Re: Trojan ?

  • From: "Wayne Small" <wayne@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 17 Sep 2002 19:53:37 +1000

Jim,
 
Thanks for your help with this.  We have resolved the issue.  The cause
of the issue appeared to be that the external NIC's IP address was
changed and that the SBS Internet Connection Wizard had not been run
since then.  Effectively the site (despite having a correctly
constructed LAT) was allowing outsiders to use it as a socks proxy
server.  We noted that if we disabled the SOCKS application filter, the
system would stop.  We've also found a number of links on the
internet since then which seem to indicate that this style of abuse is
common.  The following web site http://www.astra-soft.com has a tool
which will allow you to scan for potential SOCKS hosts through which you
can relay your SPAM!
 
What concerns me though is that we went over the packet filters, and
site and content rules and they did not specifically allow port 1080 to
be open to the outside world.  Therefore the configuration itself
appeared to be fine.  In hindsight I should have run the isainfo.vbs
which would have allowed me to see more information.
 
Anyway - problem resolved, system was NOT compromised, but was being
used to relay SPAM through.  You learn a little more each day.
 
Thanks for your responses.
 
Regards, 
Wayne Small   MCSE+I,  MCSE 2000 
Technical Director 
Correct Solutions Pty Ltd 
  
Check out www.correct.com.au for more information on Correct Solutions 

 
 
 
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Tuesday, 17 September 2002 2:13 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Trojan ?



http://www.ISAserver.org


Hi Wayne,
 
Bear in mind that any traffic in the FW log came from someone behind the
ISA.
Since you're concerned about SMTP-like traffic, the WEB logs will be of
little use, except possibly to assist in narrowing down the culprit as
most trojan'ed boxes are rarely "single-purposed".
Most traffic originating at the ISA itself is not logged as it uses
packet filters, which do not log "allow" traffic by default.
 
 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/pages/author_index.asp?aut=3
  http://isatools.org
 Read the books!


----- Original Message ----- 
From: Wayne  <mailto:wayne@xxxxxxxxxxxxxx> Small 
To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx>  
Sent: Monday, September 16, 2002 2:15 PM
Subject: [isalist] Re: Trojan ?

http://www.ISAserver.org


Jim,
 
As a test we have disabled the SMTP service on the server - therefore
the only thing making calls outbound to port 25 is the trojan itself.
We're getting someone onsite this morning to look at the issue better as
it only came to us at 4:30pm yesterday afternoon.  In the ISA WEB & FW
logs, there appears to be no suspicious activity - except for a number
of connections being sent out to port 25.
 
Really strange.
 
Regards, 
Wayne Small   MCSE+I,  MCSE 2000 
Technical Director 
Correct Solutions Pty Ltd 
  
Check out www.correct.com.au for more information on Correct Solutions 

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, 17 September 2002 2:15 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Trojan ?


http://www.ISAserver.org


Take a look at the ISA WEB and FW logs to determine where these requests
may be originating from.
Since you have SBS2K, you probably also have Exch2K installed and
running, which might explain the dest-TCP-25 connections.
 
 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/pages/author_index.asp?aut=3
  http://isatools.org
 Read the books!


----- Original Message ----- 
From: Wayne  <mailto:wayne@xxxxxxxxxxxxxx> Small 
To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx>  
Sent: Monday, September 16, 2002 5:05 AM
Subject: [isalist] Trojan ?

http://www.ISAserver.org


Today I have inherited a new site that appears to have a trojan running
in it.  They have large amounts of internet traffic - basically the
volume in and out varies by only a few megabytes (as part of 900MB in
24hrs).  We have checked the server and found via netstat, a large
number of connections from the server's local port 1080 to a range of
dynamic ports on a subnet of remote machines.  In addition we have found
a large number of connections from the server's dynamic ports to a number
of remote mail systems on port 25 (i.e. hotmail etc).  The server is an
SBS server and has the standard filters to prevent inbound access to all
ports other than 25.  Specifically there is no filter that allows access
to port 1080 from the internet.  I suspect some trojan (either on the
server or an internal workstation) is making a connection using port
1080 outbound and using this to relay mail most likely spam back out to
the internet.  The server has current AV software and as such I would
think is virus free.  Task Manager does not show any unusual services
running.
 
I have stopped the SOCKS4 Application filter and the connections to the
internet on port 1080 and 25 also stop.  I have also noted a brief
connection to port 80 of a specific IP address on the internet - I
assume the trojan is "phoning home".
 
Anyone else seen activity like this that can provide more information?
 
Regards, 
Wayne Small   MCSE+I,  MCSE 2000 
Technical Director 
Correct Solutions Pty Ltd 
  
Check out www.correct.com.au for more information on Correct Solutions 

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
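
Editor's added example (not code from the thread): the netstat pattern Wayne describes in the original post, foreign hosts attached to the server's TCP 1080 alongside a burst of outbound connections from ephemeral ports to remote TCP 25, can be triaged mechanically. The script below parses a Windows `netstat -an` dump and separates internal SOCKS clients (addresses inside the LAT-style networks you pass in) from outside ones. The dump and the addresses in it are constructed sample data using RFC 5737 documentation ranges; the `internal_nets` list stands in for the site's LAT.

```python
"""Triage a Windows `netstat -an` dump for the open-SOCKS-relay pattern:
outsiders connected to local TCP 1080 plus the server itself fanning out to
remote TCP 25.  Added example; the sample dump below is constructed."""

import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of Windows 2000 `netstat -an`.
# 192.168.16.0/24 is the internal LAN, 203.0.113.10 the external NIC.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.16.2:1080      192.168.16.50:1312     ESTABLISHED
  TCP    203.0.113.10:1080      198.51.100.7:33021     ESTABLISHED
  TCP    203.0.113.10:1080      198.51.100.7:33022     ESTABLISHED
  TCP    203.0.113.10:1080      198.51.100.9:4101      ESTABLISHED
  TCP    203.0.113.10:3344      192.0.2.25:25          ESTABLISHED
  TCP    203.0.113.10:3345      192.0.2.26:25          SYN_SENT
  TCP    203.0.113.10:3301      192.0.2.27:25          TIME_WAIT
  TCP    203.0.113.10:3350      192.0.2.80:80          ESTABLISHED
"""

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<fip>[\d.]+):(?P<fport>\d+)\s+(?P<state>\S+)"
)


def parse_netstat(text):
    """Return (local_ip, local_port, foreign_ip, foreign_port, state) per TCP row."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append((m["lip"], int(m["lport"]), m["fip"], int(m["fport"]), m["state"]))
    return rows


def find_relay_indicators(text, internal_nets, socks_port=1080):
    """Count outside hosts using the SOCKS port and live outbound SMTP sessions.

    internal_nets: CIDR strings for networks that are allowed to use the proxy
    (the equivalent of ISA's LAT).  Anything else connected to socks_port is
    an outsider.  Outbound SMTP is counted only for live sessions from
    ephemeral local ports; TIME_WAIT leftovers are ignored."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def is_internal(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    socks_clients = Counter()
    smtp_targets = Counter()
    for lip, lport, fip, fport, state in parse_netstat(text):
        if state == "LISTENING":
            continue
        if lport == socks_port and not is_internal(fip):
            socks_clients[fip] += 1
        if fport == 25 and lport >= 1024 and state in ("ESTABLISHED", "SYN_SENT"):
            smtp_targets[fip] += 1

    return {
        "external_socks_clients": socks_clients,
        "outbound_smtp": smtp_targets,
        # Both legs together are the relay signature; either alone is weaker.
        "open_relay_suspected": bool(socks_clients) and bool(smtp_targets),
    }


if __name__ == "__main__":
    result = find_relay_indicators(SAMPLE_NETSTAT, ["192.168.16.0/24"])
    for ip, n in result["external_socks_clients"].most_common():
        print("outside host on SOCKS port: %s (%d sessions)" % (ip, n))
    print("live outbound SMTP sessions: %d" % sum(result["outbound_smtp"].values()))
    print("open relay suspected:", result["open_relay_suspected"])
```

Run it against a real dump with `netstat -an > netstat.txt` on the server and pass the LAT networks as `internal_nets`. The internal client on 192.168.16.50 is deliberately not flagged: workstations using the SOCKS proxy is what the filter is for, outsiders using it is the problem.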
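
Editor's added example (not from the thread and not the astra-soft tool it mentions): the condition the thread ends on, ISA's SOCKS application filter answering on the external interface, is confirmed from outside by sending a SOCKS4 CONNECT request to TCP 1080 and reading the 8-byte reply; code 90 means the host will relay for anyone who asks. The request and reply layout below follows the SOCKS4 protocol; the loopback "relay" is a stub that grants every request so the probe can be exercised offline, and the destination 192.0.2.10:25 is a placeholder documentation address.

```python
"""Probe a host for an open SOCKS4 relay.  Added example, not the thread's
or any vendor's code.  SOCKS4 request: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.
Reply: VN=0, CD (90 granted, 91..93 rejected), DSTPORT, DSTIP."""

import socket
import struct
import threading

SOCKS4_VERSION = 4
SOCKS4_CONNECT = 1
REPLY_CODES = {
    90: "request granted (host will relay for you)",
    91: "request rejected or failed",
    92: "rejected: cannot reach client identd",
    93: "rejected: identd user mismatch",
}


def build_socks4_connect(dst_ip, dst_port, userid=b"probe"):
    """Encode a SOCKS4 CONNECT request for dst_ip:dst_port."""
    return struct.pack(">BBH4s", SOCKS4_VERSION, SOCKS4_CONNECT, dst_port,
                       socket.inet_aton(dst_ip)) + userid + b"\x00"


def parse_socks4_reply(data):
    """Decode the 8-byte SOCKS4 reply; returns (code, description, granted)."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply: %r" % (data,))
    vn, cd, _port, _ip = struct.unpack(">BBH4s", data[:8])
    if vn != 0:
        raise ValueError("unexpected reply version byte %d" % vn)
    return cd, REPLY_CODES.get(cd, "unknown code %d" % cd), cd == 90


def probe_socks4(host, port=1080, dst=("192.0.2.10", 25), timeout=5.0):
    """Ask host:port to CONNECT to dst on our behalf and report the reply.

    Run this from an address outside the site's LAT; a 90 from there means
    the proxy is open to the Internet.  Use a dst you control (your own
    SMTP listener) so you can also see the relayed connection arrive."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_socks4_connect(dst[0], dst[1]))
        reply = b""
        while len(reply) < 8:
            chunk = s.recv(8 - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_socks4_reply(reply)


def start_fake_open_relay():
    """Loopback SOCKS4 stub for offline testing: grants every CONNECT without
    dialling the destination.  Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            req = b""
            # The USERID field ends at the first NUL after the 8-byte header.
            while not (len(req) > 8 and b"\x00" in req[8:]):
                chunk = conn.recv(64)
                if not chunk:
                    return
                req += chunk
            vn, cd, dport, dip = struct.unpack(">BBH4s", req[:8])
            code = 90 if (vn == SOCKS4_VERSION and cd == SOCKS4_CONNECT) else 91
            conn.sendall(struct.pack(">BBH4s", 0, code, dport, dip))

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


if __name__ == "__main__":
    port, t = start_fake_open_relay()
    code, text, granted = probe_socks4("127.0.0.1", port)
    t.join(5)
    print("reply %d: %s" % (code, text))
```

Against a real ISA box, point `probe_socks4` at the external NIC's address from a host outside the LAT; a 91 (or a connection refused) is what a correctly configured site returns, a 90 is the state Wayne found.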