Zeus Botnet?
Posted by brianemwd, 09-24-2014, 12:42 AM |
I have one server that keeps getting listed in the Spamhaus XBL/CBL database for having a Zeus botnet installed on the server. All of the regular scans are bringing up nothing: cxs, maldet, chkrootkit, rkhunter, cvscan.
CBL is saying this:
"This IP address is infected with, or is NATting for a machine infected with "Gameover Zeus" or "GOZ" - previously it has been referred to as "ZeusV3" or "p2pzeus". GOZ is a version of the ZeuS malware that uses peer-to-peer (P2P) command and control mechanisms."
This is a CloudLinux Server 6.4 cPanel x64 running Mod Security and CSF.
Right now I am at a total loss to find out where the vulnerability is coming from and I could really use some help to track this infection. Connections are being made to C&C servers (not sure what those are) on high port numbers. The thing that confuses me is I thought CSF/iptables would be blocking off all ports except those that are listed in its configuration. Am I missing something here?
Any help would be appreciated.
Brian
Posted by Larry, 09-24-2014, 06:39 PM |
Your server might be rooted. I'd recommend backing up all cPanel accounts, reinstall the server (Complete format / wipe), and restore those accounts in a secure environment. When you're rooted, it's difficult to fix, and when you do find a fix, something else is probably infected which gives exploiters a back door to re-infect the server.
The longer you wait, the worse it's gonna get and your IP may be permanently blacklisted if it's not resolved soon.
Posted by TonyB, 09-24-2014, 07:09 PM |
If it was only their web site on the server, that would probably be a good recommendation. If it's shared web hosting, what is far more likely is that one site is compromised. If you back up all accounts and restore them again, I'd predict the same thing happening again within a week.
Posted by brianemwd, 09-24-2014, 07:51 PM |
Doing some research, it looks like the Zeus botnet is only installed on Windows machines, so CBL's report on why you are listed is questionable. I contacted them today and their response was:
--------------------------------------
The IP is infected with spamware, most recently
detected at:
2014:09:23 ~23:30 UTC+/- 15 minutes (approximately 12 hours, 45 minutes ago)
Please put a packet sniffer on the network and look for traffic to 72.52.116.52.
--------------------------------------
Doesn't sound like a Zeus botnet compromise like they initially led me to believe.
So right now I have tcpdump monitoring traffic to that IP address but nothing has been captured so far.
All the usual scans have pulled up nothing and at this point I am very skeptical of CBL.
Brian
Posted by THCServers, 09-24-2014, 08:11 PM |
Look for cp.php and gate.php on your server. We have some clients using the botnet on our servers, and this is the first thing to look for if you want to discover whether a botnet was installed on your server. Also, as CBL said, you can use a packet sniffer to see the outgoing/incoming traffic.
Posted by brianemwd, 09-24-2014, 08:44 PM |
I used locate for those two files and nothing turned up. Can you give me some tips on using packet sniffers on a cPanel server? The packet sniffing stuff is totally foreign to me. Right now I am using:
tcpdump -w xpackets.pcap -i eth0 dst 72.52.116.52
Thanks,
Brian
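The two leads in this thread (CBL's "look for traffic to 72.52.116.52" and THCServers' "look for cp.php and gate.php") can be tied together on a shared server by asking which process, and therefore which account's working directory, holds the connection. The script below is an added example written for this page, not something posted in the thread or shipped with cPanel, CSF or CBL. It assumes a Linux host with ss(8) or netstat(8) available and root privileges (without root, neither tool shows process names), and it uses a constructed ss/netstat sample for its demo so that it runs without touching the live system.

```shell
#!/bin/sh
# Added example for this thread, not code from any participant or vendor.
# Assumptions: Linux with ss(8) or netstat(8); root so process names are
# visible; cPanel accounts live under /home.

# conns_to ADDR: read `ss -tnp` or `netstat -tnp` output on stdin and print
# "peer pid program" for every connection whose peer address is ADDR.
# The peer is matched as a plain string (no regex), so dots in the IP are safe.
conns_to() {
    awk -v addr="$1" '
    {
        peer = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, a, ":")
            if (n == 2 && a[1] == addr && a[2] ~ /^[0-9]+$/) peer = $i
        }
        if (peer == "") next
        pid = "?"; prog = "?"
        if (match($0, /pid=[0-9]+/)) {            # ss: users:(("php",pid=4321,fd=12))
            pid = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /\(\("[^"]+"/)) prog = substr($0, RSTART + 3, RLENGTH - 4)
        } else if (match($NF, /^[0-9]+\//)) {     # netstat: 4321/php
            pid = substr($NF, 1, RLENGTH - 1)
            prog = substr($NF, RLENGTH + 1)
        }
        print peer, pid, prog
    }'
}

# hunt ADDR: look for the panel scripts named in the thread, then map every
# live connection to ADDR onto a PID, its user and its current directory
# (the directory usually lands inside the compromised account's docroot).
hunt() {
    addr="$1"
    echo "== cp.php / gate.php under /home =="
    find /home -type f \( -name cp.php -o -name gate.php \) 2>/dev/null
    echo "== live connections to $addr =="
    { ss -tnp 2>/dev/null || netstat -tnp 2>/dev/null; } | conns_to "$addr" |
    while read -r peer pid prog; do
        user=$(ps -o user= -p "$pid" 2>/dev/null)
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
        echo "$peer pid=$pid prog=$prog user=${user:-?} cwd=${cwd:-?}"
    done
}

# Constructed sample output (not a real capture) so the filter can be tried
# without root: one ss-style line, one netstat-style line, one unrelated line.
sample_output() {
    printf '%s\n' \
      'State Recv-Q Send-Q Local Address:Port Peer Address:Port' \
      'ESTAB 0 0 10.0.0.5:53172 72.52.116.52:8080 users:(("php",pid=4321,fd=12))' \
      'ESTAB 0 0 10.0.0.5:22 203.0.113.9:50123 users:(("sshd",pid=777,fd=3))' \
      'tcp 0 0 10.0.0.5:53180 72.52.116.52:443 ESTABLISHED 4321/php'
}

# demo: run the filter over the constructed sample; returns the matching lines.
demo() {
    sample_output | conns_to 72.52.116.52
}

# Usage on the live box: sh hunt.sh 72.52.116.52   (no argument = just the demo)
if [ "$#" -gt 0 ]; then
    hunt "$1"
else
    demo
fi
```

Once a PID shows up, `readlink /proc/PID/cwd` and `ls -l /proc/PID/fd` point at the account and the script being executed, which is the evidence to hand the cPanel user before deciding between cleaning one account and reinstalling. For the packet capture itself, `tcpdump -nn -i eth0 -w goz.pcap host 72.52.116.52` records both directions, whereas a `dst` filter only records packets the server sends; and because connections to a C&C are outbound, CSF's outbound rules (TCP_OUT/UDP_OUT in csf.conf) decide whether they are allowed, not the inbound port list.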