Zaurb
asked on
Virus or someone just after me... Paranoya issue?
I have a question which I think doesn't fit into any category. I'm new in the office where I work in now. The first week when I came to substitute the previous network admin was terrible. For some reason computers in the office (3 networks) where infected by virus. I had to walk around the office (> 100 pcs) and clean them up, install antispyware and windows updates. Th second month I've implemented WSUS and installed the deployed latest version of CA antivirus. I've been keeping an eye on regular apdates of computers on the network and everything was fine until today. One of pcs didn't have updated antivirus and started to send smtp requests, spam messages I believe, because we where blocked by spamcop.
The whole office wasn't able to send any emails externally of our office. All email where returning back with ndr saying that spamcop blocked our IP. I did my best, I found pc that was sending the report, I've closed smtp ports on ISA since we use only Exchange.
Now seems we are unblocked and email is fine...
Just trying to share with you. How comes that this office have never had any problems before me and when I came so many problems occured just like that?
I know there's no my fault, but users think it's my fault. I don't get any help or support from other two IT guys. One of them is a technician, another keeps resolving problems with Navision. I do the rest...
All office personnel was thinking that it's my fault that email was blocked for the day.
So frustrated. My first project which is about to fail...
Sorry.. It's not a question or anything, just sharing. Hope I won't be banned for this post. PLease, delete it if it's out of this site scope...
The whole office wasn't able to send any emails externally of our office. All email where returning back with ndr saying that spamcop blocked our IP. I did my best, I found pc that was sending the report, I've closed smtp ports on ISA since we use only Exchange.
Now seems we are unblocked and email is fine...
Just trying to share with you. How comes that this office have never had any problems before me and when I came so many problems occured just like that?
I know there's no my fault, but users think it's my fault. I don't get any help or support from other two IT guys. One of them is a technician, another keeps resolving problems with Navision. I do the rest...
All office personnel was thinking that it's my fault that email was blocked for the day.
So frustrated. My first project which is about to fail...
Sorry.. It's not a question or anything, just sharing. Hope I won't be banned for this post. PLease, delete it if it's out of this site scope...
Ok i have this virus/spambot/spam relay on my computer there are no spyware/virus updates for this virus/root kit i have disabled it by blocking its output port, I have scanned my computer with over 50+ scanners, only one of them detected that there was a problem but could not fix it.
To find a solution i used wireshark to find all the network traffic, I found that this virus/root kit does this process :
It connects to these addresses
http://208.72.169.22:4099/g/714A79-7A5423-DB00D2 or http://208.72.168.250:4099
Downloads a zip file which contains :
000_data22
001_ncommall
002_senderna
003_sendersu
config
message
mlist
mxdata
Once this file is downloaded it reads the files in the correct order eg. 000, 001, 002, 003, config, message, mlist, msdata
From what i could deduce from this virus/root kit is that this turns one of your computers into a spam relayer thus making your public fixed IP address a spammer and stopping your outgoing mail by companies that monitor for spam, once contained you should notify the people that you have found and contained the spamming virus and they should remove you from the list.
The way I containd this virus/root kit was to block the port 4099 on my router to the public port, this seems to disable the virus, now all we need to do is hope that one of those amazing virus companies get an updat that removes this virus, In the mean time i will be writing my own antivirus and if i removes the virus i will post a removal link.
Another point this virus/rootkit hides itself from windows by faking responses from the CPU when accessing the the files system.
The semi-solution to this is to block the port that the virus recieves its data on, use wireshark to find this, run wireshark before you start the computer you think has the infection, then start it, as soon as the system detects internet connection it will do what looks like an normal web connect but on a strange port, or even port 80, and straight after that it will start sending spam out on the smtp port, at this point switch the computer off that is infected, scroll through all the logs that you got from wireshark and just befor and smtp data there is your port and address where the virus/rootkit downloads from.
Block the download port this will stop the virus/rootkit.
I how this clarifies some stuff for you.
Method of infection i have found is buffer overflow installation - but dont quote me on that.
EFFX.
To find a solution i used wireshark to find all the network traffic, I found that this virus/root kit does this process :
It connects to these addresses
http://208.72.169.22:4099/g/714A79-7A5423-DB00D2 or http://208.72.168.250:4099
Downloads a zip file which contains :
000_data22
001_ncommall
002_senderna
003_sendersu
config
message
mlist
mxdata
Once this file is downloaded it reads the files in the correct order eg. 000, 001, 002, 003, config, message, mlist, msdata
From what i could deduce from this virus/root kit is that this turns one of your computers into a spam relayer thus making your public fixed IP address a spammer and stopping your outgoing mail by companies that monitor for spam, once contained you should notify the people that you have found and contained the spamming virus and they should remove you from the list.
The way I containd this virus/root kit was to block the port 4099 on my router to the public port, this seems to disable the virus, now all we need to do is hope that one of those amazing virus companies get an updat that removes this virus, In the mean time i will be writing my own antivirus and if i removes the virus i will post a removal link.
Another point this virus/rootkit hides itself from windows by faking responses from the CPU when accessing the the files system.
The semi-solution to this is to block the port that the virus recieves its data on, use wireshark to find this, run wireshark before you start the computer you think has the infection, then start it, as soon as the system detects internet connection it will do what looks like an normal web connect but on a strange port, or even port 80, and straight after that it will start sending spam out on the smtp port, at this point switch the computer off that is infected, scroll through all the logs that you got from wireshark and just befor and smtp data there is your port and address where the virus/rootkit downloads from.
Block the download port this will stop the virus/rootkit.
I how this clarifies some stuff for you.
Method of infection i have found is buffer overflow installation - but dont quote me on that.
EFFX.
as for the site, not a nice setup. i know i just got a 1000 computer site and a week of being there things have started to happen, but i dont think its as bad as yours. If the problem does not get resolved i would re image the computer that is infected. :-)
ASKER
i had only three pcs which i have had to reinstall & re-format when we've started having troubles with spamcop. My boss told me that it's not a nice start...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I agree with rbkumaran, You have found the problem not created it. Explain that you are endevoring to rectify the problem and tidy the network up, you will come out of this smelling of roses if you fix all the problems.
Make all internet communication go through a proxy this way you can control all the internet transmissions, make sure your proxy has an SPI firewall on it too. Ensure you close all ports except the required ports, use authentication on your proxy too this way you can log transmissions to single users.
There are software solutions to proxies and also hardware solutions.
For software you could use something like WinGate
For Hardware you could use anything from a Belkin Router (Eugh) upto a dedicated PIX firewall.
The choice is yours show managment the problems then explain what you are going to do and prove that you are 10x better than the last guy.
EFFX
Make all internet communication go through a proxy this way you can control all the internet transmissions, make sure your proxy has an SPI firewall on it too. Ensure you close all ports except the required ports, use authentication on your proxy too this way you can log transmissions to single users.
There are software solutions to proxies and also hardware solutions.
For software you could use something like WinGate
For Hardware you could use anything from a Belkin Router (Eugh) upto a dedicated PIX firewall.
The choice is yours show managment the problems then explain what you are going to do and prove that you are 10x better than the last guy.
EFFX
ASKER
Thank you very much! I followed your advice and it really helped me! Thanks!
1. the fact that you have had to get all the updates sorted yourself suggest that the site was a problem waiting to happen anyway. This could be down to just your bad luck/co-incidence.
2. If you are having to amend the ISA rules in such a way then that is purely bad configuration that you have inherited. ISA configurations start with most protocols open for all users through all ports but then get closed down to specific ports from specific machines for specific groups/users/services.
3. Sounds like your predecessor may have left the odd 'present' on the environment to either catch you out/show you up or cause troubles for the company 9rather than just for you). Not sure what version of ISA you are running but assuming it is a supported version (2004/2006) then would be worthwhile opening the isa gui, select monitoring-logging-click start query and watching the inbound/outbound traffic flows for a while just in case something has been amended/tampered with.
4. I'd also check your user accounts - especially if you provide remote access to the system. Any accounts that don't match the current userbase? Check the ISA gui in the firewall policy for the published servers - especially any rdp/vpn entries. Review any source IP's that you don't recognise.
Sounds like the site was in sh*t order and you are sorting it out. The new kid on the block is always the one to get the blame when things happen unexpectedly. Change the tack from being defensive to being positive. Document nthe state of things you have found without mud-throwing, then detail the things you are dealing to ensure they are corrected. All anyone can do.
Keith