Today I have inherited a new site that appears to have a trojan running in it. They have large amounts of internet traffic - basically the volume in and out varies by only a few megabytes (as part of 900MB in 24hrs).

We have checked the server and found, via netstat, a large number of connections from the server's local port 1080 to a range of dynamic ports on a subnet of remote machines. In addition we have found a large number of connections from the server's dynamic ports to a number of remote mail systems on port 25 (i.e. hotmail etc).

The server is an SBS server and has the standard filters to prevent inbound access to all ports other than 25. Specifically there is no filter that allows access to port 1080 from the internet.

I suspect some trojan (either on the server or an internal workstation) is making a connection using port 1080 outbound and using this to relay mail, most likely spam, back out to the internet. The server has current AV software and as such I would think is virus free. Task Manager does not show any unusual services running.

I have stopped the SOCKS4 Application filter and the connections to the internet on port 1080 and 25 also stop. I have also noted a brief connection to port 80 of a specific IP address on the internet - I assume the trojan is "phoning home".

Anyone else seen activity like this that can provide more information?

Regards,
Wayne Small
MCSE+I, MCSE 2000
Technical Director
Correct Solutions Pty Ltd
Check out www.correct.com.au for more information on Correct Solutions
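One way to turn the netstat observations described above into a per-host summary, as an added example that is not part of the original post. The `INTERNAL` range, the sample rows and the function names are assumptions made for illustration; the sample is constructed and uses documentation addresses.

```python
import ipaddress
from collections import Counter

# Assumption: the LAN range behind the server; adjust to the real site.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample in Windows `netstat -an` layout (documentation addresses).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1080        203.0.113.15:3412      ESTABLISHED
  TCP    192.0.2.10:1080        203.0.113.77:4120      ESTABLISHED
  TCP    192.0.2.10:1080        203.0.113.201:2901     ESTABLISHED
  TCP    192.0.2.10:2755        198.51.100.25:25       ESTABLISHED
  TCP    192.0.2.10:2756        198.51.100.25:25       SYN_SENT
  TCP    192.0.2.10:2760        198.51.100.80:25       ESTABLISHED
  TCP    192.0.2.10:2771        198.51.100.200:80      TIME_WAIT
  TCP    10.0.0.2:1080          10.0.0.31:1190         ESTABLISHED
"""

def connections(text):
    """Yield (local_port, remote_ip, remote_port) for non-listening TCP rows."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 4 or f[0] != "TCP" or f[3] == "LISTENING":
            continue  # skips the header, UDP rows and listeners
        lport = int(f[1].rsplit(":", 1)[1])
        rhost, rport = f[2].rsplit(":", 1)
        yield lport, ipaddress.ip_address(rhost.strip("[]")), int(rport)

def triage(text, proxy_port=1080, smtp_port=25):
    """Group connections by the roles the post describes."""
    ext_proxy, int_proxy, smtp, other = Counter(), Counter(), Counter(), Counter()
    for lport, rip, rport in connections(text):
        if lport == proxy_port and rip in INTERNAL:
            int_proxy[str(rip)] += 1   # LAN workstation using the proxy
        elif lport == proxy_port:
            # Outside host on the proxy port; group by /24 to expose a subnet
            ext_proxy[str(ipaddress.ip_network(f"{rip}/24", strict=False))] += 1
        elif rport == smtp_port:
            smtp[str(rip)] += 1        # outbound mail delivery target
        else:
            other[f"{rip}:{rport}"] += 1  # e.g. a brief port-80 connection
    return {"external_proxy_clients": dict(ext_proxy), "internal_proxy_clients":
            dict(int_proxy), "smtp_targets": dict(smtp), "other": dict(other)}

if __name__ == "__main__":
    for name, counts in triage(SAMPLE).items():
        print(name, counts)
```

Any entry under `external_proxy_clients` contradicts a filter set that only admits port 25 and is the first thing to reconcile against the firewall configuration.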