  • #2213975

    Spam Bot

    by irvingf ·

    I am the LAN Admin for a health imaging center.

    Over the last week our public IP address was blocked twice by CBL. This past Saturday I came in to the office to run Spybot S&D, Malwarebytes and to update my AV on all machines. I also removed any unnecessary software from the machines. Needless to say that today in the morning I came to find out that once again our IP address had been blocked.

    Is there anything that I could’ve missed? Any tools that the Tech Republic Community may recommend? What else can I do?

    Thank you,
    Dalton

All Answers

    • #3027409

      Clarifications

      by irvingf ·

      In reply to Spam Bot

      Clarifications

    • #3027404

      Who is CBL?

      by kenone ·

      In reply to Spam Bot

      Your ISP?
      And yes, USERS! I had a similar problem once, went nuts trying to find the problem. Finally tracked it down to some sales person sending out 50K “newsletters” to keep the customers up to date.

    • #3025575

      Well assuming that CBL is your Internet Provider

      by oh smeg ·

      In reply to Spam Bot

      And that they are blocking your IP address because of bulk amounts of spam being sent, you can try Wireshark to see what traffic there is on the network.

      http://www.wireshark.org/download.html

      Also the above scans that you did may not be sufficient if there is an infection, as quite often these nasties reside in the Restore Points, which need to be disabled, as well as you need to perform the scans in Safe Mode so that the applications used have a better chance of being able to find and delete the infections. But even that is not a guarantee that you will get everything; in the case of the really nasty ones or Root Kits you’ll need to use one of the many Rescue Discs available so that Windows is not running and it can be cleaned.

      I personally like F Secure

      http://www.f-secure.com/en_EMEA/security/tools/rescue-cd/

      But there are many others, and F Secure has a tendency to rename infections which may result in the need to reimage the system, but it will clean them up. You can however read this TR Article Blog for a more complete list of the Rescue CDs that is currently being discussed. 😉

      http://blogs.techrepublic.com.com/security/?p=3803&tag=content;leftCol

      Col
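      The traffic check suggested above, written out as an added example (not code from the thread or from TechRepublic): a spam bot gives itself away by opening outbound TCP/25 connections to many distinct mail servers, while an ordinary PC talks SMTP to one server at most. The script scans a hypothetical firewall or flow export (one line per connection: timestamp, source IP, source port, destination IP, destination port, protocol) and reports internal hosts that exceed a threshold of distinct SMTP destinations, excluding a hypothetical legitimate relay at 192.168.1.10; the log format, addresses and sample data are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (constructed): private ranges in use and the site's real mail server.
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]
MAIL_RELAY = {"192.168.1.10"}  # hypothetical legitimate relay, allowed to send SMTP


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Parse 'timestamp src_ip src_port dst_ip dst_port proto'; None if malformed."""
    parts = line.split()
    if len(parts) != 6 or not parts[4].isdigit():
        return None
    ts, src, _sport, dst, dport, proto = parts
    return ts, src, dst, int(dport), proto.lower()


def find_spam_sources(lines, threshold=20):
    """Return {src_ip: distinct_smtp_destinations} for internal hosts that
    reached more than `threshold` distinct external servers on TCP/25,
    skipping the known relay. Many distinct MX peers from one PC = spam bot."""
    dests = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed export lines rather than crash
        _ts, src, dst, dport, proto = rec
        if proto == "tcp" and dport == 25 and is_internal(src) and not is_internal(dst):
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()
            if src not in MAIL_RELAY and len(d) > threshold}


# Constructed sample: one infected workstation (40 MX peers), the relay (3 peers),
# a clean workstation browsing HTTPS, and one junk line.
SAMPLE_FLOWS = (
    [f"2009-06-15T08:{i:02d}:00 192.168.1.57 4{i:04d} 203.0.113.{i} 25 tcp" for i in range(1, 41)]
    + [f"2009-06-15T08:{i:02d}:05 192.168.1.10 50{i:03d} 198.51.100.{i} 25 tcp" for i in range(1, 4)]
    + [f"2009-06-15T08:{i:02d}:10 192.168.1.23 51{i:03d} 198.51.100.{10 + i} 443 tcp" for i in range(1, 30)]
    + ["garbage line"]
)

if __name__ == "__main__":
    for host, n in find_spam_sources(SAMPLE_FLOWS).items():
        print(f"{host}: {n} distinct outbound SMTP destinations, likely spam bot")
```

      Run it against a real export and the flagged host is the one to pull off the network; a capture filter of `tcp.port == 25` in Wireshark shows the same connections by hand.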

    • #2870360

      Did I get this right?

      by ansugisalas ·

      In reply to Spam Bot

      You cleaned house on Saturday, and by Monday morning you’d been blocked again?
      You probably would need to do a root-kit check.
      If that comes out clean (do it from a rescue CD or stick), then you might want to keep something monitoring the system and traffic.

      • #2869006

        Update

        by irvingf ·

        In reply to Did I get this right?

        I have to admit that my ISP (TPAC) has been very helpful. They were able to give me the internal IP address of the infected machine and its name.

        That night I re-installed the OS on that machine. The following day the same thing happened again.

        I am at a stand still. I am not sure as to what else I may do.

        BTW, I will check out F-Secure and WireShark. Thanks for the tip.

        • #2868986

          Re: Reinstall

          by seanferd ·

          In reply to Update

          Did you wipe the HDD first, or did you just install over the existing install?

          Another thought – the malware causing this is still in your network, ready to reinfect. Or, someone with access to your network (from inside or outside) is causing this. Or, it isn’t your network at all, but your public IP is being spoofed.
