Hi all, Spamhaus was blocking my public IP for sending TCP packets with an identified Conficker signature to specific IP addresses.
“This IP address was detected and listed 9 times in the past 28 days, and 1 times in the past 24 hours. The most recent detection was at Fri May 25 13:45:00 2018 UTC +/- 5 minutes”
“This IP address is infected with, or is NATting for a machine infected with the Conficker malicious botnet.”
“This was detected by a TCP connection from “xxx.xxx.xxx.xxx” on port “42953” going to IP address “38.229.191.187” (the sinkhole) on port “80”.”
I assumed that there should be an infected PC “within” my internal network.
So I created a logging/blocking FORWARD rule for the IP Spamhaus mentioned and its neighbours (/16), because it was a foreign destination.
I got unlisted from Spamhaus, but quite a while after that I was blacklisted again. So I had a suspect: my RouterBOARD itself.
After creating not only FORWARD rules but also an OUTPUT rule, the trap succeeded.
May/25/2018 21:42:13 memory firewall, info output: in:(none) out:pppoews, proto TCP (SYN), xxx.xxx.xxx.xxx:61996->38.229.79.168:80, len 40
May/25/2018 21:56:55 memory firewall, info output: in:(none) out:pppoews, proto TCP (SYN), xxx.xxx.xxx.xxx:57706->38.229.1 .21:23, len 40
May/25/2018 21:59:26 memory firewall, info output: in:(none) out:pppoews, proto TCP (SYN), xxx.xxx.xxx.xxx:38789->38.229.246.228:8080, len 40
and so forth…
Unlisting from Spamhaus was successful now, and I have to reinstall RouterOS on that machine.
But what will do the job: “Reset configuration”, “Netinstall”, or can I just throw that box away because the Conficker is persistent somewhere on that board?
Anybody else who had this infection?
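The trick that made the trap above work is the distinction between the two log sources: a FORWARD-chain hit carries a real LAN in-interface and the LAN host's source address, whereas an OUTPUT-chain hit shows in:(none), meaning the router itself generated the SYN. The script below is an added example (not from the post or from MikroTik) that parses RouterOS firewall log lines in the format shown above and sorts sinkhole connections into "router-originated" versus "forwarded from host X". The sample log lines are constructed, the 38.229.0.0/16 range is taken from the post's own blocking rule, and the source addresses 192.168.88.23 and the masked xxx.xxx.xxx.xxx are placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines, modelled on the RouterOS firewall log format quoted in the post.
# "info output:" / "info forward:" is the log-prefix of the rule that matched;
# in:(none) is what RouterOS prints for packets the router itself originated.
SAMPLE_LOG = """\
May/25/2018 21:42:13 memory firewall, info output: in:(none) out:pppoews, proto TCP (SYN), xxx.xxx.xxx.xxx:61996->38.229.79.168:80, len 40
May/25/2018 21:44:02 memory firewall, info forward: in:bridge-lan out:pppoews, proto TCP (SYN), 192.168.88.23:50112->38.229.191.187:80, len 40
May/25/2018 21:45:10 memory firewall, info forward: in:bridge-lan out:pppoews, proto TCP (SYN), 192.168.88.23:50113->93.184.216.34:443, len 40
May/25/2018 21:56:55 memory firewall, info output: in:(none) out:pppoews, proto TCP (SYN), xxx.xxx.xxx.xxx:57706->38.229.10.21:23, len 40
May/25/2018 21:59:26 memory firewall, info output: in:(none) out:pppoews, proto TCP (SYN), xxx.xxx.xxx.xxx:38789->38.229.246.228:8080, len 40
"""

# The /16 around the sinkhole address Spamhaus reported, as blocked in the post.
SINKHOLE_NET = ipaddress.ip_network("38.229.0.0/16")

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) memory firewall, info (?P<prefix>\w+): "
    r"in:(?P<inif>\S+) out:(?P<outif>[^,]+), proto (?P<proto>\w+) \((?P<flags>[^)]*)\), "
    r"(?P<src>[^:]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+), len (?P<length>\d+)$"
)


def parse_line(line):
    """Parse one RouterOS firewall log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "length"):
        entry[key] = int(entry[key])
    return entry


def classify(entry, sinkhole_net=SINKHOLE_NET):
    """Decide whether a logged connection is a sinkhole contact and where it came from."""
    try:
        dst = ipaddress.ip_address(entry["dst"])
    except ValueError:
        # Masked or garbled destination: cannot judge, report rather than silently drop.
        return "unparsed-dst"
    if dst not in sinkhole_net:
        return "benign"
    # in:(none) means the SYN was generated by the router itself (OUTPUT chain),
    # so no LAN host is to blame for this one.
    if entry["inif"] == "(none)":
        return "router-originated"
    # Otherwise a LAN host behind NAT sent it (FORWARD chain); name the host.
    return "forwarded-from-" + entry["src"]


def find_sinkhole_talkers(log_text, sinkhole_net=SINKHOLE_NET):
    """Count sinkhole contacts per origin over a block of log text."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry, sinkhole_net)
        if verdict != "benign":
            hits[verdict] += 1
    return dict(hits)


if __name__ == "__main__":
    for origin, count in sorted(find_sinkhole_talkers(SAMPLE_LOG).items()):
        print(f"{origin}: {count} sinkhole connection(s)")
```

Run against the real log export (`/log print` output or a remote syslog file) instead of SAMPLE_LOG; if every sinkhole hit is "router-originated" while the LAN hosts are clean, the router, not a PC behind it, is what needs to be reinstalled.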