Solved

Unidentified IP address on the network?

Posted on 2003-11-13
Last Modified: 2013-12-07
Hi Experts,

I am not sure if I should be posting this in the security area or the networking area. I apologize if this is the wrong place.
I really have a weird problem.

I have a Netgear FVS318 router on DSL on a single network (Windows 2000 Server), 192.168.1.X / 255.255.255.0.
I have accounted for all the machines except one (192.168.1.12).

I can't ping this machine; however, when I do a TCP port scan, it shows ports 25 and 110 open.
A UDP port scan reveals several different ports.
I have checked everything: network printers and any other network devices, but no answers. Even the Netgear router does not list this IP in its attached devices list. I can see that there is byte transfer from this IP using eTrust Intrusion Detection and Kerio Network Monitor.

Please advise. Is there anything I am missing that I should check?

Thanks,

Kris



Question by: krisred
 
LVL 34

Expert Comment

by:PsiCop
Are you sure that isn't a secondary address bound to one of your other machines?
0
 
LVL 2

Expert Comment

by:mcmurrick
If you have physically identified all equipment directly connected to your internal network and have ruled out an overlooked additional device or machine on your network, you should check whether any of your machines have an alternate connection defined, i.e. multiple IP addresses assigned to an individual machine. Multiple IP configurations are possible in more recent NT-based versions of Windows and in Linux.
0
 
LVL 2

Expert Comment

by:ihuckaby
Well, port 25 is SMTP and 110 is POP3, so whatever it is, it wants to do mail.

Have you sniffed the packets yet?  If it's actually doing POP3, those usernames and passwords are clear text.  That might help.

Do you have a mail server inside?

It might be that you have a machine that's been infected with one of those wonderful Trojans that have their own SMTP server so that they can spam.  However, that would generally respond to a ping.

Out of morbid curiosity, have you accounted for the router?  I'm guessing you have, as you can look at its attached devices.
0
 

Author Comment

by:krisred
Hi PsiCop, mcmurrick, ihuckaby,

How do I check if there is a secondary address bound, or multiple IP addresses assigned to a single machine?
Yes, I have accounted for the router, which is our gateway (192.168.1.1).

We do have a mail server (MDaemon Mail Server) behind the Netgear router. The only ports open to the internet through the firewall are 25 and 110.
I have checked for trojans and viruses; found none.

Well, from what I can tell using eTrust Intrusion Detection, the machine (192.168.1.12) is receiving ICMP requests from the following clients:
69.27.199.93
66.30.11.18
66.29.199.157
66.29.199.226
66.29.199.240
and so on.....

Thanks,

Kris
0
 
LVL 35

Expert Comment

by:ShineOn
You can either look in the TCP/IP properties or do an IPCONFIG/ALL from a command prompt on each machine
0
 
LVL 16

Expert Comment

by:SteveJ
Telnet to port 25 on that address and see what it says.

Steve
0
 
LVL 2

Assisted Solution

by:ihuckaby
ihuckaby earned 100 total points
Those IP addresses you've listed would appear to be home-type nodes.  (e.g. 66.29.199.157 = dialup-b-157.foxberry.net)  Not sure why they would be pinging into you.

Do you have your router configured for port forwarding?  Common sense would have it forwarding ports 25 and 110 to your mail server, which would have those ports open.  I would look at the address it's forwarding to, to see if it's 192.168.1.12 or an external address.  If it's an external address, then 192.168.1.12 might be your internal address on the mail server.

At any rate, I'd follow the others' advice and do an "ipconfig /all" at the command prompt of your machines, starting with the mail server.  That should let you know if one of the machines you know about has 192.168.1.12 as its secondary address.
0
 
LVL 34

Expert Comment

by:PsiCop
I also like the idea of telnetting to port 25 on that address and see what responds.
0
 

Expert Comment

by:rossboulet
Once you telnet to or even attempt to ping the device, an arp -a command should then show the physical address of the network interface in the mystery device.  Match that up with known physical addresses to see if it's a second address on an existing device.
0
 

Author Comment

by:krisred
I checked all the machines with ipconfig /all, but did not find a secondary address (192.168.1.12).

I cannot telnet to port 25 or 110 on the machine (192.168.1.12) or ping it.

I checked the router's port forwarding to see if it's forwarding to the right machine (the machine hosting the mail server). The settings are correct and it is not being forwarded to 192.168.1.12.

The other thing I noticed that was unusual in the mail server's SMTP-out logs is that there are a lot of emails (spam) trying to go out, but all the emails say "sender not specified". I ran a trojan scanner to see if there were any; could not find any. However, the spam attempts to leave the mail server were unsuccessful.

This machine 192.168.1.12 has a physical address, as detected by the eTrust Intrusion Detection scanner, of 00:40:F4:6C:B1:CD.
Does this mean that there is a physical device? Or?
0
 

Author Comment

by:krisred
This is what I am seeing in the logs:

Thu 13/Nov/2003 13:28:09 ICMP: 192.168.1.12:8 <- 69.27.197.77:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:30:16 ICMP: 192.168.1.12:8 <- 69.30.10.66:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:31:04 ICMP: 192.168.1.12:8 <- 69.27.243.180:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:31:26 ICMP: 192.168.1.12:8 <- 69.33.99.218:8     0 + 64By,     0s      - unknown service: 192.168.1.12


0
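The log lines above are regular enough to parse, and the two things worth pulling out of them are who is sending the echo requests (public addresses reaching an RFC1918 host, which only happens if the router forwards them or the inside host started the conversation) and how regular the pings are. The following is an added example for this thread, not code from the original page or from eTrust; the line format is copied from Kris's log, the sample lines are constructed for the demo, and the last one (an intra-LAN ping) is invented to show the public/private split.

```python
"""Summarise ICMP echo requests aimed at one internal host from an eTrust-style log.

Added example, not from the original thread or from eTrust. LINE_RE follows the
format of the posted log lines; SAMPLE_LOG is constructed for the demo.
"""
import ipaddress
import re
import statistics
from collections import Counter
from datetime import datetime

# "Thu 13/Nov/2003 13:28:09 ICMP: 192.168.1.12:8 <- 69.27.197.77:8  0 + 64By, ..."
# The number after each address is the ICMP type; 8 is an echo request.
LINE_RE = re.compile(
    r"^\w{3} (?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) ICMP: "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dtype>\d+) <- "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<stype>\d+)"
)

# Constructed sample: four lines in the posted format plus a repeat from the
# first source and one intra-LAN ping (192.168.1.204 -> 192.168.1.9).
SAMPLE_LOG = """\
Thu 13/Nov/2003 13:28:09 ICMP: 192.168.1.12:8 <- 69.27.197.77:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:30:16 ICMP: 192.168.1.12:8 <- 69.30.10.66:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:31:04 ICMP: 192.168.1.12:8 <- 69.27.243.180:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:31:26 ICMP: 192.168.1.12:8 <- 69.33.99.218:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:33:30 ICMP: 192.168.1.12:8 <- 69.27.197.77:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:35:12 ICMP: 192.168.1.9:8 <- 192.168.1.204:8     0 + 64By,     0s      - unknown service: 192.168.1.9
"""


def parse_log(text):
    """Return one dict per parseable ICMP line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S"),
            "dst": m["dst"], "dtype": int(m["dtype"]),
            "src": m["src"], "stype": int(m["stype"]),
        })
    return events


def summarize(events, target):
    """Count echo requests to `target`, split the sources into RFC1918 and
    public, and estimate the beacon interval from the inter-arrival gaps."""
    hits = sorted((e for e in events if e["dst"] == target and e["dtype"] == 8),
                  key=lambda e: e["ts"])
    public, private = Counter(), Counter()
    for e in hits:
        bucket = private if ipaddress.ip_address(e["src"]).is_private else public
        bucket[e["src"]] += 1
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
    return {
        "echo_requests": len(hits),
        "public_sources": dict(public),
        "private_sources": dict(private),
        "median_gap_s": statistics.median(gaps) if gaps else None,
        # A public source reaching a private address means the NAT router
        # forwarded it, or the inside host opened the conversation itself.
        "routed_from_internet": ipaddress.ip_address(target).is_private and bool(public),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_log(SAMPLE_LOG), "192.168.1.12"), indent=2))
```

On the constructed sample the median gap comes out at 86 seconds with every source public, which is the pattern the thread later reads as a planter checking on its implant; on a real capture the distinct-source count and the gap distribution are what separate a beacon check-in from ordinary scanning noise.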
 
LVL 16

Assisted Solution

by:SteveJ
SteveJ earned 150 total points
First of all, if a TCP scan said that there's a device listening on TCP port 25, that's because the scanner was able to connect to it. So I don't immediately understand why you can't telnet to it (telnet 192.168.1.12 25).

ihuckaby is probably on to something with his comment about the trojan (regardless of whether your trojan scanner found one). I would ping every address on the network from my PC and then look at the arp cache to see which IP address has the MAC address 00:40:F4:6C:B1:CD. That's the infected machine.

By the way, ihuckaby, the 69.x.x.x address that you found is the internet-facing address, and the person/machine pinging is behind that interface with a private address . . . and the reason that they'd be pinging is to see if their trojan was properly installed and running.

Good luck,
Steve
0
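rossboulet's and SteveJ's suggestion (ping the subnet, then read the ARP cache and match the MAC against the adapters each box reports in ipconfig /all) is easy to do by hand on a /24, but the matching step is where mistakes happen. The following is an added example of that reconciliation, not code from the original thread: it parses constructed Windows 2000 `ipconfig /all` and `arp -a` dumps, reports any ARP entry whose MAC belongs to no inventoried adapter, shows the OUI vendor and whether the address is locally administered (the kind of spoofed MAC chicagoan mentions later in the thread), and lists adapters carrying more than one IP. The router and .9 MACs are the ones Kris posted; the mail server's MAC, the secondary address on .9 and the single-entry OUI table are assumptions for the demo.

```python
"""Reconcile `arp -a` against the adapters reported by `ipconfig /all`.

Added example for this thread, not code from the original page. The dumps
below are constructed in Windows 2000 format; the router and .9 MACs come
from the thread, the rest is invented for the demo.
"""
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}")

# Assumption: a one-entry OUI table (00:40:F4 = Cameo, as stated in the thread).
# In practice load the IEEE OUI list.
OUI = {"00:40:f4": "Cameo Communications"}

IPCONFIG_HOST9 = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ws09

Ethernet adapter Local Area Connection:

        Physical Address. . . . . . . . . : 00-50-BA-C8-B3-C6
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.9
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        IP Address. . . . . . . . . . . . : 192.168.1.99
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

IPCONFIG_HOST204 = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : mail01

Ethernet adapter Local Area Connection:

        Physical Address. . . . . . . . . : 00-E0-18-12-34-56
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.204
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Devices with no ipconfig, entered by hand (Netgear router MAC from the thread).
KNOWN_DEVICES = {"00:09:5b:82:d8:c8": ["192.168.1.1"]}

ARP_A_OUTPUT = """\
Interface: 192.168.1.50 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.1.1           00-09-5b-82-d8-c8     dynamic
  192.168.1.9           00-50-ba-c8-b3-c6     dynamic
  192.168.1.12          00-40-f4-6c-b1-cd     dynamic
  192.168.1.99          00-50-ba-c8-b3-c6     dynamic
  192.168.1.204         00-e0-18-12-34-56     dynamic
"""


def normalize_mac(mac):
    return mac.replace("-", ":").lower()


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address is not a burned-in OUI."""
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x02)


def vendor(mac):
    return OUI.get(normalize_mac(mac)[:8], "unknown OUI")


def parse_ipconfig(text):
    """Return {mac: [ip, ...]} for every adapter in one host's ipconfig /all."""
    adapters, current = {}, None
    for line in text.splitlines():
        if "Physical Address" in line:
            current = normalize_mac(MAC_RE.search(line).group(0))
            adapters[current] = []
        elif "IP Address" in line and current:
            adapters[current].append(line.split(":")[-1].strip())
    return adapters


def build_inventory(ipconfig_dumps, extra_devices):
    inventory = {}
    for dump in ipconfig_dumps:
        inventory.update(parse_ipconfig(dump))
    inventory.update(extra_devices)
    return inventory


def parse_arp(text):
    """Return {ip: mac} from `arp -a` output; header lines carry no MAC."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and MAC_RE.fullmatch(parts[1]):
            table[parts[0]] = normalize_mac(parts[1])
    return table


def reconcile(inventory, arp):
    unknown = [
        {"ip": ip, "mac": mac, "vendor": vendor(mac),
         "locally_administered": is_locally_administered(mac)}
        for ip, mac in sorted(arp.items()) if mac not in inventory
    ]
    secondary = {mac: ips for mac, ips in inventory.items() if len(ips) > 1}
    return {"unknown": unknown, "secondary_ips": secondary}


if __name__ == "__main__":
    inv = build_inventory([IPCONFIG_HOST9, IPCONFIG_HOST204], KNOWN_DEVICES)
    print(reconcile(inv, parse_arp(ARP_A_OUTPUT)))
```

In the sample, 192.168.1.99 resolves to a MAC that an inventoried box reports, so it is a secondary address rather than a stranger; 192.168.1.12 resolves to a burned-in Cameo OUI that no `ipconfig /all` on the LAN owns, which is the situation Kris is describing. A static `arp -s` entry would make the ARP table show the MAC even when nothing answers, so clear it before running this, or the check proves nothing.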
 

Expert Comment

by:rossboulet
Does that same physical address (00:40:F4:6C:B1:CD) match any other known device on your network?
0
 

Author Comment

by:krisred
I am not sure why I can't telnet to the machine. When I telnet 192.168.1.12 110 or 25, it says "cannot connect to host: operation timed out".

I checked the ARP cache after pinging all the IP addresses on the network, but none of them matched 192.168.1.12 (00:40:F4:6C:B1:CD).


Well, I don't know what else to do.
0
 

Expert Comment

by:rossboulet
Did you check the physical address of the machine you are on?
0
 
LVL 16

Expert Comment

by:SteveJ
00:40:F4 belongs to Cameo Communications . . . You don't have any wireless stuff on your WAN, do you?

Try adding the 00:40:F4 MAC address to your arp cache statically and see if you can telnet to it then. If it's a trojan, it probably doesn't have the ability to respond to arp requests . . . which is why your scanner may have been able to detect it but you couldn't telnet to it.

. . . sounds more and more like a spam generator.


Good luck,
Steve
0
 

Author Comment

by:krisred
No, we don't have any wireless devices on the LAN.

I tried adding the address
arp -s 192.168.1.12 00-40-F4-6C-B1-CD
to the ARP cache statically; telnet did not work (no response).

I am still logging the ICMP logs almost every 2 minutes

Thanks,

Kris
0
 

Author Comment

by:krisred
Of course, I checked the physical address on the machine I was on.
Found nothing; I even ran a trojan scanner with current trojan definitions. Nothing at all.
0
 
LVL 35

Assisted Solution

by:ShineOn
ShineOn earned 100 total points
There are worms that have their own SMTP engine built in, also.  Those worms also tend to disable antivirus scanning as part of their thing.

Start looking at the system services and running tasks to see if anything sticks out as a bit unusual from the rest.

Alternatively, run a web-based free antivirus scan on all the PCs; they can't be blocked by worm payloads.  A good one is Trend Micro's Housecall, at http://housecall.trendmicro.com/

A lot of backdoors don't show up on virus scans, so you may also want to run something along the lines of SpySweeper, http://www.webroot.com.  It picks up spyware and backdoors that antivirus scanners miss.

If you have a spam generator running on one of your systems, it was probably planted with a backdoor.
0
 
LVL 2

Expert Comment

by:ihuckaby
Sorry I've been absent.  Work called.

If those "home" addresses are pinging you "almost every two minutes", then I'd have to agree that you almost definitely have a Trojan / spam generator installed on one of your machines, and its planter is checking on it.

I would go with ShineOn's recommendations and try the web scanners.  Local antivirus solutions are fairly well known and frequently circumvented.

Depending on your layer 2 layout: if you are using switches, you might try sniffing individual ports.  You'd either need to span ports, or hook a hub up in between the end device and the switch.  One of them is going to have packets coming from that box (MAC address, IP address, etc.).  That will let you know which switch port it's coming in on, which might give you the machine if you can trace the cable back.  If you're all hubs, that won't help you.

Possibly a dumb question, but when you wrote that you ran your trojan scanner, was that just on the mail server?  You never mentioned running it elsewhere, and many of them only scan the local machine.

And thanks, Steve, I know about address translation.  I just did a very bad job of expressing curiosity about those ICMP requests.  Guess I should have said "I'm not sure of any LEGITIMATE reason why they'd be pinging you".  Oops.
0
 
LVL 18

Expert Comment

by:chicagoan
It's possible you have a rogue wireless access point, something someone has set up on their own.
If your switch supports it, you can tell which port (whatever the thing is) it's plugged into by its MAC address.
Whatever it is, it needs an IP address, so you can exclude that MAC address from your DHCP server or null route the little bugger at your router to effectively disable it.
0
 
LVL 3

Expert Comment

by:guynumber5764
Is 192.168.1.12 sending out any traffic or are you only seeing incoming ICMP?
In the latter case, it may just be that port 8 on your router is forwarded to that address.

Coming from another angle, perhaps if you can get your network nice and quiet you can try to ping the device while watching the switch.   Even if the device doesn't respond, that should show you where the switch is directing the packets.
0
 

Expert Comment

by:abatie
Is it possible the MAC address is getting reprogrammed on something?  Can some interfaces have more than one MAC at a time?  It would be a nasty thing for a trojan to do to make it hard to find: use a secondary MAC that doesn't show up in system configs...  I'd sniff the net with tcpdump et al. and look at the actual traffic the intrusion system is seeing.  If you can identify the traffic and get a sense of frequency, then unplug systems one at a time until you stop seeing it...
0
 
LVL 18

Assisted Solution

by:chicagoan
chicagoan earned 100 total points
Some network adapters allow a "locally administered" MAC address, and there are utilities that can spoof the NdisReadNetworkAddress function or modify HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Your NIC>
(as well as "phantom" interfaces such as are used in Cisco's HSRP), but I've never heard of malware availing itself of that function except for ARP cache poisoning attempts, and then you'd see ff:ff:ff:ff:ff:ff in an attempt to sniff switched networks. I can see where it would be useful to try and hijack a legitimate MAC and IP (and this is used sometimes in ARP poisoning attempts), but what would the point be of creating a unique address for its own sake?

As the MAC's manufacturer preamble is legitimate, and that manufacturer makes wireless gear, again, I'd block the MAC from DHCP, null route the IP address (I'd do that for any unauthorized or compromised device) and be looking for a rogue access point.   If someone did install an AP it certainly would be for a laptop, probably a personal laptop that hadn't passed corporate security muster and could well be infected.
0
 
LVL 13

Expert Comment

by:Gnart
You may be infected with the Swen worm or a variant.  It's a mass-mailing email worm that has its own SMTP engine.  A variant may be doing IP masquerading.

http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html

cheers
0
 
LVL 35

Expert Comment

by:ShineOn
Yeah, Swen or its variants is one of the things I was talking about.  One of the things of interest with that particular worm:

>>Note: Due to the numerous changes that the worm makes to the Windows registry, the worm can be somewhat difficult to remove if it has already run and your Symantec antivirus product subsequently quarantined or deleted it.<<

Today's worms are such nasty, insidious things that, once they get past your antivirus, they are likely to trample all over your system, and you must be aware of what they can do and what changes they can make in order to find and clean them.

The ONLY way to be safe from these nasties is to be running a platform that has none of these vulnerabilities.
0
 
LVL 16

Expert Comment

by:SteveJ
ihuckaby . . . I didn't mean to be condescending.
Hope you didn't take it that way.

Steve
0
 
LVL 1

Expert Comment

by:mangia
Getting back to the OUI on the MAC address for Cameo.  Cameo Communications is a LAN hardware supplier specializing in Ethernet cards, Ethernet hubs, Ethernet switches, Ethernet transceivers, Ethernet converters, USB hubs, USB-to-Ethernet converters, and gigabit switches.

Have you checked all your stuff?  I'm thinking it's a switch or some other device configured to forward ports 25 & 110, which would explain why you can't telnet to them.

--M
0
 
LVL 18

Expert Comment

by:chicagoan
What kind of switch are you using?
Can you display the spanning tree or CAM table?
0
 
LVL 35

Expert Comment

by:ShineOn
I would still suspect a backdoor that someone used to plant a spam generator, even more so than a worm - otherwise, why would there be "home" addresses pinging it on a regular basis, and suspicious outgoing mail?  The errant IP address, coming from a device, may mean that the device was compromised to allow the hacker access to your network using your network, or that they are spoofing an address on your internal network through that device, so they can do their nasties.

More proof that NAT is not a firewall...
0
 
LVL 34

Expert Comment

by:PsiCop
I tend to agree with ShineOn's assessment. You've got a compromised host somewhere. You need to identify the MAC address associated with the IP address and use that to find the machine.
0
 

Author Comment

by:krisred
Hi,
I really appreciate all your continuous help to resolve this.
Here's a brief summary of all I have done and what I have found, trying to use anything I can:
a) I have accounted for all the physical machines with IP addresses, including the router.
b) Performed antivirus, trojan, and malware/spyware scans: none found. However, when I ran Housecall from Trend Micro, it detected Nachi.A and cleaned it on two machines.
c) Tried to telnet to ports 25 and 110 on 192.168.1.12 (unidentified machine): no response.
d) Used ipconfig /all on all the machines to see if there was a secondary IP bound to an adapter: found none.
e) Checked for the Swen worm: none found.
f) I found ICMP traffic directed to this machine (192.168.1.12) from external IPs, using Kerio Network Monitor.
g) Zone Alarm logs (blocked) show that traffic is being routed to 192.168.1.12 from external IPs.
h) eTrust Intrusion Detection logs also show ICMP requests to this machine (192.168.1.12). The alert logs say that there is a DDoS attack daemon running on 192.168.1.204 (possible attacker 192.168.1.9) and also that there is a DDoS attack daemon running on 192.168.1.9 (possible attacker 192.168.1.204). So this incident is isolated between these two machines.
i) So I installed Link Ferret Network Monitor on 192.168.1.9 (00:50:BA:C8:B3:C6) and captured the packets. There was only one adapter listed to capture the packets from (so no hidden adapters). This is what I have:
The source: 00:09:5B:82:D8:C8 (192.168.1.1:137). This is the router.
The destination: 00-40-F4-6C-B1-CD (this is 192.168.1.12:137).
ICMP requests are being sent by the DNS servers (206.26.36.34 and 198.107.0.14).
NBNS name query requests are being sent by 192.168.1.1 (router) to 192.168.1.12, port 137.

When I ran the Link Ferret Network Monitor on 192.168.1.204 (this is where the mail server is), I did not find anything unusual. However, I did find a hidden adapter that showed up in the drop-down list in the Link Ferret Network Monitor to select the capture device. I don't know if this is the adapter that is bound to 192.168.1.12.

A TCP port scan of 192.168.1.12 revealed ports 25 and 110 open. Could it be on 192.168.1.204 (since it is running the mail server)?

How do I remove this hidden adapter, if this is what is causing the problem?

Thanks again,

Kris
0
 

Expert Comment

by:abatie
Where are you running Zone Alarm, Etrust and Kerio?  It's simply not possible for anyone to send anything to 192.168.* from outside because that's a network that isn't routed by ISPs.  It's reserved for private networks behind NAT routers.  If your router is routing things to those addresses, either a host with that address initiated the connection, or the router is configured to route outside connections (to your external address) to that internal address.

When you say source 192.168.1.1:137 destination 192.168.1.12:137, you're implying that your NAT router is configured to forward Microsoft Networking packets, which would be an extremely bad thing (though it could be that someone inside is mapping an external drive or possibly making rpc calls to an outside machine --- I'm not *that* familiar with MS networking).

But another question is how is your tcp port scan detecting port 25 and 110 open on 192.168.1.12 if you can't telnet to it?  One should imply the other.  Even if it's on the mail server, if you can port scan that address, you should be able to telnet to it (even if it doesn't do anything when you do).

And DDOS attacks from *inside* your LAN?  This isn't a campus dorm LAN by chance is it?
0
 
LVL 35

Expert Comment

by:ShineOn
Nachi.A is also known as Welchia.

Port 137 is one of the NetBIOS name service ports.  Is your port 137 traffic UDP or TCP?  Actually, it really doesn't matter all that much.  What you probably have is some type of Denial of Service attack.

You want to clean your mail server as deeply as you possibly can, and if that fails, you want to blow it away and reinstall everything, then harden it as much as possible before letting it go on the Internet again.
0
 
LVL 34

Assisted Solution

by:PsiCop
PsiCop earned 50 total points
Many modern malwares modify things behind the scenes - they'll install their own SMTP servers, for example. Windoze makes this easy since, by design, it hides so much of its internal configuration from the user, obscured by a maze of Registry entries.

ShineOn's idea is probably what I'd do. The only way to be sure you've killed malware in Windoze is to wipe and reload.
0
 
LVL 16

Accepted Solution

by:
SteveJ earned 150 total points
. . . of course, the zero-th thing that PsiCop, ShineOn and I would all do is disconnect the suspect machine from the network to see if the "activity" showing up in your log ceases.

Good luck,
Steve
0
 
LVL 34

Expert Comment

by:PsiCop
Excellent point, Steve.
0
 
LVL 35

Expert Comment

by:ShineOn
Ditto.
0
 

Author Comment

by:krisred
Well,

Here's the scenario now... Like I mentioned, I isolated the incident to two machines (192.168.1.9) and (192.168.1.204).
I disconnected 192.168.1.9 from the network and ran a TCP port scan on the unknown machine (192.168.1.12): it did not respond to ICMP and I did not find any ports either. Now I disconnected 192.168.1.204, which is a Windows 2000 server with the MDaemon mail server, and ran a TCP port scan: it didn't respond to ICMP, but the scan found the TCP (25, 110) and UDP (many) ports. So now I know this machine is the one that is hiding the IP 192.168.1.12.

So how do I get rid of this now?

Thanks for the continuous support.

Kris
0
 
LVL 16

Expert Comment

by:SteveJ
Well, now it may be time to wipe that machine clean and reload everything on it. Before that, however, have you tried this?

http://www.agnitum.com/download/tauscan.html


They claim to be able to find and remove all sorts of backdoor / trojans. They offer a 30-day trial.

Say, Pete, regarding the page with your "ugly mug" . . . where'd you get the source code for the Clock3D? Did you write it?


Good luck,
Steve
0
 
LVL 35

Expert Comment

by:ShineOn
The mdaemon mail server is the culprit?

You want to do a bunch of stuff.  You have to find out what is running on that server that doesn't belong there.  You will have to remove programs and clean up the registry.

First place to look is services.  Any nonstandard services are suspect.  Any services that could allow remote access are suspect.  Some backdoor-type services have innocent-sounding names.  Any that seem odd to you should be disabled.

Second, edit the registry and go to where the various RUN statements are in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and remove any entries that do not belong there.

I know this sounds like feeling around in the dark, but without knowing your system personally, I can't tell you what belongs and what doesn't.  You have to figure that out yourself.
0
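ShineOn's two steps (look at the services, then at the Run keys) come down to comparing the live box against something you trust, because, as the comment says, nobody can tell you from outside which entries belong. The following is an added example of that comparison, not code from the original thread or from MDaemon: it parses constructed `sc query` and `reg query` output, lists services that are present but not in a baseline and baseline services that have gone missing (the antivirus-disabling behaviour ShineOn mentioned earlier), and flags Run entries that are new or launch from a user-writable location. The baselines, the service and Run entries, and the `reg query` layout (the one reg.exe prints on XP and later; the Windows 2000 resource-kit reg.exe orders the fields differently, so RUN_RE would need adjusting) are all assumptions for the demo; take real baselines from a clean install of the same build.

```python
"""Diff a Windows box's services and Run entries against a known-good baseline.

Added example for this thread, not code from the original page. The sc query
and reg query dumps, the baselines and the service names are constructed.
"""
import re

SC_QUERY_OUTPUT = """\
SERVICE_NAME: Eventlog
DISPLAY_NAME: Event Log
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: MDaemon
DISPLAY_NAME: MDaemon
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: SysHelper
DISPLAY_NAME: System Helper Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""

# Assumed reg.exe layout: name, type and data separated by runs of spaces.
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    MDaemon    REG_SZ    "C:\MDaemon\App\MDaemon.exe"
    winupd    REG_SZ    C:\Documents and Settings\admin\Local Settings\Temp\winupd.exe -s
"""

# Constructed baselines; AVScanSvc stands in for the antivirus service.
BASELINE_SERVICES = {"Eventlog", "MDaemon", "AVScanSvc"}
BASELINE_RUN = {"Synchronization Manager", "MDaemon"}
# Path fragments a server's startup binary has no business living under.
USER_WRITABLE = ("c:\\documents and settings\\", "\\temp\\", "c:\\recycler\\")

RUN_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_sc_query(text):
    """Return {service_name: {display, state}} from `sc query` output."""
    services, name = {}, None
    for line in text.splitlines():
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
            services[name] = {"display": "", "state": ""}
        elif name and line.startswith("DISPLAY_NAME:"):
            services[name]["display"] = line.split(":", 1)[1].strip()
        elif name and line.lstrip().startswith("STATE"):
            services[name]["state"] = line.split(":", 1)[1].split()[-1]
    return services


def parse_run_key(text):
    """Return {value_name: command} from a `reg query ...\\Run` dump."""
    return {m["name"]: m["data"] for m in map(RUN_RE.match, text.splitlines()) if m}


def image_path(command):
    """Executable part of a Run command: honour quotes, otherwise take
    everything up to the first .exe so paths with spaces survive."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def audit(services, run_entries, baseline_services, baseline_run):
    findings = []
    for name, command in run_entries.items():
        path = image_path(command)
        reasons = []
        if name not in baseline_run:
            reasons.append("not in baseline")
        if any(marker in path.lower() for marker in USER_WRITABLE):
            reasons.append("runs from user-writable location")
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return {
        "unexpected_services": sorted(n for n in services if n not in baseline_services),
        "missing_services": sorted(baseline_services - set(services)),
        "run_findings": findings,
    }


if __name__ == "__main__":
    print(audit(parse_sc_query(SC_QUERY_OUTPUT), parse_run_key(REG_QUERY_OUTPUT),
                BASELINE_SERVICES, BASELINE_RUN))
```

The baseline diff is only as good as the snapshot it is compared against, so take the clean-build snapshot before the box is exposed, and remember that a service or Run entry with a plausible name and a path under the system directory passes this check; that is what the wipe-and-reload advice in the thread is for.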
 
LVL 35

Expert Comment

by:ShineOn
If you can't figure all of that out, then you want to do as I and PsiCop and SteveJ said, and wipe it clean and start fresh.
0
 

Expert Comment

by:abatie
Yes, once you verify the machine that's doing it, I'd wipe it.  It's sure, and it's probably easier.
0
 
LVL 35

Expert Comment

by:ShineOn
Kris -

I just reread your last comment - is it the mdaemon server or is it the other, Win2K box that is the culprit?  Either way, you need to clean it, but if it's not your mail server, that's so much nicer for you.

Once again, wipe it clean and start fresh.  Make sure you have all your Win2K/XP/2K3 systems patched current, including security hotfixes.  Disable all services that aren't needed in your environment - to decide which ones to disable, go to http://www.blackviper.com/WIN2K/servicecfg.htm  for Win2K services, and http://www.blackviper.com/WinXP/servicecfg.htm for WinXP services, so you know what you need and don't need enabled.   Not only do you gain speed overall by disabling unnecessary services, you also gain a measure of stability and security and remove potential vulnerabilities.
0
 
LVL 18

Expert Comment

by:chicagoan
<unsubscribes>
0
 
LVL 35

Expert Comment

by:ShineOn
Thanks for closing the question and awarding points, but it would be very beneficial to the growth of the EE knowledgebase if you would let us know exactly what the problem was.

Thanks again.
0
 

Author Comment

by:krisred
You are right, ShineOn.
Well, I couldn't exactly find the problem, but I isolated it to two machines and, using a port scan on the individual machines while each was disconnected from the network, I found the unidentified machine (192.168.1.12) on one of the machines. After running all kinds of trojan and anti-virus scans I could not find anything, so, as advised, I reinstalled Windows. Now it seems to be working fine.

Thanks,

kris
0
 
LVL 35

Expert Comment

by:ShineOn
To rephrase: after isolating the unauthorized IP address to one of the machines, and after running all of the utilities you could think of or were advised of on that machine without the effect of "cleaning" the unauthorized IP, you were able to get rid of it by doing a clean install of Windows.  Is that correct?

Now I wish I had asked that you do an image of the errant machine to send to SARC or one of the other places that researches vulnerabilities.  Too bad you couldn't identify a particular trojan/backdoor/whatever, but I'm glad you got it fixed.

Keep those patches current!  A new one pops up every day (if not more...)
0
 
LVL 34

Expert Comment

by:PsiCop
Completely patching Windoze is like trying to clean out the Augean Stables with a whisk broom.
0
 
LVL 35

Expert Comment

by:ShineOn
ROFLMAO!

More like trying to patch *every other* hole in a sieve with the expectation that it will stop the leaks. ;)
0
 
LVL 16

Expert Comment

by:SteveJ
. . . untie the Gordian Knot with chopsticks.
0
 
LVL 35

Expert Comment

by:ShineOn
It takes Occam's Razor to cut through a Gordian Knot... ;)
0
 
LVL 18

Expert Comment

by:chicagoan
When you say you found the address, did you find some evidence on the machine?
0
 
LVL 16

Expert Comment

by:SteveJ
Didn't Occam have a beard?
0
 
LVL 35

Expert Comment

by:ShineOn
Hmmmmm...  does that mean Occam's razor is dull?
0
 

Author Comment

by:krisred
Hi Chicagoan,

I didn't really find any evidence or error. Like I mentioned before, after isolating the unauthorized or unidentified IP address to two different machines on the network, I disconnected each one from the network and ran a port scan on the individual machines for the IP (192.168.1.12). I had the port scan configured to scan even if the host didn't respond to ping (ICMP). One of the machines came up with results for this IP, with ports 25 and 110 and several UDP ports open. The machine on which I found the IP is a Windows 2000 Server SP4 with the MDaemon mail server on it. Now that I had figured out where the source was, I ran every possible anti-virus, trojan, malware and spyware scan; none of them picked up anything. Even the services that were running didn't look unusual. Well, what was suggested was to start clean, and that's what I did.
I have no signs of that IP now, nor any spam going out.

Hope this answers your question.

Thanks,

Kris
0
 
LVL 3

Expert Comment

by:guynumber5764
If it was your mailserver, it could be an open relay...

http://news.zdnet.co.uk/internet/security/0,39020375,39117923,00.htm

0
