RE: Need Help to protect against spammer




OK, forget this. That was malware called Korolev and it was embedded in
C:\Windows\Expand.exe. I've never heard of it and couldn't find much on
the internet about it, but a 64-bit firewall called COMODO found it. It
seems a bit suspicious that there is nothing on the internet about Korolev
malware embedded in the Windows Expand.exe.
--
Regards,
Jamie


"thejamie" wrote:

First off, - not sure spammer is what this is so need someone to help me
clarify. Mail was denied to ATTNET because my server was reported for
spamming so I am watching my ISA firewall closely. Here is what I notice.

Someone is hitting my wireless workgroup network at 192.168.z.z from MSN
Messenger. Destination IP is a Microsoft IP starting 205... and protocol is
MSN Messenger. I noticed that my 64-bit XP laptop on this workgroup (which
is always logged into my SBS network via VPN) did not have its guest account
disabled - it is disabled now. Finally, the external address it tries to
reach is an IP produced by the DNS from the wireless router's NAT list (as
above, 192.168.z.z).

The next event that appears to define the attack is a call to the localhost
over a port from IP 255.255.255.255:Port (UDP)

And then there is the one call from a specific IP address (starts with 69)
(From Rackspace.com, Ltd. out of San Antonio, but need more information to
know if they are hacked too or if they are the spammer)... The 69 IP is the
external source, the 192.168.z.z mentioned above is the Destination.

Fortunately ISA is blocking this pattern, which occurs probably three or four
times in a row in a second or two and then repeats a few seconds later. ISA
refers to it as Unidentified traffic and denies it, but I find it odd that the
pattern recurs so frequently, and so my question is, could this be my spammer?
Please note, there are other attacks as well as this one, most of them
originating from addresses in China, but they are more random and appear to only be
probing. The one from 69.x.x.x is far more persistent.

Can anyone tell me what else to look for?
--
Regards,
Jamie
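The post above describes bursts of three or four denied packets within a second or two from one 69.x.x.x source, repeating a few seconds later, alongside random one-off probes and local 255.255.255.255 UDP broadcasts. As an added example (not from the thread and not ISA Server's own tooling), here is a small Python triage script over constructed, simplified log lines that filters out local broadcast and RFC 1918 sources and counts repeated bursts per external source, so the persistent one stands out from the random probes. The field layout, sample addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample (fields: date time src dst proto action); 69.0.0.10 stands in for the poster's 69.x.x.x.
SAMPLE_LOG = """\
2009-03-01 10:00:00.1 69.0.0.10 192.168.1.20 UDP Denied
2009-03-01 10:00:00.4 69.0.0.10 192.168.1.20 UDP Denied
2009-03-01 10:00:00.9 69.0.0.10 192.168.1.20 UDP Denied
2009-03-01 10:00:05.0 69.0.0.10 192.168.1.20 UDP Denied
2009-03-01 10:00:05.3 69.0.0.10 192.168.1.20 UDP Denied
2009-03-01 10:00:05.8 69.0.0.10 192.168.1.20 UDP Denied
2009-03-01 10:00:06.0 255.255.255.255 192.168.1.20 UDP Denied
2009-03-01 10:00:07.0 203.0.113.7 192.168.1.20 TCP Denied
"""

# RFC 1918 ranges; with the limited-broadcast address these are local noise, not an outside source.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_local(src):
    ip = ip_address(src)
    return src == "255.255.255.255" or any(ip in net for net in LOCAL_NETS)

def parse(line):
    date, time, src, dst, proto, action = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f"), src, dst, proto, action

def count_bursts(log_text, window=2.0, min_hits=3):
    """Bursts per external source: a burst is >= min_hits denied events within `window` seconds."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, _dst, _proto, action = parse(line)
        if action == "Denied" and not is_local(src):
            stamps[src].append(ts)
    bursts = {}
    for src, times in stamps.items():
        times.sort()
        n = i = 0
        while i < len(times):
            j = i  # extend the burst while events stay within `window` of its first event
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window:
                j += 1
            if j - i + 1 >= min_hits:
                n += 1
            i = j + 1
        bursts[src] = n
    return bursts

def persistent_sources(log_text, min_bursts=2):
    # Sources that keep coming back in bursts are the ones worth a closer look or an abuse report.
    return sorted(s for s, n in count_bursts(log_text).items() if n >= min_bursts)
```

On the sample, the repeating 69.0.0.10 source is reported while the single probe and the broadcast are not.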