Trojan ?

  • From: "Wayne Small" <wayne@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 16 Sep 2002 22:05:13 +1000

Today I have inherited a new site that appears to have a trojan running in it.  
They have large amounts of internet traffic - basically the volume in and out 
varies by only a few megabytes (as part of 900MB in 24hrs).  We have checked 
the server and found via netstat, a large number of connections from the 
server's local port 1080 to a range of dynamic ports on a subnet of remote 
machines.  In addition we have found a large number of connections from the 
server's dynamic ports to a number of remote mail systems on port 25 (i.e. 
hotmail etc).  The server is an SBS server and has the standard filters to 
prevent inbound access to all ports other than 25.  Specifically there is no 
filter that allows access to port 1080 from the internet.  I suspect some 
trojan (either on the server or an internal workstation) is making a connection 
using port 1080 outbound and using this to relay mail, most likely spam, back out 
to the internet.  The server has current AV software and as such I would think 
is virus free.  Task Manager does not show any unusual services running.
 
I have stopped the SOCKs4 Application filter and the connections to the 
internet on port 1080 and 25 also stops.  I have also noted a brief connection 
to port 80 of a specific IP address on the internet - I assume the trojan is 
"phoning home".
 
Anyone else seen activity like this that can provide more information?
 
Regards, 
Wayne Small   MCSE+I,  MCSE 2000 
Technical Director 
Correct Solutions Pty Ltd 
  
Check out www.correct.com.au for more information on Correct Solutions 
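As an added example (not from Wayne's post or the list), here is a small Python check that parses `netstat -an` style rows and counts the two patterns he describes: clients connected to the server's port 1080 from remote ephemeral ports, and the server's own ephemeral ports connecting out to port 25. The sample rows, the addresses in them and the thresholds are constructed for illustration.

```python
from collections import Counter
import re

# Constructed sample in Windows `netstat -an` layout (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.16.2:1080      203.0.113.17:3201      ESTABLISHED
  TCP    192.168.16.2:1080      203.0.113.23:4410      ESTABLISHED
  TCP    192.168.16.2:1080      203.0.113.40:1075      ESTABLISHED
  TCP    192.168.16.2:1080      203.0.113.41:2288      ESTABLISHED
  TCP    192.168.16.2:3340      198.51.100.5:25        ESTABLISHED
  TCP    192.168.16.2:3341      198.51.100.9:25        ESTABLISHED
  TCP    192.168.16.2:3342      198.51.100.12:25       SYN_SENT
  TCP    192.168.16.2:3350      192.0.2.80:80          TIME_WAIT
"""

TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_tcp(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            yield m[1], int(m[2]), m[3], int(m[4]), m[5]

def relay_indicators(text, socks_port=1080, min_socks=3, min_smtp=2):
    """Count the two patterns from the post and flag when both are present."""
    socks_by_subnet = Counter()   # accepted clients on the SOCKS port, per remote /24
    smtp_out = 0                  # our own connections out to remote port 25
    for _lip, lport, rip, rport, state in parse_tcp(text):
        if state == "LISTENING":
            continue
        if lport == socks_port and rport >= 1024:
            # Remote side holds the ephemeral port: someone connected TO our SOCKS port.
            socks_by_subnet[".".join(rip.split(".")[:3]) + ".0/24"] += 1
        elif rport == 25 and lport >= 1024 and state in ("ESTABLISHED", "SYN_SENT"):
            # Our side holds the ephemeral port: we are connecting OUT to a mail server.
            smtp_out += 1
    socks_total = sum(socks_by_subnet.values())
    return {
        "socks_clients": socks_total,
        "socks_by_subnet": dict(socks_by_subnet),
        "smtp_outbound": smtp_out,
        "suspect_relay": socks_total >= min_socks and smtp_out >= min_smtp,
    }
```

On the sample above the check reports four SOCKS clients, all from one /24, three outbound SMTP connections, and a positive relay verdict; the listening sockets and the port 80 connection are ignored.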
