Solved

Server is sending spyware

Posted on 2004-10-21
269 Views
Last Modified: 2011-09-20
Hi,
Yesterday we got a call from our ISP threatening to cut off our internet connection. They say that some spyware is being sent out from our server or from a PC on the LAN. We are running Windows 2000 Server with ISA as firewall and proxy server. All of the PCs have EZ Antivirus running. How do we go about finding out what is causing it, and how do we solve it? How can we see what is being sent out? We have noticed a lot of bad mail on our Exchange server, which sometimes takes hours to be deleted.
Thanks
m
0
Question by:margotsk
    21 Comments
     
    LVL 1

    Assisted Solution

    by:Ali_Jas
    On the ISA server, look for which internal PC is making too many connections to the outside world, and clean up that PC.
    0
     

    Author Comment

    by:margotsk
    How do i do that?
    0
     
    LVL 7

    Assisted Solution

    by:tonyteri
    One thing you should check first is that your Exchange server is not an open relay. Are you running Exchange Server 5.5 or 2000?

    TT
    0
     
    LVL 51

    Assisted Solution

    by:ahoffmann
    I'd disconnect Exchange from the internet first. Then analyze what it tries to deliver.
    0
     
    LVL 1

    Expert Comment

    by:Ali_Jas
    I don't know it in ISA exactly, but you will probably find some answers by simply using the DOS command netstat -n.

    netstat shows all connections to and from a computer.

    As long as ISA is connected to both the internet and your internal LAN, you must be able to see the internal connections to your ISA server.

    If Exchange has been running fine for a long time already, it probably wouldn't be the problem, because it would have been abused much earlier.
    It's more likely that a virus, spyware or malware has installed its own SMTP or FTP server, but it's not a given that it's running on the known TCP ports.

    Finding the PC which actually makes the most connections to the outside world should be your first task.
    0
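    As an added example (not code from this thread or from any of its posters), here is a small Python script that does what Ali_Jas suggests with `netstat -n` on a dual-homed ISA box: it parses the netstat text, splits the foreign addresses into LAN peers (RFC 1918 ranges) and Internet peers, and counts connections per peer and per remote port, so the client with the most sessions to the proxy and the remote port being hammered stand out. The ISA addresses (192.168.1.1 inside, 203.0.113.2 outside), the client addresses and the sample netstat output are constructed for the example.

```python
"""Summarise `netstat -n` output from a dual-homed ISA server.

Added example, not code from the original thread. Feed it the text of
`netstat -n` (piped on stdin or saved to a file); with no input it runs on the
constructed sample below.
"""
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# RFC 1918 ranges, listed explicitly rather than using ip_address(...).is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
LAN_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample: 192.168.1.1 / 203.0.113.2 are the ISA box's inside/outside
# addresses, 192.168.1.20 and .77 are LAN clients, the rest are Internet hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.1:8080       192.168.1.20:1123      ESTABLISHED
  TCP    192.168.1.1:8080       192.168.1.77:1401      ESTABLISHED
  TCP    192.168.1.1:8080       192.168.1.77:1402      ESTABLISHED
  TCP    203.0.113.2:1034       198.51.100.7:80        ESTABLISHED
  TCP    203.0.113.2:1035       203.0.113.44:25        SYN_SENT
  TCP    203.0.113.2:1036       203.0.113.44:25        ESTABLISHED
  TCP    203.0.113.2:1037       203.0.113.44:25        TIME_WAIT
  UDP    192.168.1.1:53         *:*
"""


def is_lan(ip: str) -> bool:
    """True if the address falls in one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def split_endpoint(endpoint: str):
    """'203.0.113.44:25' -> ('203.0.113.44', 25); None for '*:*' or malformed text."""
    host, sep, port = endpoint.rpartition(":")
    host = host.strip("[]")  # IPv6 endpoints appear as [addr]:port
    if not sep or host == "*" or not port.isdigit():
        return None
    return host, int(port)


def parse_netstat(text: str):
    """Return (proto, local_ip, local_port, foreign_ip, foreign_port, state) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank lines
        local, foreign = split_endpoint(parts[1]), split_endpoint(parts[2])
        if local is None or foreign is None:
            continue  # listening sockets with '*:*' carry no peer
        state = parts[3] if len(parts) > 3 else ""
        rows.append((parts[0], local[0], local[1], foreign[0], foreign[1], state))
    return rows


def summarize(text: str):
    """Count peers on the LAN side and the Internet side, plus remote ports used."""
    lan_peers, wan_peers, wan_ports = Counter(), Counter(), Counter()
    for _proto, _lip, _lport, fip, fport, _state in parse_netstat(text):
        if is_lan(fip):
            lan_peers[fip] += 1
        else:
            wan_peers[fip] += 1
            wan_ports[fport] += 1
    return {"lan_peers": lan_peers, "wan_peers": wan_peers, "wan_ports": wan_ports}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    result = summarize(text)
    for label in ("lan_peers", "wan_peers", "wan_ports"):
        print(label)
        for key, n in result[label].most_common():
            print(f"  {key}: {n}")
```

    Run on the ISA server as `netstat -n | python netstat_summary.py` (the file name is whatever you save it as). Note that on a NAT/proxy box the Internet-side rows show where the firewall is connecting, not which LAN client asked for it; the LAN-side rows give the client view, and only the firewall's own logs tie the two together.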
     
    LVL 3

    Accepted Solution

    by:
    There's a folder called ISALogs in the ISA server's directory (by default, it is C:\Program Files\Microsoft ISA Server\ISALogs). It contains logs from the web proxy, the firewall proxy and the packet filter. Look in the firewall proxy logs, the files named "FWSEXT<date>.log". The firewall proxy adds an entry to the log whenever somebody on the LAN makes a direct connection to the outside world, therefore it logs all viral and spyware events. Look especially for connections made to port 25 (SMTP). As long as you are using Exchange or another e-mail server that resides inside the LAN, no connections should be started to outside the LAN on port 25! (You may as well block this port on the ISA server.)

    If you are running Exchange, as tonyteri said, test your server for not being an open relay. Open relay means that anybody in the world, without any authentication, can send mail using your server. Spammers continuously search for such open relay servers, so there's a very high chance that they find it. See this article for more information: http://www.ordb.org/faq/#what_is
    0
     

    Author Comment

    by:margotsk
    Hi,
    Thanks for responding.
    tonyteri, the Exchange server we are running is 2000. I checked about relay and it is turned off (I was following the tutorial at www.msexchange.org/pages/article_p.asp?id=54).
    ahoffmann, I did not disconnect Exchange from the internet yet, because I am not sure how to analyze afterwards. Would you please comment more on what you mean by saying "then analyze what it tries to deliver" and how to achieve it?
    Ali_Jas, after I use netstat -n, it returns about 300 connections (for 3 running PCs; although it is Friday and at most 3 PCs are currently running on the LAN, is it reasonable to have 300 listings?). In the output, one column shows the server IP and another displays local and a couple of external IPs. The thing I notice is that some local IP addresses show an established connection, but I cannot ping them. Also, in the second column there are a lot of IP addresses of the server. Some IP addresses appear more than others; would that mean anything, or is it just using more ports? How do I go about analyzing the output from netstat? Do I look for the count of the same IP address, or IPs with the same port numbers?
    Also, my partner deleted the guest account that was on the server, created by default, thinking that somehow they had got the account's authentication and were using it to send spam. Could that be possible, and would that solve the problem?
    Thanks, and have a great weekend
    m
    0
     
    LVL 51

    Expert Comment

    by:ahoffmann
    > "then analyze what it tries to deliver"
    If you (or your ISP) assume that your MTA is sending the "spyware", then dropping the connection should stop the sending.
    If so, Exchange then probably has a lot of mails not being delivered; that should be logged somewhere.

    > 300 connections
    Hmm, are they on the LAN NIC or the external (WAN) NIC? On the WAN you should have 2 or 3, plus one for each PC currently doing something on the internet.
    0
     
    LVL 3

    Expert Comment

    by:Fairco
    ahoffmann's idea is good; you can find the queued mails in the Exchange Administrator program. However, Exchange also logs all mail traffic going through it. You can make a query of the sent (and received) mails in Exchange Administrator. Select Tools / Message Tracking Center from the left hierarchy list, and query a whole day. (That is, leave the "sender" and "recipient" fields blank, fill in the Exchange server's name, and choose 0:00-23:59 and one exact day in the time interval.) This way you can see an entire day's mail traffic.
    However, if your clients are using Outlook with a direct Exchange connection (and not SMTP/POP3), it is not likely that the spam is going through your Exchange server. More likely it's using its own SMTP engine. Did you check the ISA logs for port 25 events?
    0
     
    LVL 51

    Expert Comment

    by:ahoffmann
    Hence ISA should block port 25 except from the MTA server; a real firewall does this ;-)
    0
     
    LVL 3

    Expert Comment

    by:Fairco
    Fortunately ISA is really intelligent; you can assign rules for certain Active Directory groups. Therefore, create a group named something like "Internet Users" and add all LAN users to it. Then create a rule in ISA that blocks outgoing connections to port 25 for everyone in the Internet Users group. If you are using BackOffice Server or Small Business Server, a "BackOffice Internet Users" group is automatically created by the installer (and maintained by the BackOffice console), so you can use that group for this rule. This way, only the users will have no access to port 25; Exchange won't be affected.
    0
     
    LVL 1

    Expert Comment

    by:Ali_Jas
    300 is quite a lot if they go to an external IP.

    It doesn't mean anything if you can't ping those IP addresses. Probably your PC(s) are being abused by a virus, spyware or malware which helps in a DDoS attack.
    I suggest you turn off the suspicious PCs and ask your ISP if they still see loads of traffic. If not, you'd better reinstall those PCs from scratch, because if you 'clean' those PCs you're never sure whether there's still a backdoor left behind. If so, your PCs will be compromised again within days.

    Hopefully you will find the problem soon.
    0
     

    Author Comment

    by:margotsk

    Thanks again for responding.
    The scenario of taking down the server I will be able to do sometime on Thursday night or at the weekend, because at this time the office cannot do without the PCs.
    When I look in ISALogs as Fairco pointed out, I can see about 300 listings, if not more. They are using ports for the most part 53, also 80 and 60k. There are only about 3 different local IPs (listed under c-ip) that the connections, I guess, are made from, and the timing is on a regular basis (about 50 entries per hour), even at midnight when no one is here and no one is using a PC. Another thing I notice is that from midnight till afternoon there is the same external IP (listed under r-port) listed, which I believe the connection was to. Afterwards, or after 12 pm, other IP addresses are listed under r-port. Interestingly, the ports change once the external IP is changed.
    I believe this file shows that there is something going on. What would be the best action from this point? Any suggestions?
    Thanks
    m
    0
     

    Assisted Solution

    by:ndemeter
    Since the external IP is the same, go ahead and filter that one out. Also, on the local machines run a netstat -a and look at what ports are open on the machines themselves. If you can find the ports that the internal machines are broadcasting from and still cannot find what sort of problem you have on your hands, you can at least choke those ports on the ISA. Makes sense?
    0
     
    LVL 51

    Expert Comment

    by:ahoffmann
    > .. for the most part 53, also 80 and 60k.
    53 should not happen if you have configured a proper name server in your network. I'd block 53 for all except your DNS server.

    80 might be OK if there are people surfing, but keep in mind that malware might use this port because it is most likely not blocked, for obvious reasons.

    All 60k ports are suspicious; I'd block anything from the LAN to the internet except 80 and 443 (or whatever your policy says :)
    0
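    As an added example (not code from this thread or from any of its posters), here is a Python script that applies the advice from Fairco (search the FWSEXT<date>.log firewall logs for port 25 connections) and from ahoffmann (53 only from the DNS server, otherwise only 80 and 443) to an ISA firewall log in W3C format. It takes the column names from the log's `#Fields:` header, so the exact column set does not have to be known in advance, flags every entry the policy would not allow, and counts the flagged entries per client IP and per hour, which makes a host that talks at midnight stand out. The column subset in the sample, the host addresses (mail server 192.168.1.5, DNS server 192.168.1.2, LAN 192.168.1.0/24) and the log entries are all constructed for the example; a real ISA log has more columns, which the header-driven parser simply carries along.

```python
"""Triage an ISA Server firewall log against a simple egress policy.

Added example, not code from the original thread. Run with the path of an
FWSEXT<date>.log file as the only argument, or with no argument to use the
constructed sample below.
"""
import sys
from collections import Counter

# Assumed network layout (constructed values for the example).
MTA_HOSTS = {"192.168.1.5"}    # the Exchange/SMTP server: the only host allowed to use port 25
DNS_HOSTS = {"192.168.1.2"}    # the internal DNS server: the only host allowed to use port 53
ALLOWED_PORTS = {80, 443}      # what ordinary LAN clients may reach directly

# Constructed sample in W3C style: a '#Fields:' header names the columns, and
# every entry has one value per column. Real ISA logs carry more columns.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Fields: c-ip cs-username date time s-svcname r-ip r-port cs-protocol cs-transport
192.168.1.5 - 2004-10-22 09:01:10 fwsrv 203.0.113.10 25 SMTP TCP
192.168.1.20 - 2004-10-22 09:02:33 fwsrv 198.51.100.7 80 HTTP TCP
192.168.1.2 - 2004-10-22 09:02:40 fwsrv 198.51.100.53 53 DNS UDP
192.168.1.77 - 2004-10-22 00:14:02 fwsrv 203.0.113.44 25 SMTP TCP
192.168.1.77 - 2004-10-22 00:14:03 fwsrv 203.0.113.44 25 SMTP TCP
192.168.1.77 - 2004-10-22 00:15:10 fwsrv 198.51.100.53 53 DNS UDP
192.168.1.77 - 2004-10-22 00:16:00 fwsrv 203.0.113.44 60123 - TCP
192.168.1.20 - 2004-10-22 09:05:00 fwsrv 198.51.100.8 443 HTTPS TCP
"""


def parse_w3c(text: str):
    """Return one dict per log entry, keyed by the names from the '#Fields:' header."""
    fields, entries = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("log entry before any #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        entries.append(dict(zip(fields, values)))
    return entries


def classify(entry: dict):
    """Return a policy-violation label for one entry, or None if it is allowed."""
    src = entry.get("c-ip", "")
    try:
        port = int(entry["r-port"])
    except (KeyError, ValueError):
        return "unparsable-port"
    if port == 25:
        return None if src in MTA_HOSTS else "smtp-from-non-mta"
    if port == 53:
        return None if src in DNS_HOSTS else "dns-from-non-dns"
    if port in ALLOWED_PORTS:
        return None
    return "port-not-in-policy"


def triage(text: str):
    """Count violations per client, per reason and per (client, hour); keep the details."""
    per_client, per_reason, per_hour, flagged = Counter(), Counter(), Counter(), []
    for entry in parse_w3c(text):
        reason = classify(entry)
        if reason is None:
            continue
        client = entry["c-ip"]
        per_client[client] += 1
        per_reason[reason] += 1
        per_hour[(client, entry["time"][:2])] += 1   # hour of day, "00".."23"
        flagged.append((entry["date"], entry["time"], client, entry["r-ip"], entry["r-port"], reason))
    return {"per_client": per_client, "per_reason": per_reason, "per_hour": per_hour, "flagged": flagged}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    for client, n in result["per_client"].most_common():
        print(f"{client}: {n} flagged connection(s)")
    for row in result["flagged"]:
        print("  ", *row)
```

    The script only reports; whether a flagged host is a mail relay, a misconfigured resolver or an infected client still has to be decided by looking at the machine. The `per_hour` counter is the quick way to spot the "50 entries per hour at midnight" pattern from a host nobody is sitting at.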
     

    Author Comment

    by:margotsk
    Hi,
    I forgot to mention that I have a web server running in the back of the office, on which I work once in a while developing a website. It is on 24 hours a day and is not in the local domain. Its IP address appears in the ISA log in the period from midnight till afternoon. With this server I use the internet to access forums. It is not set to use the office domain's web proxy to access the internet, but goes directly. When I type netstat -a, in the list of open ports neither 80, 53 nor a 60k port appears. Could it be that the server is infected? If it is left on overnight, normally, not infected, would it create entries in the ISALogs file? What exactly does ISALogs list in its log file? Once something is listed, it does not mean that it is infected? How do I find out?
    Thanks
    0
     
    LVL 51

    Expert Comment

    by:ahoffmann
    > .. netstat -a, in the list of open ports neither 80 nor 53 appears
    Hmm, did you use netstat exactly in that millisecond when the server used the port? I don't think so.
    Keep in mind that 53 is UDP, and HTTP on TCP is stateless, so the connection should drop immediately.
    0
     

    Expert Comment

    by:ndemeter
    > I forgot to mention that I have a web server running in the back of the office, on which I work once in a while developing a website.

    From your statements it appears that you have a machine that is probably assigned a static IP on the OUTSIDE network that others can get to over the internet, right? If so, that's where I would look first for the problem. Regardless of what services are running on it at this time, try turning it off for just one day and see if your network bandwidth usage drops dramatically. You could use something like MRTG to monitor it if you have your own router, or even ask your ISP (that detected the violation in the first place) to look at their end.

    Which reminds me: when your ISP contacted you, did they not tell you the originating IP? Did they not provide you with any logs?
    0
     
    LVL 1

    Expert Comment

    by:Ali_Jas
    ndemeter:

    ISPs usually only call if they get complaints themselves that some IP in their netblock is being abused. Furthermore, if the customer has NAT enabled, the ISP sees all traffic coming from a single IP, so they can't tell you much.

    Margotsk:
    It might be possible that your web server is being used to infect other PCs in your network, but it's not likely.
    You say that your web server is not in your local domain, but that doesn't mean anything, because the web server is on the same side of the router as all your machines.
    So possible malware can just connect to the other computers using network shares.

    If any of your network shares on Win95/98 or NT, W2K, W2K3 is set up with Everyone having full control, you can get infected.

    Taking down the infected machines is the best thing you could do, even if this is during the day. Why? If your ISP disconnects your internet link you might have a bigger problem, because you have no clue when the link will be brought up again.

    You probably will not find the cause of the outbound traffic, so just reinstalling the infected machines from scratch is the best option.

    If you are really interested in what happened to your machine, you could consider replacing the hard disk of the infected machine, so you can analyze the infected hard drive later on.

    0
     

    Author Comment

    by:margotsk
    Hi,
    Thanks for responding.
    ahoffmann, I see your point.
    ndemeter, the server is using one of the domain controller's dynamic IP addresses, even though it is not in the same domain. Also, the ISP did not specify the IP and did not give us any logs.
    Ali_Jas, if you mean network sharing the same as Windows file sharing, then that is the case, because we have not disabled the default setting (XP PCs).
    I shut down the server yesterday at around 3:20 pm and the last entry in ISALogs is 3:52 pm, created on today's date. That makes me think that this server is being used to send out the spyware, since it has all the necessary capabilities. I hope the other PCs are not infected but only used as intermediates. To check it, I will keep this web server shut down for today and contact the ISP to find out whether on their end everything is OK. I will let you know if that solved it.
    Thanks for now...
    m
    0
     

    Author Comment

    by:margotsk
    Hi everyone,
    That seemed to be the case. I have disconnected the web server and the ISP confirmed that everything is good now. Thank you all.
    I split the points equally between all of you (100 each), since I found each of your inputs very useful. I hope the point distribution is OK; if not, please let me know.
    Have a good one,
    m
    0
