Question

Spam Bot

By irvingf
I am the LAN Admin for a health imaging center.

Over the last week our public IP address was blocked twice by CBL. This past Saturday I came in to the office to run Spybot S&D, Malwarebytes and to update my AV on all machines. I also removed any unnecessary software from the machines. Needless to say that today in the morning I came to find out that once again our IP address had been blocked.

Is there anything that I could've missed? Any tools that the Tech Republic Community may recommend? What else can I do?

Thank you,
Dalton

All Answers

Who is CBL?

by Kenone In reply to Spam Bot

Your ISP?
And yes, USERS! I had a similar problem once, went nuts trying to find the problem. Finally tracked it down to some sales person sending out 50K "newsletters" to keep the customers up to date.

Well assuming that CBL is your Internet Provider

by OH Smeg In reply to Spam Bot

And that they are blocking your IP address because of bulk amounts of spam being sent, you can try Wireshark to see what traffic there is on the network.

http://www.wireshark.org/download.html

Also the above scans that you did may not be sufficient if there is an infection, as quite often these nasties reside in the Restore Points, which need to be disabled, and you also need to perform the scans in Safe Mode so that the applications used have a better chance of being able to find and delete the infections. But even that is not a guarantee that you will get everything. In the case of the really nasty ones or rootkits you'll need to use one of the many rescue discs available so that Windows is not running and it can be cleaned.

I personally like F Secure

http://www.f-secure.com/en_EMEA/security/tools/rescue-cd/

But there are many others, and F Secure has a tendency to rename infections, which may result in the need to reimage the system, but it will clean them up. You can, however, read this TR Article Blog for a more complete list of the Rescue CDs that is currently being discussed now.

http://blogs.techrepublic.com.com/security/?p=3803&tag=content;leftCol

Col
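Added example (not part of any post in this thread): once traffic has been captured or exported as flow records, a short script can pick out internal machines that open TCP port 25 connections directly to the Internet, which is how spam bots typically deliver mail. The log format, the internal subnet and the mail server address below are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Assumptions (hypothetical values): the LAN subnet and the only host allowed to send mail out.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_SENDERS = {"192.168.1.10"}

# Constructed sample flow records: time src src_port dst dst_port proto
SAMPLE_LOG = """\
2024-01-08T02:11:05 192.168.1.10 50122 203.0.113.25 25 tcp
2024-01-08T02:11:07 192.168.1.57 1045 198.51.100.8 25 tcp
2024-01-08T02:11:07 192.168.1.57 1046 198.51.100.77 25 tcp
2024-01-08T02:11:08 192.168.1.57 1047 203.0.113.140 25 tcp
2024-01-08T02:11:09 192.168.1.23 3301 198.51.100.8 443 tcp
2024-01-08T02:11:10 192.168.1.57 1048 192.168.1.10 25 tcp
malformed line
2024-01-08T02:11:12 192.168.1.31 2210 203.0.113.9 25 tcp
"""

def find_direct_smtp_senders(log_text, allowed=ALLOWED_SENDERS):
    """Return {internal_ip: set(external destinations)} for hosts other than
    the allowed senders that opened TCP/25 connections to the Internet."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        _, src, _, dst, dport, proto = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if proto != "tcp" or port != 25:
            continue
        # Only LAN -> Internet SMTP matters; handing mail to the internal
        # mail server on port 25 is normal client behaviour.
        if src_ip not in INTERNAL_NET or dst_ip in INTERNAL_NET:
            continue
        if src not in allowed:
            hits[src].add(dst)
    return dict(hits)

def rank_suspects(hits):
    """Sort suspects by number of distinct external mail servers contacted."""
    return sorted(hits.items(), key=lambda kv: len(kv[1]), reverse=True)

if __name__ == "__main__":
    for host, dests in rank_suspects(find_direct_smtp_senders(SAMPLE_LOG)):
        print(f"{host}: {len(dests)} external SMTP destinations")
```

A workstation that contacts many different external mail servers on port 25 is the one to isolate first; blocking outbound port 25 at the firewall for everything except the mail server stops the listing from recurring while the cleanup is under way.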

CBL

by irvingf In reply to Well assuming that CBL is ...

Sorry about the late reply. CBL is not our ISP. Our ISP is TPAC.

CBL is a blacklist website. Probably the biggest one.

http://cbl.abuseat.org/

Did I get this right?

by AnsuGisalas In reply to Spam Bot

You cleaned house on Saturday, and by Monday morning you'd been blocked again?
You probably would need to do a root-kit check.
If that comes out clean (do it from a rescue CD or stick), then you might want to keep something monitoring the system and traffic.

Update

by irvingf In reply to Did I get this right?

I have to admit that my ISP (TPAC) has been very helpful. They were able to give me the internal IP address of the infected machine and its name.

That night I re-installed the OS on that machine. The following day the same thing happened again.

I am at a standstill. I am not sure as to what else I may do.

BTW, I will check out F-Secure and WireShark. Thanks for the tip.

Re: Reinstall

by seanferd In reply to Update

Did you wipe the HDD first, or did you just install over the existing install?

Another thought - the malware causing this is still in your network, ready to reinfect. Or, someone with access to your network (from inside or outside) is causing this. Or, it isn't your network at all, but your public IP is being spoofed.
