Re: inetinfo sending spam?
- From: "Adam Butler" <adambutler100@xxxxxxxxxxx>
- Date: Thu, 14 Apr 2005 19:28:39 -0500
Matt,
I forgot to mention Zone Alarm earlier.
I generally would never run ZA on a server but it was the first thing that
came to mind!
And SBS does not like it anyhow. The only way I could use ZA on the server
was to only start ZA after SBS was fully up and running.
I'll give Active Ports a look.
Thanks Again
"Matt Gibson" <mattg@xxxxxxxxxxxxxxx> wrote in message
news:uK0x57UQFHA.3628@xxxxxxxxxxxxxxxxxxxxxxx
> It's more than likely an NDR flood.
>
> Firstly, never install Zone Alarm on a server. Use a program like Active
> Ports instead.
>
> Turn off NDRs, and see if the traffic stream is still there.
>
> Matt Gibson - GSEC
>
>
> "Adam Butler" <adambutler100@xxxxxxxxxxx> wrote in message
> news:Or2nk3UQFHA.3544@xxxxxxxxxxxxxxxxxxxxxxx
>> Hello,
>> I'm running SBS2k3 Standard for about a year.
>> I'm behind a Zywall hardware firewall that I monitor the logs daily with
>> LinkLogger.
>> Today I noticed several hundred outgoing connections on SMTP port 25 to
>> IP 64.246.42.20.
>> The Whois shows: Everyones Internet, Inc of Houston Texas.
>>
>> As soon as I discovered this, I blocked port 25 outgoing until I can
>> figure out what happened.
>> I do not have any ports from the public open to the SBS server except
>> SMTP port 25.
>> No RWW or anything else is open to the public.
>> I do have a Linux web server on my same subnet that has port 80 open but
>> that is all.
>> The Linux box does send logging email to one of my SBS box's email
>> accounts.
>> I also do not have any extra software installed on the SBS box.
>> I do not surf the web from the SBS box.
>>
>> The only thing I can think of is someone did a brute force attack against
>> port 25 and hit a good password on one of my accounts.
>>
>> I did actually recently see some failed logon attempts to port 25 from
>> the Asia region of the world. The security log showed some of the
>> passwords attempted but the attempts quit in a matter of minutes.
>>
>> So, tonight I installed Zone Alarm on the SBS box just long enough to
>> determine what program is trying to send via port 25.
>> Zone Alarm constantly pops up INETINFO.EXE with the same IP I posted
>> above on port 25.
>>
>> Is there a way to see what is calling inetinfo so I can see whatever it
>> is sending?
>> Or does a log maybe exist that I may be able to look at the content of
>> what has been sent?
>>
>> I only have three user accounts on the SBS box. All have strong
>> passwords.
>> I will change the passwords in a bit but I thought for now to leave them
>> alone as I have blocked any public access.
>>
>> Any help is greatly appreciated!
>>
>> Adam
>>
>>
>
>
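On the question of whether a log exists: the sketch below is an added example, not part of either poster's message. It shows one way to tell an NDR flood (outbound mail with the null sender `<>`) from mail sent under a real account. It assumes W3C extended logging is enabled on the SMTP virtual server, that the selected fields include the ones in the `#Fields:` line, and that outbound lines carry `OutboundConnectionCommand` in `cs-username`. The log lines are constructed, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample log (not from the thread). The field selection is an
# assumption about how logging was configured on the SMTP virtual server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2005-04-14 23:01:10 64.246.42.20 OutboundConnectionCommand MAIL FROM:<>+SIZE=4096 0
2005-04-14 23:01:10 64.246.42.20 OutboundConnectionResponse - 250+Sender+OK 0
2005-04-14 23:01:12 64.246.42.20 OutboundConnectionCommand MAIL FROM:<>+SIZE=4101 0
2005-04-14 23:01:15 64.246.42.20 OutboundConnectionCommand MAIL FROM:<> 0
2005-04-14 23:02:00 203.0.113.5 - MAIL +FROM:<someone@example.com> 250
2005-04-14 23:03:00 192.0.2.10 OutboundConnectionCommand MAIL FROM:<user@example.com> 0
"""

def parse_w3c(text):
    """Yield one dict per data line, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def outbound_mail_by_peer(text):
    """Count outbound MAIL commands per remote IP, split by sender type."""
    peers = {}
    for row in parse_w3c(text):
        if row.get("cs-username") != "OutboundConnectionCommand":
            continue  # inbound sessions and server responses
        if row.get("cs-method", "").upper() != "MAIL":
            continue
        # A null reverse-path (<>) marks a delivery status notification (NDR).
        kind = "ndr" if "FROM:<>" in row.get("cs-uri-query", "").upper() else "authored"
        peers.setdefault(row["c-ip"], Counter())[kind] += 1
    return peers

def verdict(counts, threshold=0.8):
    """Heuristic label for one peer; the threshold is an arbitrary assumption."""
    total = sum(counts.values())
    if total and counts["ndr"] / total >= threshold:
        return "likely NDR flood"
    return "check for relay or compromised account"

if __name__ == "__main__":
    for ip, counts in outbound_mail_by_peer(SAMPLE_LOG).items():
        print(ip, dict(counts), verdict(counts))
```
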