Cutwail spambot somewhere on my network

So late last week my company's IP was blacklisted on Spamhaus' CBL block list.  Says we are infected with the Cutwail spambot.  So I ran Malwarebytes Pro and Hitman 3.7 Pro on the machine I thought was infected.  I also put an access restriction policy in place in DD-WRT to block outbound traffic on port 25 for the machine I suspected, and one other machine that I thought was maybe a problem.  Ran fine all weekend, come in today and about an hour in we get blacklisted again.  I'm at a loss here.  I've never had a problem like this in almost 10 years of being in the field.

Right now I'm running Malwarebytes Pro on 2 of our other workstations just in case.

Some help with this would be great.
Mike (IT Manager) asked:

younghv commented:
Please describe your network/system topography for us.
Brief description of your layout, systems, OS, etc.

What kind of security applications are you running on your workstations and servers?
0
Mike (IT Manager, Author) commented:
Subnet: 192.168.0.0/24
Router/Gateway - ASUS RT-N16 running DD-WRT
2 Domain Controllers - EXCHANGE, DC2
2 Exchange 2010 Servers - EXCHANGE, EXCHANGE5
2 Application Servers - APPSERVER, CRM3
1 File Server - IBMX306STORSERV
2 NAS devices
8 workstations running Win7 Pro
Various phones and tablets connected via wifi

Microsoft Security Essentials is running on Workstations.
0
younghv commented:
Sorry for the delay. Had to take a quick service call.

Malwarebytes-Pro can be safely run on all of your systems - without rebooting any of them.
It would be a good starting point in eliminating suspect systems.

"RogueKiller" is also "Server Safe" and is one of the most effective malware identifiers/fighters available.

Details in this EE Article:
http://www.experts-exchange.com/A_4922.html Rogue-Killer-What-a-great-name
0


Mike (IT Manager, Author) commented:
Is the Microsoft Safety Scanner any good?  I have that running on APPSERVER and EXCHANGE as we speak.
0
younghv commented:
I think you mean "Microsoft Security Essentials" (MSE), and - no - it is not designed for any server OS, only workstation.

For servers, you need this:
http://www.microsoft.com/en-us/server-cloud/system-center/endpoint-protection-2012.aspx

MSE is the only AV product I install on my - or my customers' - computers, along with Malwarebytes Pro.

Details in this EE Article:
http://www.experts-exchange.com/A_1958.html MALWARE - "An Ounce of Prevention..."
0
Mike (IT Manager, Author) commented:
No, I was talking about Microsoft Safety Scanner
http://www.microsoft.com/security/scanner/en-us/default.aspx

I ran roguekiller on all the servers and 2 of the workstations and cleaned them.  Going to try and delist and see what happens.  I'm praying this works.
0
Mike (IT Manager, Author) commented:
Well, it was good for about 14 hrs.  Now we're back to square one.
0
Sudeep Sharma (Technical Designer) commented:
Do you have logs from the Router/Gateway to check who else, apart from Exchange, is connecting to port 25?

http://www.dd-wrt.co.in/wiki/index.php/Logging_with_DD-WRT

Are all the emails getting routed via Exchange? Do you have a lockdown policy for port 25 to allow only Exchange to connect to it?

You could also enable logging on Exchange to check who is sending what, and at what frequency.

Sudeep
0
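The router-log check Sudeep describes (and the port-25 restriction Mike set up in DD-WRT) boils down to one question: which internal host, other than the Exchange servers, is opening outbound SMTP connections? The following is an added example, not code from this thread or from DD-WRT, that parses iptables/DD-WRT style kernel log lines and reports every source address that talks to TCP port 25 without being on the allow list. The Exchange server addresses (192.168.0.10 and 192.168.0.11), the `SMTP-OUT:` log prefix and the sample log lines are all assumptions constructed for the example; the thread does not give them.

```python
import re
from collections import defaultdict

# Assumed: the two Exchange servers' addresses (not listed in the thread).
ALLOWED_SMTP_SENDERS = {"192.168.0.10", "192.168.0.11"}

# Assumed LOG rule in the DD-WRT firewall script producing these lines, e.g.:
#   iptables -I FORWARD -i br0 -p tcp --dport 25 -j LOG --log-prefix "SMTP-OUT: "
# Constructed sample log in the iptables LOG target format (not real traffic).
SAMPLE_LOG = """\
Jan 14 09:01:02 DD-WRT kern.warn kernel: SMTP-OUT: IN=br0 OUT=vlan2 SRC=192.168.0.10 DST=198.51.100.25 LEN=60 TTL=127 PROTO=TCP SPT=50123 DPT=25 SYN
Jan 14 09:01:05 DD-WRT kern.warn kernel: SMTP-OUT: IN=br0 OUT=vlan2 SRC=192.168.0.57 DST=203.0.113.7 LEN=60 TTL=127 PROTO=TCP SPT=49321 DPT=25 SYN
Jan 14 09:01:05 DD-WRT kern.warn kernel: SMTP-OUT: IN=br0 OUT=vlan2 SRC=192.168.0.57 DST=203.0.113.40 LEN=60 TTL=127 PROTO=TCP SPT=49322 DPT=25 SYN
Jan 14 09:01:06 DD-WRT kern.warn kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.0.22 DST=198.51.100.80 LEN=60 TTL=127 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 14 09:01:06 DD-WRT kern.warn kernel: SMTP-OUT: IN=br0 OUT=vlan2 SRC=192.168.0.57 DST=192.0.2.199 LEN=60 TTL=127 PROTO=TCP SPT=49323 DPT=25 SYN
Jan 14 09:01:09 DD-WRT kern.warn kernel: SMTP-OUT: IN=br0 OUT=vlan2 SRC=192.168.0.11 DST=198.51.100.26 LEN=60 TTL=127 PROTO=TCP SPT=50200 DPT=25 SYN
Jan 14 09:01:11 DD-WRT kern.warn kernel: SMTP-OUT: IN=br0 OUT=vlan2 SRC=192.168.0.33 DST=203.0.113.7 LEN=60 TTL=127 PROTO=TCP SPT=52001 DPT=25 SYN
"""

# Fields of interest in an iptables LOG line: source, destination, protocol, destination port.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def parse_smtp_attempts(log_text):
    """Yield (src, dst) for every logged TCP connection attempt to port 25."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("proto") == "TCP" and m.group("dpt") == "25":
            yield m.group("src"), m.group("dst")


def find_unexpected_senders(log_text, allowed=ALLOWED_SMTP_SENDERS):
    """Return {src: {"attempts": n, "distinct_dst": k}} for every internal host
    that opened outbound SMTP without being an allowed mail server.

    A single workstation reaching many different mail servers on port 25 is the
    pattern a spambot produces; a legitimate client never needs to do that.
    Results are ordered by attempt count, busiest host first."""
    stats = defaultdict(lambda: {"attempts": 0, "dsts": set()})
    for src, dst in parse_smtp_attempts(log_text):
        if src in allowed:
            continue
        stats[src]["attempts"] += 1
        stats[src]["dsts"].add(dst)
    ranked = sorted(stats.items(), key=lambda kv: -kv[1]["attempts"])
    return {src: {"attempts": s["attempts"], "distinct_dst": len(s["dsts"])}
            for src, s in ranked}


if __name__ == "__main__":
    for src, info in find_unexpected_senders(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} SMTP attempts to {info['distinct_dst']} distinct hosts")
```

On a real router the input would be the syslog output described in the DD-WRT logging wiki page linked above, read from the file or the remote syslog server the router sends to; the `DPT=443` line in the sample shows that unrelated traffic is ignored, and the two Exchange addresses are filtered out so that only hosts that should not be speaking SMTP at all are reported.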
Mike (IT Manager, Author) commented:
Ran Spybot S&D on a bunch of machines and found some stuff on 3 of them, enabled logging on my firewall (apparently I forgot to save the settings when I enabled it a couple of months back), and only see the appropriate amount of SMTP traffic coming from Exchange.  Delisted our IP and hoping for the best.
0