Two different servers involved. One was cleared and did not re-appear, now we have another server on their list.
What makes me believe these are false positives? Because in the detail that describes the reason for the listing, they give a source port number which has never been opened in our firewall. Both listings describe this kind of thing:
---------
IP Address ######## is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2014-09-26 17:00 GMT (+/- 30 minutes), approximately 6 hours, 30 minutes ago.
This IP address is infected with, or is NATting for a machine infected with "Gameover Zeus" or "GOZ" - previously it has been referred to as "ZeusV3" or "p2pzeus". GOZ is a version of the ZeuS malware that uses peer-to-peer (P2P) command and control mechanisms.
THEN FURTHER DOWN THE PAGE:
The report for your IP indicates connections from/to TCP/IP IP address n/a (the sinkhole server address) with a destination port 80, source port (for this detection) of 51578 at exactly 2014-09-26 17:28:24 (UTC). All of our detection systems use NTP for time synchronization, so the timestamp should be accurate within one second.
----------------------------
Thus, "source port (for this detection) of 51578" has never been opened, so we have a false positive, right?
And by the way, I have confirmed that our firewall is effectively closing this port with this tester:
telnet portquiz.net 51578
Could I be missing something with this?
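A check a practitioner would want to run against a listing like the one quoted above: the detection line gives a UTC timestamp (stated accurate to one second), the destination port 80 and the source port 51578 of the connection, which is enough to search a NATting firewall's outbound connection logs for the internal host that made that connection at that moment. The script below is an added example, not part of the original post and not CBL tooling; it parses the quoted detection line and a constructed set of iptables-style log lines (assumed to be in UTC and from the year 2014, which syslog timestamps omit) and returns the log entries whose source port and destination port match within a two-second window.

```python
import re
from datetime import datetime, timedelta, timezone

# The detection line as quoted in the CBL listing above.
REPORT = (
    "The report for your IP indicates connections from/to TCP/IP IP address n/a "
    "(the sinkhole server address) with a destination port 80, source port (for "
    "this detection) of 51578 at exactly 2014-09-26 17:28:24 (UTC)."
)

# Constructed iptables LOG-target style lines (not real logs) from a NATting
# firewall: SRC is the internal client, SPT its source port, DPT the remote port.
SAMPLE_LOG = """\
Sep 26 17:28:23 fw kernel: OUT=eth0 SRC=192.168.10.45 DST=203.0.113.9 PROTO=TCP SPT=51578 DPT=80
Sep 26 17:28:23 fw kernel: OUT=eth0 SRC=192.168.10.12 DST=198.51.100.7 PROTO=TCP SPT=51578 DPT=443
Sep 26 17:28:24 fw kernel: OUT=eth0 SRC=192.168.10.45 DST=203.0.113.9 PROTO=TCP SPT=51579 DPT=80
Sep 26 17:31:02 fw kernel: OUT=eth0 SRC=192.168.10.77 DST=203.0.113.9 PROTO=TCP SPT=51578 DPT=80
"""

# Matches the wording of the detection line in the quoted listing.
REPORT_RE = re.compile(
    r"destination port (?P<dport>\d+), source port \(for this detection\) of "
    r"(?P<sport>\d+) at exactly (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \(UTC\)"
)
# Only the fields needed for the correlation are captured.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_report(text):
    """Extract destination port, source port and UTC timestamp from a CBL detection line."""
    m = REPORT_RE.search(text)
    if m is None:
        raise ValueError("no detection line found")
    when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"dport": int(m.group("dport")), "sport": int(m.group("sport")), "when": when}


def parse_log(text, year):
    """Parse iptables-style lines; syslog omits the year, so it is supplied (assumed UTC)."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        when = datetime.strptime(
            f"{year} {m.group('mon')} {m.group('day')} {m.group('hms')}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        entries.append({"when": when, "src": m.group("src"), "dst": m.group("dst"),
                        "spt": int(m.group("spt")), "dpt": int(m.group("dpt"))})
    return entries


def find_candidates(report, log_text, year, window_seconds=2):
    """Return log entries whose source and destination ports match the report within the window."""
    window = timedelta(seconds=window_seconds)
    hits = [e for e in parse_log(log_text, year)
            if e["spt"] == report["sport"] and e["dpt"] == report["dport"]
            and abs(e["when"] - report["when"]) <= window]
    return sorted(hits, key=lambda e: e["when"])


if __name__ == "__main__":
    r = parse_report(REPORT)
    for hit in find_candidates(r, SAMPLE_LOG, year=2014):
        print(hit["when"].isoformat(), hit["src"], "->", hit["dst"], hit["spt"], hit["dpt"])
```

On the constructed log the only hit is the 17:28:23 entry from 192.168.10.45, one second before the report's timestamp; the entries with the same source port but a different destination port, a different source port, or a time outside the window are rejected. The check only works if the firewall logs outbound connections with their translated source port; without such logs there is nothing to correlate the listing against after the fact.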