I am facing serious problems which are resulting in us being blacklisted, which is no good for our customer contacts, as we are unable to email them due to the blacklisting. The blacklist that keeps reporting us is CBL, which appears to be an affiliate of Spamhaus. I have checked all computers, and for the computers I haven't checked I have disabled their network access or their account access to our network through VPN, depending on whether they were in-house employees or off-site. I have yet to find the Cutwail/Pushdo (originally it was being reported by the CBL blacklist as Cutwail, but today it is being reported as the Pushdo variant). I am currently running Exterminate this but haven't seen anything special in its findings thus far. Is there any way to narrow down my searches to help isolate and resolve the problem as quickly as possible? Below is a short rundown on my network.
Network specs:
Static IP address
In-house domain controller, currently one until I finish bringing the second online
In-house Exchange server, freshly rebuilt due to motherboard failure
VPN set up through the domain controller for my off-site employees
1 Netgear R6200 router, which runs through a couple of 48-port and 24-port switches hard-lined to the entire office
Inbound and outbound emails from my Exchange server run through a Barracuda 300 spam/antivirus appliance and firewall to capture what isn't legitimate; I still need to tweak the settings to capture more, as I'm seeing a few here and there that haven't received an SCL score and are allowed through.
My thought is that since the Pushdo variant is running over the HTTP port I could close it, but then I was thinking that may cause internet issues for everyone in general.
I have run MBAM on all in-house machines and on those off-site employees who came in, with no results that were relevant to what I was looking for. Any insight on this, or on how to narrow it down to a group or a single computer, would be very helpful.
I am not familiar with server management, but I did find this:
“In some cases, the sites receiving the bogus HTTP traffic are flooded to the point that they are knocked offline. Dell’s CTU team also found that Pushdo malware generates a specific HTTP request, which starts with a “?xclzve_” prefix, and can be used to help determine which HTTP requests are legitimate.” - http://blog.avast.com/2013/06/25/15507/
Servers and printers: 192.168.1.2-.7; domain controllers are .55 and .35
Internal LAN PCs start at .10-.60
VPN starts at .100 (just for separation and ID for situations like this)
Unfortunately, the way my boss has the network, I also feed 3 external houses (6-12 extra computers plus other Wi-Fi-enabled devices) from UBNT NanoStations which share our public IP address, which I have yet to identify. This will be changed when we move to a new ISP.
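The Avast write-up quoted above names the "?xclzve_" query prefix as a marker of Pushdo's bogus HTTP requests, and the address plan above says which internal range belongs to which kind of machine. The following is an added example (not from this thread or from any of the tools mentioned) that scans constructed outbound HTTP log lines for that prefix and tallies hits by internal source address, so that a hit can be attributed to a LAN PC, VPN client or server rather than to the shared public IP; the log format and the address plan are assumptions to adjust to the real gateway.

```python
import re
from collections import Counter

# Indicator quoted on this thread from the Avast write-up: Pushdo's bogus
# HTTP requests carry a query string that begins with "?xclzve_".
PUSHDO_QUERY_PREFIX = "?xclzve_"

# Address plan as the original poster described it (assumed; adjust to the
# real network). Used only to label which class of host produced a hit.
def classify_host(ip):
    last = int(ip.split(".")[-1])
    if last in (35, 55):
        return "domain controller"
    if 2 <= last <= 7:
        return "server/printer"
    if 10 <= last <= 60:
        return "LAN PC"
    if last >= 100:
        return "VPN client"
    return "unassigned (possibly an external house via NanoStation)"

# Constructed log format: "<time> <src_ip> <dst_ip> "<method> <url> HTTP/1.x"".
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "(\w+) (\S+) HTTP/[\d.]+"')

def find_pushdo_hits(lines):
    """Return {src_ip: count} for requests whose query string starts with the prefix."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash on noisy logs
        src, url = m.group(2), m.group(5)
        qpos = url.find("?")
        # The prefix must be the start of the query, not merely present in it.
        if qpos != -1 and url[qpos:].startswith(PUSHDO_QUERY_PREFIX):
            hits[src] += 1
    return dict(hits)

def summarize(lines):
    """Map each hitting source IP to (host class, number of suspicious requests)."""
    return {ip: (classify_host(ip), n) for ip, n in find_pushdo_hits(lines).items()}

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2013-07-10T09:12:01 192.168.1.23 203.0.113.10 "GET /index.html HTTP/1.1"',
    '2013-07-10T09:12:05 192.168.1.41 198.51.100.7 "GET /?xclzve_kd83j HTTP/1.1"',
    '2013-07-10T09:12:06 192.168.1.41 198.51.100.8 "GET /page?xclzve_a1 HTTP/1.1"',
    '2013-07-10T09:12:09 192.168.1.104 198.51.100.9 "POST /?xclzve_zz HTTP/1.0"',
    '2013-07-10T09:12:11 192.168.1.55 203.0.113.11 "GET /?q=xclzve_not HTTP/1.1"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, (role, n) in summarize(SAMPLE_LOG).items():
        print(f"{ip:15} {role:20} {n} suspicious request(s)")
```

The router in the thread only sees the public address after NAT, so the log fed to this needs to come from something that records the internal source (the gateway's own logs, a proxy, or a capture on the LAN side of the router).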
bothunter.net doesn't appear to work, due to running Windows platforms, or maybe I'm new to this. Is there a way to possibly run BotHunter on a Windows 7 platform? I ran Snort but didn't see anything, as web traffic is constant.
I searched Wireshark for the string that is usually a signal of attack and didn't turn up any results. I'm looking for instructions on how to install BotHunter on Windows 7 using Unix (Cygwin) to run it. I really need to get this resolved, but I'm not finding anyone on my network that is infected at this point.
If the IP the CBL detected is a NAT firewall/gateway/router, do NOT make assumptions as to which machine is infected. Servers, even mail servers, are usually not the cause. Read these instructions on what to do: http://www.mynetwatchman.com/pckidiot/nattrack.htm
Go to DNSSTUFF and enter the IP into the “Spam Database Lookup” → http://www.dnsstuff.com/
You might have installed a proxy of some sort on your machine which is misconfigured (perhaps by default) to permit people on the Internet to relay through it to other places. Credit for this info goes to CBL (abuseat).
Really appreciate your help. I have checked this, though today I did notice something weird: Chrome was telling me the proxy server was reconfigured, but there shouldn't be a proxy set anywhere. After restarting the domain controller and realizing my ISP was having issues with low connectivity and intermittent outages in my area, things went back to normal. Problem is, the reason why I'm really on the hunt is the CBL blacklist; even for Pushdo, though it's HTTP, it is keeping me from contacting clients, which has already cost us in the ballpark of 150k+ in profits. So I really, really need to get this resolved as quickly as possible. I'll read through your links and report back any findings and/or logs.
Also, all servers were scanned to begin with, just as a precaution.
Looking here for the software causes.
But did you also check the flex cables? Wasn't there any peak current going over that router to cause it to misconfigure?
Keep an eye open for all causes, not just the issues that come as easy options... hope you fix this soon, really mean that, "kenachora".
I didn't see any currents that were questionable enough to cause misconfiguration. But I did speak with my ISP, and they are seeing transfers of 5 MB at a time in bandwidth spikes that happen 3-4 times a day to 3 different IP addresses. I identified the IP addresses that information is being sent to, and that's one of our customers, so would this possibly be cause for a false positive? It appears that CBL is the only thing flagging us any more for this issue.
I was actually thinking about this recently: what file names are created, or how could I manually locate a Pushdo variant to find out if it is installed on a machine, just in case the anti-malware/spyware software is not capturing it correctly?
Below are results from Netalyzr. I didn't see anything that stood out as something that could be allowing malicious issues.
Major Abnormalities
You are listed on a significant DNS blacklist
Minor Aberrations
The NAT's DNS proxy doesn't fully implement the DNS standard
Your computer's clock is substantially slow
Address-based Tests
NAT detection: NAT Detected
Local Network Interfaces: OK
DNS-based host information: Warning
You are not a Tor exit node for HTTP traffic.
You are listed on the following Spamhaus blacklists: XBL
The SORBS DUHL believes you are using a statically assigned IP address.
NAT support for Universal Plug and Play (UPnP): Yes
Reachability Tests
TCP connectivity: OK
UDP connectivity: OK
Traceroute: OK
Path MTU: OK
Hidden Proxy Detection: Not executed
Network Access Link Properties
Network performance: Latency: 50 ms, Loss: 0.0%
TCP connection setup latency: 47 ms
Background measurement of network health: no transient outages
Network bandwidth: Upload 7.2 Mbit/s, Download >20 Mbit/s
Network buffer measurements: Uplink 64 ms, Downlink 95 ms
HTTP Tests
Address-based HTTP proxy detection: OK
Content-based HTTP proxy detection: OK
HTTP proxy detection via malformed requests: OK
Filetype-based filtering: OK
HTTP caching behavior: OK
JavaScript-based tests: OK
DNS Tests
Restricted domain DNS lookup: Failed
One or more of the hostnames required for the test could not be resolved.
Unrestricted domain DNS lookup: Not executed
The test was not executed. Required functionality was unavailable or not permitted, or this session dates from a time before Netalyzr supported this test.
DNS resolver address: Not executed
The test was not executed. Required functionality was unavailable or not permitted, or this session dates from a time before Netalyzr supported this test.
DNS resolver properties
Internal Server Error on Test Report
DNS glue policy: Prohibited
The client was not permitted to run this test in its entirety. We encourage you to re-run Netalyzr, allowing it to conduct its tests if prompted. However, some system configurations will always block this test. See the corresponding FAQ for help.
DNS resolver port randomization: Not executed
The test was not executed. Required functionality was unavailable or not permitted, or this session dates from a time before Netalyzr supported this test.
DNS lookups of popular domains: Not executed
The test was not executed. Required functionality was unavailable or not permitted, or this session dates from a time before Netalyzr supported this test.
DNS external proxy: OK
Your host ignores external DNS requests.
DNS results wildcarding: Not executed
The test was not executed. Required functionality was unavailable or not permitted, or this session dates from a time before Netalyzr supported this test.
DNS-level redirection of specific sites: Not executed
The test was not executed. Required functionality was unavailable or not permitted, or this session dates from a time before Netalyzr supported this test.
IPv6 Tests
DNS support for IPv6: Not executed
The test was not executed. Required functionality was unavailable or not permitted, or this session dates from a time before Netalyzr supported this test.
IPv4, IPv6, and your web browser: No IPv6 support
Your browser was unable to fetch a test image from an IPv6-only server. IPv4 performance to our IPv4-only server did not differ substantially from our IPv4/IPv6 dual-stacked one.
IPv6 connectivity: No IPv6 support
Your system appears to have no IPv6 connectivity as it was unable to contact our IPv6 test server.
Network Security Protocols
DNSSEC Support from the DNS Roots: Not executed
The test was not executed. Required functionality was unavailable or not permitted, or this session dates from a time before Netalyzr supported this test.
Host Properties
System clock accuracy: Warning
Your computer's clock is 147 seconds slow.
Browser properties: OK
Your web browser sends the following parameters to all web sites you visit:
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept Language: en-US,en;q=0.8
Accept Encoding: gzip,deflate,sdch
Accept Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Java identifies your operating system as Windows 7.
Uploaded data: OK
The client uploaded the following additional content:
apache_404
custom_404
plain_404
raw_http_content
upnp_0_descr
upnp_0_details
upnp_0_ssdp
OK, so an update today: I found a computer with the "System Care Antivirus" virus, and was wondering if this could be related to Pushdo. I have isolated my network so the only people getting on the network are employees, so that reduces the range and number of computers this could be coming from. Is this virus related to, or does it behave similarly to, the Pushdo trojan?