Botnet, DOS attack, Spam

Since this past Friday we have incurred major slowdowns on our network. Then, emails began getting bounced back, and it turns out we are listed on a couple of blacklists for Barracuda and another. Today, I started scanning to see if computers were infected. A couple of computers had trojans listed, one fake antivirus, and one "idid". Both were cleaned with SuperAntiSpyware, but the problem is still occurring and I can't seem to track it down. The main problem is that internet has slowed to a crawl, originally just on our wireless, but now on the wired network as well. We have a SBS 2003 server, Cisco 871W, Exchange 2003, and Windows XP Pro workstations. I am thinking we are a part of a botnet or spam email network of some sort, and I am not sure where to go next. I would appreciate any help with this matter. Thank you!
Justin EllenbeckerIT DirectorCommented:
The first steps are monitoring the traffic that goes through the computers and seeing if any computers are sending email that are not your Exchange server.  You can do this by running something like Wireshark and watching the traffic.  You will also want to make sure that relaying is shut down on Exchange 2003.  Check the message logs on your Exchange server and see if they are coming out of there. SuperAntiSpyware is a nice product but I would also run anti-malware.  How many workstations do you have? Is it possible to Wireshark them one at a time?  Also you can write ACLs into your Cisco router to stop all traffic that is destined for port 25 except from your Exchange server.  This will help as long as it's not your Exchange server that is infected.
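An added example (not from this thread) of the traffic check described above: it reads constructed flow records of the kind a Wireshark/tshark or NetFlow export would give, and lists LAN hosts other than the Exchange server that open outbound TCP/25 connections. The LAN range 192.168.1.0/24, the Exchange address 192.168.1.10 and the record format are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample flow records (not real captures):
# "<date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_FLOWS = """\
2009-03-02 09:01:12 192.168.1.10:51234 -> 64.12.88.131:25 tcp
2009-03-02 09:01:13 192.168.1.57:1031 -> 209.85.227.27:25 tcp
2009-03-02 09:01:13 192.168.1.57:1032 -> 64.233.169.27:25 tcp
2009-03-02 09:01:14 192.168.1.57:1033 -> 65.55.37.72:25 tcp
2009-03-02 09:01:15 192.168.1.23:2044 -> 192.168.1.10:25 tcp
2009-03-02 09:01:16 192.168.1.57:1034 -> 98.136.59.41:25 tcp
2009-03-02 09:01:17 192.168.1.42:3301 -> 74.125.67.100:80 tcp
2009-03-02 09:01:18 192.168.1.88:1100 -> 192.168.1.10:110 tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal range
EXCHANGE_IP = "192.168.1.10"                   # assumed SBS/Exchange address


def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            yield m.groupdict()


def smtp_senders(text, exchange_ip=EXCHANGE_IP, lan=LAN):
    """Count outbound TCP/25 connections to hosts outside the LAN, per internal source.

    Delivery from workstations to the internal Exchange server is expected and
    ignored; so is traffic sourced by Exchange itself, which is the only host
    that should be talking SMTP to the outside world."""
    counts = Counter()
    for f in parse_flows(text):
        if f["proto"] != "tcp" or f["dport"] != "25":
            continue
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src not in lan or dst in lan or f["src"] == exchange_ip:
            continue
        counts[f["src"]] += 1
    return counts


def suspects(text, threshold=1):
    """Internal hosts with at least `threshold` direct outbound SMTP connections."""
    return sorted(ip for ip, n in smtp_senders(text).items() if n >= threshold)
```

Raise `threshold` if some workstations legitimately send mail straight to an external relay, as the later comment about POP3/SMTP clients warns.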
Justin EllenbeckerIT DirectorCommented:
You are also going to have to contact the vendors like Barracuda and go through the steps for getting off their blacklist after you have things cleaned up.  Also what AV software are you running on the network?
The first step I would take is to notify your internet service provider (ISP) and let them know you suspect malicious activity is originating from your network and ask them if they can provide any proof or disprove this claim.  Meanwhile, I would continue to scan all of your servers and workstations with trusted anti-malware software such as A-squared, Malwarebytes, etc.

-Hijack this:

You should consider purchasing at minimum software firewall licenses for your servers and workstations.  I've had great luck with 'Kaspersky' and their line of software firewalls:

If you are serious about malware you should also consider a Hardware firewall that will sit in-front of or directly behind your router to filter all network traffic inbound/outbound such as a barracuda:

You need to spend time scanning your servers and workstations to clean up any and all malware before you can think about having a secure environment.  Read up on general malware removal tools and techniques.  In essence, when you have backups of your data on your workstations, follow this procedure:

-Install a-squared and malwarebytes
-Update the virus definitions of both applications so they can detect the latest threats
-Disable your 'restore points'
-Boot the computer into 'Safe Mode'
-Scan all hard-drives with multiple scanners (e.g. a-squared and malwarebytes)
-Remove all detected malware
-Reboot workstation, enable restore points if all threats are removed.

Experts Exchange Solution brought to you by


BoyleComAuthor Commented:
Anybody have an idea of the router config I would type to block SMTP traffic from all but my Exchange? It is a Cisco 871W. Thank you guys for your help. It looks like I had started down the right path, but obviously your suggestions give me more tools to use. I am also running RUBotted from Trend Micro on all the PCs and the server, which so far has found 0. I have also used SuperAntiSpyware and Malwarebytes on the 2 workstations that had some trojans found.
Configuring cisco access-lists is something that should be done by someone familiar with the entire configuration.  With that said, check out this previous question:

Ultimately you are going to end up with something similar to this applied to your outbound ACL:
access-list 102 remark Only the Exchange server may send SMTP out (replace the placeholder with its address)
access-list 102 permit tcp host EXCHANGE-SERVER-IP any eq smtp
access-list 102 deny tcp any any eq smtp log
access-list 102 remark Extended ACLs end in an implicit deny; keep a permit for the rest of your traffic
access-list 102 permit ip any any

I'm not a Cisco access-list expert so please be sure you understand the repercussions of your actions before you implement any changes.  Backup your configuration before doing anything and again, make sure you understand the consequences before implementing!

For whatever it is worth, if your workstations are connecting to POP3 mail servers or have any applications which require the SMTP protocol (port 25 by default), you may be causing more issues when blocking SMTP.
Thomas Zucker-ScharffSolution GuideCommented:
RUBotted is a nice piece of software, but don't fall into the trap of buying housecall when it finds a supposed bot.  Many of the items RUBotted identifies as suspicious activity are not from being botted but from visiting suspicious sites.  I always install this s/w with the recommendation that if there is a positive to call me.  Usually, I just delete the log and everything is fine, but I keep track of who calls and have found that the same people get the erroneous message all the time.  The browser history shows it's the sites they are visiting not a real bot.

On that note I would also recommend installing an alternate hosts file like the one hosted here:

The included batch file backs up your original hosts file and installs the new one.  It blocks a significant amount of malware sites.  If you use Symantec's live update you will need to delete the line with on it.

About restore points, there is some disagreement here.  I strongly believe that an infected restore point is better than none at all.  I have never personally seen malware from a restore point harm a computer unless the restore point is used.  It is my understanding that this malware is in a benign state until it is "restored".  I agree that you should disable system restore, but only as the last step once you know your systems are working.  I wrote the article below on how to disable and re-enable the system restore option.  Pay particular attention to the article I link to in the first paragraph ( ) which explains restore points; the comments to this article are quite revealing.
To each their own.  I create a backup image of my workstations or at least their important data before doing any troubleshooting.  I don't trust restore points so I blow them away before I run scanning utilities, then enable them again when I'm done.  Reinstalling shouldn't be the end of the world.  If it is, then it's time to rethink the backup strategy.  Acronis all the way.

For whatever it's worth: Good article, my personal opinion varies a bit in that I'd rather trust a solution such as Acronis to handle my restore capabilities.  I've been burned by system restore a number of times in my personal experience, more than enough times to convince management that it's worth the investment.
Thomas Zucker-ScharffSolution GuideCommented:
Thanks.  I too am an ardent supporter of Acronis and use it religiously.  But in certain instances, such as shared computers, I sometimes rely on SR.  Another great tool is SteadyState from MS, which is like Clean Slate: it basically reimages a computer every time you reboot, great for shared computers where content doesn't change.

If you are interested in a free reimaging solution check out this on SS:
Thanks for the info, much appreciated!