
Thread: HELP! Trojan mailer going mad!!

#1 Allen

HELP! Trojan mailer going mad!!

    Hi guys,

I know it's a bit cheeky to ask, but one of our servers is throwing a mental and Google really isn't being much help at the moment. We have a server (SBS 2003 & Exchange 2007) that is running a small group of PCs and we have recently been having problems getting blocked on spam blacklists. I believe that there is a trojan mailer on one of our PCs which is causing these problems, as one of the Exchange queues (yahoo.com.tw) has 97,000+ outgoing emails sitting in the queue from the past few days alone. I have frozen the queue, however there are still other queues with hundreds of outgoing emails in which I know won't be real emails.

The problem lies in identifying the computer on the network that is causing this. They all run Kaspersky AV and we have scanned all machines and found nothing. We have also run Malwarebytes and the MS Malicious Software Removal Tool (something I heard was good at picking up these trojans) but still found nothing.

    I have already blocked port 25 on the firewall for everything on the network apart from the exchange server, but this is a real problem now. What's the best way to locate and remove these trojans?

    Thanks in advance,

    Allen

#2 Phage
    • Phage's system
      • Motherboard:
      • Asus Crosshair VIII
      • CPU:
      • 3800x
      • Memory:
      • 16Gb @ 3600Mhz
      • Storage:
      • Samsung 960 512Gb + 2Tb Samsung 860
      • Graphics card(s):
      • EVGA 1080ti
      • PSU:
      • BeQuiet 850w
      • Case:
      • Fractal Define 7
      • Operating System:
      • W10 64
      • Monitor(s):
      • Iiyama GB3461WQSU-B1

    Re: HELP! Trojan mailer going mad!!

I assume that all the AV apps are up to date?
    I'd run a hijackthis report and submit the result to their forums.
    I've also heard good things about the Prevx solutions.

#3 Zak33

    Re: HELP! Trojan mailer going mad!!

Can you ask each user to run an online antivirus check tonight after work, and threaten them with death if they forget or don't report the result at the end?

    http://housecall.trendmicro.com/uk/


#4 Flash477

    Re: HELP! Trojan mailer going mad!!

    It may sound like a silly question, but do the servers have AV, and have they been scanned?


#5 Allen

    Re: HELP! Trojan mailer going mad!!

    Quote Originally Posted by Phage View Post
    I assume that that all the AV apps are up to date ?
    I'd run a hijackthis report and submit the result to their forums.
    I've also heard good things about the Prevx solutions.
All AV systems are up to date. I may well run HijackThis and check out the reports to see if I can narrow down which PC is doing this. You can post the results on their forums, can you? Didn't know that. Will check it out, thanks.

    Never heard of Prevx tbh, but we have already paid up for a years worth of Kaspersky which is pretty good (although not great in this case I must admit).

#6 Allen

    Re: HELP! Trojan mailer going mad!!

    Quote Originally Posted by Zak33 View Post
Can you ask each user to run an online antivirus check tonight after work, and threaten them with death if they forget or don't report the result at the end?

    http://housecall.trendmicro.com/uk/
    I'll give that a go, cheers.

#7 Allen

    Re: HELP! Trojan mailer going mad!!

    Quote Originally Posted by Flash477 View Post
    It may sound like a silly question, but do the servers have AV, and have they been scanned?
Yes mate, it's running the same version (6 I believe) as all the others, it comes as a package. They are all up to date and have all had scans run on them, including Kaspersky, Malwarebytes and MSRT.

#8 Flash477

    Re: HELP! Trojan mailer going mad!!

Are you sure that the emails are coming from an internal source and that someone is not using your server as a relay? Or would anyone be working from home and using that mail server?


#9 Jay

    Re: HELP! Trojan mailer going mad!!

Are you 100% sure you are not an open relay?

    Is it coming from the server or a PC on the network?

    What are the headers like, do they show you any info?

I would wait until late on when the server is quiet and try to narrow it down.
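Jay's header question is the quickest way to find the sending machine without touching every PC. A message sitting in the outbound queue was handed to Exchange by some host, and the oldest Received: header that Exchange itself added records that host's name and IP. The script below is an added example, not something from the thread; the message is constructed in the style of an Exchange 2007 Received: header, and the hostnames and addresses (mail.example.local, WORKSTATION-07, 192.168.1.x) are assumptions. Only trust the hops your own server stamped: anything the sender put in the message before that first hop can be forged.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample of a message taken from an outbound queue. Hostnames and
# addresses are made up for the example; the layout follows what Exchange 2007
# writes ("from HOST (IP) by HOST (IP) with Microsoft SMTP Server ...").
# Headers are newest-first, so the bottom Received: line is the first hop.
SAMPLE_MESSAGE = """\
Received: from mail.example.local (192.168.1.5) by mail.example.local (192.168.1.5)
 with Microsoft SMTP Server id 8.1.340.0; Tue, 19 Jan 2010 02:14:07 +0000
Received: from WORKSTATION-07 (192.168.1.57) by mail.example.local (192.168.1.5)
 with Microsoft SMTP Server id 8.1.340.0; Tue, 19 Jan 2010 02:14:06 +0000
From: someone@example.local
To: victim@yahoo.com.tw
Subject: hi

body
"""

# "from <helo name> (<ip>)" as written by the receiving server.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<ip>[0-9a-fA-F:.]+)\)",
                         re.IGNORECASE)


def received_hops(raw_message):
    """Return (helo_name, ip) for each Received: hop, oldest hop first.

    Folded header lines are joined before matching, because the email module
    hands back the raw folded value.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(" ".join(value.split()))
        if match:
            hops.append((match.group("helo"), match.group("ip")))
    hops.reverse()  # message order is newest-first; we want delivery order
    return hops


def originating_host(raw_message):
    """The host that handed the message to our server, or None if no hop parsed."""
    hops = received_hops(raw_message)
    return hops[0] if hops else None


def tally_origins(raw_messages):
    """Count first-hop IPs across many queued messages; the top entry is the suspect."""
    counts = Counter()
    for raw in raw_messages:
        origin = originating_host(raw)
        if origin:
            counts[origin[1]] += 1
    return counts


if __name__ == "__main__":
    print("first hop:", originating_host(SAMPLE_MESSAGE))
    print("origins:", tally_origins([SAMPLE_MESSAGE, SAMPLE_MESSAGE]))
```

Pull a dozen messages out of the frozen yahoo.com.tw queue, run them through tally_origins, and the internal IP that dominates the count is the PC to pull off the network. If the first hop is an address outside your LAN, the server is being used as a relay rather than fed by an internal trojan, which is the other possibility raised in this thread.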

#10 Jiff Lemon

    Re: HELP! Trojan mailer going mad!!

Open Exchange System Manager, expand the server, then Protocols, and open the properties of SMTP. Check the Relay tab: what IP ranges are allowed to relay, and have you got the "allow all computers which successfully authenticate to relay" box ticked?

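The two controls on that Relay tab combine into one decision per RCPT TO, and it is worth seeing why "authenticated users only" on its own does not stop this kind of outbreak. The function below is an added example that models the decision, not Exchange's code; the relay range (192.168.1.0/24), the local domain (example.local) and the test addresses are assumptions.

```python
import ipaddress

# Assumed settings standing in for the Relay tab: the address ranges allowed
# to relay, and whether authenticated clients may relay regardless of address.
RELAY_RANGES = [ipaddress.ip_network("192.168.1.0/24")]
LOCAL_DOMAINS = {"example.local"}


def relay_allowed(client_ip, authenticated, rcpt,
                  relay_ranges=RELAY_RANGES, auth_relay=True,
                  local_domains=LOCAL_DOMAINS):
    """Decide whether a recipient should be accepted from this client.

    Mail for our own domains is delivery, not relaying, and is always accepted.
    Anything else is relaying and needs either a permitted source address or,
    if the authenticated-relay box is ticked, a successful login.
    """
    domain = rcpt.rpartition("@")[2].lower()
    if domain in local_domains:
        return True
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in relay_ranges):
        return True
    return bool(auth_relay and authenticated)


def relay_matrix(auth_relay=True):
    """Outcomes for the situations discussed in the thread, keyed by scenario."""
    external_spam = "victim@yahoo.com.tw"
    return {
        "internet, no login": relay_allowed("203.0.113.9", False, external_spam,
                                            auth_relay=auth_relay),
        "internet, stolen password": relay_allowed("203.0.113.9", True, external_spam,
                                                   auth_relay=auth_relay),
        "infected LAN PC": relay_allowed("192.168.1.57", False, external_spam,
                                         auth_relay=auth_relay),
        "internet, mail to us": relay_allowed("203.0.113.9", False, "user@example.local",
                                              auth_relay=auth_relay),
    }


if __name__ == "__main__":
    for label, ok in relay_matrix().items():
        print(f"{label:28s} {'RELAY' if ok else 'denied'}")
```

Two things fall out of the table. A leaked mailbox password from outside relays freely while the authenticated-relay box is ticked, so restricting relay to the internal ranges, as Allen did, closes that path. A trojan on a PC inside the permitted range relays no matter what, which is why blocking port 25 at the firewall for everything but the server and then hunting the PC are still necessary.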

#11 smargh

    Re: HELP! Trojan mailer going mad!!

    Small group of PCs? When everyone has left for the day, look at the network switch to see which LED is blinking the most.

    When you see some suspicious blinking, on the PC concerned use a simple sniffer like http://www.nirsoft.net/utils/smsniff.html on the PC to view the background network traffic.

Or, out of hours, run netstat or tcpview.exe (Sysinternals) on the Exchange server(s) to identify which PC has thousands of active or old connections.

    Or do the same on the client PC(s). Then use standard malware tools or nuke the PCs.

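smargh's netstat suggestion scales badly by eye once the mailer has hundreds of connections in TIME_WAIT, so it helps to count them. The script below is an added example, not from the thread: it parses the table that `netstat -n` prints on Windows, counts connections to the server's SMTP port per remote address, and reports internal hosts over a threshold. The netstat sample is constructed and the addresses (192.168.1.5 as the server, 192.168.1.0/24 as the LAN) are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of `netstat -n` as printed on the Exchange server.
# 192.168.1.5 is the server; 203.0.113.9 is an Internet MX delivering to us.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:25         192.168.1.57:49213     ESTABLISHED
  TCP    192.168.1.5:25         192.168.1.57:49214     ESTABLISHED
  TCP    192.168.1.5:25         192.168.1.57:49215     TIME_WAIT
  TCP    192.168.1.5:25         192.168.1.57:49216     TIME_WAIT
  TCP    192.168.1.5:25         192.168.1.12:50101     ESTABLISHED
  TCP    192.168.1.5:135        192.168.1.12:50102     ESTABLISHED
  TCP    192.168.1.5:443        192.168.1.30:51000     ESTABLISHED
  TCP    192.168.1.5:25         203.0.113.9:33001      ESTABLISHED
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range


def smtp_peers(netstat_text, smtp_port=25):
    """Count connections to our SMTP port per remote IP, any state.

    TIME_WAIT entries are included on purpose: a mailer opening one short
    session per message leaves a trail of them even when nothing is active.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue  # header lines, blank lines, UDP
        local, foreign = parts[1], parts[2]
        if local.rsplit(":", 1)[1] != str(smtp_port):
            continue
        counts[foreign.rsplit(":", 1)[0]] += 1
    return counts


def suspects(counts, internal=LAN, threshold=3):
    """Internal hosts holding at least `threshold` SMTP connections, busiest first.

    External peers are skipped: inbound mail from the Internet is expected on
    port 25, and a workstation normally needs one connection at a time.
    """
    return [ip for ip, n in counts.most_common()
            if n >= threshold and ipaddress.ip_address(ip) in internal]


if __name__ == "__main__":
    peers = smtp_peers(NETSTAT_OUTPUT)
    for ip, n in peers.most_common():
        print(f"{ip:16s} {n}")
    print("suspects:", suspects(peers))
```

Feed it real output with `netstat -n > out.txt` on the server during a quiet period. On the suspect PC itself, `netstat -ano` adds the owning process ID to each line, which takes you straight from the outbound port 25 connections to the process to kill and submit to your AV vendor.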

#12 Allen

    Re: HELP! Trojan mailer going mad!!

    Quote Originally Posted by Flash477 View Post
Are you sure that the emails are coming from an internal source and that someone is not using your server as a relay? Or would anyone be working from home and using that mail server?
Quote Originally Posted by Jay View Post
Are you 100% sure you are not an open relay?
Quote Originally Posted by Jiff Lemon View Post
Open Exchange System Manager, expand the server, then Protocols, and open the properties of SMTP. Check the Relay tab: what IP ranges are allowed to relay, and have you got the "allow all computers which successfully authenticate to relay" box ticked?
I checked this and although it was limited to only sending messages from authenticated accounts, I have now added the limit to only send from within the internal network.

    Along with all the other work I did last night, things appear to be a lot better today. Will keep monitoring it.

    Thanks everyone for your help!

#13 Jay

    Re: HELP! Trojan mailer going mad!!

Glad to see you got it sorted, now the hard work of getting off the blacklists starts! AOL's blacklists are the worst for this IMO.

#14 Allen

    Re: HELP! Trojan mailer going mad!!

    It's only on 3 blacklists from what I can see, and 2 of those are with UCEPROTECT who I believe are a pain to be removed from (as it costs you money).

    However, both L2 and L3 reports from UCEPROTECT advise that the IP is in a "spammy neighbourhood" and that our IP hasn't done anything wrong. So that's a good sign.
