Operating System & Version: CENTOS 7.8
cPanel & WHM Version: v90.0.16

jakeevans

Hey Everyone,

I basically needed some help with a server that I have been running for years now. I have never had a problem resolving Spamhaus SBL block issues, as I know that sometimes rogue scripts running on customers' websites are the cause of spam; in turn I can find evidence of this in mail delivery reports in WHM, find the offending script, and sort it out.

However, I now have a new problem: I have recently been listed on the XBL blacklist and do not understand how to resolve this. Can anyone in the cPanel community help?

I basically go to Spamhaus XBL and it tells me (sensitive data removed):

x.x.x.x is listed
This IP address was detected and listed x times in the past 28 days, and x times in the past 24 hours. The most recent detection was at Sun Nov 8 20:00:00 2020 UTC +/- 5 minutes
This IP address was self-removed x times in the past week.
This IP is infected (or NATting for a computer that is infected) with a botnet, most likely matsnu.
Matsnu acts as a downloader and remotely controlled trojan.

Detection Information Summary
Destination IP: x.x.x.x
Destination port: 80
Source IP: x.x.x.x
Source port: 40474
C&C name/domain: x.com
Protocol: TCP
Time: Sun Nov 8 20:00:35 2020 UTC


So obviously it's showing the source as my IP address, but the destination address is someone completely random.
I've searched for this address endlessly and found no record of it anywhere; I checked exim mail logs, access logs, etc.

So how do I go about resolving this?
I tried to delist, then it says the IP is infected with some other kind of virus, not matsnu, so can anyone point me in the right direction?
It's showing my source port as 40474, but that port is closed (checked with a port scanner) and CSF hasn't allowed it either, so how does this work even though the port is blocked?

I've browsed this forum already and found some useful posts from someone using shtracer.pl, but they used it on CentOS 6. My WHM/cPanel & OS is:
CENTOS 7.8 - cPanel/WHM v90.0.16
Upon trying to use shtracer.pl, it fails to load. I'm guessing it's for CentOS 6 only?

Kind Regards,
Jake
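The question above turns on how the listing can show source port 40474 when that port is closed. On an outbound TCP connection the source port is an ephemeral port chosen by the kernel for that one connection, so an inbound firewall rule for 40474 says nothing about it; the useful question is which local process opened a connection to the destination port (80 in the report). The script below is an added example, not code from this thread or from cPanel: it filters `ss -tnp` output by destination port and reports the local process that owns each matching connection. The sample `ss` lines and the addresses in them are constructed for the demonstration, and the function names `filter_by_dport`, `list_live_outbound` and `demo` are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): find the local process behind an
# outbound TCP connection by destination port, using `ss -tnp` output.
# Source ports such as 40474 are ephemeral, picked by the kernel for the
# outgoing connection, so a closed/blocked inbound port is irrelevant.

# filter_by_dport DPORT
#   Reads `ss -tnp` lines on stdin and prints
#   "local:port -> peer:port  process" for every connection whose peer
#   (destination) port equals DPORT. The header line is skipped.
#   Works for IPv4 and bracketed IPv6 peers because the port is always the
#   last ':'-separated element.
filter_by_dport() {
    awk -v dport="$1" '
        NR == 1 { next }                     # skip the ss header line
        {
            # Fields: State Recv-Q Send-Q Local:Port Peer:Port [users:(...)]
            n = split($5, peer, ":")
            if (peer[n] == dport) {
                proc = ($6 == "") ? "(no process info; run as root)" : $6
                print $4 " -> " $5 "  " proc
            }
        }'
}

# list_live_outbound DPORT
#   Live query on the host. `-p` only shows process names when run as root.
#   Not exercised below; it is the call you would run on the server.
list_live_outbound() {
    ss -tnp | filter_by_dport "$1"
}

# Constructed sample in `ss -tnp` format (documentation addresses, not real
# data from the report). One php-cgi process has an outbound HTTP connection
# from ephemeral port 40474 to port 80; the others are unrelated traffic.
SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 203.0.113.10:40474 198.51.100.7:80 users:(("php-cgi",pid=4321,fd=5))
ESTAB 0 0 203.0.113.10:22 192.0.2.55:51234 users:(("sshd",pid=1001,fd=3))
ESTAB 0 0 203.0.113.10:51000 198.51.100.9:443 users:(("curl",pid=4444,fd=3))'

# demo: run the filter over the constructed sample for destination port 80.
demo() {
    printf '%s\n' "$SAMPLE" | filter_by_dport 80
}

demo
```

Run `list_live_outbound 80` as root on the server; the pid in the `users:` field identifies the process, and `ps -o user,cmd -p PID` then shows the account and script, the same kind of trail the mail delivery reports give for a spamming script. Because a connection to a command-and-control host is usually short-lived, a single `ss` snapshot can miss it, so run the query repeatedly (for example every few seconds from a loop or cron job) and keep the output for comparison against the detection time in the XBL report.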

cPRex

Hey there!

It's always interesting to me why they don't provide more specific data when an IP address is blocked. Spamhaus clearly knows the traffic they are flagging, so they should be able to tell you what they are seeing on their end.

If this were me, I'd ask for more specific details on what traffic they flagged, mentioning that you didn't see any outbound traffic to that source IP they had provided.