Re: We are being blocked from various mail servers because of trojan
Yes, it is your only option.

The problem is that viruses, once they get a foothold, can lie to AV software, change signature files as they are installed, or otherwise thwart cleaning procedures. MOST of the modern malware and botnet variants can do this.

Even if one machine on your network was infected, it has had plenty of time on that machine to scrape various domain credentials so your entire domain is potentially compromised. This means the only effective fix is to rebuild the domain...hence the reason Leythos suggests copying *JUST THE DATA* (no AD migration!!!!) and using new accounts, passwords, new joins, etc.

The money saved on passing over AV is lost in time/wages rebuilding the network. You knew the lecture was coming...so here it is...you should've stuck to your guns with your boss and *REFUSED* (yes, that means threatening to quit) over this shortcut. Because guess what...now this problem reflects on YOU, not him. You can go to him and say "I told you so" all you want, and his/her response will be "I didn't realize the problem was this bad! You didn't explain it to me!!!" So...yeah....you are screwed.

Knuckle down, do the work, and double check everything.

-Cliff


"Jaredean" <shop@xxxxxxxxxxx> wrote in message news:abtm05t9kleoriht13jr56o22mrnil6a2c@xxxxxxxxxx
Wow, you are saying that is my only option? That it might not just be
a single computer that is blasting through port 25, but it is
something that can't be found by putting Symantec on it now and
running a full scan? That i have no other option?

jared

On Wed, 13 May 2009 20:36:52 -0400, Leythos <spam999free@xxxxxxxxxx>
wrote:

In article <sgnm051632391aed11201mal83qh55ulak@xxxxxxx>,
shop@xxxxxxxxxxx says...

Hey all, i'm getting pretty concerned because this is the 2nd day i'm
having to deal with this and we are getting put on more blacklists.
I'm running on very little sleep and have to get this fixed tonight
while people are out of the office...here is some more information to
help assess the situation...

In the past the owner didn't want to spend the money for network
antivirus, so when Trend Micro expired last June he told me to just
use store bought McAfee on some of the computers and not worry about
the server for antivirus software...BIG mistake, i know - i just
didn't have any money for it...

Well, now i don't have any antivirus solution on the 2 servers (main
and member) and some of the clients are missing McAfee...i realize
this is a horrible mistake, and know i will get lectured but can only
do what i have the ability from the owner to do even after telling him
multiple times it makes my job harder.

So, here is my current need:

1. Put antivirus on both servers (please give me a good suggestion
that i can put on right now to hopefully have 30 or 60 days of trial
to come up with the money)

2. DETAILED INSTRUCTIONS ON BLOCKING PORT 25 OUTGOING SMTP FROM
EVERYONE BUT SERVER. It is very surprising to me that this is a
solution i read about, but can not find a single "how to" article on
it...i'm not an ISA guy at all, so with ISA 2004 i feel very
lost...personally, i hate working in it and was very frustrated last
night at 4:00 in the morning after searching for an hour and not
finding anything. If this is a common thing to do, how come nobody
has detailed steps to follow?

3. I'd like to find out through some sort of logs on the server how
to view this issue...i thought i had it fixed, we were removed from
the blacklists...i slept for about 3 hours after being up almost 30
and when i woke up we were back on the blacklists...so, i obviously
missed something...

As always THANK YOU...this group is invaluable...i really do try and
find fixes myself before posting to the group...i don't want to be
viewed as taking advantage of you guys, but with all of the jobs i
have, Network Admin is only one of several and it gets neglected until
we have a "fire" situation...

You are so screwed.

Your best and only bet is to backup the DATA and then wipe the servers
and computers in the network and start from scratch. Once your network
is compromised so badly, without AV or other tools, there is no way you
can be sure you've got it all cleaned. "Cleaning" it would never pass a
security audit, certainly not worth risking your business for it.

What you need to do is rebuild the servers while your network is
shutdown and isolated, using a different AD name, different passwords
for admin accounts, and disconnect all workstations from the network
while you rebuild your servers.

This could be completed in about 6 hours, then, ONLY CONNECT TO
MICROSOFT to get patches and updates.

Contact any vendor and buy the minimum licensing for a Corporate AV
solution - I have never been hacked while using Symantec Corporate
Edition products - the most current version is Symantec End Point
Protection, 5 licenses is cheap and you're going to need it.

You could have the entire office clean and back online in a single day.

Once you get this done, have your ISP assign you a new public IP, fix
your public DNS, make sure that the ISP creates a valid RDNS record, and
then start submitting your domain name for removal to the black-lists.

If you attempt to get yourself removed before you've fixed the problem
you are likely to be put on a permanent block.
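Jared's items 2 and 3 above (restrict outbound SMTP to the mail server, and find the spamming host in the logs) boil down to one check: which LAN hosts other than the mail server are talking to TCP/25 on the internet. The script below is an added example, not from anyone in this thread, and it runs over constructed log lines in a simplified "src:port -> dst:port" form rather than the real ISA 2004 log layout; the LAN range 192.168.1.0/24 and the mail server address 192.168.1.2 are assumptions to adapt.

```python
"""Find LAN hosts sending SMTP directly to the internet from firewall log lines."""
from collections import Counter, defaultdict
import ipaddress
import re

# Constructed sample lines (not the actual ISA 2004 log format; adjust LINE_RE
# to match your firewall's export). Fields: date time src:port -> dst:port proto action
SAMPLE_LOG = """\
2009-05-13 20:01:02 192.168.1.5:3871 -> 64.12.138.161:25 TCP ALLOW
2009-05-13 20:01:03 192.168.1.5:3872 -> 65.55.37.62:25 TCP ALLOW
2009-05-13 20:01:05 192.168.1.2:4410 -> 64.12.138.161:25 TCP ALLOW
2009-05-13 20:01:07 192.168.1.5:3873 -> 209.85.201.27:25 TCP ALLOW
2009-05-13 20:01:08 192.168.1.44:1152 -> 192.168.1.2:25 TCP ALLOW
2009-05-13 20:01:09 192.168.1.5:3874 -> 74.125.67.27:25 TCP ALLOW
2009-05-13 20:01:10 192.168.1.9:2200 -> 93.184.216.34:80 TCP ALLOW
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+):(\d+) -> (\S+):(\d+) (\w+) (\w+)$")
INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range


def find_direct_smtp_senders(log_text, mail_server_ip, internal_net=INTERNAL):
    """Return {src_ip: {"connections": n, "distinct_dst": m}}, most active first,
    for LAN hosts other than the mail server that open TCP/25 outside the LAN."""
    conns = Counter()
    dsts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _, src, _, dst, dport, proto, _ = m.groups()
        if proto != "TCP" or dport != "25":
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in internal_net or dst_ip in internal_net:
            continue  # ignore non-LAN sources and workstations submitting to the LAN mail server
        if src == mail_server_ip:
            continue  # the one host that is allowed to relay outbound
        conns[src] += 1
        dsts[src].add(dst)
    return {ip: {"connections": n, "distinct_dst": len(dsts[ip])}
            for ip, n in conns.most_common()}


if __name__ == "__main__":
    for ip, stats in find_direct_smtp_senders(SAMPLE_LOG, "192.168.1.2").items():
        print(f"{ip}: {stats['connections']} outbound SMTP connections to "
              f"{stats['distinct_dst']} distinct hosts")
```

Any host this lists is a candidate for the wipe-and-rebuild Leythos describes, and the same source/destination filter is the rule to express in the firewall: deny TCP/25 to external addresses from everything except the mail server.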
