Detect zombie/spyware sending through port 25?
Hi guys,
I've got a Network that has been infected with some Spyware and it's using port 25 on a user PC so send lots of spam across the net. The user has clicked an Angelina Jolie e-mail (I would have done the same if it wasn't for the fact that it's obviously Spyware and the link ends in .avi.exe
). I managed to capture this traffic coming from his IP through a NAT setting on the router.
The users use the router as their default gateway for direct internet access rather than going through a Server, otherwise I would have set up Network monitor to filter out port 25 traffic. I have tried installing FileMon on this users PC to see if I can see the exe using port :25 but to no avail..
Once his PC was taken off the Network, the flood of random IP addresses with port 25 dissapeared from the router so I can only assume it was this PC, OR maybe the Spyware was relaying through his machine, hense it would be great if somebody could point me in the right direction of tracking down all :25 traffic going around the Network.
Regards,
Luke
I've got a Network that has been infected with some Spyware and it's using port 25 on a user PC so send lots of spam across the net. The user has clicked an Angelina Jolie e-mail (I would have done the same if it wasn't for the fact that it's obviously Spyware and the link ends in .avi.exe
). I managed to capture this traffic coming from his IP through a NAT setting on the router.The users use the router as their default gateway for direct internet access rather than going through a Server, otherwise I would have set up Network monitor to filter out port 25 traffic. I have tried installing FileMon on this users PC to see if I can see the exe using port :25 but to no avail..
Once his PC was taken off the Network, the flood of random IP addresses with port 25 dissapeared from the router so I can only assume it was this PC, OR maybe the Spyware was relaying through his machine, hense it would be great if somebody could point me in the right direction of tracking down all :25 traffic going around the Network.
Regards,
Luke
Comments
-
Cessation
Member Posts: 326
I think the upgraded version of Netmon would work... but im not too sure of how many people really use it.mr2nut wrote:Hi guys,
I've got a Network that has been infected with some Spyware and it's using port 25 on a user PC so send lots of spam across the net. The user has clicked an Angelina Jolie e-mail (I would have done the same if it wasn't for the fact that it's obviously Spyware and the link ends in .avi.exe ). I managed to capture this traffic coming from his IP through a NAT setting on the router.
The users use the router as their default gateway for direct internet access rather than going through a Server, otherwise I would have set up Network monitor to filter out port 25 traffic. I have tried installing FileMon on this users PC to see if I can see the exe using port :25 but to no avail..
Once his PC was taken off the Network, the flood of random IP addresses with port 25 dissapeared from the router so I can only assume it was this PC, OR maybe the Spyware was relaying through his machine, hense it would be great if somebody could point me in the right direction of tracking down all :25 traffic going around the Network.
Regards,
LukeA+, MCP(270,290), CCNA 2008.
Working back on my CCNA and then possibly CCNP. -
Ahriakin
Member Posts: 1,799 ■■■■■■■■□□
Try TCPView http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx . I also recommend you restrict SMTP (you can setup an opensource SMTP server like Postfix and forward your clients through it and use it to directly monitor email usage if you don't have an enterprise email solution), or install an IDS like Snort (again free) and write a quick rule to alert on unusual SMTP activity (it's quite easy to do basic rules like this).
Lastly if your client is infected to the point that it is a spam bot then it is likely infected with multiple other types of malware and actively trying to infect the rest of your network. Wipe it clean.....In a case like this user complaints should be completely ignored, their loss of the PC for the time it takes to reinstall is nothing compared to the risk it poses to your network.We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?