EFW Support

Topic started by: quicktech on Friday 11 October 2013, 07:17:34 am



Title: Citadel-BASE Virus
Post by: quicktech on Friday 11 October 2013, 07:17:34 am
I am receiving notifications that a user on our network is infected with the Citadel-BASE virus.

Timestamp: 2013-09-17 00:34:20 GMT
Issue: Citadel-B54-BASE
command: /pmserver/browse.php
srcprt: 4862
controller: hotels2013.org

Timestamp: 2013-10-07 00:39:22 GMT
Issue: Citadel-BASE
command: /pmserver/browse.php
srcprt: 1587
controller: hotels2013.org

I have our staff behind an Endian firewall, and would like to prevent this from leaving our network.
The srcprt does change (as you can see above), so I cannot block a specific port from our network. How can I block the URL so I can prevent this from leaving our network, so our ISP won't disable our internet connection, and then I can track down the machine internally?

Thanks for your time
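
For the last part of the question, tracking down the machine internally, here is an added example (not part of the original post) that matches the two notifications above against HTTP proxy logs to name the internal client. It assumes web traffic passes through a logging proxy that writes Squid's native access.log layout; the log lines and internal addresses are constructed, and `parse_notifications` and `find_clients` are hypothetical helper names.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit
# The two notifications quoted in the post.
NOTIFICATIONS = """\
Timestamp: 2013-09-17 00:34:20 GMT
Issue: Citadel-B54-BASE
command: /pmserver/browse.php
srcprt: 4862
controller: hotels2013.org

Timestamp: 2013-10-07 00:39:22 GMT
Issue: Citadel-BASE
command: /pmserver/browse.php
srcprt: 1587
controller: hotels2013.org
"""

# Constructed sample lines (assumed Squid native layout, made-up addresses).
SAMPLE_LOG = """\
1379378060.412 310 192.168.10.57 TCP_MISS/200 512 POST http://hotels2013.org/pmserver/browse.php - DIRECT/192.0.2.10 text/html
1379378075.101 95 192.168.10.23 TCP_MISS/200 8841 GET http://example.com/index.html - DIRECT/192.0.2.20 text/html
1381106362.007 287 192.168.10.57 TCP_MISS/200 498 POST http://hotels2013.org/pmserver/browse.php - DIRECT/192.0.2.10 text/html
"""

def parse_notifications(text):
    """Return one dict per blank-line-separated notification."""
    records = [dict(l.split(": ", 1) for l in b.splitlines()) for b in text.strip().split("\n\n")]
    for rec in records:
        when = datetime.strptime(rec["Timestamp"], "%Y-%m-%d %H:%M:%S GMT")
        rec["epoch"] = when.replace(tzinfo=timezone.utc).timestamp()
    return records

def find_clients(log_text, records, window=300):
    """Match proxy requests to notifications by host, path and time (+/- window s)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a complete access.log entry
        ts, client, url = float(fields[0]), fields[2], urlsplit(fields[6])
        for rec in records:
            if (url.hostname == rec["controller"] and url.path == rec["command"]
                    and abs(ts - rec["epoch"]) <= window):
                hits.append((client, rec["Issue"], rec["Timestamp"]))
    return hits

if __name__ == "__main__":
    print(find_clients(SAMPLE_LOG, parse_notifications(NOTIFICATIONS)))
```

The match uses controller host, command path and timestamp rather than srcprt, because the port in the notification is the one seen outside the network and the proxy log does not record it. The `window` parameter allows for clock differences between the reporter and the firewall.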