The Community Forums

IP Blacklisted

Discussion in 'Security' started by Osama Tariq, Apr 10, 2015.

  1. Osama Tariq (Well-Known Member, cPanel Access Level: Root Administrator, Lahore, Pakistan)

    Below is the reason my IP was blacklisted. I have blocked this IP "212.227.252.198" in the firewall. Moreover, I have scanned all accounts with ClamAV. Kindly let me know any other preventive measures.

    Code:
    IP Address 167.114.118.103 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

    It was last detected at 2015-04-10 14:00 GMT (+/- 30 minutes), approximately 30 minutes ago.

    This IP is infected with, or is NATting for a machine infected with s_gozi

    Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.

    This was detected by observing this IP attempting to make contact to a s_gozi Command and Control server, with contents unique to s_gozi C&C command protocols.

    This was detected by a TCP/IP connection from 167.114.118.103 on port 40182 going to IP address 212.227.252.198 (the sinkhole, http://cbl.abuseat.org/sinkhole.html) on port 80.

    The botnet command and control domain for this connection was "domain.com".

    #1 Osama Tariq, Apr 10, 2015
    Last edited by a moderator: Apr 15, 2015
  2. quizknows (Well-Known Member, cPanel Access Level: DataCenter Provider)

    Blocking the IP will not help you; the IP is not malicious. Sinkhole IPs are used so that domains which used to host malware can be pointed to them, to identify infected machines. Blocking the IP will only prevent your server from being detected as infected, it will not fix or prevent any infections.

    ClamAV is a good start. Maldet would also be advisable. You should carefully review the output of "ps faux" as root to inspect all running processes. You could also do a recursive grep to look for the suspect domain "domain.com" in the code in any sites. Lastly you should also review your mail queue, since if there is spam in there it might help you identify the hacked account which caused this CBL listing of your server.
     
    #2 quizknows, Apr 10, 2015
    Last edited by a moderator: Apr 18, 2015
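An added illustration of the three triage steps in the reply above (a hypothetical script written for this page, not the forum post's own commands and not cPanel-provided): POSIX shell functions that search site files for the suspect C&C domain, filter a "ps faux"-style listing for processes running out of world-writable scratch directories, and summarise an "exim -bp" queue listing by envelope sender. The document-root tree, process listing and queue listing it runs against are constructed inline; "domain.com" is the placeholder domain exactly as it appears in the CBL report, and the file names and sender addresses are made up.

```shell
#!/bin/sh
# Added example (hypothetical, not from the forum post or cPanel): helpers for
# the three checks quizknows lists. Inputs are passed as arguments or on stdin
# so the functions run against the constructed samples below or real output.

SUSPECT_DOMAIN="domain.com"   # C&C domain from the CBL report (placeholder as given there)

# 1. Recursive search of site files for the suspect domain.
#    $1 = directory to search, $2 = domain. Prints each matching file path.
find_domain_refs() {
    grep -rlF -- "$2" "$1" 2>/dev/null
}

# 2. Filter a "ps faux"-style listing (stdin) for processes whose command line
#    points at world-writable scratch paths, a common home for dropped binaries.
#    The header line (NR == 1) is skipped.
flag_suspect_procs() {
    awk 'NR > 1 && /\/tmp\/|\/var\/tmp\/|\/dev\/shm\// { print }'
}

# 3. Summarise an "exim -bp" listing (stdin) by envelope sender, busiest first.
#    Output lines are "count sender"; a sender with far more queued mail than
#    the rest is the account to inspect first.
queue_senders() {
    sed -n 's/.*<\([^>]*\)>.*/\1/p' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# --- constructed sample data -------------------------------------------------

# Builds a throwaway document-root tree; one file references the suspect domain.
# Prints the directory path so the caller can inspect and remove it.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/public_html" "$d/site2/public_html"
    printf '<?php echo "hello"; ?>\n' > "$d/site1/public_html/index.php"
    printf '<iframe src="http://domain.com/"></iframe>\n' > "$d/site2/public_html/footer.php"
    printf '%s\n' "$d"
}

# Constructed "ps faux"-style listing (columns trimmed for readability).
SAMPLE_PS='USER PID %CPU COMMAND
root 1 0.0 /sbin/init
nobody 2041 0.0 /usr/sbin/httpd -k start
user1 3177 9.5 /tmp/.x/.s'

# Constructed "exim -bp"-style listing: one sender has two queued messages.
SAMPLE_QUEUE=' 1h  2.3K 1aBcDe-000001-AB <bounce@example.invalid>
          victim1@example.net

25m  1.1K 1aBcDf-000002-CD <user@legit.example>
          friend@example.org

 2h  2.0K 1aBcDg-000003-EF <bounce@example.invalid>
          victim2@example.net'

# Runs all three checks against the samples. On a real server the same
# functions are fed live data instead, e.g.:
#   find_domain_refs /home "$SUSPECT_DOMAIN"
#   ps faux | flag_suspect_procs
#   exim -bp | queue_senders
triage_demo() {
    root=$(make_sample_docroot)
    echo "== files referencing $SUSPECT_DOMAIN =="
    find_domain_refs "$root" "$SUSPECT_DOMAIN"
    echo "== processes running from scratch directories =="
    printf '%s\n' "$SAMPLE_PS" | flag_suspect_procs
    echo "== queued messages per sender =="
    printf '%s\n' "$SAMPLE_QUEUE" | queue_senders
    rm -rf "$root"
}

if [ "${1:-}" = "demo" ]; then
    triage_demo
fi
```

Run it as `sh triage.sh demo` to see the three reports on the sample data. The scratch-directory filter is only a first cut: a process list should still be read in full, since a dropped binary can just as well sit under a writable home directory, and the queue summary only points at the busiest sender, which still has to be confirmed by reading the queued messages themselves.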
  3. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)

  4. Osama Tariq (Well-Known Member, cPanel Access Level: Root Administrator, Lahore, Pakistan)

    My IP is delisted. I have just blocked his IP and scanned with ClamAV.
     
  5. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)
