Re: Trojan ?

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 16 Sep 2002 09:15:11 -0700

Take a look at the ISA WEB and FW logs to determine where these requests may be 
originating from.
Since you have SBS2K, you probably also have Exch2K installed and running, 
which might explain the dest-TCP-25 connections.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/pages/author_index.asp?aut=3
 http://isatools.org
 Read the books!

  ----- Original Message ----- 
  From: Wayne Small 
  To: [ISAserver.org Discussion List] 
  Sent: Monday, September 16, 2002 5:05 AM
  Subject: [isalist] Trojan ?

  Today I have inherited a new site that appears to have a trojan running in 
it.  They have large amounts of internet traffic - basically the volume in and 
out varies by only a few megabytes (as part of 900MB in 24hrs).  We have 
checked the server and found via netstat, a large number of connections from 
the server's local port 1080 to a range of dynamic ports on a subnet of remote 
machines.  In addition we have found a large number of connections from the 
server's dynamic ports to a number of remote mail systems on port 25 (i.e. 
hotmail etc).  The server is an SBS server and has the standard filters to 
prevent inbound access to all ports other than 25.  Specifically there is no 
filter that allows access to port 1080 from the internet.  I suspect some 
trojan (either on the server or an internal workstation) is making a connection 
using port 1080 outbound and using this to relay mail most likely spam back out 
to the internet.  The server has current AV software and as such I would think 
is virus free.  Task Manager does not show any unusual services running.

  I have stopped the SOCKs4 Application filter and the connections to the 
internet on port 1080 and 25 also stops.  I have also noted a brief connection 
to port 80 of a specific IP address on the internet - I assume the trojan is 
"phoning home".

  Anyone else seen activity like this that can provide more information?

  Regards, 
  Wayne Small   MCSE+I,  MCSE 2000 
  Technical Director 
  Correct Solutions Pty Ltd 
    
  Check out www.correct.com.au for more information on Correct Solutions 
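A quick way to triage the netstat pattern Wayne describes, and to keep it apart from ordinary Exchange outbound SMTP as Jim suggests: an added Python example, not code from the thread. The netstat sample, the thresholds and the function names are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -an` output (not data from the post):
# inbound SOCKS sessions on local port 1080 plus outbound SMTP from ephemeral ports.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    192.168.16.2:25        0.0.0.0:0              LISTENING
  TCP    192.168.16.2:1080      0.0.0.0:0              LISTENING
  TCP    192.168.16.2:1080      203.0.113.17:3421      ESTABLISHED
  TCP    192.168.16.2:1080      203.0.113.17:3422      ESTABLISHED
  TCP    192.168.16.2:1080      203.0.113.44:1199      ESTABLISHED
  TCP    192.168.16.2:1080      203.0.113.91:4010      ESTABLISHED
  TCP    192.168.16.2:1031      198.51.100.5:25        ESTABLISHED
  TCP    192.168.16.2:1032      198.51.100.6:25        ESTABLISHED
  TCP    192.168.16.2:1033      198.51.100.7:25        SYN_SENT
  TCP    192.168.16.2:1034      198.51.100.8:25        ESTABLISHED
  TCP    192.168.16.2:1040      192.0.2.10:80          TIME_WAIT
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)\s*$")

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state); skips the header."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            yield proto, lip, int(lport), rip, int(rport), state

def relay_indicators(text, socks_port=1080, min_peers=3, min_smtp=3):
    """Flag the open-proxy relay pattern: several distinct remote hosts holding
    sessions to the local SOCKS port, paired with several outbound SMTP
    connections from ephemeral local ports.  Outbound SMTP alone is not flagged,
    since a mail server (Exchange on SBS) legitimately produces that."""
    socks_peers, smtp_targets = set(), set()
    for proto, lip, lport, rip, rport, state in parse_netstat(text):
        if proto != "TCP" or state == "LISTENING":
            continue
        if lport == socks_port:
            socks_peers.add(rip)                 # someone is using the SOCKS service
        elif rport == 25 and lport >= 1024:      # ephemeral client port -> remote MTA
            smtp_targets.add(rip)
    suspicious = len(socks_peers) >= min_peers and len(smtp_targets) >= min_smtp
    return {"socks_peers": sorted(socks_peers),
            "smtp_targets": sorted(smtp_targets),
            "suspicious": suspicious}

if __name__ == "__main__":
    print(relay_indicators(SAMPLE_NETSTAT))
```

Feed it the saved output of `netstat -an` taken while the SOCKS4 filter is enabled, then again with it stopped; the SOCKS peer list is the set of remote hosts to look up in the ISA firewall log.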
