At this time, details of this infestation are little known.
We have some preliminary information that seems to indicate that this is
being caused by a recent variant of the "Spam-Mailbot" worm/trojan. At
least McAfee VirusScan is apparently able to detect it, but is not able
to repair or remove it.
This variant, according to third hand reports, is an "IRC-controlled"
spambot that intersperses the sending of spam with attempts to remove
its own IP from the CBL via the CBL's lookup and remove pages.
Our detections are definitive, and cannot be confused by normal queries to
the CBL web page.
In many cases, the spambot is apparently unable to send spam because it
is port 25 blocked, but the port 80 connections can still be made. We
have also taken steps to avoid listing web proxies or NATs forwarding
packets. So, in all probability, the IP itself is infected, even if it
is a proxy or NAT.
One way of finding the malicious software doing this would be to run a
packet sniffer looking for connections to cbl.abuseat.org
(216.168.28.50) on port 80, and identifying what software is doing it.
Running a combination of anti-spyware and anti-virus programs may also
help to find this software. http://www.mynetwatchman.com/tools/sc/ (the
seccheck tester) will probably be the most helpful in finding it, as
well as yielding information we can use to help others to find/kill it.
We would appreciate any information on the infection that you find.
This entry has already been delisted from the CBL. Unless otherwise
stated, the CBL will relist this IP if the underlying issues are not
resolved, and the CBL detects the same thing again.
-- Sidney, CBL Team
[/i]
In short, there is a virus that specifically DDoSes their web server;
one like that may have infected one of the machines, and that is why they kept banning us.
After blocking the traffic going to port 80 of the above address, the server no longer got listed.
The sad thing is that they wrote nothing about this possibility on their site,
no notification of any kind is sent about it, etc.;
you just suffer with it and keep looking for the spammer, even though there isn't one.
- robit's blog
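
The check suggested in the CBL notice (look for connections to 216.168.28.50 on port 80 and identify the software making them), as an added example that is not part of the original post or the CBL's tooling. It parses Windows `netstat -ano` output instead of a packet capture, which is an assumption; the sample output, local addresses and PIDs are constructed.

```python
"""Find which local process is connecting to the CBL web server."""
from collections import defaultdict

CBL_IP = "216.168.28.50"   # cbl.abuseat.org, as given in the CBL notice
CBL_PORT = 80

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.23:1045      216.168.28.50:80       ESTABLISHED     1384
  TCP    192.168.1.23:1046      216.168.28.50:80       SYN_SENT        1384
  TCP    192.168.1.23:1050      192.168.1.1:80         ESTABLISHED     2200
  TCP    192.168.1.23:1051      216.168.28.50:443      TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    700
"""

def split_endpoint(endpoint):
    """Split 'ip:port' or '[v6]:port' into (ip, port); port is None if not numeric."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None

def cbl_connections(netstat_text, ip=CBL_IP, port=CBL_PORT):
    """Return {pid: [(local_endpoint, state), ...]} for TCP connections to ip:port."""
    hits = defaultdict(list)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly 5 fields: proto, local, foreign, state, pid.
        # Headers and UDP rows (no state column) have a different count.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _, local, foreign, state, pid = fields
        if not pid.isdigit():
            continue
        if split_endpoint(foreign) == (ip, port):
            hits[int(pid)].append((local, state))
    return dict(hits)

if __name__ == "__main__":
    for pid, conns in cbl_connections(SAMPLE).items():
        print(f"PID {pid}: {len(conns)} connection(s) to {CBL_IP}:{CBL_PORT}")
        for local, state in conns:
            print(f"  {local} ({state})")
```

A reported PID can then be mapped to an executable with `tasklist /FI "PID eq <pid>"`; a browser that someone used to look up the CBL page will also show up here, so repeated connections from a non-browser process are the ones to investigate.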
Comments
Sad or not, this too proves that RBL lists also catch many legitimate mailers. Because even if one of your machines did get infected, the others could still have sent their mail, yet the CBL knocked out your whole network. That is, towards those who use the CBL. It is to be expected that there will be more and more similar false drops everywhere.
ASK Me No Questions, I'll Tell You No Lies