Blocked on RBL due to ranbyus command?
Problem reported by Michael Barber - 9/6/2021 at 2:21 PM
Submitted
My mail server is getting blocked on Spamhaus by something bizarre which shouldn't even be possible. Outbound ports not used are explicitly blocked, and that includes any ports above 5000. Anyone know what is going on or how to make this stop?

The listing says:

"my mail server ip" initiated a connection to a ranbyus command and control server, with contents unique to ranbyus C&C command protocols. 

Technical details of the ranbyus detection

10.*.*.* initiated a tcp connection from 10.*.*.* from port 60068, to the sinkhole IP address 216.218.185.162 on port 80.

The most recent detection was on: September 1 2021, 02:31:46 UTC.
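The listing quoted above identifies the connection only by public IP, timestamp, source port and sinkhole destination; if that public address is shared by other devices through NAT, the listing cannot say which internal host opened the flow, and a host firewall on the mail server itself does not speak for the rest of the network. The script below is an added example, not code from this thread or from SmarterTools: it correlates the listing's tuple (September 1 2021 02:31:46 UTC, source port 60068, 216.218.185.162:80) against NAT/firewall connection-log lines. The log format and the 10.0.0.x hosts are constructed for the example; only the sinkhole IP, port, source port and time come from the listing.

```python
"""Correlate a Spamhaus sinkhole-hit record with NAT/firewall connection logs.

Added example (not from the thread). The listing names only the public IP, so
the defender's first question is which internal host opened the flow, and then
which process on that host. Log format and 10.0.0.x hosts are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Values taken from the listing quoted in the thread.
SINKHOLE_IP = "216.218.185.162"
SINKHOLE_PORT = 80
LISTED_SRC_PORT = 60068
LISTED_TIME = datetime(2021, 9, 1, 2, 31, 46, tzinfo=timezone.utc)

# Constructed log lines in a simplified, hypothetical "<ts> <action> <proto> src -> dst" format.
SAMPLE_LOG = """\
2021-09-01T02:30:02Z ALLOW TCP 10.0.0.5:51234 -> 198.51.100.7:25
2021-09-01T02:31:46Z ALLOW TCP 10.0.0.25:60068 -> 216.218.185.162:80
2021-09-01T02:31:47Z ALLOW TCP 10.0.0.5:51240 -> 198.51.100.7:25
2021-09-01T02:45:11Z ALLOW TCP 10.0.0.25:60102 -> 216.218.185.162:80
2021-09-01T03:10:00Z BLOCK TCP 10.0.0.5:49999 -> 216.218.185.162:80
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    action: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_line(line):
    """Parse one log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Flow(ts, m["action"], m["proto"], m["src_ip"], int(m["src_port"]),
                m["dst_ip"], int(m["dst_port"]))


def sinkhole_flows(lines, sinkhole_ip=SINKHOLE_IP):
    """All parsed flows whose destination is the sinkhole IP, allowed or blocked."""
    flows = (parse_line(line) for line in lines)
    return [f for f in flows if f is not None and f.dst_ip == sinkhole_ip]


def match_listing(lines, when=LISTED_TIME, src_port=LISTED_SRC_PORT,
                  dst_ip=SINKHOLE_IP, dst_port=SINKHOLE_PORT,
                  window=timedelta(minutes=2)):
    """Flows matching the exact listing tuple within +/- window of the listed time.

    NAT rewrites the source IP but commonly keeps the source port unless there
    is a collision, so port plus timestamp is what ties the public-IP report to
    an internal host. If the NAT rewrites ports too, fall back to time and
    destination only (see hosts_talking_to_sinkhole).
    """
    return [f for f in sinkhole_flows(lines, dst_ip)
            if f.dst_port == dst_port and f.src_port == src_port
            and abs(f.ts - when) <= window]


def hosts_talking_to_sinkhole(lines, sinkhole_ip=SINKHOLE_IP):
    """Map internal host -> number of ALLOWED connections to the sinkhole.

    Blocked attempts never reached the sinkhole and so cannot have produced the
    listing, but any host attempting the connection still warrants a look.
    """
    counts = {}
    for f in sinkhole_flows(lines, sinkhole_ip):
        if f.action == "ALLOW":
            counts[f.src_ip] = counts.get(f.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for f in match_listing(SAMPLE_LOG):
        print(f"listing matches internal host {f.src_ip} at {f.ts.isoformat()}")
    for host, n in hosts_talking_to_sinkhole(SAMPLE_LOG).items():
        print(f"{host}: {n} allowed connection(s) to {SINKHOLE_IP}")
```

Once an internal host is identified, the next step is on that host: list live TCP connections with their owning process (on Windows, `netstat -ano` or `Get-NetTCPConnection` with the OwningProcess column) and check whether anything is still reaching the sinkhole address, which is more conclusive than a signature scan alone.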

6 Replies

Kyle Kerst Replied
Employee Post
It looks like SpamHaus has articles on these types of issues. Based on their documentation, this indicates your server is infected with malware and will need to be cleaned up before operating it further. I recommend shutting it down and booting into safe mode for a deep scan.
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
Michael Barber Replied
That has to be wrong. I have several antivirus products running on there and I have also just scanned it and there are no threats or malware detected.

Do you have the link for this information because I believe it is a false positive.

Also, the malware they cite requires a program to be running that would be visible as a service or exe, and there are no superfluous programs running either; they are all accounted for.
Michael Barber Replied
Also, I just checked the firewall and packets on port 80 are blocked.
Michael Barber Replied
Also, I just checked the firewall and OUTBOUND packets on port 80 are blocked.
Michael Barber Replied
Continuously runs ESET NOD32

Doesn't make sense...
(attachment: Sophos-Blizzard.JPG)
Kyle Kerst Replied
Employee Post

I recommend doing a remote AV scan (something like Trend Micro HouseCall), as it eliminates the possibility that the AV is being compromised by whatever infection is present (pretty common with malware).
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
