• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 732

Botnet, DOS attack, Spam

Since this past Friday we have incurred major slowdowns on our network. Then emails began getting bounced back, and it turns out we are listed on a couple of blacklists, for Barracuda and another. Today I started scanning to see if computers were infected. A couple of computers had trojans listed, one fake antivirus and one "idid". Both were cleaned with SuperAntiSpyware, but the problem is still occurring and I can't seem to track it down. The main problem is that the internet has slowed to a crawl, originally just on our wireless, but now on the wired network as well. We have a SBS 2003 server, Cisco 871W, Exchange 2003, and Windows XP Pro workstations. I am thinking we are a part of a botnet or spam email network of some sort, and I am not sure where to go next. I would appreciate any help with this matter. Thank you!
Asked by BoyleCom

2 Solutions
 
Justin Ellenbecker, IT Director, commented:
The first steps are monitoring the traffic that goes through the computers and seeing if any computers are sending email that are not your Exchange server. You can do this by running something like Wireshark and watching the traffic. You will also want to make sure that relaying is shut down on 2003. Check the message logs on your Exchange server and see if they are coming out of there. SuperAntiSpyware is a nice product, but I would also run malwarebytes.org Anti-Malware. How many workstations do you have? Is it possible to Wireshark them one at a time? Also, you can write ACLs into your Cisco router to stop all traffic that is destined for port 25 except from your Exchange server. This will help as long as it's not your Exchange server that is infected.
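As an added illustration of the traffic check Justin describes (this is not code from the thread), the script below takes a list of TCP SYNs in the src/dst/port form that tshark can emit and reports every LAN host other than the Exchange server that is opening outbound SMTP connections to the Internet. The subnet 192.168.1.0/24, the Exchange address 192.168.1.100 and the tshark command in the docstring are assumptions; the sample lines are constructed.

```python
"""Spot LAN hosts that open their own outbound SMTP (TCP/25) connections.

Input lines are  src_ip<TAB>dst_ip<TAB>dst_port, one per TCP SYN. They are
assumed to come from a capture exported with something like
  tshark -r capture.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \\
         -T fields -e ip.src -e ip.dst -e tcp.dstport
In a small office only the Exchange server should talk to port 25 outside
the LAN; any other host doing so is a spam-bot candidate.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")        # assumed internal subnet
EXCHANGE = ip_address("192.168.1.100")    # assumed Exchange server address
SMTP_PORT = 25

# Constructed sample: two rogue senders (.57 and .88), the Exchange server,
# a client submitting mail to Exchange, a web request and a junk line.
SAMPLE = """\
192.168.1.100\t203.0.113.25\t25
192.168.1.100\t198.51.100.7\t25
192.168.1.57\t203.0.113.25\t25
192.168.1.57\t198.51.100.7\t25
192.168.1.57\t192.0.2.44\t25
192.168.1.57\t192.0.2.45\t25
192.168.1.23\t192.168.1.100\t25
192.168.1.23\t203.0.113.80\t80
192.168.1.88\t192.0.2.9\t25
not a valid line
"""


def parse_syn_lines(lines):
    """Yield (src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in lines:
        parts = line.strip().split("\t")
        if len(parts) != 3:
            continue
        try:
            yield ip_address(parts[0]), ip_address(parts[1]), int(parts[2])
        except ValueError:
            continue


def find_rogue_smtp_senders(lines, lan=LAN, exchange=EXCHANGE, min_hits=1):
    """Return {src_ip: {"count": syns, "targets": distinct_dsts}} for LAN hosts
    other than the Exchange server that opened SMTP connections to hosts
    outside the LAN. Submissions to Exchange itself are legitimate and ignored."""
    counts = Counter()
    targets = defaultdict(set)
    for src, dst, dport in parse_syn_lines(lines):
        if dport != SMTP_PORT:
            continue
        if src not in lan or dst in lan:      # inbound or LAN-internal: fine
            continue
        if src == exchange:                   # the one host allowed to send
            continue
        counts[src] += 1
        targets[src].add(dst)
    return {str(s): {"count": n, "targets": len(targets[s])}
            for s, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    report = find_rogue_smtp_senders(SAMPLE.splitlines())
    for host, info in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{host}: {info['count']} outbound SMTP SYNs to "
              f"{info['targets']} distinct hosts")
```

A workstation that fans out SMTP connections to many distinct destinations is the typical spam-bot signature; raise min_hits on a busy capture to cut noise, and remember that a client talking to Exchange on port 25 is normal and is deliberately not reported.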
 
Justin Ellenbecker, IT Director, commented:
You are also going to have to contact the vendors like Barracuda and go through the steps for getting off their blacklist after you have things cleaned up. Also, what AV software are you running on the network?
 
joefreedom commented:
The first step I would take is to notify your internet service provider (ISP) and let them know you suspect malicious activity is originating from your network, and ask them if they can provide any proof or disprove this claim. Meanwhile, I would continue to scan all of your servers and workstations with trusted anti-malware software such as A-squared, Malwarebytes, etc.

-A-squared: http://www.emsisoft.com/en/software/free/
-Malwarebytes: www.malwarebytes.org
-Hijack this: free.antivirus.com/hijackthis
-RootkitRevealer: technet.microsoft.com/en-us/sysinternals/bb897445.aspx

You should consider purchasing at minimum software firewall licenses for your servers and workstations. I've had great luck with Kaspersky and their line of software firewalls:
http://www.kaspersky.com/

If you are serious about malware you should also consider a hardware firewall that will sit in front of or directly behind your router to filter all network traffic inbound/outbound, such as a Barracuda:
www.barracudanetworks.com

You need to spend time scanning your servers and workstations to clean up any and all malware before you can think about having a secure environment. Read up on general malware removal tools and techniques. In essence, when you have backups of your data on your workstations, follow this procedure:

-Install a-squared and malwarebytes
-Update the virus definitions of both applications so they can detect the latest threats
-Disable your 'restore points'
-Boot the computer into 'Safe Mode'
-Scan all hard-drives with multiple scanners (e.g. a-squared and malwarebytes)
-Remove all detected malware
-Reboot workstation, enable restore points if all threats are removed.
 
BoyleCom (Author) commented:
Anybody have an idea of the router config I would type to block SMTP traffic from all but my Exchange? It is a Cisco 871W. Thank you, guys, for your help. It looks like I had started down the right path, but obviously your suggestions give me more tools to use. I am also running RUBotted from Trend Micro on all the PCs and the server, which so far has found 0. I have also used SuperAntiSpyware and Malwarebytes on the 2 workstations that had some trojans found.
 
joefreedom commented:
Configuring Cisco access-lists is something that should be done by someone familiar with the entire configuration. With that said, check out this previous question:
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_23185513.html

Ultimately you are going to end up with something similar to this applied to your outbound ACL:
access-list 102 permit tcp host 192.168.1.100 any eq smtp
access-list 102 deny tcp any any eq smtp log
! an IOS ACL ends with an implicit deny, so keep a permit for all other traffic
access-list 102 permit ip any any

I'm not a Cisco access-list expert, so please be sure you understand the repercussions of your actions before you implement any changes. Back up your configuration before doing anything and, again, make sure you understand the consequences before implementing!

For whatever it is worth, if your workstations are connecting to POP3 mail servers or have any applications which require the SMTP protocol (port 25 by default), you may be causing more issues when blocking SMTP.
 
Thomas Zucker-Scharff, Systems Analyst, commented:
RUBotted is a nice piece of software, but don't fall into the trap of buying HouseCall when it finds a supposed bot. Many of the items RUBotted identifies as suspicious activity are not from being botted but from visiting suspicious sites. I always install this software with the recommendation that if there is a positive to call me. Usually, I just delete the log and everything is fine, but I keep track of who calls and have found that the same people get the erroneous message all the time. The browser history shows it's the sites they are visiting, not a real bot.

On that note I would also recommend installing an alternate hosts file like the one hosted here:

http://www.mvps.org/winhelp2002/hosts.htm

The included batch file backs up your original hosts file and installs the new one. It blocks a significant number of malware sites. If you use Symantec's LiveUpdate you will need to delete the line with om.symantec.com on it.

About restore points, there is some disagreement here. I strongly believe that an infected restore point is better than none at all. I have never personally seen malware from a restore point harm a computer unless the restore point is used. It is my understanding that this malware is in a benign state until it is "restored". I agree that you should disable System Restore, but only as the last step once you know your systems are working. I wrote the article below on how to disable and re-enable the System Restore option. Pay particular attention to the article I link to in the first paragraph ( http://e-e.com/A_1934.htm ), which explains restore points; the comments on this article are quite revealing.

http://www.experts-exchange.com/articles/OS/Microsoft_Operating_Systems/Windows/XP/Removing-protected-System-Restore-files-if-they-have-been-infected.html
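Thomas's hosts-file suggestion, worked through as an added example (this is not code from the thread or from the MVPS page): the functions below parse a blocklist in MVPS hosts format, drop entries under a suffix you need to keep reachable (the symantec.com exception he mentions), and merge the rest into a copy of the existing hosts file between marker comments, so re-running it does not duplicate entries. The sample blocklist, the existing hosts file, the marker string and the Exchange hostname are constructed; keep a backup of the original file before writing the result, as the MVPS batch file does.

```python
"""Install a blocklist-style hosts file (like the MVPS one) without losing
your own entries or the hosts that your own tools need to reach.

The functions are pure: the caller reads the files, keeps a backup of the
original hosts file and writes the result. Names and samples below are
constructed for the example."""
import re

HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(\S+)")   # "<ip> <hostname> ..."

# Constructed blocklist in MVPS format, including two Symantec entries that
# would break LiveUpdate if installed as-is.
BLOCKLIST = """\
# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 malware-dropper.example.org   # constructed
0.0.0.0 liveupdate.symantec.com
0.0.0.0 om.symantec.com
0.0.0.0 tracker.example.com
"""

# Constructed local hosts file with one site-specific entry.
EXISTING = """\
# hosts file (constructed)
127.0.0.1       localhost
192.168.1.100   exchange.corp.local   # assumed Exchange server
"""


def _entry(line):
    """Return (ip, hostname) for a hosts line, or None for comments/blank lines."""
    m = HOSTS_LINE.match(line.split("#", 1)[0])
    return (m.group(1), m.group(2).lower()) if m else None


def parse_blocklist(text, allow_suffixes=()):
    """Hostnames a blocklist would sink-hole, minus any under an allowed
    suffix (e.g. 'symantec.com' so Symantec LiveUpdate keeps working)."""
    keep = []
    for line in text.splitlines():
        e = _entry(line)
        if not e or e[0] not in ("0.0.0.0", "127.0.0.1") or e[1] == "localhost":
            continue
        if any(e[1] == s or e[1].endswith("." + s) for s in allow_suffixes):
            continue
        keep.append(e[1])
    return keep


def merge_hosts(existing_text, blocked_hosts, marker="# --- blocklist ---"):
    """Return the new hosts file text: your original lines (with any earlier
    marked blocklist section removed) followed by one 0.0.0.0 line per blocked
    host, skipping hosts you already define. Running it twice is a no-op."""
    original, in_block = [], False
    for line in existing_text.splitlines():
        if line.strip() == marker:
            in_block = not in_block
            continue
        if not in_block:
            original.append(line)
    already = {e[1] for e in map(_entry, original) if e}
    block, seen = [marker], set()
    for h in blocked_hosts:
        if h not in already and h not in seen:
            seen.add(h)
            block.append(f"0.0.0.0 {h}")
    block.append(marker)
    return "\n".join(original + block) + "\n"


if __name__ == "__main__":
    hosts = parse_blocklist(BLOCKLIST, allow_suffixes=("symantec.com",))
    print(merge_hosts(EXISTING, hosts))
```

Keeping the blocklist between markers means a later update replaces only that section, and the allow-suffix check is the generalisation of the "delete the om.symantec.com line" step: any domain your AV or patch tooling depends on can be listed there instead of being edited out by hand each time.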
 
joefreedom commented:
To each their own. I create a backup image of my workstations, or at least their important data, before doing any troubleshooting. I don't trust restore points, so I blow them away before I run scanning utilities, then enable them again when I'm done. Reinstalling shouldn't be the end of the world. If it is, then it's time to rethink the backup strategy. Acronis all the way.

For whatever it's worth: good article. My personal opinion varies a bit in that I'd rather trust a solution such as Acronis to handle my restore capabilities. I've been burned by System Restore a number of times in my personal experience, more than enough times to convince management that it's worth the investment.
 
Thomas Zucker-Scharff, Systems Analyst, commented:
Thanks. I too am an ardent supporter of Acronis and use it religiously. But in certain instances, such as shared computers, I sometimes rely on SR. Another great tool is SteadyState from MS, which is like Clean Slate: it basically reimages a computer every time you reboot, great for shared computers where content doesn't change.

If you are interested in a free reimaging solution check out this on SS:

http://www.experts-exchange.com/articles/OS/Microsoft_Operating_Systems/Windows/XP/Windows-SteadyState.html
 
joefreedom commented:
Thanks for the info, much appreciated!