Jim,

Thanks for your help with this. We have resolved the issue. The cause of the issue appeared to be that the external NIC's IP address was changed and that the SBS Internet Connection Wizard had not been run since then. Effectively the site (despite having a correctly constructed LAT) was allowing outsiders to use it as a SOCKS proxy server. We noted that if we disabled the SOCKS application filter the system would stop. We've also found a number of links on the internet since then which seem to indicate that this style of abuse is common. The following web site, http://www.astra-soft.com, has a tool which will allow you to scan for potential SOCKS hosts through which you can relay your SPAM!

What concerns me though is that we went over the packet filters, and site and content rules, and they did not specifically allow port 1080 to be open to the outside world. Therefore the configuration itself appeared to be fine. In hindsight I should have run isainfo.vbs, which would have allowed me to see more information.

Anyway - problem resolved, system was NOT compromised, but was being used to relay SPAM through. You learn a little more each day. Thanks for your responses.

Regards,
Wayne Small MCSE+I, MCSE 2000
Technical Director
Correct Solutions Pty Ltd
Check out www.correct.com.au for more information on Correct Solutions

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, 17 September 2002 2:13 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Trojan ?

http://www.ISAserver.org

Hi Wayne,

Bear in mind that any traffic in the FW log came from someone behind the ISA. Since you're concerned about SMTP-like traffic, the WEB logs will be of little use, except possibly to assist in narrowing down the culprit, as most trojan'ed boxes are rarely "single-purposed". Most traffic originating at the ISA itself is not logged as it uses packet filters, which do not log "allow" traffic by default.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the books!

----- Original Message -----
From: Wayne Small <mailto:wayne@xxxxxxxxxxxxxx>
To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx>
Sent: Monday, September 16, 2002 2:15 PM
Subject: [isalist] Re: Trojan ?

http://www.ISAserver.org

Jim,

As a test we have disabled the SMTP service on the server - therefore the only thing making calls outbound to port 25 is the trojan itself. We're getting someone onsite this morning to look at the issue better, as it only came to us at 4:30pm yesterday afternoon. In the ISA WEB & FW logs there appears to be no suspicious activity - except for a number of connections being sent out to port 25. Really strange.

Regards,
Wayne Small MCSE+I, MCSE 2000
Technical Director
Correct Solutions Pty Ltd
Check out www.correct.com.au for more information on Correct Solutions

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, 17 September 2002 2:15 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Trojan ?

http://www.ISAserver.org

Take a look at the ISA WEB and FW logs to determine where these requests may be originating from. Since you have SBS2K, you probably also have Exch2K installed and running, which might explain the dest-TCP-25 connections.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the books!

----- Original Message -----
From: Wayne Small <mailto:wayne@xxxxxxxxxxxxxx>
To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx>
Sent: Monday, September 16, 2002 5:05 AM
Subject: [isalist] Trojan ?

http://www.ISAserver.org

Today I have inherited a new site that appears to have a trojan running in it. They have large amounts of internet traffic - basically the volume in and out varies by only a few megabytes (as part of 900MB in 24hrs).
We have checked the server and found, via netstat, a large number of connections from the server's local port 1080 to a range of dynamic ports on a subnet of remote machines. In addition we have found a large number of connections from the server's dynamic ports to a number of remote mail systems on port 25 (i.e. hotmail etc). The server is an SBS server and has the standard filters to prevent inbound access to all ports other than 25. Specifically there is no filter that allows access to port 1080 from the internet.

I suspect some trojan (either on the server or an internal workstation) is making a connection using port 1080 outbound and using this to relay mail, most likely spam, back out to the internet. The server has current AV software and as such I would think is virus free. Task Manager does not show any unusual services running. I have stopped the SOCKS4 application filter and the connections to the internet on port 1080 and 25 also stop. I have also noted a brief connection to port 80 of a specific IP address on the internet - I assume the trojan is "phoning home".

Anyone else seen activity like this that can provide more information?
Regards,
Wayne Small MCSE+I, MCSE 2000
Technical Director
Correct Solutions Pty Ltd
Check out www.correct.com.au for more information on Correct Solutions

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
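The netstat observation in the original post (external peers on the server's local port 1080 alongside fan-out to remote port 25) is the whole signature of an abused SOCKS relay, and it can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from ISA Server: a Python triage over a constructed `netstat -an` capture, generalising the hand check to any number of peers. The LAT range (the internal network ISA treats as "inside"), the addresses and the netstat lines are all constructed for illustration.

```python
"""Triage a 'netstat -an' capture for the open-SOCKS-relay pattern.

Added example, not code from the original thread. The LAT range and the
netstat lines below are constructed for illustration.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto laddr lport raddr rport state")

# Assumed LAT (ISA's Local Address Table): the ranges the firewall treats as
# internal. Anything outside these ranges is the internet.
LAT = [ipaddress.ip_network("192.168.16.0/24")]

SOCKS_PORT = 1080
SMTP_PORT = 25

# Constructed Windows 'netstat -an' output shaped like the observation in the
# thread: outside hosts on local port 1080, plus outbound sessions to port 25.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    203.0.113.10:1080      198.51.100.23:3412     ESTABLISHED
  TCP    203.0.113.10:1080      198.51.100.24:3877     ESTABLISHED
  TCP    203.0.113.10:1080      198.51.100.25:1045     ESTABLISHED
  TCP    203.0.113.10:3501      64.4.0.1:25            ESTABLISHED
  TCP    203.0.113.10:3502      64.4.0.2:25            ESTABLISHED
  TCP    203.0.113.10:3503      192.0.2.7:25           SYN_SENT
  TCP    192.168.16.2:1080      192.168.16.50:1200     ESTABLISHED
  TCP    192.168.16.2:139       192.168.16.50:1098     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def split_addr(addr):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' (UDP wildcard) -> (None, None)."""
    host, _, port = addr.rpartition(":")
    if not port.isdigit():
        return None, None
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Return a Conn record for every TCP/UDP line in a netstat -an dump."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        laddr, lport = split_addr(parts[1])
        raddr, rport = split_addr(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        conns.append(Conn(parts[0], laddr, lport, raddr, rport, state))
    return conns


def is_internal(ip):
    """True if ip falls inside one of the LAT ranges (explicit, not is_private)."""
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(a in net for net in LAT)


def triage(conns):
    """Bucket connections the way the thread reasons about them."""
    socks_outside, socks_inside, smtp_out = set(), set(), []
    for c in conns:
        if c.proto != "TCP" or c.raddr in (None, "0.0.0.0"):
            continue  # listeners and UDP carry no peer to classify
        if c.lport == SOCKS_PORT:
            # A peer on our SOCKS port that is not in the LAT is an outsider.
            (socks_inside if is_internal(c.raddr) else socks_outside).add(c.raddr)
        elif c.rport == SMTP_PORT and c.state in ("ESTABLISHED", "SYN_SENT"):
            smtp_out.append(c.raddr)
    return {"socks_from_outside": socks_outside,
            "socks_from_inside": socks_inside,
            "smtp_outbound": smtp_out}


def relay_suspected(conns, min_outside=2, min_smtp=2):
    """Heuristic: external SOCKS clients AND fan-out to port 25 at the same time."""
    t = triage(conns)
    return (len(t["socks_from_outside"]) >= min_outside
            and len(t["smtp_outbound"]) >= min_smtp)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for key, value in triage(conns).items():
        print("%-20s %s" % (key, sorted(value)))
    print("open SOCKS relay suspected:", relay_suspected(conns))
```

On a live box the same functions take the real output of `netstat -an` piped into a file; the point of keeping the LAT explicit is that ISA's own notion of "inside" is what decides whether a peer on 1080 is legitimate, not whether the address is RFC 1918.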
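The resolution message makes the key point: no packet filter or rule published port 1080, yet outsiders could still drive the SOCKS application filter, and a scanner was all a spammer needed to find it. The direct way to confirm that exposure (and, after re-running the wizard, to confirm the fix) is to do from outside what the spammers did: a SOCKS4 CONNECT through the firewall's external address toward a mail server on port 25. This is an added example written for this page, not the astra-soft tool or anything shipped with ISA; the wire format is the published SOCKS4 one, while the host names, the `probe` user ID and the canned replies in the test are constructed.

```python
"""SOCKS4 open-relay check: can an outsider CONNECT through port 1080 to a
mail server on port 25?

Added example, not from the original thread or any ISA tool. Hosts, ports
and the 'probe' user ID are constructed for illustration.
"""
import socket
import struct
import sys

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_CODES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "identd not reachable",
    0x5D: "identd user mismatch",
}


def build_connect_request(dst_ip, dst_port, userid=b"probe"):
    """SOCKS4 CONNECT: VN | CD | DSTPORT (2 bytes BE) | DSTIP (4 bytes) | USERID | NUL."""
    return struct.pack(">BBH4s", SOCKS4_VERSION, CMD_CONNECT, dst_port,
                       socket.inet_aton(dst_ip)) + userid + b"\x00"


def parse_reply(data):
    """Decode the 8-byte SOCKS4 reply: VN(0) | CD | DSTPORT | DSTIP.

    Returns (granted, code, description). Anything other than an 8-byte
    reply with VN == 0 is treated as 'not an open SOCKS4 relay'.
    """
    if len(data) < 8:
        return False, None, "short or no reply (not a SOCKS4 server?)"
    vn, cd = data[0], data[1]
    if vn != 0:
        return False, cd, "unexpected version byte %d" % vn
    return cd == 0x5A, cd, REPLY_CODES.get(cd, "unknown code 0x%02x" % cd)


def probe(proxy_host, proxy_port, target_ip, target_port=25, timeout=5.0):
    """Run the check over the network from OUTSIDE the firewall.

    Only point this at hosts you are authorised to test. Returns the tuple
    from parse_reply(); when the CONNECT is granted the SMTP banner read
    through the proxy is appended, which is the proof that relaying works.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(target_ip, target_port))
        granted, code, desc = parse_reply(s.recv(8))
        if granted:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""
            desc = "%s; SMTP banner: %r" % (desc, banner)
        return granted, code, desc


if __name__ == "__main__":
    # usage: python socks_probe.py <firewall-external-ip> <mail-server-ip>
    if len(sys.argv) != 3:
        sys.exit("usage: socks_probe.py <firewall-external-ip> <mail-server-ip>")
    print(probe(sys.argv[1], 1080, sys.argv[2]))
```

A granted reply with an SMTP banner behind it is exactly the condition the thread describes: the firewall is accepting SOCKS from the internet and opening port 25 onward on the client's behalf. A rejected reply, or no SOCKS answer at all on 1080, is what the same probe should show once the external interface is no longer treated as internal.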