Re: We are being blocked from various mail servers because of trojan




Wow, you are saying that is my only option? That it might not just be
a single computer that is blasting through port 25, but it is
something that can't be found by putting Symantec on it now and
running a full scan? That I have no other option?

jared

On Wed, 13 May 2009 20:36:52 -0400, Leythos <spam999free@xxxxxxxxxx>
wrote:

In article <sgnm051632391aed11201mal83qh55ulak@xxxxxxx>,
shop@xxxxxxxxxxx says...

Hey all, I'm getting pretty concerned because this is the 2nd day I'm
having to deal with this and we are getting put on more blacklists.
I'm running on very little sleep and have to get this fixed tonight
while people are out of the office...here is some more information to
help assess the situation...

In the past the owner didn't want to spend the money for network
antivirus, so when Trend Micro expired last June he told me to just
use store-bought McAfee on some of the computers and not worry about
the server for antivirus software...BIG mistake, I know - I just
didn't have any money for it...

Well, now I don't have any antivirus solution on the 2 servers (main
and member) and some of the clients are missing McAfee...I realize
this is a horrible mistake, and know I will get lectured, but can only
do what I have the ability from the owner to do, even after telling him
multiple times it makes my job harder.

So, here is my current need:

1. Put antivirus on both servers (please give me a good suggestion
that I can put on right now to hopefully have 30 or 60 days of trial
to come up with the money)

2. DETAILED INSTRUCTIONS ON BLOCKING PORT 25 OUTGOING SMTP FROM
EVERYONE BUT SERVER. It is very surprising to me that this is a
solution I read about, but cannot find a single "how to" article on
it...I'm not an ISA guy at all, so with ISA 2004 I feel very
lost...personally, I hate working in it and was very frustrated last
night at 4:00 in the morning after searching for an hour and not
finding anything. If this is a common thing to do, how come nobody
has detailed steps to follow?

3. I'd like to find out through some sort of logs on the server how
to view this issue...I thought I had it fixed, we were removed from
the blacklists...I slept for about 3 hours after being up almost 30
and when I woke up we were back on the blacklists...so, I obviously
missed something...

As always THANK YOU...this group is invaluable...I really do try and
find fixes myself before posting to the group...I don't want to be
viewed as taking advantage of you guys, but with all of the jobs I
have, Network Admin is only one of several and it gets neglected until
we have a "fire" situation...

You are so screwed.

Your best and only bet is to back up the DATA and then wipe the servers
and computers in the network and start from scratch. Once your network
is compromised so badly, without AV or other tools, there is no way you
can be sure you've got it all cleaned. "Cleaning" it would never pass a
security audit, certainly not worth risking your business for it.

What you need to do is rebuild the servers while your network is
shut down and isolated, using a different AD name, different passwords
for admin accounts, and disconnect all workstations from the network
while you rebuild your servers.

This could be completed in about 6 hours, then, ONLY CONNECT TO
MICROSOFT to get patches and updates.

Contact any vendor and buy the minimum licensing for a Corporate AV
solution - I have never been hacked while using Symantec Corporate
Edition products - the most current version is Symantec Endpoint
Protection, 5 licenses is cheap and you're going to need it.

You could have the entire office clean and back online in a single day.

Once you get this done, have your ISP assign you a new public IP, fix
your public DNS, make sure that the ISP creates a valid RDNS record, and
then start submitting your domain name for removal to the black-lists.

If you attempt to get yourself removed before you've fixed the problem
you are likely to be put on a permanent block.
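The original poster's points 2 and 3 (only the mail server should be allowed to send SMTP, and the logs should reveal which machine is sending) are the kind of thing a defender can check in a few minutes once outbound connections are being logged. The script below is an added example that is not part of the thread and does not reproduce ISA Server's real log layout; it parses a constructed, simplified firewall export and flags any internal host other than the designated mail server that opens outbound TCP/25 connections. The log format, the 192.168.1.0/24 LAN range, the mail server address 192.168.1.10 and every line of sample data are assumptions made for illustration.

```python
"""Find internal hosts, other than the mail server, sending mail directly out on TCP/25.

Added example, not code from the original thread.  The log format below is a
constructed, simplified "src -> dst" export, not ISA Server's own log layout.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2009-05-13T20:01:02 ALLOW TCP 192.168.1.10:49152 -> 64.233.1.1:25
2009-05-13T20:01:03 ALLOW TCP 192.168.1.57:1034 -> 203.0.113.8:25
2009-05-13T20:01:03 ALLOW TCP 192.168.1.57:1035 -> 203.0.113.9:25
2009-05-13T20:01:04 ALLOW TCP 192.168.1.57:1036 -> 198.51.100.20:25
2009-05-13T20:01:05 ALLOW TCP 192.168.1.22:2233 -> 93.184.216.34:80
2009-05-13T20:01:06 ALLOW TCP 192.168.1.10:49153 -> 198.51.100.5:25
2009-05-13T20:01:07 ALLOW TCP 192.168.1.91:3301 -> 203.0.113.44:25
2009-05-13T20:01:08 DENY  TCP 192.168.1.91:3302 -> 203.0.113.45:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

INTERNAL_NET = ip_network("192.168.1.0/24")  # assumed LAN range
MAIL_SERVER = ip_address("192.168.1.10")     # assumed: the only host allowed to relay out


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_unauthorised_smtp(log_text, mail_server=MAIL_SERVER, internal=INTERNAL_NET):
    """Count outbound TCP/25 connections per internal source that is not the mail server.

    Returns (counts, targets): counts maps source IP (string) -> number of
    connections; targets maps source IP -> set of destination IPs (strings).
    Both ALLOW and DENY lines are counted, because a denied attempt still
    identifies a host that is trying to send mail directly and needs a look.
    """
    counts = Counter()
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != 25:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        # Only internal -> external SMTP matters, and the mail server is expected to do it.
        if src not in internal or dst in internal or src == mail_server:
            continue
        counts[str(src)] += 1
        targets[str(src)].add(str(dst))
    return counts, targets


def report(log_text):
    """Human-readable summary, busiest offender first."""
    counts, targets = find_unauthorised_smtp(log_text)
    return [
        f"{src}: {n} outbound SMTP connection(s) to {len(targets[src])} distinct host(s)"
        for src, n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Any host that shows up in this report is a candidate for the "single computer blasting through port 25" the poster hoped for; several hosts showing up supports the reply's point that the infection may not be confined to one machine. The same filter, expressed as a firewall rule (deny TCP/25 outbound from everything except the mail server), is what point 2 asks for, and keeping the DENY lines in the count means the rule also becomes a detection source once it is in place.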


