The Community Forums


Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible?

Discussion in 'Security' started by jols, Sep 26, 2014.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Two different servers involved. One was cleared and did not re-appear, now we have another server on their list.

    What makes me believe these are false positives? Because in the detail that describes the reason for the listing, they give a source port number which has never been opened in our firewall. Both listings describe this kind of thing:
    ---------
    IP Address ######## is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

    It was last detected at 2014-09-26 17:00 GMT (+/- 30 minutes), approximately 6 hours, 30 minutes ago.

    This IP address is infected with, or is NATting for a machine infected with "Gameover Zeus" or "GOZ" - previously it has been referred to as "ZeusV3" or "p2pzeus". GOZ is a version of the ZeuS malware that uses peer-to-peer (P2P) command and control mechanisms.


    THEN FURTHER DOWN THE PAGE:

    The report for your IP indicates connections from/to TCP/IP IP address n/a (the sinkhole server address) with a destination port 80, source port (for this detection) of 51578 at exactly 2014-09-26 17:28:24 (UTC). All of our detection systems use NTP for time synchronization, so the timestamp should be accurate within one second.

    ----------------------------

    Thus, "source port (for this detection) of 51578" has never been opened, so we have a false positive, right?

    And by the way, I have confirmed that our firewall is effectively closing this port with this tester:

    telnet portquiz.net 51578

    Could I be missing something with this?
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible

    Just because you have a port closed for inbound traffic does not mean traffic can't go out from that port.

    It's very "normal" for your connections to a webserver (on the server's port 80) to initiate from a high port number on your own machine.

    More than likely you do have a hacked website or user on your server.
     
  3. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible

    Thanks but I never stated we closed ports just for inbound traffic.

    Since the two servers in question were first put online, the ports mentioned in both CBL reports have been closed for outbound traffic: TCP_OUT, UDP_OUT, and TCP6_OUT. And again, this test was run from WITHIN these servers, and was unable to connect, e.g.:

    telnet portquiz.net 51578

    Also extensive netstat monitoring is showing no outbound activity on ports and port ranges outside of our firewall parameters.

    So..... false positive from CBL/Spamhaus, yes? This is the only conclusion that I can arrive at so far. Seems like either there is something seriously wrong at Spamhaus or some other system spoofing our server IP.

    What would you assume this to be? Anyone?
     
  4. Tom Risager

    Tom Risager Well-Known Member

    Joined:
    Jul 10, 2012
    Messages:
    107
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Copenhagen, Denmark, Denmark
    cPanel Access Level:
    Root Administrator
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible

    "telnet portquiz.net 51578" would put "51578" in the IP destination port field.

    The message from Spamhaus just tells you that the offending connection came from source port 51578 on your server, something that would not be blocked by your firewall. So no reason to believe this is a false positive.
     
  5. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible

    Thanks Tom, but with all due respect, this makes no sense.

    If we only allow a certain limited number of ports in our firewall, in TCP_OUT and UDP_OUT.

    And 51578 is outside of this range of allowed ports.

    Then how is it that our firewall would not block an outbound connection on port 51578 ???


    -----------------

    P.S. Likewise, we do not allow inbound traffic on port 51578 as well, via TCP_IN or UDP_IN.
     
    #5 jols, Sep 27, 2014
    Last edited: Sep 27, 2014
  6. Tom Risager

    Tom Risager Well-Known Member

    Joined:
    Jul 10, 2012
    Messages:
    107
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Copenhagen, Denmark, Denmark
    cPanel Access Level:
    Root Administrator
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible

    Assuming you allow outgoing connections to port 80, connecting to that port from inside your system with a source port of 51578 would not be stopped by your firewall settings.

    Linux typically uses source port numbers in the range 32768 to 61000. These are chosen automatically when a connection attempt is made.
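The point Tom makes in this and his previous reply, worked through as an added example (my code, not anything posted in the thread): a destination-port allow list of the TCP_OUT/TCP_IN kind named above decides on the port the first packet is sent *to*, so an outbound connection to port 80 passes no matter which ephemeral source port the kernel picked, while `telnet portquiz.net 51578` puts 51578 in the destination field and is refused. The script parses the detection sentence from the CBL report quoted in the first post, checks the reported source port against the 32768-61000 range Tom cites, and shows which of the two flows a destination-port rule lets through. The `ALLOWED` lists, the `netstat -ntp` lines (RFC 5737 documentation addresses, made-up PIDs) and the source port 40000 used for the telnet test are constructed for the example, not taken from the thread.

```python
import re
from dataclasses import dataclass

# Default Linux ephemeral source-port range quoted in the thread (32768-61000).
EPHEMERAL_RANGE = (32768, 61000)

# Constructed allow lists in the style of the TCP_OUT/UDP_OUT/TCP_IN/UDP_IN
# settings named in the thread: each set holds *destination* ports.
ALLOWED = {
    "TCP_OUT": {25, 53, 80, 443},
    "UDP_OUT": {53, 123},
    "TCP_IN": {22, 25, 80, 443},
    "UDP_IN": {53},
}

# The detection sentence from the CBL report quoted in the first post.
CBL_REPORT = (
    "The report for your IP indicates connections from/to TCP/IP IP address n/a "
    "(the sinkhole server address) with a destination port 80, source port "
    "(for this detection) of 51578 at exactly 2014-09-26 17:28:24 (UTC)."
)

# Constructed `netstat -ntp` output (documentation addresses, made-up PIDs).
NETSTAT_SAMPLE = [
    "tcp        0      0 192.0.2.10:51578        198.51.100.7:80         ESTABLISHED 4321/php-fpm",
    "tcp        0      0 192.0.2.10:80           203.0.113.5:49152       ESTABLISHED 1010/httpd",
    "tcp        0      0 192.0.2.10:22           203.0.113.9:50012       ESTABLISHED 900/sshd",
]


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    direction: str  # "out": this server opened the connection; "in": a remote host did
    sport: int      # source port of the first packet, as seen from this server
    dport: int      # destination port of the first packet


def sport_is_ephemeral(port):
    lo, hi = EPHEMERAL_RANGE
    return lo <= port <= hi


def firewall_permits(flow, allowed=ALLOWED):
    """Model of a destination-port allow list: only dport is consulted,
    the kernel-chosen sport never is."""
    key = f"{flow.proto}_{flow.direction}".upper()
    return flow.dport in allowed.get(key, set())


DETECTION_RE = re.compile(
    r"destination port (\d+), source port \(for this detection\) of (\d+) "
    r"at exactly (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \(UTC\)"
)


def parse_cbl_detection(text):
    m = DETECTION_RE.search(text)
    if not m:
        raise ValueError("no CBL detection sentence found")
    return {"dport": int(m.group(1)), "sport": int(m.group(2)), "when_utc": m.group(3)}


def analyse(report_text=CBL_REPORT, allowed=ALLOWED):
    det = parse_cbl_detection(report_text)
    # What CBL saw: this server connected out to the sinkhole's port 80.
    reported = Flow("tcp", "out", det["sport"], det["dport"])
    # What `telnet portquiz.net 51578` exercises: dport 51578, with a
    # kernel-chosen sport (40000 is a constructed value).
    telnet_test = Flow("tcp", "out", 40000, det["sport"])
    return {
        "detection_utc": det["when_utc"],
        "reported_sport": det["sport"],
        "reported_sport_is_ephemeral": sport_is_ephemeral(det["sport"]),
        "reported_flow_permitted": firewall_permits(reported, allowed),
        "telnet_test_permitted": firewall_permits(telnet_test, allowed),
    }


def outbound_flows_from_netstat(lines):
    """Keep ESTABLISHED TCP sockets whose *local* port is ephemeral: those are
    connections this server initiated, the kind the CBL report describes."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        lport = int(parts[3].rsplit(":", 1)[1])
        fport = int(parts[4].rsplit(":", 1)[1])
        if parts[5] == "ESTABLISHED" and sport_is_ephemeral(lport):
            flows.append(Flow("tcp", "out", lport, fport))
    return flows


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
    for f in outbound_flows_from_netstat(NETSTAT_SAMPLE):
        print(f"outbound {f.sport} -> {f.dport}, permitted by TCP_OUT: {firewall_permits(f)}")
```

When reviewing `netstat` or `ss` output for this kind of listing, the connections to look at are the ones whose local port is in the ephemeral range and whose foreign port is an allowed outbound destination such as 80; a blocklist that names a high source port is describing exactly such a connection, not an open listening port.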
     
  7. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible

    Okay, I get it now, thanks!

    Question - Would such an outbound source port connection be recorded in /var/log/messages ?
     
  8. Tom Risager

    Tom Risager Well-Known Member

    Joined:
    Jul 10, 2012
    Messages:
    107
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Copenhagen, Denmark, Denmark
    cPanel Access Level:
    Root Administrator
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  10. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Re: Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible

    Good lead. Thanks much.
     