Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Virus or someone just after me... Paranoya issue?

Posted on 2007-11-23
7
Medium Priority
?
448 Views
Last Modified: 2013-11-22
I have a question which I think doesn't fit into any category. I'm new in the office where I work in now. The first week when I came to substitute the previous network admin was terrible. For some reason computers in the office (3 networks) where infected by virus. I had to walk around the office (> 100 pcs) and clean them up, install antispyware and windows updates. Th second month I've implemented WSUS and installed the deployed latest version of CA antivirus. I've been keeping an eye on regular apdates of computers on the network and everything was fine until today. One of pcs didn't have updated antivirus and started to send smtp requests, spam messages I believe, because we where blocked by spamcop.
The whole office wasn't able to send any emails externally of our office. All email where returning back with ndr saying that spamcop blocked our IP. I did my best, I found pc that was sending the report, I've closed smtp ports on ISA since we use only Exchange.
Now seems we are unblocked and email is fine...
Just trying to share with you. How comes that this office have never had any problems before me and when I came so many problems occured just like that?
I know there's no my fault, but users think it's my fault. I don't get any help or support from other two IT guys. One of them is a technician, another keeps resolving problems with Navision. I do the rest...
All office personnel was thinking that it's my fault that email was blocked for the day.
So frustrated. My first project which is about to fail...
Sorry.. It's not a question or anything, just sharing. Hope I won't be banned for this post. PLease, delete it if it's out of this site scope...
0
Comment
Question by:Zaurb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20341189
All manner of possibilties.

1. the fact that you have had to get all the updates sorted yourself suggest that the site was a problem waiting to happen anyway. This could be down to just your bad luck/co-incidence.

2. If you are having to amend the ISA rules in such a way then that is purely bad configuration that you have inherited. ISA configurations start with most protocols open for all users through all ports but then get closed down to specific ports from specific machines for specific groups/users/services.

3. Sounds like your predecessor may have left the odd 'present' on the environment to either catch you out/show you up or cause troubles for the company 9rather than just for you). Not sure what version of ISA you are running but assuming it is a supported version (2004/2006) then would be worthwhile opening the isa gui, select monitoring-logging-click start query and watching the inbound/outbound traffic flows for a while just in case something has been amended/tampered with.

4. I'd also check your user accounts - especially if you provide remote access to the system. Any accounts that don't match the current userbase? Check the ISA gui in the firewall policy for the published servers - especially any rdp/vpn entries. Review any source IP's that you don't recognise.

Sounds like the site was in sh*t order and you are sorting it out. The new kid on the block is always the one to get the blame when things happen unexpectedly. Change the tack from being defensive to being positive. Document nthe state of things you have found without mud-throwing, then detail the things you are dealing to ensure they are corrected. All anyone can do.

Keith
0
 
LVL 10

Expert Comment

by:effx
ID: 20341211
Ok i have this virus/spambot/spam relay on my computer there are no spyware/virus updates for this virus/root kit i have disabled it by blocking its output port, I have scanned my computer with over 50+ scanners, only one of them detected that there was a problem but could not fix it.

To find a solution i used wireshark to find all the network traffic, I found that this virus/root kit does this process :

It connects to these addresses
http://208.72.169.22:4099/g/714A79-7A5423-DB00D2 or http://208.72.168.250:4099
Downloads a zip file which contains :

      000_data22
      001_ncommall
      002_senderna
      003_sendersu
      config
      message
      mlist
      mxdata

Once this file is downloaded it reads the files in the correct order eg. 000, 001, 002, 003, config, message, mlist, msdata

From what i could deduce from this virus/root kit is that this turns one of your computers into a spam relayer thus making your public fixed IP address a spammer and stopping your outgoing mail by companies that monitor for spam, once contained you should notify the people that you have found and contained the spamming virus and they should remove you from the list.

The way I containd this virus/root kit was to block the port 4099 on my router to the public port, this seems to disable the virus, now all we need to do is hope that one of those amazing virus companies get an updat that removes this virus, In the mean time i will be writing my own antivirus and if i removes the virus i will post a removal link.

Another point this virus/rootkit hides itself from windows by faking responses from the CPU when accessing the the files system.

The semi-solution to this is to block the port that the virus recieves its data on, use wireshark to find this, run wireshark before you start the computer you think has the infection, then start it, as soon as the system detects internet connection it will do what looks like an normal web connect but on a strange port, or even port 80, and straight after that it will start sending spam out on the smtp port, at this point switch the computer off that is infected, scroll through all the logs that you got from wireshark and just befor and smtp data there is your port and address where the virus/rootkit downloads from.

Block the download port this will stop the virus/rootkit.

I how this clarifies some stuff for you.

Method of infection i have found is buffer overflow installation - but dont quote me on that.

EFFX.
0
 
LVL 10

Expert Comment

by:effx
ID: 20341223
as for the site, not a nice setup. i know i just got a 1000 computer site and a week of being there things have started to happen, but i dont think its as bad as yours. If the problem does not get resolved i would re image the computer that is infected. :-)
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:Zaurb
ID: 20341394
i had only three pcs which i have had to reinstall & re-format when we've started having troubles with spamcop. My boss told me that it's not a nice start...

0
 
LVL 6

Accepted Solution

by:
rbkumaran earned 80 total points
ID: 20342143
With 100 + computers in the network, why would every PC in th network be allowed to SMTP on port 25? That in itself is asking for trouble.

An ideal solution would be to use a mail gateway so any SMTP to the internet is only allowed from that gateway. Also, all open (OUT) is again not the best way to secure network. Allow access on only required ports, set an internal policy and any exceptions to the existing rules be done on a request/approval basis.

If I were you, I would use this issue to my advantage to take control of IT chaos and revamp wherever necesssary
0
 
LVL 10

Expert Comment

by:effx
ID: 20343345
I agree with rbkumaran, You have found the problem not created it. Explain that you are endevoring to rectify the problem and tidy the network up, you will come out of this smelling of roses if you fix all the problems.

Make all internet communication go through a proxy this way you can control all the internet transmissions, make sure your proxy has an SPI firewall on it too. Ensure you close all ports except the required ports, use authentication on your proxy too this way you can log transmissions to single users.

There are software solutions to proxies and also hardware solutions.

For software you could use something like WinGate

For Hardware you could use anything from a Belkin Router (Eugh) upto a dedicated PIX firewall.

The choice is yours show managment the problems then explain what you are going to do and prove that you are 10x better than the last guy.

EFFX
0
 
LVL 1

Author Closing Comment

by:Zaurb
ID: 31410722
Thank you very much! I followed your advice and it really helped me! Thanks!
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in response to a question (http://www.experts-exchange.com/Networking/Network_Management/Network_Analysis/Q_28230497.html) here at Experts Exchange. The Original Poster (OP) requires a utility that will accept a list of IP addresses …
As companies replace their old PBX phone systems with Unified IP Communications, many are finding out that legacy applications such as fax do not work well with VoIP. Fortunately, Cloud Faxing provides a cost-effective alternative that works over an…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question