Re: Trojan ?

  • From: "Wayne Small" <wayne@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 17 Sep 2002 07:15:58 +1000

Jim,
 
As a test we have disabled the SMTP service on the server - therefore the only 
thing making calls outbound to port 25 is the trojan itself.  We're getting 
someone onsite this morning to look at the issue better as it only came to us 
at 4:30pm yesterday afternoon.  In the ISA WEB & FW logs, there appears to be 
no suspicious activity - except for a number of connections being sent out to 
port 25.
 
Really strange.
 
Regards, 
Wayne Small   MCSE+I,  MCSE 2000 
Technical Director 
Correct Solutions Pty Ltd 
  
Check out www.correct.com.au for more information on Correct Solutions 

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, 17 September 2002 2:15 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Trojan ?


http://www.ISAserver.org


Take a look at the ISA WEB and FW logs to determine where these requests may be 
originating from.
Since you have SBS2K, you probably also have Exch2K installed and running, 
which might explain the dest-TCP-25 connections.
 
 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/pages/author_index.asp?aut=3
  http://isatools.org
 Read the books!


----- Original Message ----- 
From: Wayne Small <mailto:wayne@xxxxxxxxxxxxxx>
To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx>
Sent: Monday, September 16, 2002 5:05 AM
Subject: [isalist] Trojan ?

Today I have inherited a new site that appears to have a trojan running in it.  
They have large amounts of internet traffic - basically the volume in and out 
varies by only a few megabytes (as part of 900MB in 24hrs).  We have checked 
the server and found via netstat, a large number of connections from the 
server's local port 1080 to a range of dynamic ports on a subnet of remote 
machines.  In addition we have found a large number of connections from the 
server's dynamic ports to a number of remote mail systems on port 25 (i.e. 
hotmail etc).  The server is an SBS server and has the standard filters to 
prevent inbound access to all ports other than 25.  Specifically there is no 
filter that allows access to port 1080 from the internet.  I suspect some 
trojan (either on the server or an internal workstation) is making a connection 
using port 1080 outbound and using this to relay mail most likely spam back out 
to the internet.  The server has current AV software and as such I would think 
is virus free.  Task Manager does not show any unusual services running.
 
I have stopped the SOCKS4 Application filter and the connections to the 
internet on port 1080 and 25 also stop.  I have also noted a brief connection 
to port 80 of a specific IP address on the internet - I assume the trojan is 
"phoning home".
 
Anyone else seen activity like this that can provide more information?
 
Regards, 
Wayne Small   MCSE+I,  MCSE 2000 
Technical Director 
Correct Solutions Pty Ltd 
  
Check out www.correct.com.au for more information on Correct Solutions 

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 
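The pattern Wayne describes (many inbound sessions on the server's port 1080 from several remote hosts, paired with outbound connections from ephemeral ports to port 25 while the local SMTP service is stopped) is the classic signature of a SOCKS proxy being abused as a mail relay. The following is an added example, not code from the thread or from ISA Server, that scores a `netstat -an` style listing for that signature; the sample rows, IP addresses and thresholds are constructed for illustration.

```python
import re

# Constructed sample in the layout of Windows `netstat -an` output; the
# addresses are documentation ranges, not hosts from the thread.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.2:25            0.0.0.0:0              LISTENING
  TCP    10.0.0.2:1080          203.0.113.7:3457       ESTABLISHED
  TCP    10.0.0.2:1080          203.0.113.7:3458       ESTABLISHED
  TCP    10.0.0.2:1080          203.0.113.9:4101       ESTABLISHED
  TCP    10.0.0.2:1080          203.0.113.12:1201      ESTABLISHED
  TCP    10.0.0.2:3102          198.51.100.20:25       ESTABLISHED
  TCP    10.0.0.2:3103          198.51.100.21:25       ESTABLISHED
  TCP    10.0.0.2:3104          198.51.100.22:25       SYN_SENT
  TCP    10.0.0.2:3105          192.0.2.8:80           ESTABLISHED
"""

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
ACTIVE = {"ESTABLISHED", "SYN_SENT"}  # states that represent a live session


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)


def relay_indicators(text, proxy_port=1080, min_peers=3):
    """Flag the open-relay pattern: several distinct remote hosts holding
    sessions on proxy_port, plus outbound SMTP from ephemeral local ports.
    The SMTP list is only meaningful when the host's own mail service is
    known to be stopped, as in the thread's test."""
    socks_peers, smtp_targets, other = set(), set(), []
    for lip, lport, rip, rport, state in parse_netstat(text):
        if state not in ACTIVE:
            continue  # LISTENING / TIME_WAIT rows carry no session
        if lport == proxy_port:
            socks_peers.add(rip)
        elif rport == 25:
            smtp_targets.add(rip)
        else:
            other.append((rip, rport))  # e.g. the port-80 "phone home" hit
    return {
        "open_socks_relay": len(socks_peers) >= min_peers,
        "socks_peers": sorted(socks_peers),
        "outbound_smtp_targets": sorted(smtp_targets),
        "other_outbound": other,
    }
```

Run it against a live `netstat -an` capture before and after stopping the SOCKS application filter; both lists collapsing at the same time is the behaviour Wayne observed and points at the proxy, not the mail server, as the relay.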

