Desperately need help - CBL Listing

Guest smitty

Hello All

I am desperately looking for some direction. I have a Mandriva box with two network cards, one for loc and one for net. Every now and then, and it is ad hoc, we are getting listed on CBL with the following description:

This IP is infected (or NATting for a computer that is infected) with the Conficker A or Conficker B botnet.

It is referring to IP 216.66.15.109

Is there a way in which I can block any and all traffic to this IP using shorewall?

I have squid, postfix, shorewall in place. Apparently, according to CBL, it uses port 80; here we have a transparent proxy in use.

Could anyone please help me out. Have battled for two weeks.

Thank you

Smitty

I don't use shorewall, so can't tell you specifically. I am using iptables however, so you should be blocking all inbound traffic unless you need access on those ports. You don't list your inbound requirements. You have squid and postfix, so do these need to be accessible to the internet? If yes, then secure squid so that nobody can use it unless you authorise them to, and the same with postfix:

http://www.mailradar.com/openrelay/

That page will help you test and tell you what you need to do and fix postfix. As for the rest, you need to generate iptables or shorewall rules to block what you don't want access to. If you want to block on that particular IP:

iptables -A INPUT -d 216.66.15.109 -j DROP

assuming that 216.66.15.109 is your public IP address assigned to this server. If not, replace it with your public IP address, because the one above that you mentioned is Fremont, California, and your IP posting here is South Africa. So change that destination IP appropriately.

That will suffice, and allow you to continue using your server locally. However it won't be accessible now from the internet for any of your resources. If you need access, then generate appropriate iptables rules prior to this to grant access for particular source IPs, or secure squid so that only authorised users can use it.

Based on the text from the CBL, someone is using your proxy to hide their conficker requirements, and so you were correctly blocked.

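The thread raises two practical tasks: blocking the CBL-listed destination on a box that also runs a transparent Squid proxy, and working out which LAN client is the one actually talking to it. The script below is an added example, not code from either poster. It assumes Squid's default native access.log format and an iptables firewall; the log lines are constructed sample data, and the shorewall lines use the standard rules-file column order (ACTION SOURCE DEST). Nothing is applied to a live firewall; the functions only produce the rule text and the client list so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes Squid native
# access.log format and an iptables/shorewall firewall. The destination
# IP is the one quoted in the thread; the log lines are constructed.

BLOCKED_IP="216.66.15.109"

# Constructed sample of Squid native access.log lines. Fields:
# timestamp elapsed client action/code bytes method URL user peer type
SAMPLE_LOG='1250000001.123 210 192.168.1.57 TCP_MISS/200 1420 GET http://216.66.15.109/search?q=x - DIRECT/216.66.15.109 text/html
1250000002.456 180 192.168.1.12 TCP_HIT/200 8800 GET http://www.example.org/ - NONE/- text/html
1250000003.789 205 192.168.1.57 TCP_MISS/200 512 GET http://216.66.15.109/ - DIRECT/216.66.15.109 text/html
1250000004.012 190 192.168.1.88 TCP_MISS/200 340 GET http://216.66.15.109/bot.php - DIRECT/216.66.15.109 text/html'

# find_clients IP  (reads access.log lines on stdin)
# Prints "client hits" for every LAN address that reached IP through the
# proxy, most hits first. With a transparent proxy the CBL only ever sees
# the proxy's public address, so this is how the infected host is located.
find_clients() {
    awk -v ip="$1" '
        {
            url = $7
            sub("^[a-z]+://", "", url)   # strip scheme
            sub("[/:].*$", "", url)      # keep host part only
            split($9, peer, "/")         # e.g. DIRECT/216.66.15.109
        }
        url == ip || peer[2] == ip { hits[$3]++ }
        END { for (c in hits) printf "%s %d\n", c, hits[c] }
    ' | sort -k2,2nr -k1,1
}

# iptables_rules IP
# FORWARD covers LAN hosts routed through the box. OUTPUT is needed too:
# a transparent proxy makes Squid itself the client for port 80 requests,
# so those connections originate on the firewall and never hit FORWARD.
iptables_rules() {
    printf 'iptables -I FORWARD -d %s -j DROP\n' "$1"
    printf 'iptables -I OUTPUT -d %s -j DROP\n' "$1"
}

# shorewall_rules IP
# Equivalent entries for /etc/shorewall/rules (zones loc, net and the
# firewall itself as $FW, as in the poster's two-card setup).
shorewall_rules() {
    printf 'DROP loc net:%s\n' "$1"
    printf 'DROP $FW net:%s\n' "$1"
}

# squid_acl IP
# Deny the destination inside Squid as well, so the proxy refuses and logs
# the request instead of silently timing out against the DROP rule.
squid_acl() {
    printf 'acl cbl_listed dst %s\nhttp_access deny cbl_listed\n' "$1"
}

# Stand-alone run: show the offending clients and the rules to review.
printf '%s\n' "$SAMPLE_LOG" | find_clients "$BLOCKED_IP"
iptables_rules "$BLOCKED_IP"
shorewall_rules "$BLOCKED_IP"
squid_acl "$BLOCKED_IP"
```

In production, pipe the real access.log through find_clients and check the top client's traffic before adding the deny rules; the OUTPUT/$FW rule is the one most people forget when a transparent proxy is in the path.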