davids355 asked:
abuseat.org is reporting a trojan on our system, how can I find it?

I have a problem on one of the systems I manage: it is a small server-based network with 20 clients and we are running Server 2003, but only using a POP email system on the client machines.

We have a dynamic IP address (we don't use Exchange).

Every few weeks, email will not send and we get this error message from the provider (it comes up after a failed send and receive in Outlook):

task sending reported an error:
the server responded, please see:
please see:
spamhaus.org/query/ip=-blocked-for-security

When I follow the link to Spamhaus, it points out that I am on two lists:

1. [my IP] is listed in the PBL:
This IP range has been identified by Spamhaus as not meeting our policy for IPs permitted to deliver unauthenticated 'direct-to-mx' email to PBL users.
Important: If you are using any normal email software (such as Outlook, Entourage, Thunderbird, Apple Mail, etc.) and you are being blocked by this Spamhaus PBL listing when you try to send email, the reason is simply that you need to turn on "SMTP Authentication" in your email program settings. For help with SMTP Authentication or ways to quickly fix this problem click here.
- I'm not sure if this is relevant or not. Would not authenticating really cause this issue, or is this just a ramification of the next listing?

2. [my IP] is listed in the XBL, because it appears in:
CBL
IP Address [my ip] is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
It was last detected at 2012-08-01 12:00 GMT (+/- 30 minutes), approximately 4 hours ago.
This IP address is infected with, or is NATting for a machine infected with a Trojan called Win32/Zbot (Microsoft), also known as "ZeuS" or "WSNPoem".
In this particular case, this host is infected with ZeuSv3, one of the most recent versions of ZeuS that is using peer-to-peer (P2P) command and control mechanisms. This version of Zeus is also known as "P2P ZeuS" or "Gameover malware".
ZeuSv3 takes advantage of P2P techniques by communicating with other nodes (=infected computers) on high ports (UDP and TCP).
To find an infected computer on a NATted network you will have to search through your firewall logs for connections from/to UDP port 15699. However, any process or host sending/receiving large numbers of UDP or TCP packets on high ports (10,000 and higher) should be looked at closely.


-- I have been running Wireshark for the last two weeks, and I checked the period around the time stated above and could only find genuine email being sent from genuine users. I filtered the packets to show just port 25 communications and then filtered by MAIL TO, to see what was being sent out around that time period.


My questions are:
1. Could the virus be sending out from a port other than port 25?

2. Is it possible this is a false positive, or is there definitely a virus on my network? (Seeing as we are using a dynamic IP, is it possible the virus is somewhere else on our WAN subnet?)

3. Point number 2 on the Spamhaus site suggests we monitor traffic on UDP port 15699. Is this a sure way to discover the virus, or are there other ports I should be monitoring with Wireshark?

Thanks in advance.

Dave
Alan Hardisty:
Please have a read of my article and see if you are victim to an Authenticated Relay or NDR Spam:

https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Alan
Member_2_6373554:
1. The virus will not send FROM port 25, it will send TO port 25.
2. Yes, it's possible. Spam blacklists are not always accurate; if you have a dynamic IP it may happen that the IP was blacklisted when it was leased to another ISP customer.
3. Port 15699 is a sure thing with the "original" virus; if it's a custom modification/newer version they could've changed the port to avoid such checking and firewall blacklisting.

It's possible that running network traffic scans from your workstation isn't showing the full picture, as modern switches will completely prevent such scans even if you put your NIC in promiscuous mode. To do decent traffic monitoring you would need to do it on your router, or by plugging an old hub between the switch and the internet router, plugging your workstation into the hub and sniffing out the traffic with Wireshark/tcpdump.

I would run full antivirus/antimalware scans on all machines in your network.

Try this: http://support.kaspersky.ru/downloads/utils/zbotkiller.exe
davids355 (asker):
Thanks for the replies.

1. Sorry, that's what I meant; I have set Wireshark to monitor communications over port 25 (either way).
I tested it by opening a connection to an external server on port 25, and it picked up the comms.

Regarding the capture of all traffic, I have purchased a specific hub so as to capture all traffic. I have the router connected to the hub and the hub connected to both my monitoring PC and the rest of the network, so I should be capturing everything.

I will try monitoring on that UDP port, or perhaps I should monitor a large range on high end UDP ports?

> we have a dynamic ip address (we don't use exchange).

Well, that's the whole issue: you should opt for a static IP address. The dynamic IP which is now yours was with a spammer earlier and will be with some virus-infected system later on, and you are paying the price for it.

Plus an email server. I would recommend simple Linux+sendmail or Linux+Postfix mail server.

Linux is free and so is the email server running on it (sendmail or Postfix).

^^ I am certain it is our system that the problem is originating from, for two reasons:

1. It's been happening for the last 6 months+ (it was an issue before we took over support).

2. Today, for example, I found the problem this morning, and before I had even done anything, Spamhaus updated the "time of last issue", so I know it was continuing after we had the IP address.

But it was never yours. There is no solution to the issue unless you have a static IP address with a proper email server in place. But that's only my opinion, unless some other experts at EE have some solution.

Further, dynamic IP addresses are most likely to be listed on different RBLs, CBLs and other xBLs for a variety of reasons:
First, no proper PTR records.
No proper DNS or rDNS records for the IP address being used.
Email sent from various IP addresses, not from a single address.
And since you didn't mention what domain name the users use to send the email, I believe that could also be one of the issues.

What are you using for your outbound email settings?

You should be using either your ISP's mail server or a 3rd party mail server, but using a 3rd party mail server may cause you problems because 100% of dynamic IP addresses will be blacklisted on one or more IP address blacklist sites.

Surely a lot of people use third-party mail systems though.
For example, of the companies we look after, a good 15% of them use a POP-based email system (not everyone can afford to implement an Exchange system).

I think I will monitor traffic on high UDP ports, and in the meantime I'll contact the provider to see if they can help.

In answer to your question, we use the domain provider's SMTP server for outgoing mail.

POP is always a problem when sending.

A Hosted Exchange solution would be a much better option as the originating IP Address is the IP Address of the Exchange Server and not the IP Address of your ISP connection, which is what will happen when sending mail using a POP3/SMTP setup.

Plenty of companies will use POP3/SMTP, but plenty of those emails will get rejected by Spam Filters due to the originating IP Address being Dynamic and thus listed on various IP Address Blacklists.

Spam filters look at the originating IP Address and that is why POP3 / SMTP can cause headaches.

If you want to temporarily resolve the problem (with luck), reboot your router and it should hopefully pick up a new Dynamic IP Address, which might be a bit cleaner.

I appreciate what you are saying, and for the record I am always trying to promote Exchange to all of our customers (more for the centralized management).

However, I am reasonably satisfied that there is a problem here (as I said, it's been going on for some length of time and, as I understand it, rebooting the router to pick up a new address was the advised solution of the last IT company!).

Anyway, I have now set up Wireshark to capture any activity between UDP ports 10,000 - 20,000.

And tomorrow I am going to speak to the hosting provider and see if they have a solution, seeing as they are actually blocking comms.

I will report back.

Are you using port 25 outbound to your ISP's mail server or port 587?

If port 25 - see if they can use port 587, then configure your clients to use port 587 and block TCP port 25 outbound on your firewall and that should stop any internal issues of spam sending.

^^ Ah, that's a good idea. Yes, I am using port 25 at the moment. I did also read that port 587 is better and normally the host provider will not block any comms that it receives on port 587 - it's one of the things I was going to confirm with them when I ring them tomorrow.

I will try that, thanks.
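Two detection ideas come up in this thread: the CBL text in the question (search the firewall logs for UDP port 15699 and for hosts reaching many peers on ports 10,000 and up), and the suggestion just above (move clients to port 587 on the relay and block outbound TCP 25). Both can be answered from one pass over the NAT router's outbound connection log, which also tells you which internal host behind the NAT is responsible, something a port-25-only Wireshark filter will not. The script below is an added example and is not code from the thread or from Spamhaus, Wireshark or any other tool named here. The log line format, the LAN range 192.168.1.0/24, the relay address 198.51.100.20 and all sample lines are constructed for the example; a real router export will need its own regex.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of outbound connection log lines from a NAT router.
# Hypothetical format: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>".
# 192.168.1.37 is the planted "infected" host; the other hosts are normal.
SAMPLE_LOG = """\
2012-08-01T11:50:01 ALLOW TCP 192.168.1.12:49211 -> 198.51.100.20:587
2012-08-01T11:50:02 ALLOW TCP 192.168.1.12:49212 -> 203.0.113.80:443
2012-08-01T11:50:09 ALLOW TCP 192.168.1.20:51002 -> 198.51.100.20:25
2012-08-01T11:51:00 ALLOW UDP 192.168.1.37:52134 -> 203.0.113.9:15699
2012-08-01T11:51:01 ALLOW UDP 192.168.1.37:52134 -> 203.0.113.44:23311
2012-08-01T11:51:01 ALLOW UDP 192.168.1.37:52134 -> 198.51.100.61:19876
2012-08-01T11:51:02 ALLOW UDP 192.168.1.37:52134 -> 203.0.113.120:31004
2012-08-01T11:51:02 ALLOW TCP 192.168.1.37:52135 -> 192.0.2.77:27015
2012-08-01T11:51:03 ALLOW UDP 192.168.1.37:52134 -> 192.0.2.18:14422
2012-08-01T11:51:10 ALLOW TCP 192.168.1.37:52140 -> 192.0.2.5:25
2012-08-01T11:51:11 ALLOW TCP 192.168.1.37:52141 -> 203.0.113.200:25
2012-08-01T11:51:12 ALLOW TCP 192.168.1.37:52142 -> 192.0.2.6:25
2012-08-01T11:52:00 ALLOW UDP 192.168.1.50:60001 -> 198.51.100.77:30000
2012-08-01T11:52:05 ALLOW TCP 192.168.1.12:49230 -> 198.51.100.20:587
"""

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
RELAY_IP = "198.51.100.20"  # assumed address of the provider's SMTP relay

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def _outbound(records, internal_net):
    """Yield only connections initiated by hosts inside the LAN."""
    for rec in records:
        if ipaddress.ip_address(rec["src"]) in internal_net:
            yield rec


def find_p2p_suspects(records, internal_net, zeus_port=15699,
                      high_port=10000, peer_threshold=5):
    """Flag LAN hosts that touch the port named in the CBL listing, or that reach
    an unusual number of distinct peers on high ports (the P2P C2 pattern the
    listing describes). Returns {host: [reason, ...]}."""
    zeus_peers = defaultdict(set)   # host -> remote IPs seen on zeus_port
    high_peers = defaultdict(set)   # host -> remote IPs seen on ports >= high_port
    for rec in _outbound(records, internal_net):
        if zeus_port in (rec["sport"], rec["dport"]):
            zeus_peers[rec["src"]].add(rec["dst"])
        if rec["dport"] >= high_port:
            high_peers[rec["src"]].add(rec["dst"])
    suspects = {}
    for host in set(zeus_peers) | set(high_peers):
        reasons = []
        if host in zeus_peers:
            reasons.append("traffic on port %d with %d peer(s)" % (zeus_port, len(zeus_peers[host])))
        if len(high_peers.get(host, ())) >= peer_threshold:
            reasons.append("%d distinct peers on ports >= %d" % (len(high_peers[host]), high_port))
        if reasons:
            suspects[host] = reasons
    return suspects


def audit_smtp(records, internal_net, relay_ip):
    """Classify outbound mail connections: direct-to-MX on TCP 25 (what the PBL
    forbids and what a spam bot does), relay on 25 (should move to 587), and
    relay on 587 (the intended path once TCP 25 is blocked at the firewall)."""
    report = {"direct_to_mx": defaultdict(set), "relay_port25": set(), "relay_submission": set()}
    for rec in _outbound(records, internal_net):
        if rec["proto"] != "TCP":
            continue
        if rec["dport"] == 25:
            if rec["dst"] == relay_ip:
                report["relay_port25"].add(rec["src"])
            else:
                report["direct_to_mx"][rec["src"]].add(rec["dst"])
        elif rec["dport"] == 587 and rec["dst"] == relay_ip:
            report["relay_submission"].add(rec["src"])
    report["direct_to_mx"] = dict(report["direct_to_mx"])
    return report


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, why in sorted(find_p2p_suspects(recs, INTERNAL_NET).items()):
        print("P2P suspect %s: %s" % (host, "; ".join(why)))
    mail = audit_smtp(recs, INTERNAL_NET, RELAY_IP)
    for host, mxs in sorted(mail["direct_to_mx"].items()):
        print("direct-to-MX on TCP 25 from %s -> %s" % (host, ", ".join(sorted(mxs))))
    print("still using relay on port 25:", sorted(mail["relay_port25"]))
    print("using relay on port 587:", sorted(mail["relay_submission"]))
```

On the constructed sample only 192.168.1.37 is flagged, on both counts: it is the one host talking on port 15699 and the only one with more than a handful of distinct high-port peers; the single high-port UDP flow from 192.168.1.50 stays below the threshold, which is the kind of ordinary noise (VoIP, games) the threshold is there to ignore. The same host is also the only one opening TCP 25 to addresses other than the relay, which is exactly the traffic a firewall rule blocking outbound 25 (except to the relay) would stop and log. The peer threshold is a starting point, not a tuned value; raise it if legitimate P2P or VoIP traffic on the LAN trips it.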
ASKER CERTIFIED SOLUTION (davids355):
Resolved myself with the help of Wireshark.