Re: Trojan ?

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 16 Sep 2002 21:13:13 -0700

Hi Wayne,

Bear in mind that any traffic in the FW log came from someone behind the ISA.
Since you're concerned about SMTP-like traffic, the WEB logs will be of little 
use, except possibly to assist in narrowing down the culprit as most trojan'ed 
boxes are rarely "single-purposed".
Most traffic originating at the ISA itself is not logged as it uses packet 
filters, which do not log "allow" traffic by default.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/pages/author_index.asp?aut=3
 http://isatools.org
 Read the books!

  ----- Original Message ----- 
  From: Wayne Small 
  To: [ISAserver.org Discussion List] 
  Sent: Monday, September 16, 2002 2:15 PM
  Subject: [isalist] Re: Trojan ?


  http://www.ISAserver.org


  Jim,

  As a test we have disabled the SMTP service on the server - therefore the 
only thing making calls outbound to port 25 is the trojan itself.  We're 
getting someone onsite this morning to look at the issue better as it only came 
to us at 4:30pm yesterday afternoon.  In the ISA WEB & FW logs, there appears 
to be no suspicious activity - except for a number of connections being sent 
out to port 25.

  Really strange.

  Regards, 
  Wayne Small   MCSE+I,  MCSE 2000 
  Technical Director 
  Correct Solutions Pty Ltd 
    
  Check out www.correct.com.au for more information on Correct Solutions 

    -----Original Message-----
    From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
    Sent: Tuesday, 17 September 2002 2:15 AM
    To: [ISAserver.org Discussion List]
    Subject: [isalist] Re: Trojan ?

    Take a look at the ISA WEB and FW logs to determine where these requests 
may be originating from.
    Since you have SBS2K, you probably also have Exch2K installed and running, 
which might explain the dest-TCP-25 connections.

     Jim Harrison
     MCP(NT4, W2K), A+, Network+, PCG
     http://isaserver.org/pages/author_index.asp?aut=3
     http://isatools.org
     Read the books!

      ----- Original Message ----- 
      From: Wayne Small 
      To: [ISAserver.org Discussion List] 
      Sent: Monday, September 16, 2002 5:05 AM
      Subject: [isalist] Trojan ?


      Today I have inherited a new site that appears to have a trojan running 
in it.  They have large amounts of internet traffic - basically the volume in 
and out varies by only a few megabytes (as part of 900MB in 24hrs).  We have 
checked the server and found via netstat, a large number of connections from 
the server's local port 1080 to a range of dynamic ports on a subnet of remote 
machines.  In addition we have found a large number of connections from the 
server's dynamic ports to a number of remote mail systems on port 25 (i.e. 
hotmail etc).  The server is an SBS server and has the standard filters to 
prevent inbound access to all ports other than 25.  Specifically there is no 
filter that allows access to port 1080 from the internet.  I suspect some 
trojan (either on the server or an internal workstation) is making a connection 
using port 1080 outbound and using this to relay mail most likely spam back out 
to the internet.  The server has current AV software and as such I would think 
is virus free.  Task Manager does not show any unusual services running.

      I have stopped the SOCKs4 Application filter and the connections to the 
internet on port 1080 and 25 also stops.  I have also noted a brief connection 
to port 80 of a specific IP address on the internet - I assume the trojan is 
"phoning home".

      Anyone else seen activity like this that can provide more information?

      Regards, 
      Wayne Small   MCSE+I,  MCSE 2000 
      Technical Director 
      Correct Solutions Pty Ltd 
        
      Check out www.correct.com.au for more information on Correct Solutions 
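One way to triage netstat output for the pattern Wayne describes (a fan-out of remote peers on the local SOCKS port 1080 alongside many outbound sessions from ephemeral ports to remote port 25) is to parse it and count both indicators. This is an added example, not code from the thread; the netstat lines, addresses and thresholds are constructed.

```python
import re

# Constructed sample in Windows "netstat -an" format (not taken from the thread).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    192.168.16.2:25        0.0.0.0:0              LISTENING
  TCP    192.168.16.2:1080      203.0.113.10:4521      ESTABLISHED
  TCP    192.168.16.2:1080      203.0.113.11:4522      ESTABLISHED
  TCP    192.168.16.2:1080      203.0.113.12:4530      ESTABLISHED
  TCP    192.168.16.2:1080      203.0.113.13:4531      ESTABLISHED
  TCP    192.168.16.2:1080      203.0.113.14:4540      ESTABLISHED
  TCP    192.168.16.2:3312      198.51.100.20:25       ESTABLISHED
  TCP    192.168.16.2:3313      198.51.100.21:25       ESTABLISHED
  TCP    192.168.16.2:3314      198.51.100.22:25       SYN_SENT
  TCP    192.168.16.2:3401      198.51.100.30:80       ESTABLISHED
"""

# proto, local ip:port, foreign ip:port, optional state (UDP lines have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)")

def parse_netstat(text):
    """Return one dict per TCP/UDP line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                      "remote_ip": rip, "remote_port": int(rport), "state": state})
    return conns

def relay_indicators(conns, socks_port=1080, smtp_port=25, min_peers=3):
    """Count distinct remote peers talking to the local SOCKS port and outbound
    sessions from ephemeral local ports to remote SMTP; both together match the
    open-relay-through-SOCKS pattern described in the thread."""
    socks_peers = {c["remote_ip"] for c in conns
                   if c["proto"] == "TCP" and c["local_port"] == socks_port
                   and c["remote_port"] != 0}          # skip the LISTENING row
    smtp_out = [c for c in conns
                if c["proto"] == "TCP" and c["remote_port"] == smtp_port
                and c["local_port"] >= 1024]          # ephemeral source port
    return {
        "socks_peers": len(socks_peers),
        "smtp_outbound": len(smtp_out),
        "smtp_targets": sorted({c["remote_ip"] for c in smtp_out}),
        "suspicious": len(socks_peers) >= min_peers and len(smtp_out) >= min_peers,
    }

if __name__ == "__main__":
    print(relay_indicators(parse_netstat(SAMPLE_NETSTAT)))
```

Run against a live `netstat -an` capture, the `smtp_targets` list gives the remote mail systems to correlate with the ISA FW log entries.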

      ------------------------------------------------------
      You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
      To unsubscribe send a blank email to $subst('Email.Unsub') 