9, and one of our interfaces has the public IP 190.25.189.210, which is being listed on blacklists.

When I check, the CBL page shows the following message:

This IP address is infected with, or is NATting for a machine infected with Palevo (Microsoft).

Palevo (also known as Rimecud, Butterfly bot and Pilleuz) is a worm that spreads using instant messaging, P2P networks and removable drives (like USB sticks).

The CBL detection is being made using sinkholing techniques.

Further (technical) information about Palevo can be obtained here:

This was detected by a UDP connection from 190.25.189.210 on port 2963 going to IP address 192.42.116.41 (the sinkhole) on port 50000.

The botnet command and control domain for this connection was "".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 192.42.116.41 or host name on any port with a network sniffer such as Wireshark. Equivalently, you can examine your DNS server or proxy server logs for references to 192.42.116.41 or . See Advanced Techniques for more detail on how to use Wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

I have a rule that denies all traffic from that network segment, and yet I am still being blocked. I've reviewed all policies, and we found that our UTM is the gap.

I need help.



  • Hi Cristian,

    I had exactly the same problem at a client's site two weeks ago. Blocking that IP address with firewall rules will have no effect, since Web Filtering has higher priority. In my case I resolved the problem by blocking the Malicious Sites category in the Filter Action, which had been enabled before. From the Web Filtering log file:

    2016:02:18-08:12:52 utm httpproxy[22183]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.171" dstip="192.42.116.41" user="*********" ad_domain="*****" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffSimplGenerFilte (General Filter)" size="0" request="0xe006b000" url="http://192.42.116.41/pages/link_outbound" referer="" error="" authtime="104" dnstime="436" cattime="58432" avscantime="0" fullreqtime="158616" device="1" auth="2" ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.3)" exceptions="" category="130" reputation="malicious" categoryname="Malicious Sites"
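    The CBL notice above says to look for references to the sinkhole address in proxy or DNS logs, and the reply above shows what such a hit looks like in the UTM 9 Web Filtering log. The following script is an added example, not code from the thread or from Sophos: it parses httpproxy lines in the key="value" format shown above, picks out every request whose destination is the sinkhole 192.42.116.41, and summarises them per internal source IP and per action, so that a host whose traffic was passed rather than blocked stands out. The sample log lines are constructed for the example (private source IPs, documentation-range destination, the "block" action value and the ulogd line are assumptions modelled on the format, not copied from a real UTM).

```python
import re
from collections import defaultdict

# Added example (not Sophos code): find internal hosts that reached a
# sinkhole address in Sophos UTM 9 httpproxy (Web Filtering) log lines.

# Sinkhole address quoted in the CBL notice in this thread.
SINKHOLES = {"192.42.116.41"}

# Leading 'YYYY:MM:DD-HH:MM:SS host httpproxy[pid]: ' prefix of each line.
PREFIX_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) httpproxy\[\d+\]: '
)
# key="value" pairs as written by the UTM httpproxy logger.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines modelled on the format quoted above; the
# "block" action, the ulogd line and all addresses are assumptions.
SAMPLE_LOG = [
    '2016:02:18-08:12:52 utm httpproxy[22183]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.171" dstip="192.42.116.41" statuscode="200" url="http://192.42.116.41/pages/link_outbound" category="130" reputation="malicious" categoryname="Malicious Sites"',
    '2016:02:18-08:14:10 utm httpproxy[22183]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.171" dstip="192.42.116.41" statuscode="200" url="http://192.42.116.41/pages/link_outbound" category="130" reputation="malicious" categoryname="Malicious Sites"',
    '2016:02:18-08:15:33 utm httpproxy[22183]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="block" method="GET" srcip="192.168.0.23" dstip="192.42.116.41" statuscode="403" url="http://192.42.116.41/" category="130" reputation="malicious" categoryname="Malicious Sites"',
    '2016:02:18-08:16:01 utm httpproxy[22183]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.5" dstip="203.0.113.10" statuscode="200" url="http://example.test/index.html" category="100" reputation="trusted" categoryname="Search Engines"',
    '2016:02:18-08:16:02 utm ulogd[4321]: unrelated packet filter line, skipped by the parser',
]


def parse_line(line):
    """Return the key/value fields of one httpproxy line, or None for other lines."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    fields["ts"] = m.group("ts")
    return fields


def url_host(url):
    """Extract the host part of a URL such as http://192.42.116.41/pages/x."""
    m = re.match(r'^[a-z]+://([^/:]+)', url)
    return m.group(1) if m else ""


def find_sinkhole_hits(lines, sinkholes=SINKHOLES):
    """Collect every request whose dstip or URL host is a known sinkhole."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        if f.get("dstip") in sinkholes or url_host(f.get("url", "")) in sinkholes:
            hits.append({
                "ts": f["ts"],
                "srcip": f.get("srcip", ""),
                "dstip": f.get("dstip", ""),
                "action": f.get("action", ""),
                "url": f.get("url", ""),
            })
    return hits


def summarize(hits):
    """Count sinkhole requests per internal source IP and per proxy action."""
    summary = defaultdict(lambda: defaultdict(int))
    for h in hits:
        summary[h["srcip"]][h["action"]] += 1
    return {ip: dict(counts) for ip, counts in summary.items()}


if __name__ == "__main__":
    hits = find_sinkhole_hits(SAMPLE_LOG)
    for ip, counts in sorted(summarize(hits).items()):
        # A host with a non-zero "pass" count got through the web filter
        # and is the one to clean up first.
        print(ip, counts)
```

    Run against a real log, feed the file's lines to find_sinkhole_hits; any source IP whose requests were passed is a machine the web filter let reach the sinkhole, which is exactly what the firewall rule in the original post could not see.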

  • Hi vilic,

    I have the following categories, and this blocks all malicious sites.

    What more do I have to block?

  • Check whether you have passed traffic to this IP address, as in my example:

  • Yes, this is blocking the IP, but the CBL message indicates that I now have a botnet on my network and that it is getting through my UTM without being blocked.
