Server on a blacklist

sef
Post subject: Server on a blacklist  Posted: 30.01.2014 - 11:38 #105774
Basic

Joined: Feb 18, 2007
Posts: 418

Hi.

My server has been on a blacklist for about a week now. Until now it was only on the mailspike BL, but since this morning it is on spamhaus.org as well. There I read this:

This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef. More information can be found from Wikipedia. It is most often used for bitcoin mining or click fraud, but as it contains a downloader portion, it can do anything.

If this IP address is a NAT gateway, it should be possible to find which computer on your internal network is infected by implementing a filter on your firewall to detect and log attempts to send UDP packets to the Internet with a destination port number of 16470.

REMEMBER: ZeroAccess is NOT an Email spamming tool. This detection was NOT because of spam.


I did this:
iptables -I OUTPUT -p udp --dport 16471 -j DROP
iptables -I OUTPUT -p udp --dport 16470 -j DROP
iptables -I OUTPUT -p udp --dport 16465 -j DROP
iptables -I OUTPUT -p udp --dport 16464 -j DROP

Is that enough? Has anyone here dealt with this before? I also get e-mails, e.g. from abcd@mojafirma.sk to my address, but I have no "abcd" name on the server.

Thanks for any advice. I have port 25 blocked on both FORWARD and OUTPUT.
 
midnight_man
Post subject: RE: Server on a blacklist  Posted: 30.01.2014 - 11:50 #105775
Master

Joined: Feb 14, 2011
Posts: 2544

Well, it says right there which port it uses, so just catch the local IP that is working with that port and you're done :)
 
sef
Post subject: RE: Server on a blacklist  Posted: 30.01.2014 - 11:55 #105776
Basic

Joined: Feb 18, 2007
Posts: 418

Well yes, 16470. On the internet I read that it is the other ports too. I ran a search on the local network and for all clients it listed it as "domain". Hm?
 
midnight_man
Post subject: RE: Server on a blacklist  Posted: 30.01.2014 - 12:37 #105777
Master

Joined: Feb 14, 2011
Posts: 2544

Put 16470 with the UDP protocol into the firewall and wait to see which local IPs get caught.
 
sef
Post subject: RE: Server on a blacklist  Posted: 30.01.2014 - 16:53 #105781
Basic

Joined: Feb 18, 2007
Posts: 418

It looks OK for now. I'm more worried that someone who has this one piece of spam may have more of them. So it may happen that I'll be on the BL again before long. Do you block OUTPUT in any way? I block only incoming and allow on it only 25 SMTP, 80 web and 53 TCP + UDP for DNS. On FORWARD I block 25 plus the ones I listed above. And on OUTPUT only the ones I listed above. So far there has been no problem for about 2 years.
 
sef
Post subject: RE: Server on a blacklist  Posted: 30.01.2014 - 16:55 #105782
Basic

Joined: Feb 18, 2007
Posts: 418

http://www.trojanhunter.com/trojanhunter/portlist/

I would block these right away if I felt like typing that many out.
 
sef
Post subject: RE: Server on a blacklist  Posted: 30.01.2014 - 17:17 #105783
Basic

Joined: Feb 18, 2007
Posts: 418

Would this help me track down the spammer?

iptables -N LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
 
pixall
Post subject: RE: Server on a blacklist  Posted: 30.01.2014 - 21:35 #105785
Master

Joined: Oct 21, 2003
Posts: 4247

sef wrote: ›It looks OK for now. I'm more worried that someone who has this one piece of spam may have more of them. So it may happen that I'll be on the BL again before long. Do you block OUTPUT in any way? I block only incoming and allow on it only 25 SMTP, 80 web and 53 TCP + UDP for DNS. On FORWARD I block 25 plus the ones I listed above. And on OUTPUT only the ones I listed above. So far there has been no problem for about 2 years.

OUTPUT is traffic that originates on that particular machine and leaves over the network. So with that you blocked connections from that particular router (from local applications), not connections that pass through the router. RTFM.
 
sef
Post subject: RE: Server on a blacklist  Posted: 31.01.2014 - 00:20 #105786
Basic


Joined: Feb 18, 2007
Posts: 418

iptables -I OUTPUT -p udp --dport 16470 -j DROP
iptables -I FORWARD -p udp --dport 16470 -j DROP

That's how I set it.
 
alwarez
Post subject: RE: Server on a blacklist  Posted: 31.01.2014 - 08:11 #105789
Basic

Joined: May 22, 2005
Posts: 477
Location: Michalovce
Isn't it better to find and remove the actual culprit than to drop packets?
iptables -I FORWARD -p udp --dport 16470 -j LOG --log-prefix "kamarat udp na port 16470: "
and then drop it
 
sef
Post subject: RE: Server on a blacklist  Posted: 31.01.2014 - 09:55 #105790
Basic

Joined: Feb 18, 2007
Posts: 418

And where do I find that log afterwards? I probably have 16470 sorted out, and I think there is still some other spam in the network, and logging all ports probably makes no sense. Thanks for the advice.
 
sef
Post subject: RE: Server on a blacklist  Posted: 31.01.2014 - 09:58 #105791
Basic

Joined: Feb 18, 2007
Posts: 418

One more thing. Spamhaus at least tells you why and when you were blocked, but that damn.. mailspike BL says nothing, only that you are blocked. I even wrote them an e-mail, but they don't give a s... If they at least said that you are spreading such-and-such spam, but nothing.
 
alwarez
Post subject: RE: Server on a blacklist  Posted: 31.01.2014 - 11:47 #105793
Basic

Joined: May 22, 2005
Posts: 477
Location: Michalovce
Probably sorted out? You'll find the logs in /var/log.
If you run a server on Linux, it wouldn't hurt to study up a bit, or to let someone who at least somewhat knows what they're doing work with Linux.
 
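An added example, not written by any poster in this thread: the log-then-drop rule on FORWARD for the UDP ports sef listed, plus a function that tallies the internal source addresses from the resulting kernel log lines. The prefix "ZA-udp: ", the host name gw, the interface names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find the LAN hosts behind the ZeroAccess listing.
PORTS="16464,16465,16470,16471"  # UDP ports from sef's first post
PREFIX="ZA-udp: "                # assumed name; --log-prefix allows at most 29 characters

# Run as root on the gateway. FORWARD carries the LAN clients' packets and is
# traversed before NAT rewrites the source, so the log shows the internal IP.
install_rules() {
    iptables -I FORWARD 1 -p udp -m multiport --dports "$PORTS" \
        -m limit --limit 30/min -j LOG --log-prefix "$PREFIX" --log-level 4
    iptables -I FORWARD 2 -p udp -m multiport --dports "$PORTS" -j DROP
}

# Read kernel log lines on stdin, print "hits source-ip", busiest host first.
infected_hosts() {
    awk -v prefix="$PREFIX" '
        index($0, prefix) {
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src != "") hits[src]++
        }
        END { for (h in hits) print hits[h], h }' | sort -rn
}

# Constructed sample lines (host "gw", eth1 = LAN, eth0 = uplink are assumptions).
sample_log() {
cat <<'EOF'
Jan 31 10:02:11 gw kernel: ZA-udp: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.9 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=101 PROTO=UDP SPT=51234 DPT=16470 LEN=24
Jan 31 10:02:13 gw kernel: ZA-udp: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.77 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=102 PROTO=UDP SPT=51234 DPT=16471 LEN=24
Jan 31 10:02:40 gw kernel: ZA-udp: IN=eth1 OUT=eth0 SRC=192.168.1.52 DST=203.0.113.9 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=7 PROTO=UDP SPT=49800 DPT=16464 LEN=24
Jan 31 10:03:02 gw kernel: IPTables-Dropped: IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=UDP SPT=40000 DPT=53 LEN=40
Jan 31 10:03:15 gw kernel: ZA-udp: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.9 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=103 PROTO=UDP SPT=51234 DPT=16470 LEN=24
EOF
}

# Demo on the constructed sample; prints one "hits source-ip" line per LAN host.
sample_log | infected_hosts
```

install_rules is only defined here, not called; run it as root on the gateway, then pipe the file under /var/log that receives kernel messages (typically /var/log/messages on a default Red Hat rsyslog setup) into infected_hosts.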
sef
Post subject: RE: Server on a blacklist  Posted: 01.02.2014 - 14:51 #105809
Basic

Joined: Feb 18, 2007
Posts: 418

Hi.

I knew the log is stored in /var/log, it's just that I didn't have log creation for iptables set up there. I added it to rsyslog.conf, since I have Red Hat and had been looking for syslog.conf. But as I say, finding the other spammer is harder since I don't know the port. I looked through iptraf at which ports are being used. I found no 25 SMTP at all. There are the usual ports. Otherwise, how do I uncover e.g. port 53? After all, things work over UDP 53 or TCP as well, e.g. "Bonk (DoS) trojan horse also uses port 53 (TCP)". And there are more like that. I tried netstat -tapn too.
 
krtko
Post subject: RE: Server on a blacklist  Posted: 01.02.2014 - 14:54 #105810
Basic

Joined: Jan 21, 2004
Posts: 425
Location: Rimavska Sobota
Yes, definitely block 53 as well :D :D :D
 